cryptbot | 79d64ca8a0ebef312050fb2a06a68d246aa0acacb30764da9af8fdbc5f821d0a

Analysis

max time kernel
160s
max time network
170s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

4.8MB
MD5

8e88e9762c2c7020225ef6c369f2ef0e
SHA1

15eb5c3f205e19471d3e60322efbddc2e8b2792e
SHA256

e847b7593382c56f6443caea1929e4657e8706a0e55deda227ab98231bde7667
SHA512

3bdeebd9e7f0e1895eebd6d749e9195903fa5e9dfab620e2e50fa719878680106c1f03925cf3fdb4bebbe98b72b6350ccedba6405c03f367591a8741bf8e53da
SSDEEP

98304:xRCvLUBsggNYhWYlw2Cs5llZA9PYJKmt6jFeQXhkYN3g0bM/1Tfe:x6LUCggNSlPllZAZI9t6sQ2fe

Malware Config

Extracted

Family

nullmixer

http://sornx.xyz/

Extracted

Family

privateloader

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

redline

Botnet

pub1

viacetequn.site:80

Extracted

Family

vidar

Version

40.1

Botnet

706

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

cryptbot

bunhiv18.top

morkix01.top

Attributes

payload_url
http://tobdol01.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 2 IoCs

resource	yara_rule
behavioral3/memory/2008-396-0x0000000005AB0000-0x0000000005B53000-memory.dmp	family_cryptbot
behavioral3/memory/2008-631-0x0000000005AB0000-0x0000000005B53000-memory.dmp	family_cryptbot

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/memory/2532-168-0x0000000003420000-0x0000000003442000-memory.dmp	family_redline
behavioral3/memory/2532-190-0x00000000049E0000-0x0000000004A00000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral3/memory/2532-168-0x0000000003420000-0x0000000003442000-memory.dmp	family_sectoprat
behavioral3/memory/2532-190-0x00000000049E0000-0x0000000004A00000-memory.dmp	family_sectoprat
behavioral3/memory/2148-195-0x00000000008D0000-0x0000000000910000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral3/memory/2440-185-0x0000000003CF0000-0x0000000003D8D000-memory.dmp	family_vidar
behavioral3/memory/2440-191-0x0000000000400000-0x0000000002402000-memory.dmp	family_vidar

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral3/files/0x0008000000013aa6-45.dat	aspack_v212_v242
behavioral3/files/0x002800000001390b-47.dat	aspack_v212_v242
behavioral3/files/0x0007000000014110-52.dat	aspack_v212_v242

Executes dropped EXE 14 IoCs

pid	Process
2232	setup_install.exe
1500	Mon17a1622b32c19d79.exe
2168	Mon178e2a4bb3.exe
2420	Mon1729d1f65d.exe
1976	Mon17adba8184e.exe
1624	Mon1739ea489bd.exe
1232	Mon176198e28ea2.exe
2440	Mon1775222792.exe
2532	Mon17fc3714aa3427.exe
1540	Mon179660fc887.exe
1544	Mon17a1622b32c19d79.exe
1040	Mon178e2a4bb3.exe
988	Prendero.exe.com
2008	Prendero.exe.com

Loads dropped DLL 48 IoCs

pid	Process
2208	setup_installer.exe
2208	setup_installer.exe
2208	setup_installer.exe
2232	setup_install.exe
2232	setup_install.exe
2232	setup_install.exe
2232	setup_install.exe
2232	setup_install.exe
2232	setup_install.exe
2232	setup_install.exe
2232	setup_install.exe
268	cmd.exe
268	cmd.exe
1500	Mon17a1622b32c19d79.exe
1500	Mon17a1622b32c19d79.exe
2584	cmd.exe
2664	cmd.exe
2664	cmd.exe
2744	cmd.exe
1964	cmd.exe
2420	Mon1729d1f65d.exe
2420	Mon1729d1f65d.exe
2716	cmd.exe
2716	cmd.exe
1232	Mon176198e28ea2.exe
1232	Mon176198e28ea2.exe
2712	cmd.exe
2712	cmd.exe
2440	Mon1775222792.exe
2440	Mon1775222792.exe
2532	Mon17fc3714aa3427.exe
2532	Mon17fc3714aa3427.exe
1500	Mon17a1622b32c19d79.exe
2748	cmd.exe
1540	Mon179660fc887.exe
1540	Mon179660fc887.exe
1544	Mon17a1622b32c19d79.exe
1544	Mon17a1622b32c19d79.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
2108	cmd.exe
1872	WerFault.exe
988	Prendero.exe.com
2904	WerFault.exe
2904	WerFault.exe
2904	WerFault.exe
2904	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Mon179660fc887.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1872	2232	WerFault.exe	27
2904	2440	WerFault.exe	47

