nullmixer | bbb1867666dcd3898495a36ebec4d9a00c5c4c519eab587f530f5f5c6d80cb32

Analysis

max time kernel
53s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

3.4MB
MD5

15eb5a44613074dee64d6f25eceb66be
SHA1

a414befb2fdf6c508d4936f723f8b142828b2b16
SHA256

57f10efc739ec361aebc5282037d8013f39991d2f87ab144dd16e3cd63ed6999
SHA512

e749bfd0ccb846547bf2759b6c39515caded7103fb5197059f60321ba26dfc367f9e69f2b7f889173b330ee5342ff94a4b6aec69aee9cedf9eb040dbbafc27a4
SSDEEP

98304:xwCvLUBsgQPoIXHs02aorqdKmUzKDwXQXKV9fV:xNLUCgeoIXM0R3nUz8wrPfV

Score

10^/10

nullmixer privateloader redline sectoprat smokeloader vidar 706 pab3 pub6 aspackv2 backdoor dropper infostealer loader persistence rat stealer trojan

Malware Config

Extracted

Family

nullmixer

http://marisana.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

redline

Botnet

pab3

185.215.113.15:61506

Extracted

Family

vidar

Version

Botnet

706

https://lenak513.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral4/memory/1140-105-0x0000000004980000-0x00000000049A2000-memory.dmp	family_redline
behavioral4/memory/1140-112-0x0000000004F10000-0x0000000004F30000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral4/memory/1140-105-0x0000000004980000-0x00000000049A2000-memory.dmp	family_sectoprat
behavioral4/memory/1140-112-0x0000000004F10000-0x0000000004F30000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral4/memory/768-144-0x00000000049B0000-0x0000000004A4D000-memory.dmp	family_vidar
behavioral4/memory/768-149-0x0000000000400000-0x0000000002D1A000-memory.dmp	family_vidar
behavioral4/memory/768-194-0x0000000000400000-0x0000000002D1A000-memory.dmp	family_vidar

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral4/files/0x0008000000023203-40.dat	aspack_v212_v242
behavioral4/files/0x0008000000023206-39.dat	aspack_v212_v242
behavioral4/files/0x000700000002320c-46.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Tue022b0c9446.exe

Executes dropped EXE 13 IoCs

pid	Process
4892	setup_install.exe
1140	Tue02ef36b3f1289c5.exe
4448	Tue027536c4694d45.exe
1804	Tue021e08b886995.exe
2072	Tue022a930da16b.exe
924	Tue021b99042c7.exe
768	Tue02693e04f014707bc.exe
3836	Tue022b0c9446.exe
1728	Tue025ccbbdb1799f42b.exe
2472	Tue0237249404942fe.exe
3152	Tue022b0c9446.exe
3716	Talune.exe.com
4520	Talune.exe.com

Loads dropped DLL 5 IoCs

pid	Process
4892	setup_install.exe
4892	setup_install.exe
4892	setup_install.exe
4892	setup_install.exe
4892	setup_install.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Tue025ccbbdb1799f42b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
26	iplogger.org
27	iplogger.org
36	iplogger.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
4320	4892	WerFault.exe	90
4172	924	WerFault.exe	110
396	768	WerFault.exe	111
64	768	WerFault.exe	111
2900	768	WerFault.exe	111
4592	768	WerFault.exe	111
4908	768	WerFault.exe	111
4000	768	WerFault.exe	111
540	768	WerFault.exe	111
4016	768	WerFault.exe	111
4684	768	WerFault.exe	111
4628	768	WerFault.exe	111
1996	768	WerFault.exe	111

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue021b99042c7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue021b99042c7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue021b99042c7.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1820	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
924	Tue021b99042c7.exe
924	Tue021b99042c7.exe
408	powershell.exe
408	powershell.exe
408	powershell.exe
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
924	Tue021b99042c7.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	Tue027536c4694d45.exe
Token: SeDebugPrivilege	2472	Tue0237249404942fe.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	1140	Tue02ef36b3f1289c5.exe
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found
Token: SeShutdownPrivilege	3588	Process not Found
Token: SeCreatePagefilePrivilege	3588	Process not Found

