icedid | ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10-en-20211104
submitted
10-11-2021 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe
Size

191KB
MD5

d693018409e0aeacc532ff50858bf40a
SHA1

c63925aab10d8375fea6d75515985224b957dabc
SHA256

ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d
SHA512

3552e9ac2f470e4b9dda378a1373afb14f63b7e82284de0ac50317e49c4af695cf9379ab9c9440d7f6b0ec61efce9bc5f4e21f18d0c61aa81439c7dced20a8c6

Malware Config

Extracted

Family

smokeloader

Version

2020

http://nalirou70.top/

http://xacokuo80.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

icedid

Botnet

1217670233

lakogrefop.rest

hangetilin.top

follytresh.co

zojecurf.store

Attributes

auth_var
14
url_path
/posts/

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes

url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

redline

Botnet

102

185.92.73.142:52097

Extracted

Family

redline

Botnet

pub3

185.215.113.46:80

Extracted

Family

redline

Botnet

1011bankk

charirelay.xyz:80

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3248-147-0x00000000021B0000-0x00000000021CC000-memory.dmp	family_redline
behavioral1/memory/3248-149-0x00000000021E0000-0x00000000021FB000-memory.dmp	family_redline
behavioral1/memory/3592-201-0x0000000003750000-0x0000000003780000-memory.dmp	family_redline
behavioral1/memory/3592-202-0x00000000037B0000-0x00000000037CB000-memory.dmp	family_redline
behavioral1/memory/2808-216-0x00000000049C0000-0x00000000049ED000-memory.dmp	family_redline
behavioral1/memory/2808-218-0x0000000004B40000-0x0000000004B6C000-memory.dmp	family_redline
behavioral1/memory/2096-303-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2096-308-0x0000000000418EF6-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 2424 created 1892	2424	WerFault.exe	B2D9.exe
PID 476 created 876	476	WerFault.exe	C028.exe
PID 2716 created 2252	2716	WerFault.exe	420A.exe

suricata: ET MALWARE Known Sinkhole Response Header
suricata: ET MALWARE Known Sinkhole Response Header
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

Core1 .NET packer 1 IoCs

Detects packer/loader used by .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/3592-201-0x0000000003750000-0x0000000003780000-memory.dmp	Core1

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

F9F1.exeF9F1.exe16A2.exe2549.exe2549.exe420A.exe420A.exe6785.exe767A.exe81A6.exeB2D9.exeC028.exeC7EA.exeC7EA.exe

pid	process
1892	F9F1.exe
416	F9F1.exe
2684	16A2.exe
392	2549.exe
3248	2549.exe
3636	420A.exe
2252	420A.exe
1524	6785.exe
3592	767A.exe
2808	81A6.exe
1892	B2D9.exe
876	C028.exe
3856	C7EA.exe
2592	C7EA.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

B2D9.exe6785.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	B2D9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	B2D9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6785.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6785.exe

Deletes itself 1 IoCs

Processes:

pid process

2264
Loads dropped DLL 2 IoCs

Processes:

16A2.exeregsvr32.exe

pid process

2684 16A2.exe
2072 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2264

pid	process
2684	16A2.exe
2072	regsvr32.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6785.exe	themida
behavioral1/memory/1524-187-0x0000000000940000-0x0000000000941000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

6785.exeB2D9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6785.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	B2D9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6785.exe

pid process

1524 6785.exe

pid	process
1524	6785.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exeF9F1.exe2549.exe420A.exeB2D9.exeC7EA.exe

description	pid	process	target process
PID 2568 set thread context of 2624	2568	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe
PID 1892 set thread context of 416	1892	F9F1.exe	F9F1.exe
PID 392 set thread context of 3248	392	2549.exe	2549.exe
PID 3636 set thread context of 2252	3636	420A.exe	420A.exe
PID 1892 set thread context of 2096	1892	B2D9.exe	AppLaunch.exe
PID 3856 set thread context of 2592	3856	C7EA.exe	C7EA.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2424 1892 WerFault.exe B2D9.exe
476 876 WerFault.exe C028.exe
2716 2252 WerFault.exe 420A.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
2424	1892	WerFault.exe	B2D9.exe
476	876	WerFault.exe	C028.exe
2716	2252	WerFault.exe	420A.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exeF9F1.exe16A2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F9F1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	16A2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	16A2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	16A2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F9F1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F9F1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe

pid	process
2624	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe
2624	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2264
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exeF9F1.exe16A2.exe

