glupteba | 41d04caed8474ba34136c1e831cd345086a4fd4259557ec16f9c4cc99fb603cb

Analysis

max time kernel
142s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf0cbdb53bbd724bb231f0b6958edfc4.exe
Size

38KB
MD5

bf0cbdb53bbd724bb231f0b6958edfc4
SHA1

d825f3d47987356477f6a1d916a0e34cb581ecc5
SHA256

41d04caed8474ba34136c1e831cd345086a4fd4259557ec16f9c4cc99fb603cb
SHA512

5073f5f04c954de70247254e1983939c330fa95f11e1d36f615f52a9649e77f8ffa93269ba19b7a734f4528ad5907b3e960414a54ee442dd1e1a70365af1358e
SSDEEP

768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3

Score

10^/10

glupteba redline smokeloader stealc zgrat 777 up3 backdoor dropper infostealer loader persistence rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

stealc

http://5.42.66.58

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

redline

Botnet

777

195.20.16.103:20440

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8CD7.exe	family_zgrat_v1
behavioral2/memory/1196-26-0x0000000000A80000-0x0000000000B14000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4376-122-0x0000000002E60000-0x000000000374B000-memory.dmp	family_glupteba
behavioral2/memory/4376-133-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4376-196-0x0000000002E60000-0x000000000374B000-memory.dmp	family_glupteba
behavioral2/memory/4376-197-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4376-540-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4376-592-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4520-555-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

8005.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation 8005.exe
Deletes itself 1 IoCs

Processes:

pid process

3532

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	8005.exe

pid	process
3532

Executes dropped EXE 12 IoCs

Processes:

16CA.exe8005.exe8CD7.exeInstallSetup8.exetoolspub2.exe31839b57a4f11171d6abc8bbc4451ee4.exetuc4.exetoolspub2.exeetopt.exeBroomSetup.exetuc4.tmpnsfDC30.tmp.exe

pid	process
2696	16CA.exe
3904	8005.exe
1196	8CD7.exe
4536	InstallSetup8.exe
1448	toolspub2.exe
4376	31839b57a4f11171d6abc8bbc4451ee4.exe
1468	tuc4.exe
3332	toolspub2.exe
1044	etopt.exe
324	BroomSetup.exe
3816	tuc4.tmp
2016	nsfDC30.tmp.exe

Loads dropped DLL 9 IoCs

Processes:

etopt.exeInstallSetup8.exetuc4.tmp16CA.exe

pid process

1044 etopt.exe
4536 InstallSetup8.exe
1044 etopt.exe
4536 InstallSetup8.exe
3816 tuc4.tmp
3816 tuc4.tmp
3816 tuc4.tmp
4536 InstallSetup8.exe
2696 16CA.exe

pid	process
1044	etopt.exe
4536	InstallSetup8.exe
1044	etopt.exe
4536	InstallSetup8.exe
3816	tuc4.tmp
3816	tuc4.tmp
3816	tuc4.tmp
4536	InstallSetup8.exe
2696	16CA.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

etopt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FE48382-0295-0EC3-52B8-1A26E9EF2DAC}\InProcServer32	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{1FE48382-0295-0EC3-52B8-1A26E9EF2DAC}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EE48382-0295-0EC3-52B8-1A26E9EF2DAC}\InProcServer32	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{2EE48382-0295-0EC3-52B8-1A26E9EF2DAC}\InProcServer32	etopt.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

102 api.ipify.org

flow	ioc
102	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

8CD7.exetoolspub2.exe

description	pid	process	target process
PID 1196 set thread context of 2352	1196	8CD7.exe	RegAsm.exe
PID 1448 set thread context of 3332	1448	toolspub2.exe	toolspub2.exe