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon1729d1f65d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon1729d1f65d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon1729d1f65d.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Prendero.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Prendero.exe.com

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Mon1775222792.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Mon1775222792.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Mon1775222792.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1812	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2420	Mon1729d1f65d.exe
2420	Mon1729d1f65d.exe
2148	powershell.exe
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2420	Mon1729d1f65d.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	1976	Mon17adba8184e.exe
Token: SeDebugPrivilege	1624	Mon1739ea489bd.exe
Token: SeDebugPrivilege	2532	Mon17fc3714aa3427.exe
Token: SeShutdownPrivilege	1192	Process not Found

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
988	Prendero.exe.com
988	Prendero.exe.com
988	Prendero.exe.com
2008	Prendero.exe.com
2008	Prendero.exe.com
2008	Prendero.exe.com
2008	Prendero.exe.com
2008	Prendero.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
988	Prendero.exe.com
988	Prendero.exe.com
988	Prendero.exe.com
2008	Prendero.exe.com
2008	Prendero.exe.com
2008	Prendero.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2232	2208	setup_installer.exe	27
PID 2208 wrote to memory of 2232	2208	setup_installer.exe	27
PID 2208 wrote to memory of 2232	2208	setup_installer.exe	27
PID 2208 wrote to memory of 2232	2208	setup_installer.exe	27
PID 2208 wrote to memory of 2232	2208	setup_installer.exe	27
PID 2208 wrote to memory of 2232	2208	setup_installer.exe	27
PID 2208 wrote to memory of 2232	2208	setup_installer.exe	27
PID 2232 wrote to memory of 700	2232	setup_install.exe	29
PID 2232 wrote to memory of 700	2232	setup_install.exe	29
PID 2232 wrote to memory of 700	2232	setup_install.exe	29
PID 2232 wrote to memory of 700	2232	setup_install.exe	29
PID 2232 wrote to memory of 700	2232	setup_install.exe	29
PID 2232 wrote to memory of 700	2232	setup_install.exe	29
PID 2232 wrote to memory of 700	2232	setup_install.exe	29
PID 2232 wrote to memory of 268	2232	setup_install.exe	30
PID 2232 wrote to memory of 268	2232	setup_install.exe	30
PID 2232 wrote to memory of 268	2232	setup_install.exe	30
PID 2232 wrote to memory of 268	2232	setup_install.exe	30
PID 2232 wrote to memory of 268	2232	setup_install.exe	30
PID 2232 wrote to memory of 268	2232	setup_install.exe	30
PID 2232 wrote to memory of 268	2232	setup_install.exe	30
PID 2232 wrote to memory of 2664	2232	setup_install.exe	31
PID 2232 wrote to memory of 2664	2232	setup_install.exe	31
PID 2232 wrote to memory of 2664	2232	setup_install.exe	31
PID 2232 wrote to memory of 2664	2232	setup_install.exe	31
PID 2232 wrote to memory of 2664	2232	setup_install.exe	31
PID 2232 wrote to memory of 2664	2232	setup_install.exe	31
PID 2232 wrote to memory of 2664	2232	setup_install.exe	31
PID 2232 wrote to memory of 2700	2232	setup_install.exe	32
PID 2232 wrote to memory of 2700	2232	setup_install.exe	32
PID 2232 wrote to memory of 2700	2232	setup_install.exe	32
PID 2232 wrote to memory of 2700	2232	setup_install.exe	32
PID 2232 wrote to memory of 2700	2232	setup_install.exe	32
PID 2232 wrote to memory of 2700	2232	setup_install.exe	32
PID 2232 wrote to memory of 2700	2232	setup_install.exe	32
PID 2232 wrote to memory of 2712	2232	setup_install.exe	33
PID 2232 wrote to memory of 2712	2232	setup_install.exe	33
PID 2232 wrote to memory of 2712	2232	setup_install.exe	33
PID 2232 wrote to memory of 2712	2232	setup_install.exe	33
PID 2232 wrote to memory of 2712	2232	setup_install.exe	33
PID 2232 wrote to memory of 2712	2232	setup_install.exe	33
PID 2232 wrote to memory of 2712	2232	setup_install.exe	33
PID 2232 wrote to memory of 2716	2232	setup_install.exe	34
PID 2232 wrote to memory of 2716	2232	setup_install.exe	34
PID 2232 wrote to memory of 2716	2232	setup_install.exe	34
PID 2232 wrote to memory of 2716	2232	setup_install.exe	34
PID 2232 wrote to memory of 2716	2232	setup_install.exe	34
PID 2232 wrote to memory of 2716	2232	setup_install.exe	34
PID 2232 wrote to memory of 2716	2232	setup_install.exe	34
