purecrypter | af8ea2ae4917c68825f1c60f3900634cc7c2d3d2de079215f1aacf116841418c

Analysis

max time kernel
121s
max time network
146s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-01-2023 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deflated-gimp-2.10.32.-setup-1.exe
Size

217KB
MD5

009d70132e15d6f0bf593da170f0b7b0
SHA1

5a1bd8f31059de4e46778510fffd23c87bc32740
SHA256

af8ea2ae4917c68825f1c60f3900634cc7c2d3d2de079215f1aacf116841418c
SHA512

5192b9c860b4e10a329b181f4419cd7443f602ec9174d9c538e0843d10e59e4472df0e1b2a6572d96f89ad061eb1f6ea6240c8dd11d860664f93500dbee4824d
SSDEEP

3072:uI71VdaROKutNI6mKR0QHTT1Xm4B1jj0hhih3GD2xvwN64u/KKR7:uInda0KuksNzB1jjAoGD2lww4V

Score

10^/10

purecrypter redline redline discovery downloader infostealer loader persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

redline

79.137.133.225:25999

Attributes

auth_value
38284dbf15da9b4a9eaee0ef0d2b343f

Signatures

Detect PureCrypter injector 4 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1356-77-0x0000000004CE0000-0x00000000050E4000-memory.dmp	family_purecrypter
behavioral1/memory/676-78-0x0000000004B50000-0x0000000004DAC000-memory.dmp	family_purecrypter
behavioral1/memory/1468-76-0x0000000004AF0000-0x0000000004DA4000-memory.dmp	family_purecrypter
behavioral1/memory/1424-88-0x000000001BBF0000-0x000000001BEC8000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

tmp3DCB.tmp.exetmp3DDB.tmp.exetmp3E3B.tmp.exetmp3E0B.tmp.exetmp3DCB.tmp.exetmp3E3B.tmp.exetmp3E0B.tmp.exe

pid process

676 tmp3DCB.tmp.exe
1356 tmp3DDB.tmp.exe
1468 tmp3E3B.tmp.exe
1424 tmp3E0B.tmp.exe
1440 tmp3DCB.tmp.exe
612 tmp3E3B.tmp.exe
676 tmp3E0B.tmp.exe

pid	process
676	tmp3DCB.tmp.exe
1356	tmp3DDB.tmp.exe
1468	tmp3E3B.tmp.exe
1424	tmp3E0B.tmp.exe
1440	tmp3DCB.tmp.exe
612	tmp3E3B.tmp.exe
676	tmp3E0B.tmp.exe

Loads dropped DLL 7 IoCs

Processes:

deflated-gimp-2.10.32.-setup-1.exetmp3DCB.tmp.exetmp3E3B.tmp.exetmp3E0B.tmp.exe

pid	process
2020	deflated-gimp-2.10.32.-setup-1.exe
2020	deflated-gimp-2.10.32.-setup-1.exe
2020	deflated-gimp-2.10.32.-setup-1.exe
2020	deflated-gimp-2.10.32.-setup-1.exe
676	tmp3DCB.tmp.exe
1468	tmp3E3B.tmp.exe
1424	tmp3E0B.tmp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp3E3B.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gzltzqrlzsv = "\"C:\\Users\\Admin\\AppData\\Roaming\\Quhaolav\\Gzltzqrlzsv.exe\""	tmp3E3B.tmp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp3DCB.tmp.exetmp3E3B.tmp.exetmp3E0B.tmp.exe

description	pid	process	target process
PID 676 set thread context of 1440	676	tmp3DCB.tmp.exe	tmp3DCB.tmp.exe
PID 1468 set thread context of 612	1468	tmp3E3B.tmp.exe	tmp3E3B.tmp.exe
PID 1424 set thread context of 676	1424	tmp3E0B.tmp.exe	tmp3E0B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

deflated-gimp-2.10.32.-setup-1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	deflated-gimp-2.10.32.-setup-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	deflated-gimp-2.10.32.-setup-1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	deflated-gimp-2.10.32.-setup-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	deflated-gimp-2.10.32.-setup-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	deflated-gimp-2.10.32.-setup-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	deflated-gimp-2.10.32.-setup-1.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exetmp3DCB.tmp.exetmp3E0B.tmp.exepowershell.exe