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
3716	Talune.exe.com
3588	Process not Found
3588	Process not Found
3716	Talune.exe.com
3716	Talune.exe.com
3588	Process not Found
3588	Process not Found
4520	Talune.exe.com
3588	Process not Found
3588	Process not Found
4520	Talune.exe.com
4520	Talune.exe.com
3588	Process not Found
3588	Process not Found

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3716	Talune.exe.com
3716	Talune.exe.com
3716	Talune.exe.com
4520	Talune.exe.com
4520	Talune.exe.com
4520	Talune.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4892	4944	setup_installer.exe	90
PID 4944 wrote to memory of 4892	4944	setup_installer.exe	90
PID 4944 wrote to memory of 4892	4944	setup_installer.exe	90
PID 4892 wrote to memory of 3872	4892	setup_install.exe	94
PID 4892 wrote to memory of 3872	4892	setup_install.exe	94
PID 4892 wrote to memory of 3872	4892	setup_install.exe	94
PID 4892 wrote to memory of 4104	4892	setup_install.exe	95
PID 4892 wrote to memory of 4104	4892	setup_install.exe	95
PID 4892 wrote to memory of 4104	4892	setup_install.exe	95
PID 4892 wrote to memory of 664	4892	setup_install.exe	96
PID 4892 wrote to memory of 664	4892	setup_install.exe	96
PID 4892 wrote to memory of 664	4892	setup_install.exe	96
PID 4892 wrote to memory of 3520	4892	setup_install.exe	97
PID 4892 wrote to memory of 3520	4892	setup_install.exe	97
PID 4892 wrote to memory of 3520	4892	setup_install.exe	97
PID 4892 wrote to memory of 752	4892	setup_install.exe	98
PID 4892 wrote to memory of 752	4892	setup_install.exe	98
PID 4892 wrote to memory of 752	4892	setup_install.exe	98
PID 4892 wrote to memory of 4644	4892	setup_install.exe	99
PID 4892 wrote to memory of 4644	4892	setup_install.exe	99
PID 4892 wrote to memory of 4644	4892	setup_install.exe	99
PID 4892 wrote to memory of 1536	4892	setup_install.exe	100
PID 4892 wrote to memory of 1536	4892	setup_install.exe	100
PID 4892 wrote to memory of 1536	4892	setup_install.exe	100
PID 4892 wrote to memory of 5112	4892	setup_install.exe	101
PID 4892 wrote to memory of 5112	4892	setup_install.exe	101
PID 4892 wrote to memory of 5112	4892	setup_install.exe	101
PID 4892 wrote to memory of 1004	4892	setup_install.exe	102
PID 4892 wrote to memory of 1004	4892	setup_install.exe	102
PID 4892 wrote to memory of 1004	4892	setup_install.exe	102
PID 4892 wrote to memory of 4704	4892	setup_install.exe	103
PID 4892 wrote to memory of 4704	4892	setup_install.exe	103
PID 4892 wrote to memory of 4704	4892	setup_install.exe	103
PID 4644 wrote to memory of 1140	4644	cmd.exe	106
PID 4644 wrote to memory of 1140	4644	cmd.exe	106
PID 4644 wrote to memory of 1140	4644	cmd.exe	106
PID 4704 wrote to memory of 4448	4704	cmd.exe	108
PID 4704 wrote to memory of 4448	4704	cmd.exe	108
PID 3520 wrote to memory of 2072	3520	cmd.exe	109
PID 3520 wrote to memory of 2072	3520	cmd.exe	109
PID 1536 wrote to memory of 1804	1536	cmd.exe	107
PID 1536 wrote to memory of 1804	1536	cmd.exe	107
PID 1536 wrote to memory of 1804	1536	cmd.exe	107
PID 664 wrote to memory of 924	664	cmd.exe	110
PID 664 wrote to memory of 924	664	cmd.exe	110
PID 664 wrote to memory of 924	664	cmd.exe	110
PID 752 wrote to memory of 768	752	cmd.exe	111
PID 752 wrote to memory of 768	752	cmd.exe	111
PID 752 wrote to memory of 768	752	cmd.exe	111
PID 1004 wrote to memory of 1728	1004	cmd.exe	112
PID 1004 wrote to memory of 1728	1004	cmd.exe	112
PID 1004 wrote to memory of 1728	1004	cmd.exe	112
PID 4104 wrote to memory of 3836	4104	cmd.exe	113
PID 4104 wrote to memory of 3836	4104	cmd.exe	113
PID 4104 wrote to memory of 3836	4104	cmd.exe	113
PID 3872 wrote to memory of 408	3872	cmd.exe	114
PID 3872 wrote to memory of 408	3872	cmd.exe	114
PID 3872 wrote to memory of 408	3872	cmd.exe	114
PID 5112 wrote to memory of 2472	5112	cmd.exe	116
PID 5112 wrote to memory of 2472	5112	cmd.exe	116
PID 1728 wrote to memory of 4520	1728	Tue025ccbbdb1799f42b.exe	127
PID 1728 wrote to memory of 4520	1728	Tue025ccbbdb1799f42b.exe	127
PID 1728 wrote to memory of 4520	1728	Tue025ccbbdb1799f42b.exe	127
PID 3836 wrote to memory of 3152	3836	Tue022b0c9446.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\7zS05335B47\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS05335B47\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue022b0c9446.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue022b0c9446.exe
      Tue022b0c9446.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3836
    - - C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue022b0c9446.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue022b0c9446.exe" -a
        5⤵
        Executes dropped EXE
        
