icedid | 80595d56327a6ffb7dca8f6e07f3ba6889733165ab17ed3ea092f9a5d64e66a2

Resubmissions

03-11-2021 22:18

211103-18dcpscefp 10

03-11-2021 22:11

211103-13x5xscefl 10

Analysis

max time kernel
1802s
max time network
1568s
platform
windows11_x64
resource
win11
submitted
03-11-2021 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39e1159d12d2f3922c834fc67d0b4489.exe
Size

291KB
MD5

39e1159d12d2f3922c834fc67d0b4489
SHA1

e56f34ae6939c962ba439e58eab9667511cacafc
SHA256

80595d56327a6ffb7dca8f6e07f3ba6889733165ab17ed3ea092f9a5d64e66a2
SHA512

271c1028ebe49f3c3875cc02dec83c694d59d43c81a319e2d7410ae33b03eef8abe557ac13e112678519dd7aecb5cdf9c829791a9879a9e4a471085878fa726b

Score

10^/10

icedid redline smokeloader tofsee 101 superstar 3072349713 backdoor banker discovery infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://honawey70.top/

http://wijibui00.top/

rc4.i32

Extracted

Family

icedid

Campaign

3072349713

rifyyoure.ink

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

redline

Botnet

101

185.92.73.142:52097

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3520-193-0x0000000004C20000-0x0000000004C3C000-memory.dmp	family_redline
behavioral2/memory/3520-195-0x0000000004A10000-0x0000000004A2B000-memory.dmp	family_redline
behavioral2/memory/3160-222-0x0000000003600000-0x0000000003630000-memory.dmp	family_redline
behavioral2/memory/3160-223-0x00000000036F0000-0x000000000370B000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 1352 created 5076	1352	WerFault.exe	142B.exe
PID 4732 created 1540	4732	WerFault.exe	2062.exe
PID 2064 created 1016	2064	WerFault.exe	1AB4.exe
PID 5112 created 2612	5112	WerFault.exe	319B.exe

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata

Core1 .NET packer 1 IoCs

Detects packer/loader used by .NET malware.

Processes:

resource	yara_rule
behavioral2/memory/3160-222-0x0000000003600000-0x0000000003630000-memory.dmp	Core1

Downloads MZ/PE file
Executes dropped EXE 11 IoCs

Processes:

1071.exe142B.exe1071.exe1AB4.exe2062.exe25D1.exe319B.exe34B9.exe25D1.exe37C7.exe34B9.exe

pid process

4168 1071.exe
5076 142B.exe
1320 1071.exe
1016 1AB4.exe
1540 2062.exe
4180 25D1.exe
2612 319B.exe
4276 34B9.exe
3520 25D1.exe
3160 37C7.exe
3404 34B9.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2860 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
4168	1071.exe
5076	142B.exe
1320	1071.exe
1016	1AB4.exe
1540	2062.exe
4180	25D1.exe
2612	319B.exe
4276	34B9.exe
3520	25D1.exe
3160	37C7.exe
3404	34B9.exe

pid	process
2860	regsvr32.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

39e1159d12d2f3922c834fc67d0b4489.exe1071.exe25D1.exe34B9.exe

description	pid	process	target process
PID 2832 set thread context of 2400	2832	39e1159d12d2f3922c834fc67d0b4489.exe	39e1159d12d2f3922c834fc67d0b4489.exe
PID 4168 set thread context of 1320	4168	1071.exe	1071.exe
PID 4180 set thread context of 3520	4180	25D1.exe	25D1.exe
PID 4276 set thread context of 3404	4276	34B9.exe	34B9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1560 5076 WerFault.exe 142B.exe
2972 1540 WerFault.exe 2062.exe
1996 1016 WerFault.exe 1AB4.exe
4784 2612 WerFault.exe 319B.exe

pid	pid_target	process	target process
1560	5076	WerFault.exe	142B.exe
2972	1540	WerFault.exe	2062.exe
1996	1016	WerFault.exe	1AB4.exe
4784	2612	WerFault.exe	319B.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1071.exe39e1159d12d2f3922c834fc67d0b4489.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1071.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1071.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1071.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	39e1159d12d2f3922c834fc67d0b4489.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	39e1159d12d2f3922c834fc67d0b4489.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	39e1159d12d2f3922c834fc67d0b4489.exe

Checks processor information in registry 2 TTPs 28 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