pid	process
1996	powershell.exe
1620	powershell.exe
1612	powershell.exe
1440	tmp3DCB.tmp.exe
1440	tmp3DCB.tmp.exe
676	tmp3E0B.tmp.exe
676	tmp3E0B.tmp.exe
1736	powershell.exe
1736	powershell.exe
1736	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

deflated-gimp-2.10.32.-setup-1.exetmp3DDB.tmp.exetmp3E3B.tmp.exetmp3DCB.tmp.exepowershell.exepowershell.exepowershell.exetmp3E3B.tmp.exetmp3DCB.tmp.exetmp3E0B.tmp.exetmp3E0B.tmp.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2020	deflated-gimp-2.10.32.-setup-1.exe
Token: SeDebugPrivilege	1356	tmp3DDB.tmp.exe
Token: SeDebugPrivilege	1468	tmp3E3B.tmp.exe
Token: SeDebugPrivilege	676	tmp3DCB.tmp.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	612	tmp3E3B.tmp.exe
Token: SeDebugPrivilege	1440	tmp3DCB.tmp.exe
Token: SeDebugPrivilege	1424	tmp3E0B.tmp.exe
Token: SeDebugPrivilege	676	tmp3E0B.tmp.exe
Token: SeDebugPrivilege	1736	powershell.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

deflated-gimp-2.10.32.-setup-1.exetmp3E3B.tmp.exetmp3DCB.tmp.exetmp3E0B.tmp.exetmp3E0B.tmp.exe

