lucastealer | 6a292b1db13521d69a235cad26fc3a1b440d914f34903ae6ec2629df85022fa9

Analysis

max time kernel
173s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2023 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Generic Patch-Smeagol-TheRadziu-x64.exe
Size

4.5MB
MD5

702f014a9a2fd33905fbcbcfd2ea7012
SHA1

39f9c29d3991209b36c0c857975c7a2d85980d4a
SHA256

6a292b1db13521d69a235cad26fc3a1b440d914f34903ae6ec2629df85022fa9
SHA512

b24cc67150b90aad0f85473ff1df892ce55570518313ddee559d9470c42076314d150e22727052b951fdf780b7e8f35326835cb6013a9ddcef6a3f93210d53e3
SSDEEP

98304:zgtrbTA1Y3C+Ni0iKD6vXLW6jRhdGVQguhhW31ZH:z2c1Yy8iDL5LdGVzu+lJ

Score

10^/10

lucastealer evasion persistence stealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Luca Stealer payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000700000002321c-60.dat	family_lucastealer
behavioral1/files/0x000700000002321c-62.dat	family_lucastealer
behavioral1/files/0x000400000001e801-85.dat	family_lucastealer
behavioral1/files/0x000400000001e801-84.dat	family_lucastealer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YKCJKD.lnk	generic patch-smeagol-theradziu-x64.exe

