privateloader | 589d93deb639f967f96dbf6cbe48b1b434930ad3ac24a17d8e89ff058e4ec272

Analysis

max time kernel
300s
max time network
301s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

762.0MB
MD5

9326c686071c528549c80eea2638082e
SHA1

3c31e38d81289de167d9f37fbc6697b5c9cf71bd
SHA256

59ca077c90d1d26bb9e79b44c74a0ecf04bd02a92a90146efe87c170e11ca3d2
SHA512

9af45bc59bbd42d738cbf9547d8d6121a61bd97a6b9a3a2f2fc39caf721a6a64ce7ab991e482bd13a39ac3ddf62cfc1f95613c7d805370d2cda0199f4bccc114
SSDEEP

49152:NpfTCy0d0R7ruhVrPwHStdgjGf+WAud5iqBRSLmIe59123L7W:eyN7ruHaLGf+Wzd5TSLm/23m

Score

10^/10

privateloader xmrig credential_access discovery evasion execution loader miner persistence spyware stealer

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral1/memory/1708-441-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1708-443-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1708-445-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1708-444-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1708-442-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1708-451-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1708-455-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1708-453-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1708-452-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1708-454-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1708-448-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1708-440-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1708-439-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1708-446-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1708-458-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1708-459-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 7 IoCs

pid	Process
2956	7LElpB9o0GBihytYYfNCAQqM.exe
3012	7LElpB9o0GBihytYYfNCAQqM.tmp
2916	MekAEzPWsJLCrqTrgqaDlJ8S.exe
1968	mobilemediaconverter32.exe
1744	mobilemediaconverter32.exe
476	Process not Found
980	eqtpkqwqodik.exe

Loads dropped DLL 9 IoCs

pid	Process
2956	7LElpB9o0GBihytYYfNCAQqM.exe
2096	setup.exe
2096	setup.exe
3012	7LElpB9o0GBihytYYfNCAQqM.tmp
3012	7LElpB9o0GBihytYYfNCAQqM.tmp
3012	7LElpB9o0GBihytYYfNCAQqM.tmp
3012	7LElpB9o0GBihytYYfNCAQqM.tmp
3012	7LElpB9o0GBihytYYfNCAQqM.tmp
476	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
70	iplogger.org
69	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.myip.com
5	api.myip.com
10	ipinfo.io
11	ipinfo.io

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2468	powercfg.exe
2172	powercfg.exe
1508	powercfg.exe
1712	powercfg.exe
1644	powercfg.exe
2412	powercfg.exe
308	powercfg.exe
1964	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 980 set thread context of 1340	980	eqtpkqwqodik.exe	58
PID 980 set thread context of 1708	980	eqtpkqwqodik.exe	61

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1736	sc.exe
1240	sc.exe
1680	sc.exe
328	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mobilemediaconverter32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mobilemediaconverter32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7LElpB9o0GBihytYYfNCAQqM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7LElpB9o0GBihytYYfNCAQqM.tmp