description	pid	process	target process
PID 2020 wrote to memory of 676	2020	deflated-gimp-2.10.32.-setup-1.exe	tmp3DCB.tmp.exe
PID 2020 wrote to memory of 676	2020	deflated-gimp-2.10.32.-setup-1.exe	tmp3DCB.tmp.exe
PID 2020 wrote to memory of 676	2020	deflated-gimp-2.10.32.-setup-1.exe	tmp3DCB.tmp.exe
PID 2020 wrote to memory of 676	2020	deflated-gimp-2.10.32.-setup-1.exe	tmp3DCB.tmp.exe
PID 2020 wrote to memory of 1356	2020	deflated-gimp-2.10.32.-setup-1.exe	tmp3DDB.tmp.exe
PID 2020 wrote to memory of 1356	2020	deflated-gimp-2.10.32.-setup-1.exe	tmp3DDB.tmp.exe
PID 2020 wrote to memory of 1356	2020	deflated-gimp-2.10.32.-setup-1.exe	tmp3DDB.tmp.exe
PID 2020 wrote to memory of 1356	2020	deflated-gimp-2.10.32.-setup-1.exe	tmp3DDB.tmp.exe
PID 2020 wrote to memory of 1424	2020	deflated-gimp-2.10.32.-setup-1.exe	tmp3E0B.tmp.exe
PID 2020 wrote to memory of 1424	2020	deflated-gimp-2.10.32.-setup-1.exe	tmp3E0B.tmp.exe
PID 2020 wrote to memory of 1424	2020	deflated-gimp-2.10.32.-setup-1.exe	tmp3E0B.tmp.exe
PID 2020 wrote to memory of 1424	2020	deflated-gimp-2.10.32.-setup-1.exe	tmp3E0B.tmp.exe
PID 2020 wrote to memory of 1468	2020	deflated-gimp-2.10.32.-setup-1.exe	tmp3E3B.tmp.exe
PID 2020 wrote to memory of 1468	2020	deflated-gimp-2.10.32.-setup-1.exe	tmp3E3B.tmp.exe
PID 2020 wrote to memory of 1468	2020	deflated-gimp-2.10.32.-setup-1.exe	tmp3E3B.tmp.exe
PID 2020 wrote to memory of 1468	2020	deflated-gimp-2.10.32.-setup-1.exe	tmp3E3B.tmp.exe
PID 1468 wrote to memory of 1996	1468	tmp3E3B.tmp.exe	powershell.exe
PID 1468 wrote to memory of 1996	1468	tmp3E3B.tmp.exe	powershell.exe
PID 1468 wrote to memory of 1996	1468	tmp3E3B.tmp.exe	powershell.exe
PID 1468 wrote to memory of 1996	1468	tmp3E3B.tmp.exe	powershell.exe
PID 676 wrote to memory of 1620	676	tmp3DCB.tmp.exe	powershell.exe
PID 676 wrote to memory of 1620	676	tmp3DCB.tmp.exe	powershell.exe
PID 676 wrote to memory of 1620	676	tmp3DCB.tmp.exe	powershell.exe
PID 676 wrote to memory of 1620	676	tmp3DCB.tmp.exe	powershell.exe
PID 1424 wrote to memory of 1612	1424	tmp3E0B.tmp.exe	powershell.exe
PID 1424 wrote to memory of 1612	1424	tmp3E0B.tmp.exe	powershell.exe
PID 1424 wrote to memory of 1612	1424	tmp3E0B.tmp.exe	powershell.exe
PID 676 wrote to memory of 1440	676	tmp3DCB.tmp.exe	tmp3DCB.tmp.exe
PID 676 wrote to memory of 1440	676	tmp3DCB.tmp.exe	tmp3DCB.tmp.exe
PID 676 wrote to memory of 1440	676	tmp3DCB.tmp.exe	tmp3DCB.tmp.exe
PID 676 wrote to memory of 1440	676	tmp3DCB.tmp.exe	tmp3DCB.tmp.exe
PID 676 wrote to memory of 1440	676	tmp3DCB.tmp.exe	tmp3DCB.tmp.exe
PID 676 wrote to memory of 1440	676	tmp3DCB.tmp.exe	tmp3DCB.tmp.exe
PID 676 wrote to memory of 1440	676	tmp3DCB.tmp.exe	tmp3DCB.tmp.exe
PID 676 wrote to memory of 1440	676	tmp3DCB.tmp.exe	tmp3DCB.tmp.exe
PID 676 wrote to memory of 1440	676	tmp3DCB.tmp.exe	tmp3DCB.tmp.exe
PID 1468 wrote to memory of 612	1468	tmp3E3B.tmp.exe	tmp3E3B.tmp.exe
PID 1468 wrote to memory of 612	1468	tmp3E3B.tmp.exe	tmp3E3B.tmp.exe
PID 1468 wrote to memory of 612	1468	tmp3E3B.tmp.exe	tmp3E3B.tmp.exe
PID 1468 wrote to memory of 612	1468	tmp3E3B.tmp.exe	tmp3E3B.tmp.exe
PID 1468 wrote to memory of 612	1468	tmp3E3B.tmp.exe	tmp3E3B.tmp.exe
PID 1468 wrote to memory of 612	1468	tmp3E3B.tmp.exe	tmp3E3B.tmp.exe
PID 1468 wrote to memory of 612	1468	tmp3E3B.tmp.exe	tmp3E3B.tmp.exe
PID 1468 wrote to memory of 612	1468	tmp3E3B.tmp.exe	tmp3E3B.tmp.exe
PID 1468 wrote to memory of 612	1468	tmp3E3B.tmp.exe	tmp3E3B.tmp.exe
PID 1424 wrote to memory of 676	1424	tmp3E0B.tmp.exe	tmp3E0B.tmp.exe
PID 1424 wrote to memory of 676	1424	tmp3E0B.tmp.exe	tmp3E0B.tmp.exe
PID 1424 wrote to memory of 676	1424	tmp3E0B.tmp.exe	tmp3E0B.tmp.exe
PID 1424 wrote to memory of 676	1424	tmp3E0B.tmp.exe	tmp3E0B.tmp.exe
PID 1424 wrote to memory of 676	1424	tmp3E0B.tmp.exe	tmp3E0B.tmp.exe
PID 1424 wrote to memory of 676	1424	tmp3E0B.tmp.exe	tmp3E0B.tmp.exe
PID 1424 wrote to memory of 676	1424	tmp3E0B.tmp.exe	tmp3E0B.tmp.exe
PID 676 wrote to memory of 1736	676	tmp3E0B.tmp.exe	powershell.exe
PID 676 wrote to memory of 1736	676	tmp3E0B.tmp.exe	powershell.exe
PID 676 wrote to memory of 1736	676	tmp3E0B.tmp.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\deflated-gimp-2.10.32.-setup-1.exe
"C:\Users\Admin\AppData\Local\Temp\deflated-gimp-2.10.32.-setup-1.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\tmp3DCB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3DCB.tmp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Users\Admin\AppData\Local\Temp\tmp3DCB.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp3DCB.tmp.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Users\Admin\AppData\Local\Temp\tmp3DDB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3DDB.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Users\Admin\AppData\Local\Temp\tmp3E0B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3E0B.tmp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Users\Admin\AppData\Local\Temp\tmp3E0B.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp3E0B.tmp.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 5; Stop-Process 676 -Force; Start-Sleep -Seconds 2; Remove-Item "C:\Users\Admin\AppData\Local\Temp\tmp3E0B.tmp.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Users\Admin\AppData\Local\Temp\tmp3E3B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3E3B.tmp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Users\Admin\AppData\Local\Temp\tmp3E3B.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp3E3B.tmp.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e17f505346ec76004f34d78b7e0cabb6