Drops file in Program Files directory 64 IoCs

Processes:

etopt.exetuc4.tmp

description	ioc	process
File created	C:\Program Files (x86)\ClocX\Presets\BallClockAqua.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallRoman.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Comdex - Omega1.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueSphere.png	etopt.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\CalendarExt.dll	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\BigBen.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlackAppleClock.bmp	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Casio.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Svenska.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Alte Standuhr.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Apple.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\AquaMade.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\BaiWeather.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockRed.bmp	etopt.exe
File created	C:\Program Files (x86)\ClocX\BackupAlarms.bat	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueAppleClock.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockAmber.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlackBallRoman.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallRoman.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\BubbleClock.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\DarkCrystalBall.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallStd.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\CarpeDiem.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Japanese.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Russian.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Suomi.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Cappuccino.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Earth2.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Deutsch.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Romanian.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Bahnhofsuhr.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\CarpeDiem.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\DSX4.BMP	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Bulgarian.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Hebrew.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Srpski.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Traditional_Chinese.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Alte Standuhr.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Bosanski.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\AquaLarge.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Estonian.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Korean.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Aqua_Apple_Clock.bmp	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Blue_sphere.bmp	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\CloQ.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\DSX4.TXT	etopt.exe
File created	C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Danish.lng	etopt.exe
File created	C:\Program Files (x86)\DataPumpCRT\unins000.dat	tuc4.tmp
File created	C:\Program Files (x86)\ClocX\Presets\BallClockIce.bmp	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Slovak.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockRed.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Casio.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Afrikaans.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Turkce.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Comdex - Omega1.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Espanol.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Italiano.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Nederlands.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Ukrainian.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\AquaB.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Czech.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallOnlyDots.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Indonesian.lng	etopt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bf0cbdb53bbd724bb231f0b6958edfc4.exetoolspub2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bf0cbdb53bbd724bb231f0b6958edfc4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bf0cbdb53bbd724bb231f0b6958edfc4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bf0cbdb53bbd724bb231f0b6958edfc4.exe

Modifies registry class 10 IoCs

Processes:

etopt.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{2EE48382-0295-0EC3-52B8-1A26E9EF2DAC}\InProcServer32	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{2EE48382-0295-0EC3-52B8-1A26E9EF2DAC}	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{1FE48382-0295-0EC3-52B8-1A26E9EF2DAC}	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EE48382-0295-0EC3-52B8-1A26E9EF2DAC}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FE48382-0295-0EC3-52B8-1A26E9EF2DAC}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FE48382-0295-0EC3-52B8-1A26E9EF2DAC}	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{1FE48382-0295-0EC3-52B8-1A26E9EF2DAC}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EE48382-0295-0EC3-52B8-1A26E9EF2DAC}	etopt.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bf0cbdb53bbd724bb231f0b6958edfc4.exe

pid	process
4976	bf0cbdb53bbd724bb231f0b6958edfc4.exe
4976	bf0cbdb53bbd724bb231f0b6958edfc4.exe
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

bf0cbdb53bbd724bb231f0b6958edfc4.exetoolspub2.exe

pid process

4976 bf0cbdb53bbd724bb231f0b6958edfc4.exe
3332 toolspub2.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