39e1159d12d2f3922c834fc67d0b4489.exe

pid	process
2400	39e1159d12d2f3922c834fc67d0b4489.exe
2400	39e1159d12d2f3922c834fc67d0b4489.exe
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3196
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

39e1159d12d2f3922c834fc67d0b4489.exe1071.exe

pid process

2400 39e1159d12d2f3922c834fc67d0b4489.exe
1320 1071.exe

pid	process
3196

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exe34B9.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeRestorePrivilege	1560	WerFault.exe
Token: SeBackupPrivilege	1560	WerFault.exe
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeDebugPrivilege	4276	34B9.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeIncreaseQuotaPrivilege	2640	powershell.exe
Token: SeSecurityPrivilege	2640	powershell.exe
Token: SeTakeOwnershipPrivilege	2640	powershell.exe
Token: SeLoadDriverPrivilege	2640	powershell.exe
Token: SeSystemProfilePrivilege	2640	powershell.exe
Token: SeSystemtimePrivilege	2640	powershell.exe
Token: SeProfSingleProcessPrivilege	2640	powershell.exe
Token: SeIncBasePriorityPrivilege	2640	powershell.exe
Token: SeCreatePagefilePrivilege	2640	powershell.exe
Token: SeBackupPrivilege	2640	powershell.exe
Token: SeRestorePrivilege	2640	powershell.exe
Token: SeShutdownPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeSystemEnvironmentPrivilege	2640	powershell.exe
Token: SeRemoteShutdownPrivilege	2640	powershell.exe
Token: SeUndockPrivilege	2640	powershell.exe
Token: SeManageVolumePrivilege	2640	powershell.exe
Token: 33	2640	powershell.exe
Token: 34	2640	powershell.exe
Token: 35	2640	powershell.exe
Token: 36	2640	powershell.exe
Token: SeIncreaseQuotaPrivilege	2640	powershell.exe
Token: SeSecurityPrivilege	2640	powershell.exe
Token: SeTakeOwnershipPrivilege	2640	powershell.exe
Token: SeLoadDriverPrivilege	2640	powershell.exe
Token: SeSystemProfilePrivilege	2640	powershell.exe
Token: SeSystemtimePrivilege	2640	powershell.exe
Token: SeProfSingleProcessPrivilege	2640	powershell.exe
Token: SeIncBasePriorityPrivilege	2640	powershell.exe
Token: SeCreatePagefilePrivilege	2640	powershell.exe
Token: SeBackupPrivilege	2640	powershell.exe
Token: SeRestorePrivilege	2640	powershell.exe
Token: SeShutdownPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeSystemEnvironmentPrivilege	2640	powershell.exe
Token: SeRemoteShutdownPrivilege	2640	powershell.exe
Token: SeUndockPrivilege	2640	powershell.exe
Token: SeManageVolumePrivilege	2640	powershell.exe
Token: 33	2640	powershell.exe
Token: 34	2640	powershell.exe
Token: 35	2640	powershell.exe
Token: 36	2640	powershell.exe
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeIncreaseQuotaPrivilege	1160	powershell.exe
Token: SeSecurityPrivilege	1160	powershell.exe
Token: SeTakeOwnershipPrivilege	1160	powershell.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3196

pid	process
3196

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

39e1159d12d2f3922c834fc67d0b4489.exe1071.exeWerFault.exeWerFault.exeWerFault.exe25D1.exe34B9.exeWerFault.exe