SHA1
29bf3aa896edaf95ed15b62c337d37305382bdd3

SHA256
87ab3f7b63f20ee9af4d8b7d7eee6ff5ea70dd3de4e0b5ff581e91488bb08d2a

SHA512
63b4532768c7b8d32fc1fa03d92373e2f83c232ae24f9d4a8b015ddf7f3f8f7f88dec7ee92c8a3526c314b68d539a80998926f8c8c286c350a84efdf9c799761

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3DCB.tmp.exe
Filesize
2.3MB

MD5
1d85c4d35f557fbbde158258300b753f

SHA1
1a0f596ee4f5abdb3dc3bad8a1247625fce982ea

SHA256
36ccb94aa071489c4f03b72cd09c2560e40d66e541e006b5f6ca1b6e84ef2e1a

SHA512
09aa7748f392dd2104672e4f774d717298659bb6df21db51de8455e01dba0ee0d5761ecf7cf5bd24eaae80943b91ed4ab189d1e1a0df9621636bb33a2e2cdd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3DCB.tmp.exe
Filesize
2.3MB

MD5
1d85c4d35f557fbbde158258300b753f

SHA1
1a0f596ee4f5abdb3dc3bad8a1247625fce982ea

SHA256
36ccb94aa071489c4f03b72cd09c2560e40d66e541e006b5f6ca1b6e84ef2e1a

SHA512
09aa7748f392dd2104672e4f774d717298659bb6df21db51de8455e01dba0ee0d5761ecf7cf5bd24eaae80943b91ed4ab189d1e1a0df9621636bb33a2e2cdd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3DCB.tmp.exe
Filesize
2.3MB

MD5
1d85c4d35f557fbbde158258300b753f

SHA1
1a0f596ee4f5abdb3dc3bad8a1247625fce982ea

SHA256
36ccb94aa071489c4f03b72cd09c2560e40d66e541e006b5f6ca1b6e84ef2e1a

SHA512
09aa7748f392dd2104672e4f774d717298659bb6df21db51de8455e01dba0ee0d5761ecf7cf5bd24eaae80943b91ed4ab189d1e1a0df9621636bb33a2e2cdd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3DDB.tmp.exe
Filesize
4.0MB

MD5
58f86d3f8a1f981a7c7bf541c3bc787b

SHA1
a6b43c84c1b79551b39fc7c589deec969de84227

SHA256
5ec2cb39e7538c4c2eaedcd2c2ce1ea79665260e14ff5b6579e33829c06c0235

SHA512
88dd8807bbc2ad6f93eacc729489d4a859edf310becfafb788c69de80b716780dde739604d53656be8cbec160c940392d24344d2737ff9d25e064f29989b7719

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3DDB.tmp.exe
Filesize
4.0MB

MD5
58f86d3f8a1f981a7c7bf541c3bc787b

SHA1
a6b43c84c1b79551b39fc7c589deec969de84227

SHA256
5ec2cb39e7538c4c2eaedcd2c2ce1ea79665260e14ff5b6579e33829c06c0235

SHA512
88dd8807bbc2ad6f93eacc729489d4a859edf310becfafb788c69de80b716780dde739604d53656be8cbec160c940392d24344d2737ff9d25e064f29989b7719

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E0B.tmp.exe
Filesize
2.8MB

MD5
dd3be814f985b521299022ac5b69f8f1

SHA1
f7be9ac89ea6632004c8251e3f814cd21ec481a8

SHA256
83533cb6a1439e6abdad6ed5f64ebfcf0768309ebacaeee2bdd86d9fd6fc5bc6

SHA512
964a09e433dbc59764c78356304c59cb6533afe621a426ba6565888de6ac77c4f48ead61e11ae4b48ac8497eda13122819b08f4a8126bdb86ed727addaf9b253

