agenttesla | 8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9

Resubmissions

20-05-2023 01:01

230520-bdhlhahd64 10

20-05-2023 00:59

17-05-2023 15:12

16-05-2023 18:13

16-05-2023 18:11

16-05-2023 18:10

16-05-2023 18:03

Analysis

max time kernel
12s
max time network
301s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20-05-2023 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

5KB
MD5

69525fa93fd47eb3c533afe3b1baba48
SHA1

3dea1b337987177c73c64e89b370d90dc94c64cb
SHA256

8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9
SHA512

909202467de5c96404c154cd3be55643df62c13c395bd6e0406be5834c3a10b953f42cc3520ac5979af754af192260ec737d19892333e5a8dfab79aef9b23182
SSDEEP

48:6di2oYDjX9iqhf3FXfkQHjJhyPFlWa8tYDdqIYM/cphuOulavTqXSfbNtm:uNiqp3JkQHyDUtE2WcpisvNzNt

Score

10^/10

agenttesla redline deren infostealer keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6225839139:AAHOVxUdRr3_xezeR4e_GlriGQEKuUFBpW0/

Extracted

Family

redline

Botnet

deren

77.91.68.253:19065

Attributes

auth_value
04a169f1fb198bfbeca74d0e06ea2d54

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

bs1.exewealthzx.exevbc.exeoloriii.exefoto0195.exex1116520.exex9350166.exef4172121.exe

pid process

2500 bs1.exe
4244 wealthzx.exe
3800 vbc.exe
2220 oloriii.exe
1416 foto0195.exe
4252 x1116520.exe
4136 x9350166.exe
3464 f4172121.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2500	bs1.exe
4244	wealthzx.exe
3800	vbc.exe
2220	oloriii.exe
1416	foto0195.exe
4252	x1116520.exe
4136	x9350166.exe
3464	f4172121.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\bs1.exe	upx
behavioral1/memory/2500-122-0x00007FF6BBFE0000-0x00007FF6BCE37000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

x9350166.exefoto0195.exex1116520.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9350166.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	foto0195.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	foto0195.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1116520.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1116520.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9350166.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ipinfo.io
11 ipinfo.io
61 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

wealthzx.exe

description pid process target process

PID 4244 set thread context of 4816 4244 wealthzx.exe Caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
10	ipinfo.io
11	ipinfo.io
61	api.ipify.org

description	pid	process	target process
PID 4244 set thread context of 4816	4244	wealthzx.exe	Caspol.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

256 systeminfo.exe

pid	process
256	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133290253116518445"	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

bs1.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	bs1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	bs1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	bs1.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

wealthzx.exechrome.exe

pid process

4244 wealthzx.exe
4244 wealthzx.exe
4300 chrome.exe
4300 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4300 chrome.exe
4300 chrome.exe
4300 chrome.exe
4300 chrome.exe