description	pid	process	target process
PID 2832 wrote to memory of 2400	2832	39e1159d12d2f3922c834fc67d0b4489.exe	39e1159d12d2f3922c834fc67d0b4489.exe
PID 2832 wrote to memory of 2400	2832	39e1159d12d2f3922c834fc67d0b4489.exe	39e1159d12d2f3922c834fc67d0b4489.exe
PID 2832 wrote to memory of 2400	2832	39e1159d12d2f3922c834fc67d0b4489.exe	39e1159d12d2f3922c834fc67d0b4489.exe
PID 2832 wrote to memory of 2400	2832	39e1159d12d2f3922c834fc67d0b4489.exe	39e1159d12d2f3922c834fc67d0b4489.exe
PID 2832 wrote to memory of 2400	2832	39e1159d12d2f3922c834fc67d0b4489.exe	39e1159d12d2f3922c834fc67d0b4489.exe
PID 2832 wrote to memory of 2400	2832	39e1159d12d2f3922c834fc67d0b4489.exe	39e1159d12d2f3922c834fc67d0b4489.exe
PID 3196 wrote to memory of 4168	3196		1071.exe
PID 3196 wrote to memory of 4168	3196		1071.exe
PID 3196 wrote to memory of 4168	3196		1071.exe
PID 3196 wrote to memory of 5076	3196		142B.exe
PID 3196 wrote to memory of 5076	3196		142B.exe
PID 3196 wrote to memory of 5076	3196		142B.exe
PID 4168 wrote to memory of 1320	4168	1071.exe	1071.exe
PID 4168 wrote to memory of 1320	4168	1071.exe	1071.exe
PID 4168 wrote to memory of 1320	4168	1071.exe	1071.exe
PID 4168 wrote to memory of 1320	4168	1071.exe	1071.exe
PID 4168 wrote to memory of 1320	4168	1071.exe	1071.exe
PID 4168 wrote to memory of 1320	4168	1071.exe	1071.exe
PID 3196 wrote to memory of 1016	3196		1AB4.exe
PID 3196 wrote to memory of 1016	3196		1AB4.exe
PID 3196 wrote to memory of 1016	3196		1AB4.exe
PID 1352 wrote to memory of 5076	1352	WerFault.exe	142B.exe
PID 1352 wrote to memory of 5076	1352	WerFault.exe	142B.exe
PID 3196 wrote to memory of 1540	3196		2062.exe
PID 3196 wrote to memory of 1540	3196		2062.exe
PID 3196 wrote to memory of 1540	3196		2062.exe
PID 4732 wrote to memory of 1540	4732	WerFault.exe	2062.exe
PID 4732 wrote to memory of 1540	4732	WerFault.exe	2062.exe
PID 3196 wrote to memory of 4180	3196		25D1.exe
PID 3196 wrote to memory of 4180	3196		25D1.exe
PID 3196 wrote to memory of 4180	3196		25D1.exe
PID 2064 wrote to memory of 1016	2064	WerFault.exe	1AB4.exe
PID 2064 wrote to memory of 1016	2064	WerFault.exe	1AB4.exe
PID 3196 wrote to memory of 2860	3196		regsvr32.exe
PID 3196 wrote to memory of 2860	3196		regsvr32.exe
PID 3196 wrote to memory of 2612	3196		319B.exe
PID 3196 wrote to memory of 2612	3196		319B.exe
PID 3196 wrote to memory of 2612	3196		319B.exe
PID 3196 wrote to memory of 4276	3196		34B9.exe
PID 3196 wrote to memory of 4276	3196		34B9.exe
PID 3196 wrote to memory of 4276	3196		34B9.exe
PID 4180 wrote to memory of 3520	4180	25D1.exe	25D1.exe
PID 4180 wrote to memory of 3520	4180	25D1.exe	25D1.exe
PID 4180 wrote to memory of 3520	4180	25D1.exe	25D1.exe
PID 4180 wrote to memory of 3520	4180	25D1.exe	25D1.exe
PID 4180 wrote to memory of 3520	4180	25D1.exe	25D1.exe
PID 4180 wrote to memory of 3520	4180	25D1.exe	25D1.exe
PID 4180 wrote to memory of 3520	4180	25D1.exe	25D1.exe
PID 4180 wrote to memory of 3520	4180	25D1.exe	25D1.exe
PID 4180 wrote to memory of 3520	4180	25D1.exe	25D1.exe
PID 3196 wrote to memory of 3160	3196		37C7.exe
PID 3196 wrote to memory of 3160	3196		37C7.exe
PID 4276 wrote to memory of 2640	4276	34B9.exe	powershell.exe
PID 4276 wrote to memory of 2640	4276	34B9.exe	powershell.exe
PID 4276 wrote to memory of 2640	4276	34B9.exe	powershell.exe
PID 5112 wrote to memory of 2612	5112	WerFault.exe	319B.exe
PID 5112 wrote to memory of 2612	5112	WerFault.exe	319B.exe
PID 4276 wrote to memory of 1160	4276	34B9.exe	powershell.exe
PID 4276 wrote to memory of 1160	4276	34B9.exe	powershell.exe
PID 4276 wrote to memory of 1160	4276	34B9.exe	powershell.exe
PID 4276 wrote to memory of 4728	4276	34B9.exe	powershell.exe
PID 4276 wrote to memory of 4728	4276	34B9.exe	powershell.exe
PID 4276 wrote to memory of 4728	4276	34B9.exe	powershell.exe
PID 4276 wrote to memory of 3404	4276	34B9.exe	34B9.exe