        PID:3152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue021b99042c7.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue021b99042c7.exe
      Tue021b99042c7.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 372
        5⤵
        Program crash
        
        PID:4172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue022a930da16b.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue022a930da16b.exe
      Tue022a930da16b.exe
      4⤵
      Executes dropped EXE
      PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue02693e04f014707bc.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue02693e04f014707bc.exe
      Tue02693e04f014707bc.exe
      4⤵
      Executes dropped EXE
      PID:768
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 696
        5⤵
        Program crash
        
        PID:396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 832
        5⤵
        Program crash
        
        PID:64
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 852
        5⤵
        Program crash
        
        PID:2900
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 864
        5⤵
        Program crash
        
        PID:4592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1028
        5⤵
        Program crash
        
        PID:4908
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1036
        5⤵
        Program crash
        
        PID:4000
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1520
        5⤵
        Program crash
        
        PID:540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1568
        5⤵
        Program crash
        
        PID:4016
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1780
        5⤵
        Program crash
        
        PID:4684
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1788
        5⤵
        Program crash
        
        PID:4628
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1800
        5⤵
        Program crash
        
        PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue02ef36b3f1289c5.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue02ef36b3f1289c5.exe
      Tue02ef36b3f1289c5.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue021e08b886995.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue021e08b886995.exe
      Tue021e08b886995.exe
      4⤵
      Executes dropped EXE
      PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue0237249404942fe.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue0237249404942fe.exe
      Tue0237249404942fe.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue025ccbbdb1799f42b.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue025ccbbdb1799f42b.exe
      Tue025ccbbdb1799f42b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        5⤵
        
        PID:4520
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Conservava.xlam
        5⤵
        
        PID:4540
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^aXXPLdOdpKvHEwwcALYIInWmgGDtBFsVVodqfjpjFmFfheNjFpLslXxTwbAyMJPDzALcKwugCMepSGkjSsms$" Suoi.xlam
        7⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com
        
        Talune.exe.com K
        7⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com K
        8⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4520
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping SLVJLBBW -n 30
        7⤵
        Runs ping.exe
        
        PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue027536c4694d45.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue027536c4694d45.exe
      Tue027536c4694d45.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 476
    3⤵
    - Program crash
    PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4892 -ip 4892
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 924 -ip 924
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 768 -ip 768
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 768 -ip 768
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 768 -ip 768
1⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 768 -ip 768
1⤵
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 768 -ip 768
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 768 -ip 768
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 768 -ip 768
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 768 -ip 768
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 768 -ip 768
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 768 -ip 768
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 768 -ip 768
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 768 -ip 768
1⤵
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue021b99042c7.exe