pid	process
4244	wealthzx.exe
4244	wealthzx.exe
4300	chrome.exe
4300	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a.exewmic.exewealthzx.exechrome.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1700	a.exe
Token: SeIncreaseQuotaPrivilege	2644	wmic.exe
Token: SeSecurityPrivilege	2644	wmic.exe
Token: SeTakeOwnershipPrivilege	2644	wmic.exe
Token: SeLoadDriverPrivilege	2644	wmic.exe
Token: SeSystemProfilePrivilege	2644	wmic.exe
Token: SeSystemtimePrivilege	2644	wmic.exe
Token: SeProfSingleProcessPrivilege	2644	wmic.exe
Token: SeIncBasePriorityPrivilege	2644	wmic.exe
Token: SeCreatePagefilePrivilege	2644	wmic.exe
Token: SeBackupPrivilege	2644	wmic.exe
Token: SeRestorePrivilege	2644	wmic.exe
Token: SeShutdownPrivilege	2644	wmic.exe
Token: SeDebugPrivilege	2644	wmic.exe
Token: SeSystemEnvironmentPrivilege	2644	wmic.exe
Token: SeRemoteShutdownPrivilege	2644	wmic.exe
Token: SeUndockPrivilege	2644	wmic.exe
Token: SeManageVolumePrivilege	2644	wmic.exe
Token: 33	2644	wmic.exe
Token: 34	2644	wmic.exe
Token: 35	2644	wmic.exe
Token: 36	2644	wmic.exe
Token: SeIncreaseQuotaPrivilege	2644	wmic.exe
Token: SeSecurityPrivilege	2644	wmic.exe
Token: SeTakeOwnershipPrivilege	2644	wmic.exe
Token: SeLoadDriverPrivilege	2644	wmic.exe
Token: SeSystemProfilePrivilege	2644	wmic.exe
Token: SeSystemtimePrivilege	2644	wmic.exe
Token: SeProfSingleProcessPrivilege	2644	wmic.exe
Token: SeIncBasePriorityPrivilege	2644	wmic.exe
Token: SeCreatePagefilePrivilege	2644	wmic.exe
Token: SeBackupPrivilege	2644	wmic.exe
Token: SeRestorePrivilege	2644	wmic.exe
Token: SeShutdownPrivilege	2644	wmic.exe
Token: SeDebugPrivilege	2644	wmic.exe
Token: SeSystemEnvironmentPrivilege	2644	wmic.exe
Token: SeRemoteShutdownPrivilege	2644	wmic.exe
Token: SeUndockPrivilege	2644	wmic.exe
Token: SeManageVolumePrivilege	2644	wmic.exe
Token: 33	2644	wmic.exe
Token: 34	2644	wmic.exe
Token: 35	2644	wmic.exe
Token: 36	2644	wmic.exe
Token: SeDebugPrivilege	4244	wealthzx.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeIncreaseQuotaPrivilege	3400	wmic.exe
Token: SeSecurityPrivilege	3400	wmic.exe
Token: SeTakeOwnershipPrivilege	3400	wmic.exe
Token: SeLoadDriverPrivilege	3400	wmic.exe
Token: SeSystemProfilePrivilege	3400	wmic.exe
Token: SeSystemtimePrivilege	3400	wmic.exe
Token: SeProfSingleProcessPrivilege	3400	wmic.exe
Token: SeIncBasePriorityPrivilege	3400	wmic.exe
Token: SeCreatePagefilePrivilege	3400	wmic.exe
Token: SeBackupPrivilege	3400	wmic.exe
Token: SeRestorePrivilege	3400	wmic.exe
Token: SeShutdownPrivilege	3400	wmic.exe
Token: SeDebugPrivilege	3400	wmic.exe
Token: SeSystemEnvironmentPrivilege	3400	wmic.exe
Token: SeRemoteShutdownPrivilege	3400	wmic.exe
Token: SeUndockPrivilege	3400	wmic.exe
Token: SeManageVolumePrivilege	3400	wmic.exe
Token: 33	3400	wmic.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a.exebs1.exechrome.exewealthzx.exe

description	pid	process	target process
PID 1700 wrote to memory of 2500	1700	a.exe	bs1.exe
PID 1700 wrote to memory of 2500	1700	a.exe	bs1.exe
PID 2500 wrote to memory of 3924	2500	bs1.exe	cmd.exe
PID 2500 wrote to memory of 3924	2500	bs1.exe	cmd.exe
PID 1700 wrote to memory of 4300	1700	a.exe	chrome.exe
PID 1700 wrote to memory of 4300	1700	a.exe	chrome.exe
PID 4300 wrote to memory of 4316	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4316	4300	chrome.exe	chrome.exe
PID 1700 wrote to memory of 4244	1700	a.exe	wealthzx.exe
PID 1700 wrote to memory of 4244	1700	a.exe	wealthzx.exe
PID 2500 wrote to memory of 2644	2500	bs1.exe	wmic.exe
PID 2500 wrote to memory of 2644	2500	bs1.exe	wmic.exe
PID 4244 wrote to memory of 4240	4244	wealthzx.exe	Caspol.exe
PID 4244 wrote to memory of 4240	4244	wealthzx.exe	Caspol.exe
PID 4244 wrote to memory of 4240	4244	wealthzx.exe	Caspol.exe
PID 4244 wrote to memory of 4816	4244	wealthzx.exe	Caspol.exe
PID 4244 wrote to memory of 4816	4244	wealthzx.exe	Caspol.exe
PID 4244 wrote to memory of 4816	4244	wealthzx.exe	Caspol.exe
PID 4244 wrote to memory of 4816	4244	wealthzx.exe	Caspol.exe
PID 4244 wrote to memory of 4816	4244	wealthzx.exe	Caspol.exe
PID 4244 wrote to memory of 4816	4244	wealthzx.exe	Caspol.exe
PID 4244 wrote to memory of 4816	4244	wealthzx.exe	Caspol.exe
PID 4244 wrote to memory of 4816	4244	wealthzx.exe	Caspol.exe
PID 1700 wrote to memory of 3800	1700	a.exe	vbc.exe
PID 1700 wrote to memory of 3800	1700	a.exe	vbc.exe
PID 1700 wrote to memory of 3800	1700	a.exe	vbc.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4152	4300	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\a\bs1.exe
"C:\Users\Admin\AppData\Local\Temp\a\bs1.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SYSTEM32\cmd.exe
cmd /c
3⤵
PID:3924