C:\Users\Admin\AppData\Local\Temp\39e1159d12d2f3922c834fc67d0b4489.exe
"C:\Users\Admin\AppData\Local\Temp\39e1159d12d2f3922c834fc67d0b4489.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\39e1159d12d2f3922c834fc67d0b4489.exe
"C:\Users\Admin\AppData\Local\Temp\39e1159d12d2f3922c834fc67d0b4489.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2400

C:\Users\Admin\AppData\Local\Temp\1071.exe
C:\Users\Admin\AppData\Local\Temp\1071.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4168

C:\Users\Admin\AppData\Local\Temp\1071.exe
C:\Users\Admin\AppData\Local\Temp\1071.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1320

C:\Users\Admin\AppData\Local\Temp\142B.exe
C:\Users\Admin\AppData\Local\Temp\142B.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 292
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Users\Admin\AppData\Local\Temp\1AB4.exe
C:\Users\Admin\AppData\Local\Temp\1AB4.exe
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 236
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5076 -ip 5076
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\2062.exe
C:\Users\Admin\AppData\Local\Temp\2062.exe
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 280
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1540 -ip 1540
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4732

C:\Users\Admin\AppData\Local\Temp\25D1.exe
C:\Users\Admin\AppData\Local\Temp\25D1.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4180

C:\Users\Admin\AppData\Local\Temp\25D1.exe
C:\Users\Admin\AppData\Local\Temp\25D1.exe
2⤵
- Executes dropped EXE
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1016 -ip 1016
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3023.dll
1⤵
- Loads dropped DLL
PID:2860

C:\Users\Admin\AppData\Local\Temp\319B.exe
C:\Users\Admin\AppData\Local\Temp\319B.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 292
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4784

C:\Users\Admin\AppData\Local\Temp\34B9.exe
C:\Users\Admin\AppData\Local\Temp\34B9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
2⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\34B9.exe
C:\Users\Admin\AppData\Local\Temp\34B9.exe
2⤵
- Executes dropped EXE
PID:3404

C:\Users\Admin\AppData\Local\Temp\37C7.exe
C:\Users\Admin\AppData\Local\Temp\37C7.exe
1⤵
- Executes dropped EXE
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2612 -ip 2612
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\34B9.exe.log
MD5
e3f5e106556e7b7a35a2ad38b1d340d1

SHA1
ff2ae660223a05b2249e2be1ca8acda8cecca270

SHA256
606cea503b47200ab760e8e2355963047e04925c54250ce24cd6291a5b7fc24b

SHA512
8f9db377e6375ca8077dbff26b3dbd00feed5bd5a3281e723e818394b4c3b86ac481c48909c580850ddcffa8e6bf546790ea520b1319c76e3b280ca0488c1459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
824cf8e8bed7f69f380617963bbbec50

SHA1
f54aa32e1113cb9c815b38670ae2f5880410afd6

SHA256
7faf409894ae9afb2955b867cf4c35b3fb1573d06f79de2bdb974a2d5b8053ed

SHA512
bd44e015ce01b08e867529da89e492ea7a673fe4d1786340e573f715d8f188b6a4cc02778e60c7332dc622586ae8f169a491760692d651b9b9e9f314d77ce194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f9bdb41a07a376958a3a9b5489080589

SHA1
4f41f61df851d31c621ae3e50499da8dace8ca4a

SHA256
e681cf2fa133784e33c00f80ea4b6421441f04f296fa1bf5bb961e939b1abef6

SHA512
5a911aff6f72b3faf6ad52f3652199ae346f101bc07829525fb0a46ede23ddd6ca96d015e31bbe3a7b696e98716c2703cdf38744eab8210779dfb94a5a94f218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
07e57da302d4899cb242927bd63f95ed

SHA1
3eab1b91bf990b0e9e4d56631b46e47fc9aca60a

SHA256
fe53d674f513f362a57745d2e02de4cc5e94f33adddf7240e2a8e877bc62e4e8

SHA512
4c22ea2a03f8a39ecd8af5e090fbdbd31abf14018faf0823f5cfe9e2cdd0673e6e006e32c170748f0ccb3232109e89249bd2a9b90f494c515ec626bd6a18ce9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1071.exe
MD5
af943f109b7fd38e6a71ab01f989fdd3