pid process

2624 ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe
416 F9F1.exe
2684 16A2.exe

pid	process
2264

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

81A6.exe6785.exe767A.exeWerFault.exeWerFault.exeC7EA.exeAppLaunch.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeDebugPrivilege	2808	81A6.exe
Token: SeDebugPrivilege	1524	6785.exe
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeDebugPrivilege	3592	767A.exe
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeRestorePrivilege	2424	WerFault.exe
Token: SeBackupPrivilege	2424	WerFault.exe
Token: SeRestorePrivilege	476	WerFault.exe
Token: SeBackupPrivilege	476	WerFault.exe
Token: SeBackupPrivilege	476	WerFault.exe
Token: SeDebugPrivilege	3856	C7EA.exe
Token: SeDebugPrivilege	476	WerFault.exe
Token: SeDebugPrivilege	2424	WerFault.exe
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeDebugPrivilege	2096	AppLaunch.exe
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeDebugPrivilege	2716	WerFault.exe
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exeF9F1.exe2549.exe420A.exeB2D9.exe

description	pid	process	target process
PID 2568 wrote to memory of 2624	2568	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe
PID 2568 wrote to memory of 2624	2568	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe
PID 2568 wrote to memory of 2624	2568	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe
PID 2568 wrote to memory of 2624	2568	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe
PID 2568 wrote to memory of 2624	2568	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe
PID 2568 wrote to memory of 2624	2568	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe	ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe
PID 2264 wrote to memory of 1892	2264		F9F1.exe
PID 2264 wrote to memory of 1892	2264		F9F1.exe
PID 2264 wrote to memory of 1892	2264		F9F1.exe
PID 1892 wrote to memory of 416	1892	F9F1.exe	F9F1.exe
PID 1892 wrote to memory of 416	1892	F9F1.exe	F9F1.exe
PID 1892 wrote to memory of 416	1892	F9F1.exe	F9F1.exe
PID 1892 wrote to memory of 416	1892	F9F1.exe	F9F1.exe
PID 1892 wrote to memory of 416	1892	F9F1.exe	F9F1.exe
PID 1892 wrote to memory of 416	1892	F9F1.exe	F9F1.exe
PID 2264 wrote to memory of 2684	2264		16A2.exe
PID 2264 wrote to memory of 2684	2264		16A2.exe
PID 2264 wrote to memory of 2684	2264		16A2.exe
PID 2264 wrote to memory of 392	2264		2549.exe
PID 2264 wrote to memory of 392	2264		2549.exe
PID 2264 wrote to memory of 392	2264		2549.exe
PID 392 wrote to memory of 3248	392	2549.exe	2549.exe
PID 392 wrote to memory of 3248	392	2549.exe	2549.exe
PID 392 wrote to memory of 3248	392	2549.exe	2549.exe
PID 392 wrote to memory of 3248	392	2549.exe	2549.exe
PID 392 wrote to memory of 3248	392	2549.exe	2549.exe
PID 392 wrote to memory of 3248	392	2549.exe	2549.exe
PID 392 wrote to memory of 3248	392	2549.exe	2549.exe
PID 392 wrote to memory of 3248	392	2549.exe	2549.exe
PID 392 wrote to memory of 3248	392	2549.exe	2549.exe
PID 2264 wrote to memory of 2072	2264		regsvr32.exe
PID 2264 wrote to memory of 2072	2264		regsvr32.exe
PID 2264 wrote to memory of 3636	2264		420A.exe
PID 2264 wrote to memory of 3636	2264		420A.exe
PID 2264 wrote to memory of 3636	2264		420A.exe
PID 3636 wrote to memory of 2252	3636	420A.exe	420A.exe
PID 3636 wrote to memory of 2252	3636	420A.exe	420A.exe
PID 3636 wrote to memory of 2252	3636	420A.exe	420A.exe
PID 3636 wrote to memory of 2252	3636	420A.exe	420A.exe
PID 3636 wrote to memory of 2252	3636	420A.exe	420A.exe
PID 3636 wrote to memory of 2252	3636	420A.exe	420A.exe
PID 3636 wrote to memory of 2252	3636	420A.exe	420A.exe
PID 3636 wrote to memory of 2252	3636	420A.exe	420A.exe
PID 3636 wrote to memory of 2252	3636	420A.exe	420A.exe
PID 3636 wrote to memory of 2252	3636	420A.exe	420A.exe
PID 2264 wrote to memory of 1524	2264		6785.exe
PID 2264 wrote to memory of 1524	2264		6785.exe
PID 2264 wrote to memory of 1524	2264		6785.exe
PID 2264 wrote to memory of 3592	2264		767A.exe
PID 2264 wrote to memory of 3592	2264		767A.exe
PID 2264 wrote to memory of 2808	2264		81A6.exe
PID 2264 wrote to memory of 2808	2264		81A6.exe
PID 2264 wrote to memory of 2808	2264		81A6.exe
PID 2264 wrote to memory of 1892	2264		B2D9.exe
PID 2264 wrote to memory of 1892	2264		B2D9.exe
PID 2264 wrote to memory of 1892	2264		B2D9.exe
PID 2264 wrote to memory of 876	2264		C028.exe
PID 2264 wrote to memory of 876	2264		C028.exe
PID 2264 wrote to memory of 876	2264		C028.exe
PID 1892 wrote to memory of 2096	1892	B2D9.exe	AppLaunch.exe
PID 1892 wrote to memory of 2096	1892	B2D9.exe	AppLaunch.exe
PID 1892 wrote to memory of 2096	1892	B2D9.exe	AppLaunch.exe
PID 1892 wrote to memory of 2096	1892	B2D9.exe	AppLaunch.exe
PID 1892 wrote to memory of 2096	1892	B2D9.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe
"C:\Users\Admin\AppData\Local\Temp\ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2568