Filesize
272KB

MD5
5f270ca7d7e51d491870597597eda178

SHA1
2d0d689a15f7702beb5b07fdf8025c60804b5e9b

SHA256
d5c307d313d350c10c5858798a7d8d5d1e9d7a512d529b4480d39e23eadbfe04

SHA512
3125593efd872216fc637526fdcac78eac6648822b40532b4493f3c2738dbfee3f4905dedcdd68e73ad394517149ff154c5f388e42456d36230577310edc4ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue021e08b886995.exe

Filesize
631KB

MD5
64be7ccaa252abfd99ecf77bc8cce4d5

SHA1
9a9633c3cd6b394d149982021e008da3ceb64be0

SHA256
d9e8d0bdac5bc0b2a4958536474496fcaaf964d135cd1fe49d1e566b6640199c

SHA512
392782e14a78c1c157ee2935990805b13e0db39cd7629be7c880fe05c078c36a5807fb36e70320e6997399be88e85b8c51272fa51a48863bf2ea99c669e32de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue022a930da16b.exe

Filesize
241KB

MD5
5866ab1fae31526ed81bfbdf95220190

SHA1
75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f

SHA256
9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e

SHA512
8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue022b0c9446.exe

Filesize
56KB

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue0237249404942fe.exe

Filesize
124KB

MD5
9996968bf823f79bb6cd767642974947

SHA1
51ec008918335b895fb8fecb186dec0dacdd64d8

SHA256
252a203815e00302d4eda7c66b0432494adfaadd555859ee89ca775dc013fe76

SHA512
4cc7d0ec1572d5a8a72b714018402c90028dc194ce2919295cf9b726848e80824a45c5a241f1f2d0532be1e953a184aecf2e05430361d3a2f399c37cc92bd72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue025ccbbdb1799f42b.exe

Filesize
512KB

MD5
e1264c54d0ab3023c2c48fa707cc7323

SHA1
e9245d36f36f428f418331736af34ee2a686d1cf

SHA256
ea5aadca7c87c139d6f3cbb15fbc46441de8ad4f51987013f47eef95e7e17381

SHA512
c96e1a3df3100fdc340fcc0c15066932c7c2795be72625ff8b4449b792f834d90bffc229e227be4ae92dd90a60bf1fde15d23ea78a71cdac624e4df55d161160

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue025ccbbdb1799f42b.exe

Filesize
1.1MB

MD5
151c65cf1ce031437d262a9c53064b17

SHA1
e830752dad5c6db3abe868e63f39c1c026c8979e

SHA256
89aa23aecdac9c9ce8fda01c799ab8dee02b49311819c455a76e37ad3a9bf6c0

SHA512
0bc5d5bfa370263a98b13f5620425fe3d0a3f05cf11aba6ed2e5bd5ad0edf9386077e3c9f996bbba2d5535d2b3dd0af47a4d151c576ee7ada3b06da9ca4e1e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue02693e04f014707bc.exe

Filesize
557KB

MD5
e8dd2c2b42ddc701b1e2c34cc1fe99b1

SHA1
c3751581986d6cada60747843792d286fd671657

SHA256
835443a1038ad5e0a4dde2451baa95b529f049362955d57daf0b5921729a4f17

SHA512
e179b3b4c2f24d089566630c6ee0421418fe17aa4195dc9b04f471665094ce3a4b3ed29da7b6829b7484fa3e785abd343a1cf7abc556f6f5b5403a92b16a970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue027536c4694d45.exe

Filesize
8KB

MD5
ce3a49b916b81a7d349c0f8c9f283d34

SHA1
a04ea42670fcf09fffbf7f4d4ac9c8e3edfc8cf4

SHA256
9a1f1a9f448d94c8954b8004a4ff3e8405f8b18139f95d04f8d9b40c483e1b40

SHA512
e7e0150f3c79300c4e11ca391de9553440846c4b9594b49d8854769a347deb4ba10d5f7d3e7684e3a942ff15b61484910adc12014495adef68eaeb98f887ed80

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05335B47\Tue02ef36b3f1289c5.exe