PID 2232 wrote to memory of 2744	2232	setup_install.exe	35
PID 2232 wrote to memory of 2744	2232	setup_install.exe	35
PID 2232 wrote to memory of 2744	2232	setup_install.exe	35
PID 2232 wrote to memory of 2744	2232	setup_install.exe	35
PID 2232 wrote to memory of 2744	2232	setup_install.exe	35
PID 2232 wrote to memory of 2744	2232	setup_install.exe	35
PID 2232 wrote to memory of 2744	2232	setup_install.exe	35
PID 2232 wrote to memory of 2584	2232	setup_install.exe	36
PID 2232 wrote to memory of 2584	2232	setup_install.exe	36
PID 2232 wrote to memory of 2584	2232	setup_install.exe	36
PID 2232 wrote to memory of 2584	2232	setup_install.exe	36
PID 2232 wrote to memory of 2584	2232	setup_install.exe	36
PID 2232 wrote to memory of 2584	2232	setup_install.exe	36
PID 2232 wrote to memory of 2584	2232	setup_install.exe	36
PID 2232 wrote to memory of 2748	2232	setup_install.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:700
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon17a1622b32c19d79.exe
    3⤵
    - Loads dropped DLL
    PID:268
  - - C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon17a1622b32c19d79.exe
      Mon17a1622b32c19d79.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1500
    - - C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon17a1622b32c19d79.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon17a1622b32c19d79.exe" -a
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon1729d1f65d.exe
    3⤵
    - Loads dropped DLL
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon1729d1f65d.exe
      Mon1729d1f65d.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon178e2a4bb3.exe
    3⤵
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon178e2a4bb3.exe
      Mon178e2a4bb3.exe
      4⤵
      Executes dropped EXE
      PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon178e2a4bb3.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon178e2a4bb3.exe"
      4⤵
      Executes dropped EXE
      PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon1775222792.exe
    3⤵
    - Loads dropped DLL
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon1775222792.exe
      Mon1775222792.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      PID:2440
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 692
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon17fc3714aa3427.exe
    3⤵
    - Loads dropped DLL
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon17fc3714aa3427.exe
      Mon17fc3714aa3427.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon176198e28ea2.exe
    3⤵
    - Loads dropped DLL
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon176198e28ea2.exe
      Mon176198e28ea2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon1739ea489bd.exe
    3⤵
    - Loads dropped DLL
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon1739ea489bd.exe
      Mon1739ea489bd.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon179660fc887.exe
    3⤵
    - Loads dropped DLL
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon179660fc887.exe
      Mon179660fc887.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:1540
    - - C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        5⤵
        
        PID:1664
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Mummia.wmz
        5⤵
        
        PID:764
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        Loads dropped DLL
        
        PID:2108
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^utIhAQXzKFfZwKOfdWFWGYOHgvUbutPplngusOenUcoCKjfoSNGytadifqZtVmhGQyOCcHYBTuwlPjXeuMFabKtSouQdPYDxoCLEbNMlPtkXdusrrWXoUUouqWxgRHLUDGwhAaEzZcDzniBeO$" Pensavo.wmz
        7⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
        
        Prendero.exe.com z
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com z
        8⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2008
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping MGILJUBR -n 30
        7⤵
        Runs ping.exe
        
        PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon17adba8184e.exe
    3⤵
    - Loads dropped DLL
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon17adba8184e.exe
      Mon17adba8184e.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 436
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon1729d1f65d.exe