C:\Users\Admin\AppData\Local\Temp\ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe
"C:\Users\Admin\AppData\Local\Temp\ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2624

C:\Users\Admin\AppData\Local\Temp\F9F1.exe
C:\Users\Admin\AppData\Local\Temp\F9F1.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Local\Temp\F9F1.exe
C:\Users\Admin\AppData\Local\Temp\F9F1.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:416

C:\Users\Admin\AppData\Local\Temp\16A2.exe
C:\Users\Admin\AppData\Local\Temp\16A2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2684

C:\Users\Admin\AppData\Local\Temp\2549.exe
C:\Users\Admin\AppData\Local\Temp\2549.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Local\Temp\2549.exe
C:\Users\Admin\AppData\Local\Temp\2549.exe
2⤵
- Executes dropped EXE
PID:3248

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\33A2.dll
1⤵
- Loads dropped DLL
PID:2072

C:\Users\Admin\AppData\Local\Temp\420A.exe
C:\Users\Admin\AppData\Local\Temp\420A.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3636

C:\Users\Admin\AppData\Local\Temp\420A.exe
C:\Users\Admin\AppData\Local\Temp\420A.exe
2⤵
- Executes dropped EXE
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 1252
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Users\Admin\AppData\Local\Temp\6785.exe
C:\Users\Admin\AppData\Local\Temp\6785.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Users\Admin\AppData\Local\Temp\767A.exe
C:\Users\Admin\AppData\Local\Temp\767A.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Users\Admin\AppData\Local\Temp\81A6.exe
C:\Users\Admin\AppData\Local\Temp\81A6.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Users\Admin\AppData\Local\Temp\B2D9.exe
C:\Users\Admin\AppData\Local\Temp\B2D9.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 556
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Users\Admin\AppData\Local\Temp\C028.exe
C:\Users\Admin\AppData\Local\Temp\C028.exe
1⤵
- Executes dropped EXE
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 904
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:476

C:\Users\Admin\AppData\Local\Temp\C7EA.exe
C:\Users\Admin\AppData\Local\Temp\C7EA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Users\Admin\AppData\Local\Temp\C7EA.exe
"C:\Users\Admin\AppData\Local\Temp\C7EA.exe"
2⤵
- Executes dropped EXE
PID:2592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16A2.exe
MD5
435b9c498c170c228aaa2006c59e91d0

SHA1
49a3706be6ce2bf71fa72402243737a8c2700396

SHA256
1dd7a2de3a100eb6258ba36d8714ab63494934bea8a7ec3756ef40c6655e155a

SHA512
2b3659d67c2e6e004378d539199d10c77ed6be6dd0ab9e71f8accc975d3fbf5cf7476cda5eb5e6bbcdeeb844f5c69d3b73223e8d35d4d334ade630244e185734

Download Submit
C:\Users\Admin\AppData\Local\Temp\16A2.exe
MD5
435b9c498c170c228aaa2006c59e91d0