Filesize
279KB

MD5
af23965c3e2673940b70f436bb45f766

SHA1
ccc8b03ea8c568f1b333458cff3f156898fc29f7

SHA256
e6271d738fc78602abc8916fb4742638b2b4c4205882f6db24eb361694c67503

SHA512
f0202e3ed32b9e69785bb50551b5143fe69298dead3c9a3d539cc6c6768f70f8263f074f912d1de5decb122bc365b7645428c0d10040f6f15a41f3a5ac0a4611

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05335B47\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05335B47\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05335B47\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05335B47\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05335B47\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05335B47\setup_install.exe

Filesize
2.1MB

MD5
74bfb4111ccf7f337832534a5a84d2c8

SHA1
c9b397f3393ba4fd312705db1e12caa4613abe89

SHA256
6fc93f454178f4c9f16121c0b185bbbcde83600f446e2bf6a63b5fa42841bdb6

SHA512
80870dd082fbd71fbc4402d5704e1fbbff0e4c71fa2d68630221d0795cb78e89fbd7e828b724189ed2f8f0ac69a8dcaefd45b8095232e4bd9b1700e4a712782c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05335B47\setup_install.exe

Filesize
2.1MB

MD5
53fe1db9a551ec99e92fb5327e298d8e

SHA1
23f74e8ac06f4e6396eeeb084831a14be5257474

SHA256
6910d9327dc41eb4d340cd68f35d4ab3bba67cae4f640f01cd934204ec5b48a4

SHA512
6efb2b2c3f739a95347af5dd74a3b62a27ccd24aff25a6aa1ab00944ac589250d874e257440e3f0d8c714e8a36bc7ffc94509be2f0eb3661e805a46ed89e5047

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cercare.xlam

Filesize
626KB

MD5
53a2ce58b1cf5ed9730a6f5ca77a47b4

SHA1
18b391759c11d3d5f3bf423a8acb1335c154f85d

SHA256
7953af07c4c7cc15a4767a5b52c2aa9f880a1d5cf2e12ce4f3aa6ceab82ed7cf

SHA512
79100c0fdbe978d97ce4cd621c41b427f34cdda63e2e569722e3e6f4f3b0cf6fd3c647f774b624f835fa7908d4b91e455057ccd894ed6d256dc49ad446d8c4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Conservava.xlam

Filesize
439B

MD5
67db09870ad0361cb90cfcceffe5c87c

SHA1
3d5071241bc942beab03782aabd90e2618fac1df

SHA256
455e2f47d0fbeee0f9e5b5ea7b51ce923d85fb98ba46572ccf6740814fa524a0

SHA512
1f0d712bf99001a38d3c7af42ca0a6ab226660b18f422963305aef35e33064ad43949eb9b516f3c3efdf8bf4b7bd5e5f8d02baebd3762f79fbdf3850ffc879cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K

Filesize
555KB

MD5
0ece50fe816b2c0ee185b5c2d5a689ee

SHA1
1217e7360f42adc636e79f2ba864394b5b8b96a0

SHA256
ba00aa2d9b4c1debb599986dad930844feaaa08d3bdf04b5f89b3c52cce59635

SHA512
695330b2587cfca9f8003384b401ab88fe070dd30a646677d5b3cbb2f8ff966ab985aeafa34e6f6279b440b79cd92c1e61cce36c299ba064f6364d9884d4f4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Passaggio.xlam

Filesize
634KB

MD5
a53b20839963af7716ba3992becf228c

SHA1
a94b94dd5b569f3760c0f9fc9996e1d716577328

SHA256
39762f41b7fc66f6138035391d0cdffbbdf1690af5be02d801417399af6f9b8d

SHA512
210d6c0089ef78859766360c1e80e54a46640f7a326aedf847df1cf284b6f069984ca6fe4b1dd18eb99768a1131551e117304bc8cabf0b6d8926042c1c3a92a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Suoi.xlam

Filesize
872KB

MD5
6e9215f829cd2d493f8039d830c622bd

SHA1
7aa530b215904365235477baa8c6dd92020ee3bd

SHA256
7acc59a5ff51435e3ab49a02c2efd2a096aeb4811b2cc9c677709c46e3ff30cf

SHA512
f9a4b7b2063b6da1d7aadf782d5b3e0bc256707f9085db3a95b00493f3e80dcbd8e2196bba7a98986a711452401e053152a86b25321bb06536a6d05566dea89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com