Executes dropped EXE 16 IoCs

pid	Process
4180	generic patch-smeagol-theradziu-x64.exe
3380	icsys.icn.exe
2944	explorer.exe
4336	spoolsv.exe
3864	svchost.exe
1872	spoolsv.exe
1976	ACNBZD.exe
2968	acnbzd.exe
116	icsys.icn.exe
1512	explorer.exe
3740	generic patch-smeagol-theradziu-x64.exe
1596	icsys.icn.exe
2212	explorer.exe
220	generic patch-smeagol-theradziu-x64.exe
1708	icsys.icn.exe
4608	explorer.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YKCJKD = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Microsoft Office Click-to-Run.exe\""	generic patch-smeagol-theradziu-x64.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000600000002321a-7.dat	autoit_exe
behavioral1/files/0x000600000002321a-8.dat	autoit_exe
behavioral1/files/0x0007000000023218-80.dat	autoit_exe
behavioral1/files/0x000600000002321a-118.dat	autoit_exe
behavioral1/files/0x000600000002321a-136.dat	autoit_exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3484	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3380	icsys.icn.exe
3380	icsys.icn.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
3864	svchost.exe
3864	svchost.exe
3864	svchost.exe
3864	svchost.exe
2944	explorer.exe
2944	explorer.exe
3864	svchost.exe
3864	svchost.exe
2944	explorer.exe
2944	explorer.exe
3864	svchost.exe
3864	svchost.exe
2944	explorer.exe
2944	explorer.exe
4180	generic patch-smeagol-theradziu-x64.exe
4180	generic patch-smeagol-theradziu-x64.exe
2944	explorer.exe
2944	explorer.exe
3864	svchost.exe
3864	svchost.exe
2944	explorer.exe
2944	explorer.exe
3864	svchost.exe
3864	svchost.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
3864	svchost.exe
3864	svchost.exe
2944	explorer.exe
3864	svchost.exe
2944	explorer.exe
3864	svchost.exe
2944	explorer.exe
2944	explorer.exe
3864	svchost.exe
3864	svchost.exe
2944	explorer.exe
3864	svchost.exe
2944	explorer.exe
3864	svchost.exe
3864	svchost.exe
2944	explorer.exe
2944	explorer.exe
3864	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4180	generic patch-smeagol-theradziu-x64.exe
2944	explorer.exe
3864	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4428	taskmgr.exe
Token: SeSystemProfilePrivilege	4428	taskmgr.exe
Token: SeCreateGlobalPrivilege	4428	taskmgr.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe
4428	taskmgr.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
1440	Generic Patch-Smeagol-TheRadziu-x64.exe
1440	Generic Patch-Smeagol-TheRadziu-x64.exe
3380	icsys.icn.exe
3380	icsys.icn.exe
2944	explorer.exe
2944	explorer.exe
4336	spoolsv.exe
4336	spoolsv.exe
3864	svchost.exe
3864	svchost.exe
1872	spoolsv.exe
1872	spoolsv.exe
1976	ACNBZD.exe
2944	explorer.exe
2944	explorer.exe
1976	ACNBZD.exe
116	icsys.icn.exe
116	icsys.icn.exe
1512	explorer.exe
1512	explorer.exe
2708	Generic Patch-Smeagol-TheRadziu-x64.exe
2708	Generic Patch-Smeagol-TheRadziu-x64.exe
1596	icsys.icn.exe
1596	icsys.icn.exe
2212	explorer.exe
2212	explorer.exe
3736	Generic Patch-Smeagol-TheRadziu-x64.exe
3736	Generic Patch-Smeagol-TheRadziu-x64.exe
1708	icsys.icn.exe
1708	icsys.icn.exe
4608	explorer.exe
4608	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 4180	1440	Generic Patch-Smeagol-TheRadziu-x64.exe	84
PID 1440 wrote to memory of 4180	1440	Generic Patch-Smeagol-TheRadziu-x64.exe	84
PID 1440 wrote to memory of 4180	1440	Generic Patch-Smeagol-TheRadziu-x64.exe	84
PID 1440 wrote to memory of 3380	1440	Generic Patch-Smeagol-TheRadziu-x64.exe	86
PID 1440 wrote to memory of 3380	1440	Generic Patch-Smeagol-TheRadziu-x64.exe	86
PID 1440 wrote to memory of 3380	1440	Generic Patch-Smeagol-TheRadziu-x64.exe	86
PID 3380 wrote to memory of 2944	3380	icsys.icn.exe	87
PID 3380 wrote to memory of 2944	3380	icsys.icn.exe	87
PID 3380 wrote to memory of 2944	3380	icsys.icn.exe	87
PID 2944 wrote to memory of 4336	2944	explorer.exe	88
PID 2944 wrote to memory of 4336	2944	explorer.exe	88
PID 2944 wrote to memory of 4336	2944	explorer.exe	88
PID 4336 wrote to memory of 3864	4336	spoolsv.exe	89
PID 4336 wrote to memory of 3864	4336	spoolsv.exe	89
PID 4336 wrote to memory of 3864	4336	spoolsv.exe	89
PID 4180 wrote to memory of 1976	4180	generic patch-smeagol-theradziu-x64.exe	90
PID 4180 wrote to memory of 1976	4180	generic patch-smeagol-theradziu-x64.exe	90
PID 4180 wrote to memory of 1976	4180	generic patch-smeagol-theradziu-x64.exe	90
PID 3864 wrote to memory of 1872	3864	svchost.exe	92
PID 3864 wrote to memory of 1872	3864	svchost.exe	92
PID 3864 wrote to memory of 1872	3864	svchost.exe	92
PID 4180 wrote to memory of 4548	4180	generic patch-smeagol-theradziu-x64.exe	93
PID 4180 wrote to memory of 4548	4180	generic patch-smeagol-theradziu-x64.exe	93
PID 4180 wrote to memory of 4548	4180	generic patch-smeagol-theradziu-x64.exe	93
PID 3864 wrote to memory of 4584	3864	svchost.exe	98
PID 3864 wrote to memory of 4584	3864	svchost.exe	98
PID 3864 wrote to memory of 4584	3864	svchost.exe	98
PID 4548 wrote to memory of 4280	4548	cmd.exe	101
PID 4548 wrote to memory of 4280	4548	cmd.exe	101
PID 4548 wrote to memory of 4280	4548	cmd.exe	101
PID 4180 wrote to memory of 4724	4180	generic patch-smeagol-theradziu-x64.exe	99
PID 4180 wrote to memory of 4724	4180	generic patch-smeagol-theradziu-x64.exe	99
PID 4180 wrote to memory of 4724	4180	generic patch-smeagol-theradziu-x64.exe	99
PID 4724 wrote to memory of 3484	4724	cmd.exe	102
PID 4724 wrote to memory of 3484	4724	cmd.exe	102
PID 4724 wrote to memory of 3484	4724	cmd.exe	102
PID 1976 wrote to memory of 2968	1976	ACNBZD.exe	103
PID 1976 wrote to memory of 2968	1976	ACNBZD.exe	103
PID 1976 wrote to memory of 116	1976	ACNBZD.exe	106
PID 1976 wrote to memory of 116	1976	ACNBZD.exe	106
PID 1976 wrote to memory of 116	1976	ACNBZD.exe	106
PID 116 wrote to memory of 1512	116	icsys.icn.exe	107
PID 116 wrote to memory of 1512	116	icsys.icn.exe	107
PID 116 wrote to memory of 1512	116	icsys.icn.exe	107
PID 3864 wrote to memory of 3132	3864	svchost.exe	114
PID 3864 wrote to memory of 3132	3864	svchost.exe	114
PID 3864 wrote to memory of 3132	3864	svchost.exe	114
PID 3864 wrote to memory of 3320	3864	svchost.exe	116
PID 3864 wrote to memory of 3320	3864	svchost.exe	116
PID 3864 wrote to memory of 3320	3864	svchost.exe	116
PID 2708 wrote to memory of 3740	2708	Generic Patch-Smeagol-TheRadziu-x64.exe	120
PID 2708 wrote to memory of 3740	2708	Generic Patch-Smeagol-TheRadziu-x64.exe	120
PID 2708 wrote to memory of 3740	2708	Generic Patch-Smeagol-TheRadziu-x64.exe	120
PID 2708 wrote to memory of 1596	2708	Generic Patch-Smeagol-TheRadziu-x64.exe	121
PID 2708 wrote to memory of 1596	2708	Generic Patch-Smeagol-TheRadziu-x64.exe	121
PID 2708 wrote to memory of 1596	2708	Generic Patch-Smeagol-TheRadziu-x64.exe	121
PID 1596 wrote to memory of 2212	1596	icsys.icn.exe	122
PID 1596 wrote to memory of 2212	1596	icsys.icn.exe	122
PID 1596 wrote to memory of 2212	1596	icsys.icn.exe	122
PID 3736 wrote to memory of 220	3736	Generic Patch-Smeagol-TheRadziu-x64.exe	124
PID 3736 wrote to memory of 220	3736	Generic Patch-Smeagol-TheRadziu-x64.exe	124
PID 3736 wrote to memory of 220	3736	Generic Patch-Smeagol-TheRadziu-x64.exe	124
PID 3736 wrote to memory of 1708	3736	Generic Patch-Smeagol-TheRadziu-x64.exe	125
PID 3736 wrote to memory of 1708	3736	Generic Patch-Smeagol-TheRadziu-x64.exe	125

