glupteba | 861bc492e059dd01b309812ef24197e64ce23c32dcb09af887cffab4399bde1c

Analysis

max time kernel
73s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe
Size

2.0MB
MD5

72fb4b278b6a9927a7d8a7801e5bb672
SHA1

7c27b347c171974bc21697165177c93717b8fc30
SHA256

7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59
SHA512

49c752c3773b998e7ecce4d2acbcfe769c0e6ae0b2661e99085614982a840ad15c682344c4554478bfe6f9ed6fa9e5dc7d8cfd122db6e69b7ecd6de1398adf38
SSDEEP

49152:qL8Zj+zbbJ+ejFvwvHw+SKZDH/CQesuengxRztOQxHAfS:rj+n1+e2o9WCkNnYFtOQxH8

Score

10^/10

glupteba lumma redline smokeloader stealc 777 up3 backdoor collection discovery dropper evasion infostealer loader persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

stealc

http://5.42.66.58

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

777

195.20.16.103:20440

Signatures

Detect Lumma Stealer payload V4 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1808-99-0x0000000002500000-0x000000000257C000-memory.dmp	family_lumma_v4
behavioral2/memory/1808-100-0x0000000000400000-0x0000000000892000-memory.dmp	family_lumma_v4
behavioral2/memory/1808-101-0x0000000000400000-0x0000000000892000-memory.dmp	family_lumma_v4
behavioral2/memory/1808-102-0x0000000002500000-0x000000000257C000-memory.dmp	family_lumma_v4

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3212-193-0x0000000002EF0000-0x00000000037DB000-memory.dmp	family_glupteba
behavioral2/memory/3212-261-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3212-426-0x0000000002EF0000-0x00000000037DB000-memory.dmp	family_glupteba
behavioral2/memory/3212-500-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1464-750-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2016 netsh.exe
Drops startup file 1 IoCs

Processes:

4IQ909YE.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 4IQ909YE.exe
Executes dropped EXE 6 IoCs

Processes:

Jl8SY93.exe4IQ909YE.exe6iK5kO2.exe7bL8aq67.exe47F1.exe5F72.exe

pid process

2044 Jl8SY93.exe
2056 4IQ909YE.exe
1808 6iK5kO2.exe
628 7bL8aq67.exe
1788 47F1.exe
4324 5F72.exe
Loads dropped DLL 1 IoCs

Processes:

4IQ909YE.exe

pid process

2056 4IQ909YE.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2116 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2016	netsh.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	4IQ909YE.exe

pid	process
2044	Jl8SY93.exe
2056	4IQ909YE.exe
1808	6iK5kO2.exe
628	7bL8aq67.exe
1788	47F1.exe
4324	5F72.exe

pid	process
2116	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

4IQ909YE.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4IQ909YE.exe
Key opened	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4IQ909YE.exe
Key opened	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4IQ909YE.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4IQ909YE.exe7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exeJl8SY93.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	4IQ909YE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Jl8SY93.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 ipinfo.io
70 api.ipify.org
25 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

4IQ909YE.exe

pid process

2056 4IQ909YE.exe
2056 4IQ909YE.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4168 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
26	ipinfo.io
70	api.ipify.org
25	ipinfo.io

pid	process
4168	sc.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1052	2056	WerFault.exe	4IQ909YE.exe
1932	1808	WerFault.exe	6iK5kO2.exe
4156	3160	WerFault.exe	toolspub2.exe
3328	3332	WerFault.exe	E82E.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7bL8aq67.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7bL8aq67.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7bL8aq67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7bL8aq67.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3244 schtasks.exe
4324 schtasks.exe
3248 schtasks.exe
1912 schtasks.exe
Runs net.exe

pid	process
3244	schtasks.exe
4324	schtasks.exe
3248	schtasks.exe
1912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4IQ909YE.exe7bL8aq67.exe

pid	process
2056	4IQ909YE.exe
2056	4IQ909YE.exe
628	7bL8aq67.exe
628	7bL8aq67.exe
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

7bL8aq67.exe

pid process

628 7bL8aq67.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4IQ909YE.exe

description pid process

Token: SeDebugPrivilege 2056 4IQ909YE.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