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2916	MekAEzPWsJLCrqTrgqaDlJ8S.exe
2916	MekAEzPWsJLCrqTrgqaDlJ8S.exe
2916	MekAEzPWsJLCrqTrgqaDlJ8S.exe
2916	MekAEzPWsJLCrqTrgqaDlJ8S.exe
2916	MekAEzPWsJLCrqTrgqaDlJ8S.exe
2916	MekAEzPWsJLCrqTrgqaDlJ8S.exe
2916	MekAEzPWsJLCrqTrgqaDlJ8S.exe
2916	MekAEzPWsJLCrqTrgqaDlJ8S.exe
2916	MekAEzPWsJLCrqTrgqaDlJ8S.exe
980	eqtpkqwqodik.exe
980	eqtpkqwqodik.exe
980	eqtpkqwqodik.exe
980	eqtpkqwqodik.exe
980	eqtpkqwqodik.exe
980	eqtpkqwqodik.exe
980	eqtpkqwqodik.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1644	powercfg.exe
Token: SeShutdownPrivilege	2172	powercfg.exe
Token: SeShutdownPrivilege	1508	powercfg.exe
Token: SeShutdownPrivilege	1712	powercfg.exe
Token: SeShutdownPrivilege	1964	powercfg.exe
Token: SeShutdownPrivilege	308	powercfg.exe
Token: SeLockMemoryPrivilege	1708	svchost.exe
Token: SeShutdownPrivilege	2468	powercfg.exe
Token: SeShutdownPrivilege	2412	powercfg.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2956	2096	setup.exe	32
PID 2096 wrote to memory of 2956	2096	setup.exe	32
PID 2096 wrote to memory of 2956	2096	setup.exe	32
PID 2096 wrote to memory of 2956	2096	setup.exe	32
PID 2096 wrote to memory of 2956	2096	setup.exe	32
PID 2096 wrote to memory of 2956	2096	setup.exe	32
PID 2096 wrote to memory of 2956	2096	setup.exe	32
PID 2956 wrote to memory of 3012	2956	7LElpB9o0GBihytYYfNCAQqM.exe	33
PID 2956 wrote to memory of 3012	2956	7LElpB9o0GBihytYYfNCAQqM.exe	33
PID 2956 wrote to memory of 3012	2956	7LElpB9o0GBihytYYfNCAQqM.exe	33
PID 2956 wrote to memory of 3012	2956	7LElpB9o0GBihytYYfNCAQqM.exe	33
PID 2956 wrote to memory of 3012	2956	7LElpB9o0GBihytYYfNCAQqM.exe	33
PID 2956 wrote to memory of 3012	2956	7LElpB9o0GBihytYYfNCAQqM.exe	33
PID 2956 wrote to memory of 3012	2956	7LElpB9o0GBihytYYfNCAQqM.exe	33
PID 2096 wrote to memory of 2916	2096	setup.exe	34
PID 2096 wrote to memory of 2916	2096	setup.exe	34
PID 2096 wrote to memory of 2916	2096	setup.exe	34
PID 3012 wrote to memory of 1968	3012	7LElpB9o0GBihytYYfNCAQqM.tmp	35
PID 3012 wrote to memory of 1968	3012	7LElpB9o0GBihytYYfNCAQqM.tmp	35
PID 3012 wrote to memory of 1968	3012	7LElpB9o0GBihytYYfNCAQqM.tmp	35
PID 3012 wrote to memory of 1968	3012	7LElpB9o0GBihytYYfNCAQqM.tmp	35
PID 3012 wrote to memory of 1744	3012	7LElpB9o0GBihytYYfNCAQqM.tmp	36
PID 3012 wrote to memory of 1744	3012	7LElpB9o0GBihytYYfNCAQqM.tmp	36
PID 3012 wrote to memory of 1744	3012	7LElpB9o0GBihytYYfNCAQqM.tmp	36
PID 3012 wrote to memory of 1744	3012	7LElpB9o0GBihytYYfNCAQqM.tmp	36
PID 980 wrote to memory of 1340	980	eqtpkqwqodik.exe	58
PID 980 wrote to memory of 1340	980	eqtpkqwqodik.exe	58
PID 980 wrote to memory of 1340	980	eqtpkqwqodik.exe	58
PID 980 wrote to memory of 1340	980	eqtpkqwqodik.exe	58
PID 980 wrote to memory of 1340	980	eqtpkqwqodik.exe	58
PID 980 wrote to memory of 1340	980	eqtpkqwqodik.exe	58
PID 980 wrote to memory of 1340	980	eqtpkqwqodik.exe	58
PID 980 wrote to memory of 1340	980	eqtpkqwqodik.exe	58
PID 980 wrote to memory of 1340	980	eqtpkqwqodik.exe	58
PID 980 wrote to memory of 1708	980	eqtpkqwqodik.exe	61
PID 980 wrote to memory of 1708	980	eqtpkqwqodik.exe	61
PID 980 wrote to memory of 1708	980	eqtpkqwqodik.exe	61
PID 980 wrote to memory of 1708	980	eqtpkqwqodik.exe	61
PID 980 wrote to memory of 1708	980	eqtpkqwqodik.exe	61
PID 980 wrote to memory of 1708	980	eqtpkqwqodik.exe	61
PID 980 wrote to memory of 1708	980	eqtpkqwqodik.exe	61
PID 980 wrote to memory of 1708	980	eqtpkqwqodik.exe	61
PID 980 wrote to memory of 1708	980	eqtpkqwqodik.exe	61
PID 980 wrote to memory of 1708	980	eqtpkqwqodik.exe	61
PID 980 wrote to memory of 1708	980	eqtpkqwqodik.exe	61
PID 980 wrote to memory of 1708	980	eqtpkqwqodik.exe	61