C:\Users\Admin\AppData\Local\Temp\Generic Patch-Smeagol-TheRadziu-x64.exe
"C:\Users\Admin\AppData\Local\Temp\Generic Patch-Smeagol-TheRadziu-x64.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440
- \??\c:\users\admin\appdata\local\temp\generic patch-smeagol-theradziu-x64.exe
  "c:\users\admin\appdata\local\temp\generic patch-smeagol-theradziu-x64.exe "
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Users\Admin\AppData\Local\Temp\ACNBZD.exe
    "C:\Users\Admin\AppData\Local\Temp\ACNBZD.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - \??\c:\users\admin\appdata\local\temp\acnbzd.exe
      c:\users\admin\appdata\local\temp\acnbzd.exe
      4⤵
      Executes dropped EXE
      PID:2968
  - - C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:116
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOTDPN.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\S-1-5-19\Environment"
      4⤵
      PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn YKCJKD.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn YKCJKD.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
      4⤵
      Creates scheduled task(s)
      PID:3484
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3380
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4336
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3864
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1872
      - C:\Windows\SysWOW64\at.exe
        
        at 01:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:4584
      - C:\Windows\SysWOW64\at.exe
        
        at 01:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:3132
      - C:\Windows\SysWOW64\at.exe
        
        at 01:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:3320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2480