Filesize
772KB

MD5
28da0aa5487d4d8a0c614954aebe3895

SHA1
264c83d40fadffdbeacaf18d6fb5b8ece4cf0523

SHA256
10a08b905a8d5288a96c4329eb3903029f4efd82a8667cead52687b0dcfb9ff4

SHA512
94432dc543db80c4d144660973d42e33b0a7c6aa7862c1a6a95229080279d849cf0e1c10c1b9de9f9a967db6d16412f2edd3daaed293bce8b5878182188afbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com

Filesize
526KB

MD5
c03d77439348155642d21013748077f4

SHA1
326d97d40df0049745ceda5fa833e2d47b6913e8

SHA256
8b01b7360f6b7b7d24018850d867f238be4650901083c59e19dc65a3cf2522da

SHA512
8a98ef727b8dbf6ed17d08125f01f8288cf4003522881c1e4813d5039917e88de26162d64a4396a4534b39ced41a9469355f611b1504931a9ccee05874d5e1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talune.exe.com

Filesize
258KB

MD5
3b55c92f42bf6fdce70f1d09705a47f2

SHA1
7b2735c0acfde3b129ba63e1840b2ef1b698f5b2

SHA256
b0f5ab4c92ba686b969a8825f3b8f7af5840153e1466bab788a95747a4b20231

SHA512
3c5c80ba9ade33938370ab8f870d9f5a740cc43f45e72a0860e313136410cbcfe0ae975f0e7b49998282447cb114b0734f3c6af1897546c29caf10aa4ca567f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jn2l2wnl.xmn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/408-184-0x0000000007D50000-0x0000000007DE6000-memory.dmp

Filesize
600KB

Download
memory/408-101-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/408-187-0x0000000007D20000-0x0000000007D34000-memory.dmp

Filesize
80KB

Download
memory/408-186-0x0000000007D10000-0x0000000007D1E000-memory.dmp

Filesize
56KB

Download
memory/408-185-0x0000000007CE0000-0x0000000007CF1000-memory.dmp

Filesize
68KB

Download
memory/408-135-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/408-183-0x0000000007B60000-0x0000000007B6A000-memory.dmp

Filesize
40KB

Download
memory/408-85-0x0000000072AC0000-0x0000000073270000-memory.dmp

Filesize
7.7MB

Download
memory/408-84-0x0000000005220000-0x0000000005256000-memory.dmp

Filesize
216KB

Download
memory/408-95-0x0000000005890000-0x0000000005EB8000-memory.dmp

Filesize
6.2MB

Download
memory/408-181-0x0000000006E60000-0x0000000006E7A000-memory.dmp

Filesize
104KB

Download
memory/408-179-0x0000000008180000-0x00000000087FA000-memory.dmp

Filesize
6.5MB

Download
memory/408-97-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/408-177-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/408-188-0x0000000007E10000-0x0000000007E2A000-memory.dmp

Filesize
104KB

Download
memory/408-176-0x0000000007850000-0x00000000078F3000-memory.dmp

Filesize
652KB

Download
memory/408-162-0x000000007F630000-0x000000007F640000-memory.dmp

Filesize
64KB

Download
memory/408-174-0x0000000006CB0000-0x0000000006CCE000-memory.dmp

Filesize
120KB

Download
memory/408-175-0x0000000072AC0000-0x0000000073270000-memory.dmp

Filesize
7.7MB

Download
memory/408-163-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/408-161-0x0000000006D80000-0x0000000006DB2000-memory.dmp

Filesize
200KB

Download
memory/408-189-0x0000000007E00000-0x0000000007E08000-memory.dmp

Filesize
32KB

Download
memory/408-192-0x0000000072AC0000-0x0000000073270000-memory.dmp

Filesize
7.7MB

Download
memory/408-137-0x0000000006330000-0x0000000006684000-memory.dmp

Filesize
3.3MB

Download
memory/408-131-0x00000000061E0000-0x0000000006246000-memory.dmp

Filesize
408KB

Download
memory/408-114-0x0000000006030000-0x0000000006052000-memory.dmp

Filesize
136KB

Download
memory/408-140-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/768-194-0x0000000000400000-0x0000000002D1A000-memory.dmp

