44caliber | b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57

Analysis

max time kernel
120s
max time network
114s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe
Size

5.5MB
MD5

bb03e8f97d4a17dedc001090c096ff60
SHA1

dfe5de118a5f8ef8fd38d8748b1f28a5c14f04df
SHA256

b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57
SHA512

d8fa1be73c86e03530a6b0bde7b95f0f4d62891af96d4fe905856ad6997121574ce5d9ab9c7bbc07b8245899667888028d45576f862e5593b61ac9e4dab37b9b
SSDEEP

98304:VTcW6I+2hiVK/Frlc328jTU5F4sb7nZ/BsfBi0XsPmVMqyPcWeY5X8:lcRI+2hGKBY2dF4sb7nRefB/8+mkfY5s

Score

10^/10

44caliber defense_evasion discovery evasion execution persistence spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1216442245281087579/WdcHykTG9s553QUy8I1Ile3cHRoWrt03OHQcBjEQwILw3YwXPawFgdx__0VddKqHYPd1

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1036 powershell.exe
1356 powershell.exe
1980 powershell.exe
2336 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

pid	process
1036	powershell.exe
1356	powershell.exe
1980	powershell.exe
2336	powershell.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHRAJGDI\ImagePath = "C:\\ProgramData\\nalfdgwigwyg\\lhhsgwktkatl.exe"	services.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 4 IoCs

Processes:

Insidious.exeWubo.exelhhsgwktkatl.exelhhsgwktkatl.exe

pid process

1724 Insidious.exe
2984 Wubo.exe
2360 lhhsgwktkatl.exe
1556 lhhsgwktkatl.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe

Loads dropped DLL 5 IoCs

Processes:

b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exeservices.exe

pid	process
2300	b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe
2300	b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe
2300	b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe
476	services.exe
476	services.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

Processes:

flow	ioc
11	raw.githubusercontent.com
14	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
10	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com
18	raw.githubusercontent.com
19	raw.githubusercontent.com
12	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app

flow	ioc
4	freegeoip.app
5	freegeoip.app

Power Settings 1 TTPs 12 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	process
1232	powercfg.exe
276	powercfg.exe
968	powercfg.exe
1548	powercfg.exe
2204	powercfg.exe
2100	powercfg.exe
2252	powercfg.exe
2080	powercfg.exe
2288	powercfg.exe
740	powercfg.exe
2228	powercfg.exe
304	powercfg.exe

Drops file in System32 directory 7 IoCs

Processes:

lhhsgwktkatl.exepowershell.exepowershell.exelhhsgwktkatl.exepowershell.exeWubo.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	lhhsgwktkatl.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	lhhsgwktkatl.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Wubo.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

Wubo.exelhhsgwktkatl.exelhhsgwktkatl.exe

description	pid	process	target process
PID 2984 set thread context of 1152	2984	Wubo.exe	dialer.exe
PID 2360 set thread context of 988	2360	lhhsgwktkatl.exe	dialer.exe
PID 2360 set thread context of 1372	2360	lhhsgwktkatl.exe	dialer.exe
PID 2360 set thread context of 2604	2360	lhhsgwktkatl.exe	dialer.exe
PID 1556 set thread context of 1120	1556	lhhsgwktkatl.exe	dialer.exe
PID 1556 set thread context of 2656	1556	lhhsgwktkatl.exe	dialer.exe

Drops file in Windows directory 4 IoCs

Processes:

wusa.exesvchost.exewusa.exewusa.exe

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1520	sc.exe
2876	sc.exe
2160	sc.exe
1848	sc.exe
2140	sc.exe
292	sc.exe
1540	sc.exe
1512	sc.exe
3012	sc.exe
1140	sc.exe
2032	sc.exe
2400	sc.exe
1840	sc.exe
1464	sc.exe
1040	sc.exe
2812	sc.exe
552	sc.exe
2720	sc.exe
2640	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exeInsidious.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

dialer.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a053f8027415db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Insidious.exeWubo.exepowershell.exedialer.exelhhsgwktkatl.exepowershell.exedialer.exe