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E0B.tmp.exe
Filesize
2.8MB

MD5
dd3be814f985b521299022ac5b69f8f1

SHA1
f7be9ac89ea6632004c8251e3f814cd21ec481a8

SHA256
83533cb6a1439e6abdad6ed5f64ebfcf0768309ebacaeee2bdd86d9fd6fc5bc6

SHA512
964a09e433dbc59764c78356304c59cb6533afe621a426ba6565888de6ac77c4f48ead61e11ae4b48ac8497eda13122819b08f4a8126bdb86ed727addaf9b253

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E0B.tmp.exe
Filesize
2.8MB

MD5
dd3be814f985b521299022ac5b69f8f1

SHA1
f7be9ac89ea6632004c8251e3f814cd21ec481a8

SHA256
83533cb6a1439e6abdad6ed5f64ebfcf0768309ebacaeee2bdd86d9fd6fc5bc6

SHA512
964a09e433dbc59764c78356304c59cb6533afe621a426ba6565888de6ac77c4f48ead61e11ae4b48ac8497eda13122819b08f4a8126bdb86ed727addaf9b253

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E3B.tmp.exe
Filesize
2.7MB

MD5
e0a5c7191e00ea683c4e73b1c80b8823

SHA1
8349e708101ba87a868fcf7cb4d00b91f1620ff6

SHA256
95dd221630d172703a90842a31b0e25a97f98c236e7a4cc09e5dc5862d8d0370

SHA512
1f2c10f8205952f613f406d7ea1c4d4bcdf6c71286ca4db859e3a131b4ee30af86f0e35cbcd58e3cd2d8f05a7e4a5be4dede910980b0afbfc44b7fea4d9224fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E3B.tmp.exe
Filesize
2.7MB

MD5
e0a5c7191e00ea683c4e73b1c80b8823

SHA1
8349e708101ba87a868fcf7cb4d00b91f1620ff6

SHA256
95dd221630d172703a90842a31b0e25a97f98c236e7a4cc09e5dc5862d8d0370

SHA512
1f2c10f8205952f613f406d7ea1c4d4bcdf6c71286ca4db859e3a131b4ee30af86f0e35cbcd58e3cd2d8f05a7e4a5be4dede910980b0afbfc44b7fea4d9224fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E3B.tmp.exe
Filesize
2.7MB

MD5
e0a5c7191e00ea683c4e73b1c80b8823

SHA1
8349e708101ba87a868fcf7cb4d00b91f1620ff6

SHA256
95dd221630d172703a90842a31b0e25a97f98c236e7a4cc09e5dc5862d8d0370

SHA512
1f2c10f8205952f613f406d7ea1c4d4bcdf6c71286ca4db859e3a131b4ee30af86f0e35cbcd58e3cd2d8f05a7e4a5be4dede910980b0afbfc44b7fea4d9224fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
c530d40f5161d6003cc887405cc152e9

SHA1
fe9a27d72b23e5d4c9da2cfb6e665ad206260aa3

SHA256
99a7fc9216dbaf60ed0346aa0743ccc0f0ae196023fe09c686dfaf770e18e12c

SHA512
045fcb41ab9d599097ead9c0e2f0536abac3e003da314365c9d9373683a3988e43189e8d0ca4d9dcdcbb30131d60f503d34e06d2c154601a0d0d50ac9e992042

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
d6b1984c8d4c049c7e44691147727510

SHA1
043878c98a3fc0e130ada22a69662f991f3b51e3

SHA256
ccccb833ab6ef7784ec2c2104533a2f3f811aa8aceb14d264875f73df53cc828

SHA512
3007a51ddb6bdfe03bf534ff4b6d15440c5a42ba8e5c37983b3c69b40eb2347738808524de321dc228224aea1d8b02d93b992b889db3275fb1ae5e667ac04af2

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3DCB.tmp.exe
Filesize
2.3MB

MD5
1d85c4d35f557fbbde158258300b753f

SHA1
1a0f596ee4f5abdb3dc3bad8a1247625fce982ea

SHA256
36ccb94aa071489c4f03b72cd09c2560e40d66e541e006b5f6ca1b6e84ef2e1a

SHA512
09aa7748f392dd2104672e4f774d717298659bb6df21db51de8455e01dba0ee0d5761ecf7cf5bd24eaae80943b91ed4ab189d1e1a0df9621636bb33a2e2cdd52