Filesize
273KB

MD5
3ef04768f662e3c02e9e8c8192d5afa1

SHA1
58371bb09f637e7d42c94f6365a434ca88b3874d

SHA256
b3fb54d410655eba5e22d8aec4876060a668377e0cdb10e66265ee09ff72e132

SHA512
07c0208061b2d03cecae2e0414bda700da07139bad62a078f9c873f0396c0ee005cf6f5eab4f299ecd48d2c90380f73a6565e419f42d95f4d968508858253ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon1739ea489bd.exe

Filesize
192KB

MD5
ea5d2a70de26a3f2ce92d1b02b2f3052

SHA1
66045b40d6aebc6a2930c76c6d492fb5fc81426f

SHA256
7abf7953b1532eec5dd50fb9098269a8cd7b65e9afc9d84031039ff9da63f909

SHA512
1437877ea36bf59eb74eef0415f820507fa55bb07b17b59679454e02a99bf48884bfdd0706175a168a005ce9a672b0fbdc904da7a35242402567f06bf22d322b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon176198e28ea2.exe

Filesize
1.5MB

MD5
df80b76857b74ae1b2ada8efb2a730ee

SHA1
5653be57533c6eb058fed4963a25a676488ef832

SHA256
5545c43eb14b0519ab997673efa379343f98d2b6b1578d9fdeb369234789f9dd

SHA512
060b04536003ce4a91e5847d487701eed7e093408e427198be552f0af37aee498929586f3a0110c78173873a28d95c6c0a4cdd01c7218274f5849a4730f9efdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon1775222792.exe

Filesize
384KB

MD5
affbe6434230cffbae65d71209b18a94

SHA1
a6e80a1d8f64e8ffa3f1f4c5298153e74fc1db52

SHA256
49202ca2b906910bc7407f9d7013242b78a40c6004e31ce1977f37faeeffe747

SHA512
daf805199784a1ce083f44a4b36d6f1c06d467204b88dabad33fdc1722286d491a3e17315e36037e89a5f3f342337700354c79618937a75ef331224f2e508c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon1775222792.exe

Filesize
608KB

MD5
42b6c78fd88e0ce139615ca4a975bfc7

SHA1
5ec215ade32285be9a6b3e73031a9e351a5e4fdb

SHA256
73da47aba40b72752b6562114348f823e70e33ef2a2eb5cb16c914e6feffe0d0

SHA512
a7368df6e22f42c1ab60599ab4ecf2eba1fac8def2a8c411491173c881bbfafd014eb11a97067da6fbd3ded2c0daa3ae0574d259d8e13f210ecf40f16e06e6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon178e2a4bb3.exe

Filesize
900KB

MD5
0a0d22f1c9179a67d04166de0db02dbb

SHA1
106e55bd898b5574f9bd33dac9f3c0b95cecd90d

SHA256
a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac

SHA512
8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon179660fc887.exe

Filesize
1.3MB

MD5
12b8842dded9134ad0cae031c4f06530

SHA1
c0ecd0ac8cf3e4851661f62fe283ecec0e6ca25e

SHA256
abd87ec324df8d74245e1671f21e832b563eb8dc3c13b1688a9e85a2f809fe17

SHA512
967d70105549641beaa3283c42143aac22e016c911f99ab1c7ef5b4eff2577790fc679a74af6d2df14e87c278762e2c39c96bbdeabeaa1b62fb9072f0baa1825

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon17adba8184e.exe

Filesize
8KB

MD5
4ffcfe89a6f218943793ff6ea9bb5e79

SHA1
8ff66c6fe276857ba0ce6f533d383813e5ce6943

SHA256
710c8df4e791a0f4ac8a7351c0c718a6ddb685a3d57abfd2c064c398617bb9b1

SHA512
8c62a4e43657a7477acc630708205db74ecad794569408b7b0a57ee1ff111f798917b48c929133e8c199312ad797929a61fc69505a636347307edcd2eef2a5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon17fc3714aa3427.exe

Filesize
248KB

MD5
d23c06e25b4bd295e821274472263572

SHA1
9ad295ec3853dc465ae77f9479f8c4f76e2748b8

SHA256
f02c1351a8b3dc296cf815bb4cd2bcc2d25b3b9a258ab2ad95e8be3d9602322c

SHA512
122b0ef44682f83651d81df622bbff5ad9fa0f5bbd6b925e35add9568825c0316c0f9921dac21cf92cb44658fc854f7829c01ae3b84aa0745929f8ef5e6ae1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A8F4256\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD539.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD676.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvKCeTWQk\VUpjvTo41aHZS7.zip