4IQ909YE.exe

pid process

2056 4IQ909YE.exe

pid	process
628	7bL8aq67.exe

description	pid	process
Token: SeDebugPrivilege	2056	4IQ909YE.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exeJl8SY93.exe4IQ909YE.execmd.execmd.exe

description	pid	process	target process
PID 1436 wrote to memory of 2044	1436	7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe	Jl8SY93.exe
PID 1436 wrote to memory of 2044	1436	7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe	Jl8SY93.exe
PID 1436 wrote to memory of 2044	1436	7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe	Jl8SY93.exe
PID 2044 wrote to memory of 2056	2044	Jl8SY93.exe	4IQ909YE.exe
PID 2044 wrote to memory of 2056	2044	Jl8SY93.exe	4IQ909YE.exe
PID 2044 wrote to memory of 2056	2044	Jl8SY93.exe	4IQ909YE.exe
PID 2056 wrote to memory of 5108	2056	4IQ909YE.exe	cmd.exe
PID 2056 wrote to memory of 5108	2056	4IQ909YE.exe	cmd.exe
PID 2056 wrote to memory of 5108	2056	4IQ909YE.exe	cmd.exe
PID 5108 wrote to memory of 3248	5108	cmd.exe	schtasks.exe
PID 5108 wrote to memory of 3248	5108	cmd.exe	schtasks.exe
PID 5108 wrote to memory of 3248	5108	cmd.exe	schtasks.exe
PID 2056 wrote to memory of 116	2056	4IQ909YE.exe	cmd.exe
PID 2056 wrote to memory of 116	2056	4IQ909YE.exe	cmd.exe
PID 2056 wrote to memory of 116	2056	4IQ909YE.exe	cmd.exe
PID 116 wrote to memory of 1912	116	cmd.exe	schtasks.exe
PID 116 wrote to memory of 1912	116	cmd.exe	schtasks.exe
PID 116 wrote to memory of 1912	116	cmd.exe	schtasks.exe
PID 2044 wrote to memory of 1808	2044	Jl8SY93.exe	6iK5kO2.exe
PID 2044 wrote to memory of 1808	2044	Jl8SY93.exe	6iK5kO2.exe
PID 2044 wrote to memory of 1808	2044	Jl8SY93.exe	6iK5kO2.exe
PID 1436 wrote to memory of 628	1436	7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe	7bL8aq67.exe
PID 1436 wrote to memory of 628	1436	7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe	7bL8aq67.exe
PID 1436 wrote to memory of 628	1436	7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe	7bL8aq67.exe
PID 3384 wrote to memory of 1788	3384		47F1.exe
PID 3384 wrote to memory of 1788	3384		47F1.exe
PID 3384 wrote to memory of 1788	3384		47F1.exe
PID 3384 wrote to memory of 4324	3384		5F72.exe
PID 3384 wrote to memory of 4324	3384		5F72.exe
PID 3384 wrote to memory of 4324	3384		5F72.exe

outlook_office_path 1 IoCs

Processes:

4IQ909YE.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4IQ909YE.exe

outlook_win_path 1 IoCs

Processes:

4IQ909YE.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4IQ909YE.exe

C:\Users\Admin\AppData\Local\Temp\7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe
"C:\Users\Admin\AppData\Local\Temp\7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jl8SY93.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jl8SY93.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4IQ909YE.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4IQ909YE.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2056

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
4⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:3248

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 3000
4⤵
- Program crash
PID:1052

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6iK5kO2.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6iK5kO2.exe
3⤵
- Executes dropped EXE
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 1004
4⤵
- Program crash
PID:1932

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7bL8aq67.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7bL8aq67.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2056 -ip 2056
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1808 -ip 1808
1⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\47F1.exe
C:\Users\Admin\AppData\Local\Temp\47F1.exe
1⤵
- Executes dropped EXE
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:1464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\5F72.exe
C:\Users\Admin\AppData\Local\Temp\5F72.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
2⤵
PID:348

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 328
4⤵
- Program crash
PID:4156

C:\Users\Admin\AppData\Local\Temp\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
2⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\is-BQ5F5.tmp\tuc4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BQ5F5.tmp\tuc4.tmp" /SL5="$5005A,7884275,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
3⤵
PID:1832

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 23
4⤵
PID:1900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 23
5⤵
PID:528