tuc4.tmp

pid process

3532
3532
3816 tuc4.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

BroomSetup.exe

pid process

324 BroomSetup.exe

pid	process
3532
3532
3816	tuc4.tmp

pid	process
324	BroomSetup.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

8CD7.exe8005.exetoolspub2.exeInstallSetup8.exetuc4.exe

description	pid	process	target process
PID 3532 wrote to memory of 2696	3532		16CA.exe
PID 3532 wrote to memory of 2696	3532		16CA.exe
PID 3532 wrote to memory of 2696	3532		16CA.exe
PID 3532 wrote to memory of 3904	3532		8005.exe
PID 3532 wrote to memory of 3904	3532		8005.exe
PID 3532 wrote to memory of 3904	3532		8005.exe
PID 3532 wrote to memory of 1196	3532		8CD7.exe
PID 3532 wrote to memory of 1196	3532		8CD7.exe
PID 3532 wrote to memory of 1196	3532		8CD7.exe
PID 1196 wrote to memory of 2352	1196	8CD7.exe	RegAsm.exe
PID 1196 wrote to memory of 2352	1196	8CD7.exe	RegAsm.exe
PID 1196 wrote to memory of 2352	1196	8CD7.exe	RegAsm.exe
PID 1196 wrote to memory of 2352	1196	8CD7.exe	RegAsm.exe
PID 1196 wrote to memory of 2352	1196	8CD7.exe	RegAsm.exe
PID 1196 wrote to memory of 2352	1196	8CD7.exe	RegAsm.exe
PID 1196 wrote to memory of 2352	1196	8CD7.exe	RegAsm.exe
PID 1196 wrote to memory of 2352	1196	8CD7.exe	RegAsm.exe
PID 1196 wrote to memory of 2352	1196	8CD7.exe	RegAsm.exe
PID 3904 wrote to memory of 4536	3904	8005.exe	InstallSetup8.exe
PID 3904 wrote to memory of 4536	3904	8005.exe	InstallSetup8.exe
PID 3904 wrote to memory of 4536	3904	8005.exe	InstallSetup8.exe
PID 3904 wrote to memory of 1448	3904	8005.exe	toolspub2.exe
PID 3904 wrote to memory of 1448	3904	8005.exe	toolspub2.exe
PID 3904 wrote to memory of 1448	3904	8005.exe	toolspub2.exe
PID 3904 wrote to memory of 4376	3904	8005.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 3904 wrote to memory of 4376	3904	8005.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 3904 wrote to memory of 4376	3904	8005.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 3904 wrote to memory of 1468	3904	8005.exe	tuc4.exe
PID 3904 wrote to memory of 1468	3904	8005.exe	tuc4.exe
PID 3904 wrote to memory of 1468	3904	8005.exe	tuc4.exe
PID 1448 wrote to memory of 3332	1448	toolspub2.exe	toolspub2.exe
PID 1448 wrote to memory of 3332	1448	toolspub2.exe	toolspub2.exe
PID 1448 wrote to memory of 3332	1448	toolspub2.exe	toolspub2.exe
PID 1448 wrote to memory of 3332	1448	toolspub2.exe	toolspub2.exe
PID 1448 wrote to memory of 3332	1448	toolspub2.exe	toolspub2.exe
PID 1448 wrote to memory of 3332	1448	toolspub2.exe	toolspub2.exe
PID 3904 wrote to memory of 1044	3904	8005.exe	etopt.exe
PID 3904 wrote to memory of 1044	3904	8005.exe	etopt.exe
PID 3904 wrote to memory of 1044	3904	8005.exe	etopt.exe
PID 4536 wrote to memory of 324	4536	InstallSetup8.exe	BroomSetup.exe
PID 4536 wrote to memory of 324	4536	InstallSetup8.exe	BroomSetup.exe
PID 4536 wrote to memory of 324	4536	InstallSetup8.exe	BroomSetup.exe
PID 1468 wrote to memory of 3816	1468	tuc4.exe	tuc4.tmp
PID 1468 wrote to memory of 3816	1468	tuc4.exe	tuc4.tmp
PID 1468 wrote to memory of 3816	1468	tuc4.exe	tuc4.tmp
PID 4536 wrote to memory of 2016	4536	InstallSetup8.exe	nsfDC30.tmp.exe
PID 4536 wrote to memory of 2016	4536	InstallSetup8.exe	nsfDC30.tmp.exe
PID 4536 wrote to memory of 2016	4536	InstallSetup8.exe	nsfDC30.tmp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bf0cbdb53bbd724bb231f0b6958edfc4.exe
"C:\Users\Admin\AppData\Local\Temp\bf0cbdb53bbd724bb231f0b6958edfc4.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4976

C:\Users\Admin\AppData\Local\Temp\16CA.exe
C:\Users\Admin\AppData\Local\Temp\16CA.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\8005.exe
C:\Users\Admin\AppData\Local\Temp\8005.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4536

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:324

C:\Users\Admin\AppData\Local\Temp\nsfDC30.tmp.exe
C:\Users\Admin\AppData\Local\Temp\nsfDC30.tmp.exe
3⤵
- Executes dropped EXE
PID:2016

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3332

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
- Executes dropped EXE
PID:4376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Local\Temp\is-1TGIU.tmp\tuc4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1TGIU.tmp\tuc4.tmp" /SL5="$B0226,7884275,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:3816