SHA1
e5bf33aae98adf6f0d8d601a00752e76b3f75042

SHA256
9a29b1d31cf7fc6df101e7e4c8a0c40cbb0f8789c0cb8fbe13034410a3dec160

SHA512
32cb2598b24857fbd9c43372c2dc6ae593cea071b6d24c294168509955cf2552ce25f72c6dbae80fb2a404c66f0e32a6220a51830a0c87706357c0bb081e94bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1071.exe
MD5
af943f109b7fd38e6a71ab01f989fdd3

SHA1
e5bf33aae98adf6f0d8d601a00752e76b3f75042

SHA256
9a29b1d31cf7fc6df101e7e4c8a0c40cbb0f8789c0cb8fbe13034410a3dec160

SHA512
32cb2598b24857fbd9c43372c2dc6ae593cea071b6d24c294168509955cf2552ce25f72c6dbae80fb2a404c66f0e32a6220a51830a0c87706357c0bb081e94bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1071.exe
MD5
af943f109b7fd38e6a71ab01f989fdd3

SHA1
e5bf33aae98adf6f0d8d601a00752e76b3f75042

SHA256
9a29b1d31cf7fc6df101e7e4c8a0c40cbb0f8789c0cb8fbe13034410a3dec160

SHA512
32cb2598b24857fbd9c43372c2dc6ae593cea071b6d24c294168509955cf2552ce25f72c6dbae80fb2a404c66f0e32a6220a51830a0c87706357c0bb081e94bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\142B.exe
MD5
75e6c2aff85d117e67665bbdb65135c2

SHA1
18a7e734c143851fe75be433ed801e0f723a069e

SHA256
ee5aa1555ccc472a4d5e8e6f34d9b527cd87db85f7c6c2f37148cf3ea422870a

SHA512
5c4966f063af976a7c844b1c161bca833737d2ef8bf5608e899ef774652f92e922097dda0a5713e37b8be37cf6b0ca238117c99b8e37fecab1bd6f2a91472ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\142B.exe
MD5
75e6c2aff85d117e67665bbdb65135c2

SHA1
18a7e734c143851fe75be433ed801e0f723a069e

SHA256
ee5aa1555ccc472a4d5e8e6f34d9b527cd87db85f7c6c2f37148cf3ea422870a

SHA512
5c4966f063af976a7c844b1c161bca833737d2ef8bf5608e899ef774652f92e922097dda0a5713e37b8be37cf6b0ca238117c99b8e37fecab1bd6f2a91472ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AB4.exe
MD5
cd9451e417835fa1447aff560ee9da73

SHA1
51e2c4483795c7717f342556f6f23d1567b614a2

SHA256
70616f9e69227bdc705494fa961e3b30049d14c03893c36bb66851053287fea7

SHA512
bb9f41bbeb161f589dbcd665b01272e28d10ff2467d4099cce90d92ba62c8f0931e04b0e3a722da964b895361bf1c3266bee2342f1a79392d3efb69fb978ab78

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AB4.exe
MD5
cd9451e417835fa1447aff560ee9da73

SHA1
51e2c4483795c7717f342556f6f23d1567b614a2

SHA256
70616f9e69227bdc705494fa961e3b30049d14c03893c36bb66851053287fea7

SHA512
bb9f41bbeb161f589dbcd665b01272e28d10ff2467d4099cce90d92ba62c8f0931e04b0e3a722da964b895361bf1c3266bee2342f1a79392d3efb69fb978ab78

Download Submit
C:\Users\Admin\AppData\Local\Temp\2062.exe
MD5
aa274b420a15cdb8384906a3c45a6d22

SHA1
99bc08e28683f4b07f0c168facce2d529a08d0fa

SHA256
b9e7d6015213b2126e602e7e796f4590cdb2a941b4e8eb30b75bc9c46dce1754

SHA512
1012f2fe52a514cb06f536c6343e9dddb1bcc914dee33c013ec393162c6151f61916bc147068c8db4377f2714f70903fbadfa74d23f104d12180c2d9b00fe7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2062.exe
MD5
aa274b420a15cdb8384906a3c45a6d22

SHA1
99bc08e28683f4b07f0c168facce2d529a08d0fa

SHA256
b9e7d6015213b2126e602e7e796f4590cdb2a941b4e8eb30b75bc9c46dce1754

SHA512
1012f2fe52a514cb06f536c6343e9dddb1bcc914dee33c013ec393162c6151f61916bc147068c8db4377f2714f70903fbadfa74d23f104d12180c2d9b00fe7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\25D1.exe
MD5
8391e1da41407e897ca7c845276fc008