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3DCB.tmp.exe
Filesize
2.3MB

MD5
1d85c4d35f557fbbde158258300b753f

SHA1
1a0f596ee4f5abdb3dc3bad8a1247625fce982ea

SHA256
36ccb94aa071489c4f03b72cd09c2560e40d66e541e006b5f6ca1b6e84ef2e1a

SHA512
09aa7748f392dd2104672e4f774d717298659bb6df21db51de8455e01dba0ee0d5761ecf7cf5bd24eaae80943b91ed4ab189d1e1a0df9621636bb33a2e2cdd52

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3DDB.tmp.exe
Filesize
4.0MB

MD5
58f86d3f8a1f981a7c7bf541c3bc787b

SHA1
a6b43c84c1b79551b39fc7c589deec969de84227

SHA256
5ec2cb39e7538c4c2eaedcd2c2ce1ea79665260e14ff5b6579e33829c06c0235

SHA512
88dd8807bbc2ad6f93eacc729489d4a859edf310becfafb788c69de80b716780dde739604d53656be8cbec160c940392d24344d2737ff9d25e064f29989b7719

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3E0B.tmp.exe
Filesize
2.8MB

MD5
dd3be814f985b521299022ac5b69f8f1

SHA1
f7be9ac89ea6632004c8251e3f814cd21ec481a8

SHA256
83533cb6a1439e6abdad6ed5f64ebfcf0768309ebacaeee2bdd86d9fd6fc5bc6

SHA512
964a09e433dbc59764c78356304c59cb6533afe621a426ba6565888de6ac77c4f48ead61e11ae4b48ac8497eda13122819b08f4a8126bdb86ed727addaf9b253

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3E0B.tmp.exe
Filesize
2.8MB

MD5
dd3be814f985b521299022ac5b69f8f1

SHA1
f7be9ac89ea6632004c8251e3f814cd21ec481a8

SHA256
83533cb6a1439e6abdad6ed5f64ebfcf0768309ebacaeee2bdd86d9fd6fc5bc6

SHA512
964a09e433dbc59764c78356304c59cb6533afe621a426ba6565888de6ac77c4f48ead61e11ae4b48ac8497eda13122819b08f4a8126bdb86ed727addaf9b253

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3E3B.tmp.exe
Filesize
2.7MB

MD5
e0a5c7191e00ea683c4e73b1c80b8823

SHA1
8349e708101ba87a868fcf7cb4d00b91f1620ff6

SHA256
95dd221630d172703a90842a31b0e25a97f98c236e7a4cc09e5dc5862d8d0370

SHA512
1f2c10f8205952f613f406d7ea1c4d4bcdf6c71286ca4db859e3a131b4ee30af86f0e35cbcd58e3cd2d8f05a7e4a5be4dede910980b0afbfc44b7fea4d9224fa

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3E3B.tmp.exe
Filesize
2.7MB

MD5
e0a5c7191e00ea683c4e73b1c80b8823

SHA1
8349e708101ba87a868fcf7cb4d00b91f1620ff6

SHA256
95dd221630d172703a90842a31b0e25a97f98c236e7a4cc09e5dc5862d8d0370

SHA512
1f2c10f8205952f613f406d7ea1c4d4bcdf6c71286ca4db859e3a131b4ee30af86f0e35cbcd58e3cd2d8f05a7e4a5be4dede910980b0afbfc44b7fea4d9224fa

Download Submit
memory/612-124-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/612-126-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/612-122-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/612-125-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/612-127-0x00000000004A0E0E-mapping.dmp

Download
memory/612-132-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/612-130-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/612-121-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/676-63-0x0000000001220000-0x000000000147E000-memory.dmp