SHA1
49a3706be6ce2bf71fa72402243737a8c2700396

SHA256
1dd7a2de3a100eb6258ba36d8714ab63494934bea8a7ec3756ef40c6655e155a

SHA512
2b3659d67c2e6e004378d539199d10c77ed6be6dd0ab9e71f8accc975d3fbf5cf7476cda5eb5e6bbcdeeb844f5c69d3b73223e8d35d4d334ade630244e185734

Download Submit
C:\Users\Admin\AppData\Local\Temp\2549.exe
MD5
00ecc4bfe53209cd05c2db9037d784bf

SHA1
39facc3449bb099e01994063660d20cbe9438fa2

SHA256
695c2f3db87b26ccc6fe7c9df7291f6f8b5190df0f814959b6565e3a40c9974b

SHA512
9cdc9d4cb199650c7f860ea2274fc2c6257c08d0fdc3dad513cadce00a2d4268d82ff0b6063fdcc3bedcd98f7112a09d59575bef4c269a3ac6eab6070f31e5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2549.exe
MD5
00ecc4bfe53209cd05c2db9037d784bf

SHA1
39facc3449bb099e01994063660d20cbe9438fa2

SHA256
695c2f3db87b26ccc6fe7c9df7291f6f8b5190df0f814959b6565e3a40c9974b

SHA512
9cdc9d4cb199650c7f860ea2274fc2c6257c08d0fdc3dad513cadce00a2d4268d82ff0b6063fdcc3bedcd98f7112a09d59575bef4c269a3ac6eab6070f31e5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2549.exe
MD5
00ecc4bfe53209cd05c2db9037d784bf

SHA1
39facc3449bb099e01994063660d20cbe9438fa2

SHA256
695c2f3db87b26ccc6fe7c9df7291f6f8b5190df0f814959b6565e3a40c9974b

SHA512
9cdc9d4cb199650c7f860ea2274fc2c6257c08d0fdc3dad513cadce00a2d4268d82ff0b6063fdcc3bedcd98f7112a09d59575bef4c269a3ac6eab6070f31e5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\33A2.dll
MD5
3766ceff9fad0d5ccd13b060ca5269bb

SHA1
8fc8b51db082bc0a34c6088322a070578fb4fb21

SHA256
d0ca2f465d8e620742682dbcc955e7a52e20d71333483d31379d776e1ef0be58

SHA512
e132814c710195b9993331e9108b08aefe1e0a68572128509329e6747c3c948ebb8d52903b113ebb82a5868d66a0f282c116e05a61fd5c57c09447a8f235a105

Download Submit
C:\Users\Admin\AppData\Local\Temp\420A.exe
MD5
bde1dbafbe609f7da66db66356d8f9e3

SHA1
a82f4a80f7f0849ecc021855fcbfbf3220982d06

SHA256
d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86

SHA512
fa4bc50784e84e1466a055e1a14a46b54903dfe0e3c557bed19f2c003486a9196bf4917c73fac087b471669dd42eebcb7550b0fb18cb8ee3baa2763d4e94c4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\420A.exe
MD5
bde1dbafbe609f7da66db66356d8f9e3

SHA1
a82f4a80f7f0849ecc021855fcbfbf3220982d06

SHA256
d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86

SHA512
fa4bc50784e84e1466a055e1a14a46b54903dfe0e3c557bed19f2c003486a9196bf4917c73fac087b471669dd42eebcb7550b0fb18cb8ee3baa2763d4e94c4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\420A.exe
MD5
bde1dbafbe609f7da66db66356d8f9e3

SHA1
a82f4a80f7f0849ecc021855fcbfbf3220982d06

SHA256
d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86

SHA512
fa4bc50784e84e1466a055e1a14a46b54903dfe0e3c557bed19f2c003486a9196bf4917c73fac087b471669dd42eebcb7550b0fb18cb8ee3baa2763d4e94c4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6785.exe
MD5
44121e8776e8b46c5bb42fac373c2b7b

SHA1
0592f7a81a7cc3e05a4422c2a55ca9e54605f09d

SHA256
b3ef01f2d73a4499b93cc2ab7d6cb1b95c0b8e3ecd070d41314800c90c331cf5

SHA512
c3d287454954dfd61e6509fa77a04e0aa189a5220557a29d2ef44d9881f0310041c2b8c38886eadb315b00460b236581d7c1d82503680bca671e29115364db60

Download Submit
C:\Users\Admin\AppData\Local\Temp\767A.exe
MD5
df90b2e12b0377db82d6a1cdcf3b8ad8