C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -i
4⤵
PID:3244

C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -s
4⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\etopt.exe
"C:\Users\Admin\AppData\Local\Temp\etopt.exe"
2⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
PID:1336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:4612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2468

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
PID:4316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:2800

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:1376

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:3244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:1484

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4324

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
2⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\nsw6DEB.tmp.exe
C:\Users\Admin\AppData\Local\Temp\nsw6DEB.tmp.exe
3⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
1⤵
PID:3256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3160 -ip 3160
1⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\7D0D.exe
C:\Users\Admin\AppData\Local\Temp\7D0D.exe
1⤵
PID:3896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1256

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C90B.bat" "
1⤵
PID:3200

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2168

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
1⤵
PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CBBB.bat" "
1⤵
PID:4580

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4936

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
PID:4168

C:\Users\Admin\AppData\Local\Temp\E82E.exe
C:\Users\Admin\AppData\Local\Temp\E82E.exe
1⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\E82E.exe
C:\Users\Admin\AppData\Local\Temp\E82E.exe
2⤵
PID:2148

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e9125904-2448-459a-978c-32813e5e414a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2116

C:\Users\Admin\AppData\Local\Temp\E82E.exe
"C:\Users\Admin\AppData\Local\Temp\E82E.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\E82E.exe
"C:\Users\Admin\AppData\Local\Temp\E82E.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 568
5⤵
- Program crash
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3332 -ip 3332
1⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\2864.exe
C:\Users\Admin\AppData\Local\Temp\2864.exe
1⤵
PID:808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\3C2C.exe
C:\Users\Admin\AppData\Local\Temp\3C2C.exe
1⤵
PID:4196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
1.4MB

MD5
ba6ba144d6fa913727236a0e0d7e358f

SHA1
98784bdc93dc247480eedb5c54e87a3de3b64ffa

SHA256
13967392184076eb7684a76d90b7c8f5f28645e8e1ba78eb72e821811a8d0417

SHA512
3eade887ba8822f46948d1ca3515a5d22935a4b14355a89a2e627a3a52932589e09b404f6e9ef6a6312a7594be5b7eb609ed24e8976fdb9320332afccfc55bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
92KB

MD5
30ecdc165ace5b70f8a22d92adb18c3f

SHA1
c67d61ad12c1be5f054d3d77dc64b9086edb48ca

SHA256
35743c2d007d7764c122dfa756505f3c26cf679c865de58ec7e2f5b9b8a0282b

SHA512
152726f17bbe62d0767267d48d81a15131d54b998b29ebbcb651e2395639ff392135f773fd39950d75e30d3843ddce8118c7388a9df355be30cb359f505dbe74

Download Submit
C:\Users\Admin\AppData\Local\Temp\47F1.exe
Filesize
2.1MB

MD5
dd818f1485af9cfa3d74e9670c50d38e

SHA1
47919fc40db965174fc0acd766a7c4c19beb7fcf

SHA256
ed4e6f0d2337e7b1072ef53e0050ce84b0cc462499133acbd79e7dd2daab000c

SHA512
951f409127eea9f6d82c648cfd9610b6b90ee2067999ce7e1fc7d8520ba1d37ccc7ab1bf2a2e4e62b34c6eb37e40164267d3570be1e3a4856f2ad3a1df1b68c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\47F1.exe
Filesize
1.5MB

MD5
d98ad0014ca1be4ca0d85050f290dbec

SHA1
e4f00b24c1e7f78f4430b84732bc0a5c3a0df8bb

SHA256
bdac8abcea52c465c9d1b47bc283ccd7b5b083c218d952110c9f0d021e464f44

SHA512
2cefce7cd10579ca87b622a162ab6353c8a623b133912195db40d3ba42aa07f8803717619112156c77beeca6eb4aa049b7ff07fa0dd1c8a7466dc4084b054c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F72.exe
Filesize
2.5MB

MD5
eea20494fcf67e4d95d38e63269530ac

SHA1
38e0a8f4162289440d6eb95aa884b93862790ab9

SHA256
b8705493926787134ba5b133a375cc31141b46918777f9105b6e166eddef2034

SHA512
988e820ae39edf07f1f8884f5c5a7f786ece73c368832eb546856091ad132a8e8a1ea15fc26ee9476d116e992c0a08a7662560a65b04e38fc7311784f7cb1538