pid	process
1724	Insidious.exe
1724	Insidious.exe
1724	Insidious.exe
1724	Insidious.exe
2984	Wubo.exe
1356	powershell.exe
2984	Wubo.exe
2984	Wubo.exe
2984	Wubo.exe
2984	Wubo.exe
2984	Wubo.exe
2984	Wubo.exe
2984	Wubo.exe
2984	Wubo.exe
2984	Wubo.exe
2984	Wubo.exe
2984	Wubo.exe
2984	Wubo.exe
1152	dialer.exe
1152	dialer.exe
1152	dialer.exe
1152	dialer.exe
1152	dialer.exe
1152	dialer.exe
1152	dialer.exe
1152	dialer.exe
2984	Wubo.exe
2984	Wubo.exe
2984	Wubo.exe
1152	dialer.exe
1152	dialer.exe
2360	lhhsgwktkatl.exe
1152	dialer.exe
1152	dialer.exe
1980	powershell.exe
1152	dialer.exe
1152	dialer.exe
1152	dialer.exe
1152	dialer.exe
1152	dialer.exe
1152	dialer.exe
2360	lhhsgwktkatl.exe
2360	lhhsgwktkatl.exe
2360	lhhsgwktkatl.exe
2360	lhhsgwktkatl.exe
2360	lhhsgwktkatl.exe
2360	lhhsgwktkatl.exe
2360	lhhsgwktkatl.exe
2360	lhhsgwktkatl.exe
2360	lhhsgwktkatl.exe
2360	lhhsgwktkatl.exe
2360	lhhsgwktkatl.exe
2360	lhhsgwktkatl.exe
2360	lhhsgwktkatl.exe
988	dialer.exe
988	dialer.exe
988	dialer.exe
988	dialer.exe
988	dialer.exe
988	dialer.exe
988	dialer.exe
988	dialer.exe
988	dialer.exe
988	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Insidious.exepowershell.exepowercfg.exedialer.exepowercfg.exepowercfg.exepowercfg.exesvchost.exepowershell.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowercfg.exedialer.exepowercfg.exepowercfg.exepowercfg.exedialer.exe

description	pid	process
Token: SeDebugPrivilege	1724	Insidious.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeShutdownPrivilege	1232	powercfg.exe
Token: SeDebugPrivilege	1152	dialer.exe
Token: SeShutdownPrivilege	276	powercfg.exe
Token: SeShutdownPrivilege	2100	powercfg.exe
Token: SeShutdownPrivilege	968	powercfg.exe
Token: SeAuditPrivilege	820	svchost.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	988	dialer.exe
Token: SeShutdownPrivilege	740	powercfg.exe
Token: SeShutdownPrivilege	2080	powercfg.exe
Token: SeShutdownPrivilege	2252	powercfg.exe
Token: SeShutdownPrivilege	2288	powercfg.exe
Token: SeAuditPrivilege	820	svchost.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeAuditPrivilege	820	svchost.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeShutdownPrivilege	2228	powercfg.exe
Token: SeDebugPrivilege	1120	dialer.exe
Token: SeShutdownPrivilege	2204	powercfg.exe
Token: SeShutdownPrivilege	304	powercfg.exe
Token: SeShutdownPrivilege	1548	powercfg.exe
Token: SeLockMemoryPrivilege	2656	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	820	svchost.exe
Token: SeIncreaseQuotaPrivilege	820	svchost.exe
Token: SeSecurityPrivilege	820	svchost.exe
Token: SeTakeOwnershipPrivilege	820	svchost.exe
Token: SeLoadDriverPrivilege	820	svchost.exe
Token: SeSystemtimePrivilege	820	svchost.exe
Token: SeBackupPrivilege	820	svchost.exe
Token: SeRestorePrivilege	820	svchost.exe
Token: SeShutdownPrivilege	820	svchost.exe
Token: SeSystemEnvironmentPrivilege	820	svchost.exe
Token: SeUndockPrivilege	820	svchost.exe
Token: SeManageVolumePrivilege	820	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	820	svchost.exe
Token: SeIncreaseQuotaPrivilege	820	svchost.exe
Token: SeSecurityPrivilege	820	svchost.exe
Token: SeTakeOwnershipPrivilege	820	svchost.exe
Token: SeLoadDriverPrivilege	820	svchost.exe
Token: SeSystemtimePrivilege	820	svchost.exe
Token: SeBackupPrivilege	820	svchost.exe
Token: SeRestorePrivilege	820	svchost.exe
Token: SeShutdownPrivilege	820	svchost.exe
Token: SeSystemEnvironmentPrivilege	820	svchost.exe
Token: SeUndockPrivilege	820	svchost.exe
Token: SeManageVolumePrivilege	820	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	820	svchost.exe
Token: SeIncreaseQuotaPrivilege	820	svchost.exe
Token: SeSecurityPrivilege	820	svchost.exe
Token: SeTakeOwnershipPrivilege	820	svchost.exe
Token: SeLoadDriverPrivilege	820	svchost.exe
Token: SeSystemtimePrivilege	820	svchost.exe
Token: SeBackupPrivilege	820	svchost.exe
Token: SeRestorePrivilege	820	svchost.exe
Token: SeShutdownPrivilege	820	svchost.exe
Token: SeSystemEnvironmentPrivilege	820	svchost.exe
Token: SeUndockPrivilege	820	svchost.exe
Token: SeManageVolumePrivilege	820	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	820	svchost.exe
Token: SeIncreaseQuotaPrivilege	820	svchost.exe
Token: SeSecurityPrivilege	820	svchost.exe
Token: SeTakeOwnershipPrivilege	820	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.execmd.exeWubo.exedialer.exeservices.execmd.exe