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get uuid
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\System32\Wbem\wmic.exe
wmic desktopmonitor get "screenheight, screenwidth"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Windows\system32\cmd.exe
cmd /C net session
3⤵
PID:2444

C:\Windows\system32\net.exe
net session
4⤵
PID:2464

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:1784

C:\Windows\system32\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffab62f9758,0x7ffab62f9768,0x7ffab62f9778
3⤵
PID:4316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1944 --field-trial-handle=1732,i,2314302143804573771,7779304802179937491,131072 /prefetch:8
3⤵
PID:3824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1732,i,2314302143804573771,7779304802179937491,131072 /prefetch:8
3⤵
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1732,i,2314302143804573771,7779304802179937491,131072 /prefetch:1
3⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1732,i,2314302143804573771,7779304802179937491,131072 /prefetch:1
3⤵
PID:3512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1732,i,2314302143804573771,7779304802179937491,131072 /prefetch:2
3⤵
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4396 --field-trial-handle=1732,i,2314302143804573771,7779304802179937491,131072 /prefetch:1
3⤵
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1732,i,2314302143804573771,7779304802179937491,131072 /prefetch:8
3⤵
PID:528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4712 --field-trial-handle=1732,i,2314302143804573771,7779304802179937491,131072 /prefetch:8
3⤵
PID:4792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4860 --field-trial-handle=1732,i,2314302143804573771,7779304802179937491,131072 /prefetch:1
3⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5148 --field-trial-handle=1732,i,2314302143804573771,7779304802179937491,131072 /prefetch:8
3⤵
PID:1128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1732,i,2314302143804573771,7779304802179937491,131072 /prefetch:8
3⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\a\wealthzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\wealthzx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:4240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\a\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc.exe"
2⤵
- Executes dropped EXE
PID:3800

C:\Users\Admin\AppData\Local\Temp\a\oloriii.exe
"C:\Users\Admin\AppData\Local\Temp\a\oloriii.exe"
2⤵
- Executes dropped EXE
PID:2220

C:\Users\Admin\AppData\Local\Temp\a\foto0195.exe
"C:\Users\Admin\AppData\Local\Temp\a\foto0195.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1416

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1116520.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1116520.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4252

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9350166.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9350166.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4136

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4172121.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4172121.exe
5⤵
- Executes dropped EXE
PID:3464

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1116520.exe
Filesize
751KB

MD5
cd882d1818445ef6929f6350178e9079

SHA1
fd4f9d7e1b6158fac8bce5f8e1e94805001e2b7a

SHA256
ce94607b93e01ea6d17b6ffa4968e95ee364a3ab1661cfef5d75e577555df583

SHA512
8b5ce45410d82207f7064ff152eb7f4f31f5c4b7b37c1b7c330c37382cc68a60cc6c69df1855a85259602b12c26c1f14b87f3249cc036a0805989b5f332a672e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1116520.exe
Filesize
751KB

MD5
cd882d1818445ef6929f6350178e9079

SHA1
fd4f9d7e1b6158fac8bce5f8e1e94805001e2b7a

SHA256
ce94607b93e01ea6d17b6ffa4968e95ee364a3ab1661cfef5d75e577555df583

SHA512
8b5ce45410d82207f7064ff152eb7f4f31f5c4b7b37c1b7c330c37382cc68a60cc6c69df1855a85259602b12c26c1f14b87f3249cc036a0805989b5f332a672e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9350166.exe
Filesize
306KB