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 23
4⤵
PID:1812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 23
5⤵
PID:4128

C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -i
4⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\etopt.exe
"C:\Users\Admin\AppData\Local\Temp\etopt.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:1044

C:\Users\Admin\AppData\Local\Temp\8CD7.exe
C:\Users\Admin\AppData\Local\Temp\8CD7.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
Filesize
30.8MB

MD5
4209883c0f0892056b3df21294eaa9db

SHA1
de42cf4af2fa91010188237bb120710b5b2c818f

SHA256
671d09bc54dc6beacb5777c9dda08bb24f8ccc09bf69df81045848b3b9fc508c

SHA512
453a07f70e316f47b9e1cce1c0d7cf77a9b85b903c3638d282ebce9fe85ed2da51564984ab478354dd09b756743499573151598e8e865c80eba3b6eddf9ab666

Download Submit
C:\Users\Admin\AppData\Local\Temp\16CA.exe
Filesize
3.8MB

MD5
6c495d32cd41ec78c256d1f3dbf53312

SHA1
088e77057a7967826bdada4fa494381312a7186a

SHA256
de5b12b7d320bb45eabbb5bbcb80668d01b3c3f4bff3b25f418c90e4506b4637

SHA512
98c4f2164bcc448a69b40a69f88e24d5fa7db1a6a0f6c3f17c71859290ad5b6aaa09682f069a260ddaf8f362e399381c43e67eacf4bc4485e2a3d7bcb773e791

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
1.4MB

MD5
76c145b0ab85f3018f0f39797ca353bb

SHA1
fa5ad86b358e257ca52389799ddf53fe99f89a14

SHA256
28ad6b957b5ee16f8ba975d4bde22c4455e617abfb158bc0cfabc130d8c3adfc

SHA512
cd2c49cda10308b03a67f627859d92bf82000c448002474171a52693d0259ba08c33d26e1172433fdef80a55f0c66e679cfc1e4de7eff689748abc5e8c8e2293

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
256KB

MD5
18c3d37a8109bf9994d733423b316729

SHA1
ca0af03c3cf133c3c70a047eab99375420e72ed1

SHA256
ad816bd6dc9202637408ec2a504b8cfacfc2483d2d819d7793a9dd4f7701b60d

SHA512
0a228f968c07b96bd6fac33adf27a00ac9c0d4b4032d6300b4c197848fa263706b24ee8a7e33ba9fe17ad1c0137b3dad9fa2757b6724034eb577ea4fd177a5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
832KB

MD5
2810f03c6bd7866dc811b095a18942e9

SHA1
835cf185b7230118c5eb011659c5e8460012f560

SHA256
52949145ebadffeb876015c4768d20cb0977a3bb4fa595b45def32021c691dd0

SHA512
5944c0379e4a6c7a52a65a36e3698740f0eea4dc3dcfc45aedc2540ae3fd2bef6945af33710d5896d84941abbe2b780ca4f20de065b67207e5c6b6a877e0f56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8005.exe
Filesize
18.8MB

MD5
ed2fd5173af900c56220101ce6648515

SHA1
d8783b8dc155314c5680aebddd4e36df7ddfebbf

SHA256
ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098

SHA512
ef7bac0140e2e492a4d1751d9a6d1fe6ec94649bd6a00006f159a067b774ee8870d567e0fae2e08ebf16db3d11c2dfe2fcf5884d7d27d74fdba34781500f9806

Download Submit
C:\Users\Admin\AppData\Local\Temp\8CD7.exe
Filesize
567KB

MD5
1a344159928228af15c9bd838c73e319

SHA1
07295709b38bf6bab750669e09dfe4671e03a345

SHA256
50cb0c5541343e8b900ddc1cb400a91d95a1ecd7d70ef0195d7c875ce7225321

SHA512
289ae9c41d6a535e576da4780b195a6bb79cd10ca9eedf4f39b9bb8d46931443924ed3e9524abc54c10cb7b3603ba218ba200ad6a90e80481126d4cd8d996c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
768KB