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4428

C:\Users\Admin\AppData\Local\Temp\Generic Patch-Smeagol-TheRadziu-x64.exe
"C:\Users\Admin\AppData\Local\Temp\Generic Patch-Smeagol-TheRadziu-x64.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708
- \??\c:\users\admin\appdata\local\temp\generic patch-smeagol-theradziu-x64.exe
  "c:\users\admin\appdata\local\temp\generic patch-smeagol-theradziu-x64.exe "
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1596
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2212

C:\Users\Admin\AppData\Local\Temp\Generic Patch-Smeagol-TheRadziu-x64.exe
"C:\Users\Admin\AppData\Local\Temp\Generic Patch-Smeagol-TheRadziu-x64.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3736
- \??\c:\users\admin\appdata\local\temp\generic patch-smeagol-theradziu-x64.exe
  "c:\users\admin\appdata\local\temp\generic patch-smeagol-theradziu-x64.exe "
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1708
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ACNBZD.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACNBZD.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OOTDPN.cmd

Filesize
1KB

MD5
15a1fe3d0f342bdd3232253c7810a05d

SHA1
b658e0d903b37bf12e8e640bece22f235552dc50

SHA256
4070dcb09b69ef57160fae0be5ee3664e39170eeacc46e6f50a080493552b338

SHA512
1961fc65a839c55806162a197385859cfe3a24551ab9b7e0121166eac5e5ae1a4a0d9180229d0ea0240dccb770e4c2d508577e60988c9271bb11f94de1897a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\acnbzd.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
C:\Users\Admin\AppData\Local\Temp\generic patch-smeagol-theradziu-x64.exe

Filesize
4.3MB

MD5
cbba62d63aae7cd63550c7d7ac45f92f

SHA1
637491329bc5e10fb5c760e740a9d02b95554ca6

SHA256
d37a0834bb841d0489cbf56348ab36838cd8a3146dbb790d53c2daef292f90c4

SHA512
5395bad560e9a6a0c042cd624d4e267b88652807a3e163528cb815f206c9bdf5ab90d239db9551564401460231532a146c52f4241ac6a738eb51ce8cd459f097

Download Submit
C:\Users\Admin\AppData\Local\Temp\generic patch-smeagol-theradziu-x64.exe

Filesize
4.3MB

MD5
cbba62d63aae7cd63550c7d7ac45f92f

SHA1
637491329bc5e10fb5c760e740a9d02b95554ca6

SHA256
d37a0834bb841d0489cbf56348ab36838cd8a3146dbb790d53c2daef292f90c4

SHA512
5395bad560e9a6a0c042cd624d4e267b88652807a3e163528cb815f206c9bdf5ab90d239db9551564401460231532a146c52f4241ac6a738eb51ce8cd459f097

Download Submit
C:\Users\Admin\AppData\Local\Temp\generic patch-smeagol-theradziu-x64.exe

Filesize
4.3MB

MD5
cbba62d63aae7cd63550c7d7ac45f92f

SHA1
637491329bc5e10fb5c760e740a9d02b95554ca6

SHA256
d37a0834bb841d0489cbf56348ab36838cd8a3146dbb790d53c2daef292f90c4

SHA512
5395bad560e9a6a0c042cd624d4e267b88652807a3e163528cb815f206c9bdf5ab90d239db9551564401460231532a146c52f4241ac6a738eb51ce8cd459f097

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
5eaf1796f67b4ae5cf1e4b3c8c72e9a4