Filesize
41.1MB

Download
memory/768-144-0x00000000049B0000-0x0000000004A4D000-memory.dmp

Filesize
628KB

Download
memory/768-142-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/768-149-0x0000000000400000-0x0000000002D1A000-memory.dmp

Filesize
41.1MB

Download
memory/924-104-0x0000000000A10000-0x0000000000B10000-memory.dmp

Filesize
1024KB

Download
memory/924-106-0x0000000000400000-0x00000000008FA000-memory.dmp

Filesize
5.0MB

Download
memory/924-180-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/924-178-0x0000000000400000-0x00000000008FA000-memory.dmp

Filesize
5.0MB

Download
memory/924-103-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/1140-138-0x00000000080F0000-0x00000000081FA000-memory.dmp

Filesize
1.0MB

Download
memory/1140-109-0x0000000007510000-0x0000000007520000-memory.dmp

Filesize
64KB

Download
memory/1140-133-0x0000000007370000-0x00000000073BC000-memory.dmp

Filesize
304KB

Download
memory/1140-115-0x0000000007AD0000-0x00000000080E8000-memory.dmp

Filesize
6.1MB

Download
memory/1140-195-0x0000000002FC0000-0x00000000030C0000-memory.dmp

Filesize
1024KB

Download
memory/1140-113-0x0000000007510000-0x0000000007520000-memory.dmp

Filesize
64KB

Download
memory/1140-193-0x0000000000400000-0x0000000002CD3000-memory.dmp

Filesize
40.8MB

Download
memory/1140-116-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/1140-99-0x0000000002FC0000-0x00000000030C0000-memory.dmp

Filesize
1024KB

Download
memory/1140-100-0x0000000002F50000-0x0000000002F7F000-memory.dmp

Filesize
188KB

Download
memory/1140-112-0x0000000004F10000-0x0000000004F30000-memory.dmp

Filesize
128KB

Download
memory/1140-111-0x0000000007520000-0x0000000007AC4000-memory.dmp

Filesize
5.6MB

Download
memory/1140-105-0x0000000004980000-0x00000000049A2000-memory.dmp

Filesize
136KB

Download
memory/1140-110-0x0000000007510000-0x0000000007520000-memory.dmp

Filesize
64KB

Download
memory/1140-102-0x0000000000400000-0x0000000002CD3000-memory.dmp

Filesize
40.8MB

Download
memory/1140-117-0x0000000004FC0000-0x0000000004FFC000-memory.dmp

Filesize
240KB

Download
memory/1140-132-0x0000000007510000-0x0000000007520000-memory.dmp

Filesize
64KB

Download
memory/1140-108-0x0000000072AC0000-0x0000000073270000-memory.dmp

Filesize
7.7MB

Download
memory/2472-143-0x00007FFA8AC80000-0x00007FFA8B741000-memory.dmp

Filesize
10.8MB

Download
memory/2472-96-0x00007FFA8AC80000-0x00007FFA8B741000-memory.dmp

Filesize
10.8MB

Download
memory/2472-86-0x0000000000C80000-0x0000000000CA4000-memory.dmp

Filesize
144KB

Download
memory/2472-98-0x0000000002D10000-0x0000000002D2C000-memory.dmp

Filesize
112KB

Download
memory/3588-156-0x0000000001210000-0x0000000001226000-memory.dmp

Filesize
88KB

Download
memory/4448-146-0x00007FFA8AC80000-0x00007FFA8B741000-memory.dmp

Filesize
10.8MB

Download
memory/4448-173-0x00000000015A0000-0x00000000015B0000-memory.dmp

Filesize
64KB

Download
memory/4448-73-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

Filesize
32KB

Download
memory/4448-81-0x00007FFA8AC80000-0x00007FFA8B741000-memory.dmp

Filesize
10.8MB

Download
memory/4448-82-0x00000000015A0000-0x00000000015B0000-memory.dmp

Filesize
64KB

Download
memory/4892-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4892-49-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4892-120-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4892-50-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4892-121-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/4892-118-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4892-136-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4892-47-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4892-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4892-52-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4892-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4892-48-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4892-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4892-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4892-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4892-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4892-119-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4892-134-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4892-53-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download