description	pid	process	target process
PID 2300 wrote to memory of 1724	2300	b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe	Insidious.exe
PID 2300 wrote to memory of 1724	2300	b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe	Insidious.exe
PID 2300 wrote to memory of 1724	2300	b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe	Insidious.exe
PID 2300 wrote to memory of 1724	2300	b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe	Insidious.exe
PID 2300 wrote to memory of 2984	2300	b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe	Wubo.exe
PID 2300 wrote to memory of 2984	2300	b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe	Wubo.exe
PID 2300 wrote to memory of 2984	2300	b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe	Wubo.exe
PID 2300 wrote to memory of 2984	2300	b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe	Wubo.exe
PID 628 wrote to memory of 2896	628	cmd.exe	wusa.exe
PID 628 wrote to memory of 2896	628	cmd.exe	wusa.exe
PID 628 wrote to memory of 2896	628	cmd.exe	wusa.exe
PID 2984 wrote to memory of 1152	2984	Wubo.exe	dialer.exe
PID 2984 wrote to memory of 1152	2984	Wubo.exe	dialer.exe
PID 2984 wrote to memory of 1152	2984	Wubo.exe	dialer.exe
PID 2984 wrote to memory of 1152	2984	Wubo.exe	dialer.exe
PID 2984 wrote to memory of 1152	2984	Wubo.exe	dialer.exe
PID 2984 wrote to memory of 1152	2984	Wubo.exe	dialer.exe
PID 2984 wrote to memory of 1152	2984	Wubo.exe	dialer.exe
PID 1152 wrote to memory of 424	1152	dialer.exe	winlogon.exe
PID 1152 wrote to memory of 476	1152	dialer.exe	services.exe
PID 1152 wrote to memory of 492	1152	dialer.exe	lsass.exe
PID 1152 wrote to memory of 500	1152	dialer.exe	lsm.exe
PID 1152 wrote to memory of 596	1152	dialer.exe	svchost.exe
PID 1152 wrote to memory of 672	1152	dialer.exe	svchost.exe
PID 1152 wrote to memory of 756	1152	dialer.exe	svchost.exe
PID 1152 wrote to memory of 792	1152	dialer.exe	svchost.exe
PID 1152 wrote to memory of 820	1152	dialer.exe	svchost.exe
PID 1152 wrote to memory of 956	1152	dialer.exe	svchost.exe
PID 1152 wrote to memory of 1020	1152	dialer.exe	svchost.exe
PID 1152 wrote to memory of 316	1152	dialer.exe	spoolsv.exe
PID 1152 wrote to memory of 1000	1152	dialer.exe	svchost.exe
PID 1152 wrote to memory of 1244	1152	dialer.exe	taskhost.exe
PID 1152 wrote to memory of 1340	1152	dialer.exe	Dwm.exe
PID 1152 wrote to memory of 1396	1152	dialer.exe	Explorer.EXE
PID 1152 wrote to memory of 1700	1152	dialer.exe	OSPPSVC.EXE
PID 1152 wrote to memory of 564	1152	dialer.exe	wmiprvse.exe
PID 1152 wrote to memory of 1188	1152	dialer.exe	DllHost.exe
PID 1152 wrote to memory of 2512	1152	dialer.exe	svchost.exe
PID 1152 wrote to memory of 2540	1152	dialer.exe	sppsvc.exe
PID 1152 wrote to memory of 2984	1152	dialer.exe	Wubo.exe
PID 1152 wrote to memory of 2232	1152	dialer.exe	wmiprvse.exe
PID 1152 wrote to memory of 1232	1152	dialer.exe	powercfg.exe
PID 1152 wrote to memory of 276	1152	dialer.exe	powercfg.exe
PID 1152 wrote to memory of 2100	1152	dialer.exe	powercfg.exe
PID 1152 wrote to memory of 968	1152	dialer.exe	powercfg.exe
PID 1152 wrote to memory of 1168	1152	dialer.exe	conhost.exe
PID 1152 wrote to memory of 1648	1152	dialer.exe	conhost.exe
PID 1152 wrote to memory of 1508	1152	dialer.exe	conhost.exe
PID 1152 wrote to memory of 2220	1152	dialer.exe	conhost.exe
PID 1152 wrote to memory of 2140	1152	dialer.exe	sc.exe
PID 1152 wrote to memory of 2040	1152	dialer.exe	conhost.exe
PID 1152 wrote to memory of 1140	1152	dialer.exe	sc.exe
PID 1152 wrote to memory of 1464	1152	dialer.exe	sc.exe
PID 1152 wrote to memory of 808	1152	dialer.exe	conhost.exe
PID 476 wrote to memory of 2360	476	services.exe	conhost.exe
PID 476 wrote to memory of 2360	476	services.exe	conhost.exe
PID 476 wrote to memory of 2360	476	services.exe	conhost.exe
PID 1152 wrote to memory of 2360	1152	dialer.exe	conhost.exe
PID 1152 wrote to memory of 2360	1152	dialer.exe	conhost.exe
PID 1152 wrote to memory of 1980	1152	dialer.exe	powershell.exe
PID 1152 wrote to memory of 2480	1152	dialer.exe	conhost.exe
PID 844 wrote to memory of 2192	844	cmd.exe	wusa.exe
PID 844 wrote to memory of 2192	844	cmd.exe	wusa.exe
PID 844 wrote to memory of 2192	844	cmd.exe	wusa.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:596
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:564
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1188
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:2232
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Indicator Removal: Clear Windows Event Logs
  PID:756
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:792
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1340
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:956
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:1020
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:316
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1000
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1244
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1700
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2512
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2540
- C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
  C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:2360
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2192
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1520
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:292
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2160
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1040
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2640
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:740
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:1372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:2336
  - - C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
      "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      PID:1556
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1228
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        Drops file in Windows directory
        