SHA1
d722f04a61daa2fab3e9e5acbdc0ec8c4014c071

SHA256
2842e9853207ec091c4d2d03bcff6055ff75fcd76c7ef31a50b6b6387ca004c1

SHA512
669f4e977a2b78d7f31494381ffef2503f80ff542ea522cd4cba704f1a87891ddc70426237b13c182057e5600eb98cf23d3f38c0071d7c748f4b78c839b5076e

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
5eaf1796f67b4ae5cf1e4b3c8c72e9a4

SHA1
d722f04a61daa2fab3e9e5acbdc0ec8c4014c071

SHA256
2842e9853207ec091c4d2d03bcff6055ff75fcd76c7ef31a50b6b6387ca004c1

SHA512
669f4e977a2b78d7f31494381ffef2503f80ff542ea522cd4cba704f1a87891ddc70426237b13c182057e5600eb98cf23d3f38c0071d7c748f4b78c839b5076e

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
5eaf1796f67b4ae5cf1e4b3c8c72e9a4

SHA1
d722f04a61daa2fab3e9e5acbdc0ec8c4014c071

SHA256
2842e9853207ec091c4d2d03bcff6055ff75fcd76c7ef31a50b6b6387ca004c1

SHA512
669f4e977a2b78d7f31494381ffef2503f80ff542ea522cd4cba704f1a87891ddc70426237b13c182057e5600eb98cf23d3f38c0071d7c748f4b78c839b5076e

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
5eaf1796f67b4ae5cf1e4b3c8c72e9a4

SHA1
d722f04a61daa2fab3e9e5acbdc0ec8c4014c071

SHA256
2842e9853207ec091c4d2d03bcff6055ff75fcd76c7ef31a50b6b6387ca004c1

SHA512
669f4e977a2b78d7f31494381ffef2503f80ff542ea522cd4cba704f1a87891ddc70426237b13c182057e5600eb98cf23d3f38c0071d7c748f4b78c839b5076e

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
5eaf1796f67b4ae5cf1e4b3c8c72e9a4

SHA1
d722f04a61daa2fab3e9e5acbdc0ec8c4014c071

SHA256
2842e9853207ec091c4d2d03bcff6055ff75fcd76c7ef31a50b6b6387ca004c1

SHA512
669f4e977a2b78d7f31494381ffef2503f80ff542ea522cd4cba704f1a87891ddc70426237b13c182057e5600eb98cf23d3f38c0071d7c748f4b78c839b5076e

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
5eaf1796f67b4ae5cf1e4b3c8c72e9a4

SHA1
d722f04a61daa2fab3e9e5acbdc0ec8c4014c071

SHA256
2842e9853207ec091c4d2d03bcff6055ff75fcd76c7ef31a50b6b6387ca004c1

SHA512
669f4e977a2b78d7f31494381ffef2503f80ff542ea522cd4cba704f1a87891ddc70426237b13c182057e5600eb98cf23d3f38c0071d7c748f4b78c839b5076e

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe

Filesize
4.3MB

MD5
cbba62d63aae7cd63550c7d7ac45f92f

SHA1
637491329bc5e10fb5c760e740a9d02b95554ca6

SHA256
d37a0834bb841d0489cbf56348ab36838cd8a3146dbb790d53c2daef292f90c4

SHA512
5395bad560e9a6a0c042cd624d4e267b88652807a3e163528cb815f206c9bdf5ab90d239db9551564401460231532a146c52f4241ac6a738eb51ce8cd459f097

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
9b9b960f0635a845b0cd841ec29b76c9

SHA1
6525c6f61cb2dbc3882e4f24d34a9efb1bd9d072

SHA256
8257522f32a64f384c152822a72cc16e6868409a2fa79eefdaeb7a9add433435

SHA512
3fbd92ef194d31a2ec22c939b0d954ba26eefe91108b3344efb0a3de803d5683ce307a6ad1a79ff10d6751773f2a9269ea665773bf01f340c973b42efbc527e5

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
b8630aacb83443136514552487920661