Filesize
2.4MB

Download
memory/676-149-0x0000000002780000-0x000000000281E000-memory.dmp

Filesize
632KB

Download
memory/676-58-0x0000000000000000-mapping.dmp

Download
memory/676-78-0x0000000004B50000-0x0000000004DAC000-memory.dmp

Filesize
2.4MB

Download
memory/676-144-0x0000000140000000-mapping.dmp

Download
memory/676-154-0x000000001B140000-0x000000001B194000-memory.dmp

Filesize
336KB

Download
memory/676-139-0x0000000140000000-0x0000000140078000-memory.dmp

Filesize
480KB

Download
memory/676-142-0x0000000140000000-0x0000000140078000-memory.dmp

Filesize
480KB

Download
memory/676-104-0x0000000000F30000-0x0000000000F7C000-memory.dmp

Filesize
304KB

Download
memory/676-153-0x0000000000920000-0x000000000096C000-memory.dmp

Filesize
304KB

Download
memory/676-140-0x0000000140000000-0x0000000140078000-memory.dmp

Filesize
480KB

Download
memory/676-150-0x0000000000820000-0x0000000000876000-memory.dmp

Filesize
344KB

Download
memory/676-143-0x0000000140000000-0x0000000140078000-memory.dmp

Filesize
480KB

Download
memory/1356-68-0x0000000000110000-0x0000000000516000-memory.dmp

Filesize
4.0MB

Download
memory/1356-61-0x0000000000000000-mapping.dmp

Download
memory/1356-77-0x0000000004CE0000-0x00000000050E4000-memory.dmp

Filesize
4.0MB

Download
memory/1424-137-0x000000001BFC0000-0x000000001C072000-memory.dmp

Filesize
712KB

Download
memory/1424-95-0x000000001B677000-0x000000001B696000-memory.dmp

Filesize
124KB

Download
memory/1424-88-0x000000001BBF0000-0x000000001BEC8000-memory.dmp

Filesize
2.8MB

Download
memory/1424-147-0x000000001B677000-0x000000001B696000-memory.dmp

Filesize
124KB

Download
memory/1424-79-0x0000000000A10000-0x0000000000CE8000-memory.dmp

Filesize
2.8MB

Download
memory/1424-66-0x0000000000000000-mapping.dmp

Download
memory/1440-112-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1440-116-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1440-118-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1440-106-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1440-113-0x000000000041B59A-mapping.dmp

Download
memory/1440-107-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1440-111-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1440-109-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1468-119-0x00000000059B0000-0x0000000005A46000-memory.dmp

Filesize
600KB

Download
memory/1468-70-0x0000000000000000-mapping.dmp

Download
memory/1468-76-0x0000000004AF0000-0x0000000004DA4000-memory.dmp

Filesize
2.7MB

Download
memory/1468-74-0x0000000000C90000-0x0000000000F44000-memory.dmp

Filesize
2.7MB

Download
memory/1612-93-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp

Filesize
8KB

Download
memory/1612-96-0x000007FEEBE80000-0x000007FEEC9DD000-memory.dmp

Filesize
11.4MB

Download
memory/1612-135-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1612-136-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/1612-94-0x000007FEEC9E0000-0x000007FEED403000-memory.dmp

Filesize
10.1MB

Download
memory/1612-97-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1612-92-0x0000000000000000-mapping.dmp

Download
memory/1612-103-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/1612-100-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1620-90-0x000000006DF10000-0x000000006E4BB000-memory.dmp

Filesize
5.7MB

Download
memory/1620-98-0x000000006DF10000-0x000000006E4BB000-memory.dmp

Filesize
5.7MB

Download
memory/1620-102-0x000000006DF10000-0x000000006E4BB000-memory.dmp

Filesize
5.7MB

Download
memory/1620-84-0x0000000000000000-mapping.dmp

Download
memory/1736-159-0x000007FEED690000-0x000007FEEE0B3000-memory.dmp

Filesize
10.1MB

Download
memory/1736-162-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/1736-155-0x0000000000000000-mapping.dmp

Download
memory/1736-165-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/1736-164-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1736-163-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/1736-161-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1736-160-0x000007FEECB30000-0x000007FEED68D000-memory.dmp

Filesize
11.4MB

Download
memory/1996-101-0x000000006DF10000-0x000000006E4BB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-99-0x000000006DF10000-0x000000006E4BB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-83-0x0000000000000000-mapping.dmp

Download
memory/1996-91-0x000000006DF10000-0x000000006E4BB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-89-0x00000000043A5000-0x00000000043B6000-memory.dmp

Filesize
68KB

Download
memory/2020-54-0x0000000000AE0000-0x0000000000B1C000-memory.dmp

Filesize
240KB

Download
memory/2020-55-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/2020-56-0x00000000043A5000-0x00000000043B6000-memory.dmp

Filesize
68KB

Download