MD5
1113ffc27b3d546df4c668f520876b8c

SHA1
c51c1d9f136dbf46a1b64ce259c10d070b822efb

SHA256
cacdefd1e504c2a475243ec093b05e5b1735850465dcfe4c98dabfb6f2c58096

SHA512
725b7dafd68922c451f2729412159f3906eaada07a16d0bbb892894b04bc591baaa8e67fff09407ba375187e8ca66413270e3b4203d7136bb5a2ba47dc61a620

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
2.2MB

MD5
31f42479194700f598c22ea83fa196c1

SHA1
0552ca7766283d7add7c06312ecb5e858d3a2ea0

SHA256
098b76a1d654efe963b1d6167dc77d34627b8488d742c49bfb70e8d70b1755a7

SHA512
afc83e94dc92453312a4d24193b0d3c17cf37644a5cf25b2c934f27d58968c41a5b176de12c2c5c5c8c1d2fbdb57d235a5073fe304f6b12e11a40e2cb52ee836

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
1.9MB

MD5
72daa65e321ed01b4cd36fd4ee491f7e

SHA1
c2f6e83869669ec4c37ad0f1a5628c3535aeb3bb

SHA256
d911442d5dfdb4b0a517a4de3b75ea382c6f48ff62e750cc34796b54aff50da0

SHA512
10ce108f6acdb6b271571faf0395c1dfce0df006e79adc34aac361a675ea81097fb20594cea08d13ec611906272ea6bba8d2d8aab1013e71ac1768306945e950

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wqyd0txw.xqf.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
1.1MB

MD5
cab31bef3e3e467c7e49b279d5b1b803

SHA1
51336a8da7ef5e737e64c198d48df12119fe28a8

SHA256
79ec3981550f421022c23cd1d1574ac4da85bd715498d7f0295989ce831a3e95

SHA512
c1d762314853be56bfbde7e2e8cfd30629f4bfe4ed795682e4c4b9f9f470225e82795560bcaf200712104a08d3805791c7eb0c93a40015761d079ce97b9a085c

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
320KB

MD5
20bd7024faaa8d1133d0c32a4774ea4f

SHA1
aeeda1c1714700265d2bb13a6b0cf5eb3f62552d

SHA256
d88066d261fc7932117d77be379f66abefb482d6090a619b17782fc7da5616ea

SHA512
8a36fa1ddefe78d2666a169f2551da66e943e9da0026f73e2a7265a41ca7e294f5aa282d87c0cc9bcd5a893215ddf813c0dfec43820a5107dc889656266134c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
1.7MB

MD5
6fb9735ae41679e87e938b794fcb6728

SHA1
9b7fb88597bd42e36451241f35e2c99686931812

SHA256
859ca40174fe2e08cb8558c1f6ead15ad9d34d504e8d11570e4d5047e92afd83

SHA512
dc260f66abbad6a46b8d23046304442cce5a1a4a880b1685f06ff4ff52d4ab1a2ee377b91a6bedc615fbe62d0f8367bbc0bd4086c19e0f27a6ea1a2ccd1db7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1TGIU.tmp\tuc4.tmp
Filesize
576KB

MD5
bd95e2391b02e5ecda76f0b8a1a63435

SHA1
6fd4a9a0c6c323a40d786e9a2c27b899d8bc3f28

SHA256
621179faa5fe45ab1546a60d94d53df815c3ca3275b4bd0138bd4db5d5aa5ad9

SHA512
be4aa63e2a64962924719b4bf885e9099bfe314aecb148111c89aca10ace69abe952722b02a2a06f3b3ed40f02d94d83f8b9f852cb8104700301c7d94f8edd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1TGIU.tmp\tuc4.tmp
Filesize
688KB

MD5
a7662827ecaeb4fc68334f6b8791b917

SHA1
f93151dd228d680aa2910280e51f0a84d0cad105

SHA256
05f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d

SHA512
e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S53IF.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S53IF.tmp\_isetup\_isdecmp.dll
Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbC3E5.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfDC30.tmp.exe
Filesize
271KB