        PID:2916
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2032
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:2812
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:1540
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:552
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:2400
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
    - - C:\Windows\system32\dialer.exe
        
        dialer.exe
        5⤵
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    PID:2604

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe
  "C:\Users\Admin\AppData\Local\Temp\b2f98951d0741d0426517fabaaa6e215ec4aa4622a0badb8c8df34e414983e57N.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
- - C:\Users\Admin\AppData\Local\Temp\Wubo.exe
    "C:\Users\Admin\AppData\Local\Temp\Wubo.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:628
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2896
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2720
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2876
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:1512
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:3012
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:1848
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1232
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:276
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2100
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:968
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1152
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "QHRAJGDI"
      4⤵
      Launches sc.exe
      PID:2140
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1840
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:1140
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "QHRAJGDI"
      4⤵
      Launches sc.exe
      PID:1464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1570450323258727314-15443257601778391959-1300631555-1388805083-12658505021171234592"
1⤵
PID:1168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9400579931885651341406501582012991258362302045877641304-1672118250-773726196"
1⤵
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-522021324-1940345535935568101-1591565827-1658622688-18539351-455313225-200462350"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5426935606342423371160707345-269932337-348493533624560473-252607252-354128486"
1⤵
PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-112086606-1240579222325872177-3308115111969393853-241126641776054600653605188"
1⤵
PID:2040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1196560038-10496399708290468-403338189-155590711618351166561111449081623205777"
1⤵
PID:808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "179756739514492896663786526611406527907118289053089966621517372263921931679617"
1⤵
PID:2480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1266033870-1921969293-2302488331111029490181239521218179247321944522556354937877"
1⤵
PID:1936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15856675661636870774-40843576116030867101764910077-1029385602-11641417171259276676"
1⤵
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3367058251317712382314616356-437849463-386221319-1186369956611093617918230115"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-947528091-2001746626-1385135482329633264-146848182014103220323040334-2144454745"
1⤵
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2088882916854563208-316032878-587541055-538688876-1489407137-1595806271-808671095"
1⤵
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-133970883017092785761298155539125221471617947022-1032005393-1356229259-1271592236"
1⤵
PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2047863329-1337230810-939705755-1392268708-1318318427-79431710215894632057893156"
1⤵
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1344620939-545154909713314393-32656516618216367341657446314-1581774067520457589"
1⤵
PID:2332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1827863452-5016927482864896751516915418450762484-101846905-1630069656376820142"
1⤵
PID:1972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2091827111-764773168-19371826541538895270-1004661312103646332-1560512631692657570"
1⤵
PID:1956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17498961881456946710-1271407409174718541715846943-154265432811354160-1190033483"
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
274KB