MD5
0479705227638d82429d8cd094ada166

SHA1
b3077667b407298eec12c849d733da5033c8814b

SHA256
3b432d495176de6594efb49b3a41b987501649f084a22c123a66aada0b825a57

SHA512
e5f856ddbf40ddcb6266cbf95cf1012d8b92b284a518de3ed9186940d399d9337654dc4b87daedadc8b196caa1dd9067f203375d61d69cb5c7cd36e5284b6410

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9350166.exe
Filesize
306KB

MD5
0479705227638d82429d8cd094ada166

SHA1
b3077667b407298eec12c849d733da5033c8814b

SHA256
3b432d495176de6594efb49b3a41b987501649f084a22c123a66aada0b825a57

SHA512
e5f856ddbf40ddcb6266cbf95cf1012d8b92b284a518de3ed9186940d399d9337654dc4b87daedadc8b196caa1dd9067f203375d61d69cb5c7cd36e5284b6410

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4172121.exe
Filesize
145KB

MD5
bad20a6649c3cc1f490a7350de0ca9ff

SHA1
c178e27d34da69bb6b576a0db3833989c2f75ce4

SHA256
37c7ecbfbf1fc120e13466b4adda980561b34ae2a7d2b087523bc8b611ace0ea

SHA512
0aa5159857a64a4cd51fe89a3e4da9f7129d898bea9d8f5398caffc286cdc3f4a66e27085de194136b5d2a132cdf85a41844117aea09413a37bd8afdc148693f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4172121.exe
Filesize
145KB

MD5
bad20a6649c3cc1f490a7350de0ca9ff

SHA1
c178e27d34da69bb6b576a0db3833989c2f75ce4

SHA256
37c7ecbfbf1fc120e13466b4adda980561b34ae2a7d2b087523bc8b611ace0ea

SHA512
0aa5159857a64a4cd51fe89a3e4da9f7129d898bea9d8f5398caffc286cdc3f4a66e27085de194136b5d2a132cdf85a41844117aea09413a37bd8afdc148693f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bs1.exe
Filesize
4.6MB

MD5
10f3b2556027848e861bdf1fa3fad046

SHA1
6a9012a7d600aa432c70ade1aa36cebe04e7ee51

SHA256
d934a1bde6bb75936d223426e64497e92526b8bc75a4f8a59a87f1d25ed1a0d2

SHA512
a58cd4704a499928b39931503dcc6c623c1fc25523b9fab9cdd3cced90813bea39a2fab96c8bd9cf1f25af3b6a0e27c707afa57c504ade6beb1090731b07f4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\foto0195.exe
Filesize
1.0MB

MD5
e0724e43d2273ee18920b8653cbdf578

SHA1
b5560ab824d0579b3143795a9639a20ebeb8de38

SHA256
137f040c851e03f92823a1095f5aa284f7208caa5f3ae8ad678988f7626b6882

SHA512
29cd7b33c7cac677fbeaec82b4e70417a9d7c2da1f8d2151b4b96a30a02445b08388300d7b0b390deba64c4b21bebdfa07fa48de61af3763a9eb4a7beebbb239

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\foto0195.exe
Filesize
1.0MB

MD5
e0724e43d2273ee18920b8653cbdf578

SHA1
b5560ab824d0579b3143795a9639a20ebeb8de38

SHA256
137f040c851e03f92823a1095f5aa284f7208caa5f3ae8ad678988f7626b6882

SHA512
29cd7b33c7cac677fbeaec82b4e70417a9d7c2da1f8d2151b4b96a30a02445b08388300d7b0b390deba64c4b21bebdfa07fa48de61af3763a9eb4a7beebbb239

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\oloriii.exe
Filesize
872KB

MD5
e15fce57d8180b568e6e27bb06ddbe23

SHA1
952597bffe6b064d30ab3bed69282d0ac0aad344

SHA256
ccb7f3c0b4ca7addbcb2025f46fb9ea42c1eca54bd19a728ca81046cacf3fe0d

SHA512
033c009791fc0ba9cb47e01b6e2efb9dc9eba517cbf49c9f7bfc7782ad93f5d14cedd8b42300ce7bb71cdbc278be01f7ebccdfe2ff97b659ab8cd43b2fe52e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\oloriii.exe
Filesize
872KB