SHA1
45c7b0bd791a54b538d4f3caed8ef36343f340d4

SHA256
08231d8dbcea5cd4d06a74891c671fbb57fabc8eda3d3bc0744f9e8fec360f65

SHA512
8b885e746d9d01ca7841afff2087f80d35279b0f6616dcb5d4ad61b87733d48a5fce87a29cfaee29c7a851acd6095fdce48b14e471d7cdb6cd8c9780d97cbc2b

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
b8630aacb83443136514552487920661

SHA1
45c7b0bd791a54b538d4f3caed8ef36343f340d4

SHA256
08231d8dbcea5cd4d06a74891c671fbb57fabc8eda3d3bc0744f9e8fec360f65

SHA512
8b885e746d9d01ca7841afff2087f80d35279b0f6616dcb5d4ad61b87733d48a5fce87a29cfaee29c7a851acd6095fdce48b14e471d7cdb6cd8c9780d97cbc2b

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
b8630aacb83443136514552487920661

SHA1
45c7b0bd791a54b538d4f3caed8ef36343f340d4

SHA256
08231d8dbcea5cd4d06a74891c671fbb57fabc8eda3d3bc0744f9e8fec360f65

SHA512
8b885e746d9d01ca7841afff2087f80d35279b0f6616dcb5d4ad61b87733d48a5fce87a29cfaee29c7a851acd6095fdce48b14e471d7cdb6cd8c9780d97cbc2b

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
b8630aacb83443136514552487920661

SHA1
45c7b0bd791a54b538d4f3caed8ef36343f340d4

SHA256
08231d8dbcea5cd4d06a74891c671fbb57fabc8eda3d3bc0744f9e8fec360f65

SHA512
8b885e746d9d01ca7841afff2087f80d35279b0f6616dcb5d4ad61b87733d48a5fce87a29cfaee29c7a851acd6095fdce48b14e471d7cdb6cd8c9780d97cbc2b

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
b8630aacb83443136514552487920661

SHA1
45c7b0bd791a54b538d4f3caed8ef36343f340d4

SHA256
08231d8dbcea5cd4d06a74891c671fbb57fabc8eda3d3bc0744f9e8fec360f65

SHA512
8b885e746d9d01ca7841afff2087f80d35279b0f6616dcb5d4ad61b87733d48a5fce87a29cfaee29c7a851acd6095fdce48b14e471d7cdb6cd8c9780d97cbc2b

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
509400908222b09054a02f04afc681b6

SHA1
369686379574720bbb74aececfe888d9f941cd76

SHA256
3a28c3616e8950f3f2d55c3ef35b03207dfca02acc628b3f2257300d57e3ab65

SHA512
5dcc60e224359d33c82f5497098ce27ce3b75d64a3dc118a2e9a5e7d548cda09d72e893ba47a0fb748dfc986b38355963a3f89a6505263f53a1b4b793e0d5ba0

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
509400908222b09054a02f04afc681b6

SHA1
369686379574720bbb74aececfe888d9f941cd76

SHA256
3a28c3616e8950f3f2d55c3ef35b03207dfca02acc628b3f2257300d57e3ab65

SHA512
5dcc60e224359d33c82f5497098ce27ce3b75d64a3dc118a2e9a5e7d548cda09d72e893ba47a0fb748dfc986b38355963a3f89a6505263f53a1b4b793e0d5ba0

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
c8d75aadb0c3c98b4ec98d2549c35fd1

SHA1
af6e6529beb637c7530ab802b2f51ac17e40b132

SHA256
027ab829b9e16222f1968492df48d988117ffafad9f6074353c817677b862151

SHA512
06fd7ff41642ff976571615a79ca55d42925b607ae704ea758c6360e89a9ce5728c6eeaeee0a28587f1e285a24cfb82c2e3fd841d4c574dfa93261e7bf477424