SHA1
aec6b9fcc87c86c816ed4293bc0934a35ca876df

SHA256
e6fa6b1e941d41bce0b6329e2964ef92a68691af5c03aa5f42b604aa7cd3b633

SHA512
b20015132bac8eab66a92ea23d87bef31647a96cdb3f60c8a27ba82fa23aa7bf640943cfd79006764e813175bfa4287c6c3d6cf9705e4dd0a8eef4598783d3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\25D1.exe
MD5
8391e1da41407e897ca7c845276fc008

SHA1
aec6b9fcc87c86c816ed4293bc0934a35ca876df

SHA256
e6fa6b1e941d41bce0b6329e2964ef92a68691af5c03aa5f42b604aa7cd3b633

SHA512
b20015132bac8eab66a92ea23d87bef31647a96cdb3f60c8a27ba82fa23aa7bf640943cfd79006764e813175bfa4287c6c3d6cf9705e4dd0a8eef4598783d3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\25D1.exe
MD5
8391e1da41407e897ca7c845276fc008

SHA1
aec6b9fcc87c86c816ed4293bc0934a35ca876df

SHA256
e6fa6b1e941d41bce0b6329e2964ef92a68691af5c03aa5f42b604aa7cd3b633

SHA512
b20015132bac8eab66a92ea23d87bef31647a96cdb3f60c8a27ba82fa23aa7bf640943cfd79006764e813175bfa4287c6c3d6cf9705e4dd0a8eef4598783d3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\3023.dll
MD5
0417ef8ac85d5dd6225de0506256411b

SHA1
c104d62917371cedd7fe0254ba77bbaf8d12031d

SHA256
b5bf37a69867d4e75f4c2dd4c1e942b8ee9fa65e5c71ae6a990537c98a0f30c4

SHA512
5185d59a94cf2eb070e588008825537631a1993732ffa515843a5a64149d82df76aa1d92fdfb5e9c08bdfcf28c1163380053e5bb27ef568b398090e450a9cfa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3023.dll
MD5
0417ef8ac85d5dd6225de0506256411b

SHA1
c104d62917371cedd7fe0254ba77bbaf8d12031d

SHA256
b5bf37a69867d4e75f4c2dd4c1e942b8ee9fa65e5c71ae6a990537c98a0f30c4

SHA512
5185d59a94cf2eb070e588008825537631a1993732ffa515843a5a64149d82df76aa1d92fdfb5e9c08bdfcf28c1163380053e5bb27ef568b398090e450a9cfa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\319B.exe
MD5
738f696f228f13c18454c013926b38b2

SHA1
04c1ea711ed7077cee2b67c33577caadc24b97e8

SHA256
0fc853cdddb7195dbf6052a7970add6d5cb57f6b7f2478f6e3de20ff87fc890f

SHA512
dc4f05debf4e41b52412b6681efd3ad2622cd9d2f401df317bfbb525797e3fb6000536e78d9dbff67f7149ee5b2db94ba723cff7315816c92095e551974a0038

Download Submit
C:\Users\Admin\AppData\Local\Temp\319B.exe
MD5
738f696f228f13c18454c013926b38b2

SHA1
04c1ea711ed7077cee2b67c33577caadc24b97e8

SHA256
0fc853cdddb7195dbf6052a7970add6d5cb57f6b7f2478f6e3de20ff87fc890f

SHA512
dc4f05debf4e41b52412b6681efd3ad2622cd9d2f401df317bfbb525797e3fb6000536e78d9dbff67f7149ee5b2db94ba723cff7315816c92095e551974a0038

Download Submit
C:\Users\Admin\AppData\Local\Temp\34B9.exe
MD5
036f4601b88c52668d279cf3fcce2a97

SHA1
9d67601c7e37e1d7e7c36820ad360169c16628df

SHA256
aa6843ca9b0bbaf0e41672bf6d3fe076502d3e2ff7683b198428e82e216d42dc

SHA512
08b40274ad8d24a7f7775da9d7755d13aa0a110250008ceb02bae54fa8074d40d6ccfbfe28e2cf2c25d5904d931135a6bfe467ca6b5439422b1d2225c5756d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\34B9.exe
MD5
036f4601b88c52668d279cf3fcce2a97