Filesize
47KB

MD5
6979685ab89c9001cc9fde6dcc1bc73f

SHA1
fe85c162c5f3b0d3de28f1b03f147250d3d1accd

SHA256
cdba3e54d2feedc9eb1acda7894fd3388d72e831f5d9bcb3d3dcb584b7e14c39

SHA512
ea936bef6e435260d1d5cd9cfe12c41316e23472bbb538b0421b91b35eeed76d19db84e8a2b3fc1f485e09a1791ea72d8832635d0636d92b71d7c08c65854807

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvKCeTWQk\_Files\_Information.txt

Filesize
8KB

MD5
6427c41daeb56a66ae80ba8105c0398a

SHA1
8edaa4d4393f139cc99eacbd11339d21053601d2

SHA256
f2b400e6dfd09ae5c2a66f48d54e18d2c96dff7a1c873fac0541a8415a31c263

SHA512
1176e0dce32f18afa335c7d23ca4599cdbb58adaab1287dae82d205f71f47e2e873f0005524b5b1fbdbb5000087b35442ab3b77a34c1d214d199a7aeaf9494e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvKCeTWQk\_Files\_Screen_Desktop.jpeg

Filesize
55KB

MD5
71e43f4dbecf011231457d9943584845

SHA1
63c86e8bdb6b872305770f58f946f68163819684

SHA256
e1620f76f5ba5bc0a0ab94af6a05b1dd17933f276c29055f612db9c699df4bf0

SHA512
5f7cbd22fc73e82ae89af3fbeb1b54d07954b6e45d4bcdfb17e0966a2afe96c3993624e6d685f2f9abe51df4c70e170a67e78590d870dd56e286fcec87f37822

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvKCeTWQk\files_\system_info.txt

Filesize
1KB

MD5
ec717f4160d3127d66cffb3acf8605d5

SHA1
1ca82d9fb7225ceb7b2339d19fe00584495ae101

SHA256
c277d3f29ec31781c54ba720a48723fb10761852b41303d4f7ecc5808d5fe973

SHA512
e75a9fa0eecc190e1b40e17fc75c85e7513e777ae70519e9a44893647caa3875a23a9a90b5ad3cb960ef578d514cdf84018a9c33fa3a2df4535de608e6c43a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvKCeTWQk\files_\system_info.txt

Filesize
3KB

MD5
8b8115ebcc8029081074c6c5ad7592e2

SHA1
e1f187cbff442fbb195295a263bad25b26e425c1

SHA256
1d258d75904164548f23b21fc0a836e4ff912bfb7948b8c651af4ead4dda278f

SHA512
9955bdeea0695fa245ad6c58774397e3608daec6d1b8925cf398421536d23aa92ebcbdb4ae015b28a18fffb797657a989aace19162205e70e28d4975d967bd7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvKCeTWQk\files_\system_info.txt

Filesize
8KB

MD5
84aa70675f61c99b28feeaaca45b2a13

SHA1
e4bbc3e4c8b252d2e65550c04806a00f05fc3d3b

SHA256
21d944ebea181f252aae4022b2f3fc5a5facc57760a6f5ca26c57ed2ff8eb270

SHA512
fed53d0c29682c9c6f71d84475fd44101752b5188fe098089d85e6c22c6a339d752ef04940d46c092a42545482f99539720021ccec0b205ad0c627578dd828d8

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon176198e28ea2.exe

Filesize
1.4MB

MD5
44f8792deaec2d66c6d795bfb3716c7c

SHA1
c23c0f8a93402b2269124afb32bc835b7a63e212

SHA256
15743e8fc4534359efec59faad380fcae647748c3ee6d259a9db9335e9c8ce12

SHA512
9a3d8658fb719041598d2da89b7968e0c8486e93d8828f230ba5b127d9a9af01d6a955f09d8f83da760a94d97b0c156c545d589e8dbb69921f1c4b4f157a2616

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon179660fc887.exe

Filesize
320KB

MD5
9ad619f45232adf616c60754c42ce300

SHA1
1708568c4274e9d06ee2c8691aabe4acf32cd9b4

SHA256
97bf7de6c6f7c9f8d7b615e8224e6fd284d3dcd167dd7ed8325b24a9d2dad576

SHA512
6823a7e112eab64fc8e319ef56c860d2941703cea5fdd99e22c4dec6e987db00888463fc831119814bd9902090518cde73a7c00cb94d288ade08031b71411066