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F72.exe
Filesize
1.4MB

MD5
29ad4bbb6878e4ae9e86f96d787a4d2a

SHA1
43491d5fb05dcafefbb7ec33fe3215f66aa02eb7

SHA256
c0c3357f225ecf38bd77980dda3cfd617cdcc8b7580d67ddc18953378b1e2839

SHA512
73df42acefcd66ed5c3324c6a3c831d02531202e5e943a280e36a83cb56f7c1679e01966f1fcffc7407db089a050f2cde5bae61826821f6d51ec9a61c446b6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7bL8aq67.exe
Filesize
38KB

MD5
8e747912a78fe6a52557bbb1c9460b7f

SHA1
adf272c9ab78d35ed95e1ca9ade5bcb6e7d6282c

SHA256
d53e2a9fce4b9994f4f6daccf4887fac0fcb2964d3d7575ec4829006bafa3ff5

SHA512
cabfc048aa9e072326070bc10a044b794ababd7613d57ff797123bd05f54d08b04913d6f23f3283b6d6731d8baa30cba9d8ac0d9d6f1cc41f3ba88a64ac5f2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jl8SY93.exe
Filesize
1.9MB

MD5
cee5de19d672a855630b8ad8019d5e60

SHA1
39c084e2901d3aeddab3aaf51947557a234014fc

SHA256
ef4d5dd82c521bfe741b0782bb9f32081a518a485e5cf06ef67e108caa0c57fe

SHA512
04a4238bec8d5ff4ea080bef0df60da398087dd72c982b165f585c8f47519a632ef582a2ec91283469fc586b97ae100c7fe13c067d1357dff01ecad0074386e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4IQ909YE.exe
Filesize
1.5MB

MD5
c2111e61e7ba399ef043c265c4215de2

SHA1
a7c1289cf1e2ae758d8c1ef409a9b4b8a468da1a

SHA256
606bc55fad2b4b1ec117c8df11571f153ac95736e6fcfa8dd8874d88eaa1a48b

SHA512
9f972eb5a7725507cef4d8a597d2872466a0883ef58d3c2cf1f5e59379129e9531978c73d1cf07ad47d7877f874af8486e182778b1d3acfbebba60bfb21509de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6iK5kO2.exe
Filesize
448KB

MD5
700a9938d0fcff91df12cbefe7435c88

SHA1
f1f661f00b19007a5355a982677761e5cf14a2c4

SHA256
946583a0803167de24c7c0d768fe49546108e43500a1c2c838e7e0560addc818

SHA512
7fa6b52d10bcfc56ac4a43eda11ae107347ba302cc5a29c446b2d4a3f93425db486ed24a496a8acd87d98d9cfb8cad6505eb0d8d5d509bc323427b6931c8fff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
833KB

MD5
10310214edbf3f8903ad96e0d954ab4c

SHA1
c1a17833aa8f2735528bf32656740c8e69817d0a

SHA256
04437bcf560930e7cd08bdfd8278d53873f531c85f507210b0b1c25d40c4242f

SHA512
938fda85cdfa61c92c2923012fab91a21f5dc19a92b48e3c8bb0b7897066c96499ac0e5c440d9830c889e5488d4468670498f63d3aa2aaecdf8340e43f123724

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
2.2MB

MD5
31f42479194700f598c22ea83fa196c1

SHA1
0552ca7766283d7add7c06312ecb5e858d3a2ea0

SHA256
098b76a1d654efe963b1d6167dc77d34627b8488d742c49bfb70e8d70b1755a7

SHA512
afc83e94dc92453312a4d24193b0d3c17cf37644a5cf25b2c934f27d58968c41a5b176de12c2c5c5c8c1d2fbdb57d235a5073fe304f6b12e11a40e2cb52ee836

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
92KB

MD5
3d4e9c6b7c72ef640574cec0a0d63437

SHA1
ae6b23512affb5f2cfbcb81b46c5d6bc0cf0d533

SHA256
f43588d137f5daf9aac7e1ec4670217854c6849056522621a641f9cdbb2c0877

SHA512
0d3b49e38c64f3ed9a6a14b4940f4e6746cd3e69cf2020f14a676ec99cf4d62256d291a1648e9c43ec4f88dd218ca34df1522dd0174ad873016a6033a48d3e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSUkvRHym8zk4r\RhQG2vzypzU8Web Data
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSUkvRHym8zk4r\juZEOqvYBehrWeb Data
Filesize
92KB