SHA1
9d67601c7e37e1d7e7c36820ad360169c16628df

SHA256
aa6843ca9b0bbaf0e41672bf6d3fe076502d3e2ff7683b198428e82e216d42dc

SHA512
08b40274ad8d24a7f7775da9d7755d13aa0a110250008ceb02bae54fa8074d40d6ccfbfe28e2cf2c25d5904d931135a6bfe467ca6b5439422b1d2225c5756d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\34B9.exe
MD5
036f4601b88c52668d279cf3fcce2a97

SHA1
9d67601c7e37e1d7e7c36820ad360169c16628df

SHA256
aa6843ca9b0bbaf0e41672bf6d3fe076502d3e2ff7683b198428e82e216d42dc

SHA512
08b40274ad8d24a7f7775da9d7755d13aa0a110250008ceb02bae54fa8074d40d6ccfbfe28e2cf2c25d5904d931135a6bfe467ca6b5439422b1d2225c5756d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\37C7.exe
MD5
1bef6a1a0d0cdcb868aaa9fffd513f25

SHA1
769fce57adacbfca686118f9a45fce099abf2a20

SHA256
a36434a7f29255e4053d5593765e3eb27a4f257581f0a10f76ea8bec24850ab4

SHA512
9cc963e386a8f7c2dcf0369987ebd60b7f45a9cd51d085505edc98aebc1d3e3a0591c32c5d193e9f9d1345780fb79cafbb21e1988a96d9b6fa4fef9cdbe1521a

Download Submit
C:\Users\Admin\AppData\Local\Temp\37C7.exe
MD5
1bef6a1a0d0cdcb868aaa9fffd513f25

SHA1
769fce57adacbfca686118f9a45fce099abf2a20

SHA256
a36434a7f29255e4053d5593765e3eb27a4f257581f0a10f76ea8bec24850ab4

SHA512
9cc963e386a8f7c2dcf0369987ebd60b7f45a9cd51d085505edc98aebc1d3e3a0591c32c5d193e9f9d1345780fb79cafbb21e1988a96d9b6fa4fef9cdbe1521a

Download Submit
memory/1016-175-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/1016-174-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/1016-161-0x0000000000000000-mapping.dmp

Download
memory/1160-259-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1160-272-0x0000000006AD0000-0x0000000006AD1000-memory.dmp

Filesize
4KB

Download
memory/1160-256-0x0000000000000000-mapping.dmp

Download
memory/1160-258-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1160-273-0x0000000006AD2000-0x0000000006AD3000-memory.dmp

Filesize
4KB

Download
memory/1320-158-0x0000000000000000-mapping.dmp

Download
memory/1540-169-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/1540-170-0x0000000000500000-0x0000000000509000-memory.dmp

Filesize
36KB

Download
memory/1540-165-0x0000000000000000-mapping.dmp

Download
memory/2400-149-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2400-148-0x0000000000000000-mapping.dmp

Download
memory/2612-180-0x0000000000000000-mapping.dmp

Download
memory/2612-239-0x00000000009DC000-0x0000000000A13000-memory.dmp

Filesize
220KB

Download
memory/2612-240-0x00000000024E0000-0x000000000252F000-memory.dmp

Filesize
316KB

Download
memory/2640-242-0x0000000009040000-0x0000000009041000-memory.dmp

Filesize
4KB

Download
memory/2640-231-0x0000000004FF2000-0x0000000004FF3000-memory.dmp

Filesize
4KB

Download
memory/2640-243-0x0000000009130000-0x0000000009131000-memory.dmp

Filesize
4KB

Download
memory/2640-241-0x0000000009E30000-0x0000000009E31000-memory.dmp

Filesize
4KB

Download
memory/2640-245-0x000000000B0B0000-0x000000000B0B1000-memory.dmp

Filesize
4KB

Download
memory/2640-255-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/2640-237-0x0000000008BB0000-0x0000000008BB1000-memory.dmp

Filesize
4KB

Download
memory/2640-234-0x0000000008730000-0x0000000008731000-memory.dmp

Filesize
4KB

Download
memory/2640-233-0x0000000008360000-0x0000000008361000-memory.dmp

Filesize
4KB

Download
memory/2640-213-0x0000000000000000-mapping.dmp

Download
memory/2640-232-0x0000000008280000-0x0000000008281000-memory.dmp

Filesize
4KB

Download
memory/2640-224-0x0000000007A30000-0x0000000007A31000-memory.dmp

Filesize
4KB

Download
memory/2640-225-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2640-217-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/2640-226-0x00000000081E0000-0x00000000081E1000-memory.dmp