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A8F4256\Mon17a1622b32c19d79.exe

Filesize
56KB

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A8F4256\setup_install.exe

Filesize
2.1MB

MD5
e063ed1ff826d9211d72dcd9b57c6db6

SHA1
73edb0e50951df71df4eee9bdf9ecc6b0101994a

SHA256
7e594b7d01a8cbc819f8527f7d1459b02cff4bf97f1a8bc69daea608f4274108

SHA512
a8e9d84d88254f2ba4f1e99cf624d4aff1738fb52044cce69500c32f45fbffd42d2d4578bb504dad9147845bf98f5080193eaeead9e84888e35dd9fa187139ee

Download Submit
memory/1192-199-0x0000000002A60000-0x0000000002A76000-memory.dmp

Filesize
88KB

Download
memory/1624-225-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/1624-198-0x0000000000620000-0x00000000006A0000-memory.dmp

Filesize
512KB

Download
memory/1624-187-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/1624-189-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1624-172-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1624-160-0x00000000009A0000-0x00000000009D6000-memory.dmp

Filesize
216KB

Download
memory/1624-173-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-159-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/1976-337-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-330-0x0000000000670000-0x00000000006F0000-memory.dmp

Filesize
512KB

Download
memory/1976-197-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-196-0x0000000000670000-0x00000000006F0000-memory.dmp

Filesize
512KB

Download
memory/2008-374-0x0000000005AB0000-0x0000000005B53000-memory.dmp

Filesize
652KB

Download
memory/2008-373-0x0000000005AB0000-0x0000000005B53000-memory.dmp

Filesize
652KB

Download
memory/2008-396-0x0000000005AB0000-0x0000000005B53000-memory.dmp

Filesize
652KB

Download
memory/2008-631-0x0000000005AB0000-0x0000000005B53000-memory.dmp

Filesize
652KB

Download
memory/2148-246-0x0000000072F50000-0x00000000734FB000-memory.dmp

Filesize
5.7MB

Download
memory/2148-194-0x0000000072F50000-0x00000000734FB000-memory.dmp

Filesize
5.7MB

Download
memory/2148-195-0x00000000008D0000-0x0000000000910000-memory.dmp

Filesize
256KB

Download
memory/2232-181-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2232-174-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2232-53-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2232-71-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2232-50-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2232-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2232-62-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2232-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2232-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2232-72-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2232-177-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2232-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2232-178-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2232-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2232-179-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2232-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2232-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2232-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2232-180-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2420-200-0x0000000000400000-0x00000000023AE000-memory.dmp

Filesize
31.7MB

Download
memory/2420-193-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/2420-186-0x0000000000400000-0x00000000023AE000-memory.dmp

Filesize
31.7MB

Download
memory/2420-192-0x00000000024C0000-0x00000000025C0000-memory.dmp

Filesize
1024KB

Download
memory/2440-184-0x00000000002E0000-0x00000000003E0000-memory.dmp

Filesize
1024KB

Download
memory/2440-185-0x0000000003CF0000-0x0000000003D8D000-memory.dmp

Filesize
628KB

Download
memory/2440-329-0x00000000002E0000-0x00000000003E0000-memory.dmp

Filesize
1024KB

Download
memory/2440-191-0x0000000000400000-0x0000000002402000-memory.dmp

Filesize
32.0MB

Download
memory/2532-182-0x0000000002E60000-0x0000000002F60000-memory.dmp

Filesize
1024KB

Download
memory/2532-183-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2532-168-0x0000000003420000-0x0000000003442000-memory.dmp

Filesize
136KB

Download
memory/2532-343-0x00000000072F0000-0x0000000007330000-memory.dmp

Filesize
256KB

Download
memory/2532-244-0x00000000072F0000-0x0000000007330000-memory.dmp

Filesize
256KB

Download
memory/2532-188-0x0000000000400000-0x0000000002CCD000-memory.dmp

Filesize
40.8MB

Download
memory/2532-190-0x00000000049E0000-0x0000000004A00000-memory.dmp

Filesize
128KB

Download
memory/2532-328-0x0000000002E60000-0x0000000002F60000-memory.dmp

Filesize
1024KB

Download