MD5
e15fce57d8180b568e6e27bb06ddbe23

SHA1
952597bffe6b064d30ab3bed69282d0ac0aad344

SHA256
ccb7f3c0b4ca7addbcb2025f46fb9ea42c1eca54bd19a728ca81046cacf3fe0d

SHA512
033c009791fc0ba9cb47e01b6e2efb9dc9eba517cbf49c9f7bfc7782ad93f5d14cedd8b42300ce7bb71cdbc278be01f7ebccdfe2ff97b659ab8cd43b2fe52e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vbc.exe
Filesize
908KB

MD5
88f4d678b79d16820bf90404170118c7

SHA1
3f646a5f01639d990184ae7cb443fe5e6ce38683

SHA256
c1548f41733077975fff5009b326af53e7b3d52d48bb44002ca88fc69f710a18

SHA512
4e953bf43a75f1762bb78125b819657cd4896e4d8ecea8a2f426187986a5e228eddb03668e77e01aaf05eb6dfee037fc2994ae4f4e831810c3f046c464d2f181

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vbc.exe
Filesize
908KB

MD5
88f4d678b79d16820bf90404170118c7

SHA1
3f646a5f01639d990184ae7cb443fe5e6ce38683

SHA256
c1548f41733077975fff5009b326af53e7b3d52d48bb44002ca88fc69f710a18

SHA512
4e953bf43a75f1762bb78125b819657cd4896e4d8ecea8a2f426187986a5e228eddb03668e77e01aaf05eb6dfee037fc2994ae4f4e831810c3f046c464d2f181

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wealthzx.exe
Filesize
238KB

MD5
a5c83c6ebe289f10bc234898385e889e

SHA1
22d30090942fc7b1f266028450cf05c72d82f4c5

SHA256
bd176aba121ee1111813afe94594ee38b7773dc660833775dd289060db7fe6af

SHA512
bbf7a51fcc80498c27f6432cddce72fbf19e37a83ea828d050b2f0ebb04baa13971534f1ef86178960178ba6493e04143471e19da0cd8906841d091dea87e05f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wealthzx.exe
Filesize
238KB

MD5
a5c83c6ebe289f10bc234898385e889e

SHA1
22d30090942fc7b1f266028450cf05c72d82f4c5

SHA256
bd176aba121ee1111813afe94594ee38b7773dc660833775dd289060db7fe6af

SHA512
bbf7a51fcc80498c27f6432cddce72fbf19e37a83ea828d050b2f0ebb04baa13971534f1ef86178960178ba6493e04143471e19da0cd8906841d091dea87e05f

Download Submit
\??\pipe\crashpad_4300_VGSMETOYSXXGKIQG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1700-116-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/1700-209-0x000000001AF20000-0x000000001AF30000-memory.dmp

Filesize
64KB

Download
memory/1700-117-0x000000001AF20000-0x000000001AF30000-memory.dmp

Filesize
64KB

Download
memory/2220-179-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/2220-178-0x00000000009A0000-0x0000000000A80000-memory.dmp

Filesize
896KB

Download
memory/2500-122-0x00007FF6BBFE0000-0x00007FF6BCE37000-memory.dmp

Filesize
14.3MB

Download
memory/3464-231-0x0000000000820000-0x000000000084A000-memory.dmp

Filesize
168KB

Download
memory/3800-165-0x0000000005510000-0x000000000551A000-memory.dmp

Filesize
40KB

Download
memory/3800-170-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/3800-164-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/3800-159-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/3800-157-0x0000000000A90000-0x0000000000B76000-memory.dmp

Filesize
920KB

Download
memory/4244-140-0x000001C000800000-0x000001C00080A000-memory.dmp

Filesize
40KB

Download
memory/4244-139-0x000001C0006D0000-0x000001C0006FC000-memory.dmp

Filesize
176KB

Download
memory/4244-136-0x000001C066260000-0x000001C06629C000-memory.dmp

Filesize
240KB

Download
memory/4816-163-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/4816-162-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/4816-158-0x0000000005B70000-0x000000000606E000-memory.dmp

Filesize
5.0MB

Download
memory/4816-141-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download