Filesize
4KB

Download
memory/2640-221-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/2640-220-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/2640-219-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/2832-146-0x0000000000A0D000-0x0000000000A1E000-memory.dmp

Filesize
68KB

Download
memory/2832-147-0x00000000026F0000-0x00000000026F9000-memory.dmp

Filesize
36KB

Download
memory/2860-177-0x0000000000000000-mapping.dmp

Download
memory/2860-183-0x0000000002140000-0x00000000021A3000-memory.dmp

Filesize
396KB

Download
memory/3160-235-0x000000001E7B0000-0x000000001E7B1000-memory.dmp

Filesize
4KB

Download
memory/3160-223-0x00000000036F0000-0x000000000370B000-memory.dmp

Filesize
108KB

Download
memory/3160-201-0x0000000000000000-mapping.dmp

Download
memory/3160-229-0x0000000003760000-0x0000000003762000-memory.dmp

Filesize
8KB

Download
memory/3160-227-0x000000001E8C0000-0x000000001E8C1000-memory.dmp

Filesize
4KB

Download
memory/3160-218-0x0000000003640000-0x0000000003680000-memory.dmp

Filesize
256KB

Download
memory/3160-214-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/3160-253-0x000000001F3D0000-0x000000001F3D1000-memory.dmp

Filesize
4KB

Download
memory/3160-230-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/3160-222-0x0000000003600000-0x0000000003630000-memory.dmp

Filesize
192KB

Download
memory/3160-254-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/3196-176-0x0000000006220000-0x0000000006236000-memory.dmp

Filesize
88KB

Download
memory/3196-150-0x0000000002770000-0x0000000002786000-memory.dmp

Filesize
88KB

Download
memory/3404-326-0x0000000004FA0000-0x00000000055B8000-memory.dmp

Filesize
6.1MB

Download
memory/3404-312-0x0000000000000000-mapping.dmp

Download
memory/3520-193-0x0000000004C20000-0x0000000004C3C000-memory.dmp

Filesize
112KB

Download
memory/3520-252-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/3520-203-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/3520-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-198-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/3520-197-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/3520-204-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/3520-196-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/3520-195-0x0000000004A10000-0x0000000004A2B000-memory.dmp

Filesize
108KB

Download
memory/3520-194-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/3520-206-0x00000000020E4000-0x00000000020E6000-memory.dmp

Filesize
8KB

Download
memory/3520-216-0x0000000005E20000-0x0000000005E21000-memory.dmp

Filesize
4KB

Download
memory/3520-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-187-0x0000000000000000-mapping.dmp

Download
memory/3520-247-0x0000000006A00000-0x0000000006A01000-memory.dmp

Filesize
4KB

Download
memory/3520-248-0x0000000006B60000-0x0000000006B61000-memory.dmp

Filesize
4KB

Download
memory/3520-249-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/3520-250-0x0000000006DD0000-0x0000000006DD1000-memory.dmp

Filesize
4KB

Download
memory/3520-251-0x0000000006FA0000-0x0000000006FA1000-memory.dmp

Filesize
4KB

Download
memory/3520-202-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/3520-209-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/3520-208-0x00000000020E2000-0x00000000020E3000-memory.dmp

Filesize
4KB

Download
memory/3520-210-0x00000000020E3000-0x00000000020E4000-memory.dmp

Filesize
4KB

Download
memory/3520-211-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/4168-157-0x0000000000BAC000-0x0000000000BBC000-memory.dmp

Filesize
64KB

Download
memory/4168-151-0x0000000000000000-mapping.dmp

Download
memory/4180-184-0x0000000000BCC000-0x0000000000BEF000-memory.dmp

Filesize
140KB

Download
memory/4180-171-0x0000000000000000-mapping.dmp

Download
memory/4180-199-0x0000000000A00000-0x0000000000A30000-memory.dmp

Filesize
192KB

Download
memory/4276-185-0x0000000000000000-mapping.dmp

Download
memory/4276-212-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/4276-191-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/4728-299-0x0000000004E22000-0x0000000004E23000-memory.dmp

Filesize
4KB

Download
memory/4728-298-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/4728-283-0x0000000000000000-mapping.dmp

Download
memory/5076-154-0x0000000000000000-mapping.dmp

Download
memory/5076-164-0x00000000009DC000-0x00000000009EC000-memory.dmp

Filesize
64KB

Download
memory/5076-168-0x00000000024B0000-0x00000000024C3000-memory.dmp

Filesize
76KB

Download