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\Documents\piratemamm\7LElpB9o0GBihytYYfNCAQqM.exe
  C:\Users\Admin\Documents\piratemamm\7LElpB9o0GBihytYYfNCAQqM.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\is-LMQ9E.tmp\7LElpB9o0GBihytYYfNCAQqM.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-LMQ9E.tmp\7LElpB9o0GBihytYYfNCAQqM.tmp" /SL5="$700E0,4712415,54272,C:\Users\Admin\Documents\piratemamm\7LElpB9o0GBihytYYfNCAQqM.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Users\Admin\AppData\Local\Mobile Media Converter\mobilemediaconverter32.exe
      "C:\Users\Admin\AppData\Local\Mobile Media Converter\mobilemediaconverter32.exe" -i
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1968
  - - C:\Users\Admin\AppData\Local\Mobile Media Converter\mobilemediaconverter32.exe
      "C:\Users\Admin\AppData\Local\Mobile Media Converter\mobilemediaconverter32.exe" -s
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1744
- C:\Users\Admin\Documents\piratemamm\MekAEzPWsJLCrqTrgqaDlJ8S.exe
  C:\Users\Admin\Documents\piratemamm\MekAEzPWsJLCrqTrgqaDlJ8S.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2916
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:1736
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1240
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:328
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:1680

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:980
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:308
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1340
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
25db0c16edba1f61d4cc49fd4771da1b

SHA1
eceb8a4c3b8578ebad6f5d38b523ed72c085762b

SHA256
11684da2bb2244f732bfac915739cf25c9281b5206979c81612b4646a37b7d08

SHA512
d0dd804091be661469bc4d0df7940fb3805eba8df379f2f042978934928813122411d7bbf950432f1053f04c631a6213e39b4b715148614cd4681a5b7f9d3fd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
128b67c983ce3165156570f9a3ca117c

SHA1
edb69ab868ec35f9cc984e05cd7cba957a2278d9

SHA256
d87356d997014f135f14705f6d0c2ae5da08e6e7dbd4bd73cfc257128da4805c

SHA512
e4bea8ad265ac030f272f2f82b3f3f97d0d030f0ef99686b208895916eba49a228090ebb0884db00aab77837033f209e22004803df0cd5b352fa5efec9ea9635

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
caffc06eb64b3c7ff71901764f5d2ee3

SHA1
05dabb6c9685056abbf71d03f1ed85fdf563d843

SHA256
f6d362c697243c8362698411bb0d972147b83396a8a05fe1c43ccbd1142f2eb7

SHA512
21c06aa3abd3065d3d640d5a087646e8ecbcdc2e6042a951487e3d758bc6056a933eb4f9d5d3bed0bdbf4970a120f27afe6b2ed331aca2847b4b7b45caac77f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4a7ce4e40f6d4e9beef57892df050269

SHA1
d97a6bd7bf64e48567334a2ab3b9999034b7eb97

SHA256
3a175656dab11931ca1e25263788e9b3ad31abf77e62c9da3f8719886d87fd04

SHA512
c9d4fa75ef41294b19df43caed166d33e61ebf296c8f40477b0c19febd90465390433e01ef20183cbb7723a6a04c81648d3be6dded5a3af5013297f809f11adc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2fd378aa19bb995bc80287cc4618d6e4

SHA1
238f3aea18df5856e4ce2295e5885b2d12091e40

SHA256
a9814e81766a281e8fb28a86208de49f1c3813b5b78857d5eb573a77d6555144

SHA512
51efd86424995c7a1d1253d1b4d6188b53dc1420c1c9c706461dc398cbf84c3ac61baf5bd5f1c4ce1ba4dc4d537610dca16ef9e46582d0bf5a76e267410ef458

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
272d5700f7f1c3042085fdc0b3272af8

SHA1
9caf5b0ac4c1557ba1ac4d845d7707ea05532f3d

SHA256
f3c5c969a2efe85dff3cad06f8f0ad2a247088ca5d08f80dcd93e3eb323bd047

SHA512
e3e63037779705b0da8e8d7aa5c9a9d1086814427feb1729f5566837a61cc4f5cbfcc292263d61bf1e50a55329d463ef0856c4aee2ac8b020947e8c8d56ee067

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b7eb3723b4dfd8139e0f96174d50cb87