Download Submit
\??\c:\users\admin\appdata\local\icsys.icn.exe

Filesize
206KB

MD5
5eaf1796f67b4ae5cf1e4b3c8c72e9a4

SHA1
d722f04a61daa2fab3e9e5acbdc0ec8c4014c071

SHA256
2842e9853207ec091c4d2d03bcff6055ff75fcd76c7ef31a50b6b6387ca004c1

SHA512
669f4e977a2b78d7f31494381ffef2503f80ff542ea522cd4cba704f1a87891ddc70426237b13c182057e5600eb98cf23d3f38c0071d7c748f4b78c839b5076e

Download Submit
\??\c:\users\admin\appdata\local\temp\acnbzd.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
\??\c:\users\admin\appdata\local\temp\generic patch-smeagol-theradziu-x64.exe

Filesize
4.3MB

MD5
cbba62d63aae7cd63550c7d7ac45f92f

SHA1
637491329bc5e10fb5c760e740a9d02b95554ca6

SHA256
d37a0834bb841d0489cbf56348ab36838cd8a3146dbb790d53c2daef292f90c4

SHA512
5395bad560e9a6a0c042cd624d4e267b88652807a3e163528cb815f206c9bdf5ab90d239db9551564401460231532a146c52f4241ac6a738eb51ce8cd459f097

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
206KB

MD5
b8630aacb83443136514552487920661

SHA1
45c7b0bd791a54b538d4f3caed8ef36343f340d4

SHA256
08231d8dbcea5cd4d06a74891c671fbb57fabc8eda3d3bc0744f9e8fec360f65

SHA512
8b885e746d9d01ca7841afff2087f80d35279b0f6616dcb5d4ad61b87733d48a5fce87a29cfaee29c7a851acd6095fdce48b14e471d7cdb6cd8c9780d97cbc2b

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
206KB

MD5
509400908222b09054a02f04afc681b6

SHA1
369686379574720bbb74aececfe888d9f941cd76

SHA256
3a28c3616e8950f3f2d55c3ef35b03207dfca02acc628b3f2257300d57e3ab65

SHA512
5dcc60e224359d33c82f5497098ce27ce3b75d64a3dc118a2e9a5e7d548cda09d72e893ba47a0fb748dfc986b38355963a3f89a6505263f53a1b4b793e0d5ba0

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
206KB

MD5
c8d75aadb0c3c98b4ec98d2549c35fd1

SHA1
af6e6529beb637c7530ab802b2f51ac17e40b132

SHA256
027ab829b9e16222f1968492df48d988117ffafad9f6074353c817677b862151

SHA512
06fd7ff41642ff976571615a79ca55d42925b607ae704ea758c6360e89a9ce5728c6eeaeee0a28587f1e285a24cfb82c2e3fd841d4c574dfa93261e7bf477424

Download Submit
memory/116-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-75-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1872-69-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2212-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-76-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3864-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-74-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-108-0x0000016F0A180000-0x0000016F0A181000-memory.dmp

Filesize
4KB

Download
memory/4428-113-0x0000016F0A180000-0x0000016F0A181000-memory.dmp

Filesize
4KB

Download
memory/4428-112-0x0000016F0A180000-0x0000016F0A181000-memory.dmp

Filesize
4KB

Download
memory/4428-111-0x0000016F0A180000-0x0000016F0A181000-memory.dmp

Filesize
4KB

Download
memory/4428-109-0x0000016F0A180000-0x0000016F0A181000-memory.dmp

Filesize
4KB

Download
memory/4428-110-0x0000016F0A180000-0x0000016F0A181000-memory.dmp

Filesize
4KB

Download
memory/4428-107-0x0000016F0A180000-0x0000016F0A181000-memory.dmp

Filesize
4KB

Download
memory/4428-102-0x0000016F0A180000-0x0000016F0A181000-memory.dmp

Filesize
4KB

Download
memory/4428-103-0x0000016F0A180000-0x0000016F0A181000-memory.dmp

Filesize
4KB

Download
memory/4428-101-0x0000016F0A180000-0x0000016F0A181000-memory.dmp

Filesize
4KB

Download
memory/4608-147-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download