MD5
02687bdd724237480b7a9065aa27a3ce

SHA1
585f0b1772fdab19ff1c669ff71cb33ed4e5589c

SHA256
9a535a05e405b789e9fdaf7eaf38e8673e4d0a8bd83768e72992282a69327d89

SHA512
f8ce4f6ad7211cbd17ba0cb574ac8f292727709479e059f4429a818d3b74dbe75d6e6f8cb5576b6bc7e3c1bd0b471127f0ddb38e816fad8aa44a77c15de7e6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSUkvRHym8zk4r\sqlite3.dll
Filesize
791KB

MD5
0fe0a178f711b623a8897e4b0bb040d1

SHA1
01ea412aeab3d331f825d93d7ee1f5fa6d3c46e6

SHA256
0c7cd52abdb6eb3e556d81caac398a127495e4a251ef600e6505a81385a1982d

SHA512
6c53c489c4464b9dc9a5dd31c48bb4afa65f7d6df9cc71e705cea2074ebd5e249cad4894eac6f6b308b3574633bc6e1706dfc5fda5f46c27f1e37d21e65fbc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
283KB

MD5
2d24e3baa2a16e47bee10e91381e6391

SHA1
013b59b2cd69e93694196dfb34fddc8684cfd619

SHA256
ff2e975c649d66476c48ac9fe64455eb0727fede676d000728d09d62d2dc6db4

SHA512
be515895b29390e1c9c44620f7b18c8ae57d08627b8bbf7484b551ccf079011f95baa78e71c1a2a6280b544dd06444b509b7c9ba126b525d813afd68010b03e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
92KB

MD5
34a8ce442674425ae01d01e7f4c88bcb

SHA1
d7d30970aa75ce1271402a0adae465fe1f9995c9

SHA256
7a084687df35c670ce06698e719664a55198c43660d47fc8fb16afda7ac59062

SHA512
9ddecb5b6827a1aff9682cc442d03a9a711dadf2325a4e3044eb3e8b3b465f0bfbf61b916408da1cc84585185c2794a80d1c636a7646441ed2f104fea6386ea3

Download Submit
memory/348-173-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/348-171-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/628-106-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/628-108-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/744-178-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/744-399-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/940-294-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/940-282-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/940-331-0x0000000004340000-0x0000000004F68000-memory.dmp

Filesize
12.2MB

Download
memory/940-349-0x0000000003080000-0x00000000030BA000-memory.dmp

Filesize
232KB

Download
memory/1028-401-0x00000000009B0000-0x00000000009CC000-memory.dmp

Filesize
112KB

Download
memory/1028-605-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/1028-400-0x0000000000BB0000-0x0000000000CB0000-memory.dmp

Filesize
1024KB

Download
memory/1028-528-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1028-402-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/1256-449-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1256-452-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1336-682-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1464-750-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1788-117-0x0000000004DD0000-0x0000000004E6C000-memory.dmp

Filesize
624KB

Download
memory/1788-116-0x00000000000F0000-0x00000000004B6000-memory.dmp

Filesize
3.8MB

Download
memory/1788-115-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/1788-211-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/1808-100-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/1808-101-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/1808-98-0x0000000000B20000-0x0000000000C20000-memory.dmp

Filesize
1024KB

Download
memory/1808-99-0x0000000002500000-0x000000000257C000-memory.dmp

Filesize
496KB

Download
memory/1808-102-0x0000000002500000-0x000000000257C000-memory.dmp

Filesize
496KB

Download
memory/1832-283-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1832-502-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2056-93-0x0000000000920000-0x0000000000D7E000-memory.dmp