SHA1
393c7803ea4ccf9da606ef624cf200a87de1528f

SHA256
d566d162aff9b13302fc9771147c12cdcb0e31de6ef39f7fc0032ff437ac43ab

SHA512
6d66e28a98e96dc7bf36d83d1f15cde83ec8974fca858f753a93c803d25535f74dc506c3e3e7abe3d694e1502d3adfb1fe23d0243123ad80c49b2c3e00569630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
0d250369c837fecee40d12b71cde71c4

SHA1
325e1462a684e345f29625b22863bf0f2e57c1f4

SHA256
6556b22faf9bdf81c7b827f896b685d2acd0a1e374c1cd15f0047a90c5d6bc62

SHA512
4093c12522a40834a4b3b0af58dac11fc510535afc89f8ecad14c428e1cc8f80b0a0e510c47b01b83169b006171f2b587b1f88a859e9d9bda30b22f475d9d18f

Download Submit
C:\Users\Admin\AppData\Local\Mobile Media Converter\mobilemediaconverter32.exe

Filesize
3.7MB

MD5
65404e90386159bf151f79b9da582d3b

SHA1
2c3ff7859fa1c4b838e6667b21f2bd4790a346a3

SHA256
c4d37939210a996bdb197cf1c485a2801b333862e2753f01a7d805ee5b83287c

SHA512
ae76172ff8eafc0e8e89fe3831733a2a395d8455502ad16aec75eabbe3dc89ac6b99d506c906affb1a2172663f0211d36c4ba54370b8155e9127dab05a449c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab91A7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9246.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Documents\piratemamm\7LElpB9o0GBihytYYfNCAQqM.exe

Filesize
4.7MB

MD5
506fd166ad693a874c81fc1af23104f3

SHA1
1828f8c505c06d51713b7dd141011fdf94b1348a

SHA256
0dcee77127bc5e5b3bbb9809db3cdcd12db1eb82860467b6b1af6bf27f7d4218

SHA512
c0443ce94feff899e430eddaefb50776bf94478050880b61a8baeb86db6ee25522a1aaba844771dcd0a68bd40a5c4868c6a96749b4a728b7ab68d3b8a73fffff

Download Submit
C:\Users\Admin\Documents\piratemamm\MekAEzPWsJLCrqTrgqaDlJ8S.exe

Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\Users\Admin\AppData\Local\Temp\is-E4ENK.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-E4ENK.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-E4ENK.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-LMQ9E.tmp\7LElpB9o0GBihytYYfNCAQqM.tmp

Filesize
680KB

MD5
a5d28160c73e3ce84e3ae5eedf204b1b

SHA1
8f1ed887af6e0038e29d13461207812db2cf4481

SHA256
8c2c2b0dc057eff4186f869af75744e8f652ff31631a5fe84f707446d5175c67

SHA512
1b6d6bb5f3697c7ecf249f62c1dabb9665d0b7cf2d5deae73f5f710e09fd51fd3113b074e96514938f38b753adef5f24f24407305d04cc6175e015dce0338210

Download Submit
memory/980-429-0x0000000140000000-0x0000000141919000-memory.dmp

Filesize
25.1MB

Download
memory/1340-433-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1340-432-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1340-431-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1340-434-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1340-435-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1340-449-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1708-459-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-453-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-458-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-442-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-438-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-446-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-450-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/1708-439-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-441-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-443-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-445-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-444-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-440-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-451-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-455-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-448-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-452-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-454-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1744-464-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/1744-412-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/1744-418-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/1744-470-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/1744-460-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/1744-467-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/1968-406-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/1968-400-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/1968-410-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/2096-0-0x000000013FE00000-0x0000000140218000-memory.dmp

Filesize
4.1MB

Download
memory/2916-403-0x0000000077130000-0x0000000077132000-memory.dmp

Filesize
8KB

Download
memory/2916-405-0x0000000077130000-0x0000000077132000-memory.dmp

Filesize
8KB

Download
memory/2916-413-0x0000000140000000-0x0000000141919000-memory.dmp

Filesize
25.1MB

Download
memory/2916-401-0x0000000077130000-0x0000000077132000-memory.dmp

Filesize
8KB

Download
memory/2956-337-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2956-416-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2956-333-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3012-417-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3012-461-0x00000000037A0000-0x0000000003B4F000-memory.dmp

Filesize
3.7MB

Download
memory/3012-399-0x00000000037A0000-0x0000000003B4F000-memory.dmp

Filesize
3.7MB

Download