MD5
2598ab3884bdd09aefb26cb0e930b936

SHA1
8a7e4105fded7484ac643bb3ef5347e54ee2065e

SHA256
9f2384217d21f19566c3def777d2eeed2242f0b552bb29d465f0e3af3f6f70e7

SHA512
0abcc77daed183336127d6c6136fd1a1abf26e738e6b48dd4e87edaeea7ca55a3c4e617e38c6b383c461d478ee38bd0db58af12b53bc5733fc8cb1fe44e31228

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
117B

MD5
12a6f41ce157d212b48e2b7c15f1aa1a

SHA1
c2bcd0ec3ace14a89d05ce81fd8d6ce567c8f637

SHA256
b3f040435ddcf7e3916ff7fadeebfd4831e0b433623b9cd8905ff709e1e4b21b

SHA512
032501ec94d6e696e3af8ff07e24b19eeacc4000130f4762b76668ca7c0d97e8d14d7f67e3e1128aa85b47d949044994f69f3f3bd98b2112ad3d13909f06681c

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
432B

MD5
03ac2095488695db60d2db58e6c8d9a8

SHA1
f70af11342c7d20096a33aab9f7e7c6fa60be3bb

SHA256
6204b8f249741db3d22be52a980cc5ed2102304307ec82a2df4580396e0ec30f

SHA512
3df3623235f6161eb452af721053612697423ea69ff35c0eb9fa32248f40742452d9a1e6ec149f84ef73f47bf27f79aed41fde3e87e142bce1f7e5086682e0a2

Download Submit
C:\Windows\TEMP\mlibtefxlefm.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Wubo.exe

Filesize
5.2MB

MD5
985c69365ae651836f74cc59c3fc8366

SHA1
c731355d6a6cc7b46f6d816dba0e4542e47b6942

SHA256
2856e69e2051ae44379a027b0789d25a553b42a543e1d58ec049e44f529543ed

SHA512
6a7e94cf836cd2568644fa4c069a2bd01237464d7d0f8a42743bb2350d928c5922eb803dd37bb67c5acf7989e90f8db5e494662c9c32e83a0e6f3d1bcac73ead

Download Submit
memory/424-85-0x0000000000BA0000-0x0000000000BCB000-memory.dmp

Filesize
172KB

Download
memory/424-84-0x0000000000B70000-0x0000000000B94000-memory.dmp

Filesize
144KB

Download
memory/424-87-0x0000000036FA0000-0x0000000036FB0000-memory.dmp

Filesize
64KB

Download
memory/424-86-0x000007FEBD680000-0x000007FEBD690000-memory.dmp

Filesize
64KB

Download
memory/424-82-0x0000000000B70000-0x0000000000B94000-memory.dmp

Filesize
144KB

Download
memory/476-92-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/476-94-0x000007FEBD680000-0x000007FEBD690000-memory.dmp

Filesize
64KB

Download
memory/476-95-0x0000000036FA0000-0x0000000036FB0000-memory.dmp

Filesize
64KB

Download
memory/492-101-0x000007FEBD680000-0x000007FEBD690000-memory.dmp

Filesize
64KB

Download
memory/492-99-0x0000000000200000-0x000000000022B000-memory.dmp

Filesize
172KB

Download
memory/492-102-0x0000000036FA0000-0x0000000036FB0000-memory.dmp

Filesize
64KB

Download
memory/1152-79-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1152-78-0x0000000076E40000-0x0000000076F5F000-memory.dmp

Filesize
1.1MB

Download
memory/1152-73-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1152-71-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1152-74-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1152-72-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1152-77-0x0000000076F60000-0x0000000077109000-memory.dmp

Filesize
1.7MB

Download
memory/1152-76-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1356-69-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1356-70-0x00000000021F0000-0x00000000021F8000-memory.dmp

Filesize
32KB

Download
memory/1724-15-0x0000000000AD0000-0x0000000000B1A000-memory.dmp

Filesize
296KB

Download
memory/1980-378-0x000000001A020000-0x000000001A302000-memory.dmp

Filesize
2.9MB

Download
memory/1980-379-0x0000000000A10000-0x0000000000A18000-memory.dmp

Filesize
32KB

Download
memory/2300-14-0x0000000000400000-0x000000000098D000-memory.dmp

Filesize
5.6MB

Download