MD5
d677ea3b96a1a333a49264c8015579bb

SHA1
5f3e2afcb0e376a38ab3404baa090e432c56e025

SHA256
b126688dc1beec17e774628be407158fb2b69e73b33d2037a98759575450cef5

SHA512
121fb5784e430baa623ce2feb2b55d5aed28a62f7b3103f9797e01219ad6db65c3fb26c3cecd750d33843e6ab45044ded3f782696d214f23f7d209b16a71af1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrC664.tmp\Checker.dll
Filesize
41KB

MD5
8dcc038ce15a235ea9e22fc9663e4c40

SHA1
cc702c128e3035d42220bd504d6c061967d3726f

SHA256
64b23aa5ca4e2e516fae3d2480957d6f1065c91caa930e0ffac2bda1cadea76a

SHA512
bf81fee736e02680b2d5cd23dd360430b9bd97ad1f75ae9485e82b548f61b83a092c5e17a4d537a06ece6384003aeb9b7b9e7eac4a7ffb2b371160570bce6b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrC664.tmp\Zip.dll
Filesize
76KB

MD5
0f459c2bd249a8b1f4b1b598d8e5299d

SHA1
ca47103107cd686d002cb1c3f362efc5750bfeb4

SHA256
acd3d2b809c320bb8b93385212bac23536bd6894e8e2638a5e85468ccd54fb3b

SHA512
1a7e6e48ee9d966a59082f2ad3b6405d8bbdc1a45f54dec1de9fd1a16b34bb0dc422683ecffd5dfb484db3c5c42caea410d49debeae50ba3979520834212afe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
283KB

MD5
2d24e3baa2a16e47bee10e91381e6391

SHA1
013b59b2cd69e93694196dfb34fddc8684cfd619

SHA256
ff2e975c649d66476c48ac9fe64455eb0727fede676d000728d09d62d2dc6db4

SHA512
be515895b29390e1c9c44620f7b18c8ae57d08627b8bbf7484b551ccf079011f95baa78e71c1a2a6280b544dd06444b509b7c9ba126b525d813afd68010b03e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
2.2MB

MD5
b1725ed3deeab4c60987978cfcb04c15

SHA1
a9a87ac499b86ef7ef91683362e8c8deddf159a3

SHA256
e4891aad211b6f66a77f0d6305fed2cac28aa6e7dc1df41fb23e29f9b1b2e165

SHA512
6164a27000b8b28baace2709335805cfb5d4c97bd37baf8a95479c0f47c6b3076088e257d3aa90d1ad6cb0145446a647c3969dfd6020746e902bcf866c786776

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
2.2MB

MD5
6f5ac86c40d73c43777f9da3b16b14a8

SHA1
ecc03fe8ba4e3e110640dcbecce210084ca8533b

SHA256
493f702b98afb5a6e0d99890a62ba2169bb974c288a7a480cd9aa698c479c1db

SHA512
f4ef5953b5d791e5d386e0775a4b4588098d89109d8f7f0ab1a29098a1dfc2b3e03160e9daa6ed645b90933cfd8d60e970a383a5e0881b6b324c460182a401f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX\ClocX.lnk
Filesize
1KB

MD5
ca4c3e696ebcd12b681cbe94d3eb4728

SHA1
bb27ad66a45c7d11af91d2df041a244ad6d42343

SHA256
70276d59835fec2248153cf9da3bb6b76850bad50c2b98f16552c00c9557452b

SHA512
949ef55753af80f517b535315f36a4d29b58a77117d181b7df1098a330376e6c3a88c58de87cb80dcd3a8e094e76fe70ab22c504d3c194c072a3a07ffaa82db0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX\Uninstall.lnk
Filesize
806B

MD5
a0227fa9d632fa7be3355784ac587735

SHA1
f25a03de3723dddb19fed335f2389eab7ea2846c

SHA256
24e6993d1be957b6cca0741c520780501a19394f368e62b6f2a3eb1e74d52c39

SHA512
5dfed3a85087f1bef84d8e858464f20f574379691c82b5f700404e9ae4abbd5294239969c46d92bda2d7320ec592a0612a82c4a46f605739cf8e521fcb41e840