Filesize
4.4MB

Download
memory/2056-30-0x000000000B300000-0x000000000B654000-memory.dmp

Filesize
3.3MB

Download
memory/2056-85-0x000000000AC80000-0x000000000ACE6000-memory.dmp

Filesize
408KB

Download
memory/2056-29-0x000000000AB80000-0x000000000AB9E000-memory.dmp

Filesize
120KB

Download
memory/2056-16-0x0000000008F10000-0x0000000008F86000-memory.dmp

Filesize
472KB

Download
memory/2056-15-0x0000000000920000-0x0000000000D7E000-memory.dmp

Filesize
4.4MB

Download
memory/2056-14-0x0000000000920000-0x0000000000D7E000-memory.dmp

Filesize
4.4MB

Download
memory/2464-364-0x0000000004B50000-0x0000000004B86000-memory.dmp

Filesize
216KB

Download
memory/2464-424-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2464-385-0x0000000005C20000-0x0000000005F74000-memory.dmp

Filesize
3.3MB

Download
memory/2464-372-0x0000000005290000-0x00000000058B8000-memory.dmp

Filesize
6.2MB

Download
memory/2464-386-0x0000000006120000-0x000000000613E000-memory.dmp

Filesize
120KB

Download
memory/2464-387-0x00000000061E0000-0x000000000622C000-memory.dmp

Filesize
304KB

Download
memory/2464-375-0x0000000005A40000-0x0000000005AA6000-memory.dmp

Filesize
408KB

Download
memory/2464-365-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/2464-374-0x0000000005250000-0x0000000005272000-memory.dmp

Filesize
136KB

Download
memory/2464-373-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2464-391-0x00000000072A0000-0x00000000072E4000-memory.dmp

Filesize
272KB

Download
memory/2464-370-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2464-437-0x00000000078B0000-0x00000000078B8000-memory.dmp

Filesize
32KB

Download
memory/2464-436-0x0000000007960000-0x000000000797A000-memory.dmp

Filesize
104KB

Download
memory/2464-403-0x0000000007B40000-0x00000000081BA000-memory.dmp

Filesize
6.5MB

Download
memory/2464-404-0x00000000074F0000-0x000000000750A000-memory.dmp

Filesize
104KB

Download
memory/2464-435-0x0000000007870000-0x0000000007884000-memory.dmp

Filesize
80KB

Download
memory/2464-405-0x00000000076B0000-0x00000000076E2000-memory.dmp

Filesize
200KB

Download
memory/2464-407-0x00000000717E0000-0x000000007182C000-memory.dmp

Filesize
304KB

Download
memory/2464-419-0x00000000076F0000-0x000000000770E000-memory.dmp

Filesize
120KB

Download
memory/2464-406-0x000000007F0D0000-0x000000007F0E0000-memory.dmp

Filesize
64KB

Download
memory/2464-434-0x0000000007860000-0x000000000786E000-memory.dmp

Filesize
56KB

Download
memory/2464-425-0x0000000007800000-0x000000000780A000-memory.dmp

Filesize
40KB

Download
memory/2464-427-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2464-409-0x0000000070C30000-0x0000000070F84000-memory.dmp

Filesize
3.3MB

Download
memory/2464-428-0x00000000078C0000-0x0000000007956000-memory.dmp

Filesize
600KB

Download
memory/2464-429-0x0000000007820000-0x0000000007831000-memory.dmp

Filesize
68KB

Download
memory/2464-423-0x0000000007710000-0x00000000077B3000-memory.dmp

Filesize
652KB

Download
memory/3160-432-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3160-181-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3160-176-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3212-421-0x0000000002AF0000-0x0000000002EEC000-memory.dmp

Filesize
4.0MB

Download
memory/3212-261-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3212-193-0x0000000002EF0000-0x00000000037DB000-memory.dmp

Filesize
8.9MB

Download
memory/3212-189-0x0000000002AF0000-0x0000000002EEC000-memory.dmp

Filesize
4.0MB

Download
memory/3212-426-0x0000000002EF0000-0x00000000037DB000-memory.dmp

Filesize
8.9MB

Download
memory/3212-500-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3244-459-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3244-446-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3256-499-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/3256-161-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3256-371-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3384-107-0x0000000003250000-0x0000000003266000-memory.dmp

Filesize
88KB

Download
memory/3384-408-0x0000000007D90000-0x0000000007DA6000-memory.dmp

Filesize
88KB

Download
memory/3896-450-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/3896-444-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/4324-123-0x0000000000E20000-0x00000000020FE000-memory.dmp

Filesize
18.9MB

Download
memory/4324-122-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/4324-249-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/4812-680-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download