Download Submit
memory/324-546-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/324-137-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/324-284-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/324-621-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1044-132-0x00000000042D0000-0x0000000004EF8000-memory.dmp

Filesize
12.2MB

Download
memory/1044-127-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1044-128-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/1044-147-0x00000000035E0000-0x000000000361A000-memory.dmp

Filesize
232KB

Download
memory/1196-33-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/1196-35-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1196-31-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/1196-28-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1196-30-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/1196-26-0x0000000000A80000-0x0000000000B14000-memory.dmp

Filesize
592KB

Download
memory/1448-94-0x00000000006B0000-0x00000000006B9000-memory.dmp

Filesize
36KB

Download
memory/1448-91-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/1468-186-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1468-97-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1468-90-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1676-628-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/1676-593-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/1676-584-0x0000000004FF0000-0x0000000005026000-memory.dmp

Filesize
216KB

Download
memory/1676-613-0x00000000057C0000-0x0000000005DE8000-memory.dmp

Filesize
6.2MB

Download
memory/1676-629-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/1676-577-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1676-627-0x0000000005720000-0x0000000005742000-memory.dmp

Filesize
136KB

Download
memory/1676-583-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/2016-263-0x0000000000850000-0x000000000086C000-memory.dmp

Filesize
112KB

Download
memory/2016-560-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2016-286-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2016-264-0x0000000000870000-0x0000000000970000-memory.dmp

Filesize
1024KB

Download
memory/2016-590-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2352-135-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2352-40-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/2352-39-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/2352-38-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2352-37-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2352-148-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/2352-32-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2696-185-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2696-14-0x0000000004EA0000-0x0000000004F3C000-memory.dmp

Filesize
624KB

Download
memory/2696-189-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2696-27-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/2696-184-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2696-195-0x0000000006C20000-0x0000000006C30000-memory.dmp

Filesize
64KB

Download
memory/2696-150-0x0000000006810000-0x00000000069A2000-memory.dmp

Filesize
1.6MB

Download
memory/2696-13-0x00000000000A0000-0x0000000000466000-memory.dmp

Filesize
3.8MB

Download
memory/2696-198-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2696-257-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2696-259-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2696-12-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/2696-542-0x0000000006CF0000-0x0000000006DF0000-memory.dmp

Filesize
1024KB

Download
memory/2696-45-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2696-46-0x0000000005400000-0x00000000056DA000-memory.dmp

Filesize
2.9MB

Download
memory/2696-558-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/2696-543-0x0000000006CF0000-0x0000000006DF0000-memory.dmp

Filesize
1024KB

Download
memory/2696-541-0x0000000006CF0000-0x0000000006DF0000-memory.dmp

Filesize
1024KB

Download
memory/3332-102-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3332-154-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3332-93-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3532-152-0x0000000008C40000-0x0000000008C56000-memory.dmp

Filesize
88KB

Download
memory/3532-1-0x0000000003250000-0x0000000003266000-memory.dmp

Filesize
88KB

Download
memory/3816-578-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3816-539-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3816-162-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3816-622-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3904-22-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/3904-23-0x00000000000E0000-0x00000000013BE000-memory.dmp

Filesize
18.9MB

Download
memory/3904-123-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/4376-196-0x0000000002E60000-0x000000000374B000-memory.dmp

Filesize
8.9MB

Download
memory/4376-540-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4376-121-0x0000000002A50000-0x0000000002E52000-memory.dmp

Filesize
4.0MB

Download
memory/4376-194-0x0000000002A50000-0x0000000002E52000-memory.dmp

Filesize
4.0MB

Download
memory/4376-592-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4376-133-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4376-122-0x0000000002E60000-0x000000000374B000-memory.dmp

Filesize
8.9MB

Download
memory/4376-197-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4520-569-0x0000000005450000-0x00000000054E2000-memory.dmp

Filesize
584KB

Download
memory/4520-623-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/4520-559-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/4520-557-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/4520-630-0x0000000005610000-0x000000000561A000-memory.dmp

Filesize
40KB

Download
memory/4520-555-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4976-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4976-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download