SHA1
84c9316a004ec33e5a049583091c1ec1c31b76fb

SHA256
f071bb54ef89464b10aec76d59532d8eb0087b32508a584fbf7a9e3f78cff9d0

SHA512
c9eebed9300fc5598ab3cd90689f0ab43bba5b30b84477e00b18ff47cef157fe10aa3b8f669699f58e50f9fd84e68c0b8b239d2609cce2f3687becca5050d6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\767A.exe
MD5
df90b2e12b0377db82d6a1cdcf3b8ad8

SHA1
84c9316a004ec33e5a049583091c1ec1c31b76fb

SHA256
f071bb54ef89464b10aec76d59532d8eb0087b32508a584fbf7a9e3f78cff9d0

SHA512
c9eebed9300fc5598ab3cd90689f0ab43bba5b30b84477e00b18ff47cef157fe10aa3b8f669699f58e50f9fd84e68c0b8b239d2609cce2f3687becca5050d6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\81A6.exe
MD5
ff5f9201e8bca81a126ea15a536e5eed

SHA1
9c009acb34a16c0a185df24d362da1b690003978

SHA256
efa0c9fc855126fffc9e80bf8de21fa10ab736e14d1956d025b450969a38450c

SHA512
1b3c7e2cad142bbfe8529633b4a8e53f68a3319579a94cfa4e8019628113ea4b341ea397cb5c2e64eda971c5fd07d88f1d3af4f673385f262b5f6a67a2e2f4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\81A6.exe
MD5
ff5f9201e8bca81a126ea15a536e5eed

SHA1
9c009acb34a16c0a185df24d362da1b690003978

SHA256
efa0c9fc855126fffc9e80bf8de21fa10ab736e14d1956d025b450969a38450c

SHA512
1b3c7e2cad142bbfe8529633b4a8e53f68a3319579a94cfa4e8019628113ea4b341ea397cb5c2e64eda971c5fd07d88f1d3af4f673385f262b5f6a67a2e2f4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2D9.exe
MD5
b73c34e7b239cf0d14810c17fecefbe7

SHA1
9cbc5fb855aa90249a721f8277b88ea84bea00b6

SHA256
4c08d306d3272e38e7e592e6dd2f269ab79d9e375dbf2bc5911cadd10fb5755e

SHA512
35ce91ef2bb88fb3b642768501066cfa82848ef7066008181e070b29349b4a6e917ae6e67685b4bfc24abbfee47a698986cd4d23eebd67c54e6beeabd910cbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2D9.exe
MD5
b73c34e7b239cf0d14810c17fecefbe7

SHA1
9cbc5fb855aa90249a721f8277b88ea84bea00b6

SHA256
4c08d306d3272e38e7e592e6dd2f269ab79d9e375dbf2bc5911cadd10fb5755e

SHA512
35ce91ef2bb88fb3b642768501066cfa82848ef7066008181e070b29349b4a6e917ae6e67685b4bfc24abbfee47a698986cd4d23eebd67c54e6beeabd910cbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\C028.exe
MD5
8f508f6039de9e9541bae5fbc0c37671

SHA1
1fc82db9f4e7507c3aa48422a8b52feee480cca7

SHA256
7c109ffd0679b1db5638e0f481fd05cd58e4c230b4f56552ae4f57ac7397a9c7

SHA512
9e4a295e9356a72f44bfc220be0e7b40c9758f902ceba97c88517a711ecb296a167bac77a356ccb0ddfa22853e66cf89e24529cb69361960f7d767371c41c446

Download Submit
C:\Users\Admin\AppData\Local\Temp\C028.exe
MD5
8f508f6039de9e9541bae5fbc0c37671

SHA1
1fc82db9f4e7507c3aa48422a8b52feee480cca7

SHA256
7c109ffd0679b1db5638e0f481fd05cd58e4c230b4f56552ae4f57ac7397a9c7

SHA512
9e4a295e9356a72f44bfc220be0e7b40c9758f902ceba97c88517a711ecb296a167bac77a356ccb0ddfa22853e66cf89e24529cb69361960f7d767371c41c446

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7EA.exe
MD5
e3a09969194309cfee0dc7129e80d005

SHA1
e90a7adca20f5bdc6650600af144f8a160daa28f

SHA256
7924ab50084e33902ddc1cf3eda4ad2ede752ece4e6c113fff01ca1633f77a5e

SHA512
a87db6bbe49b727e55fb2c0cd50cfcf1268a968580cfe5a784fd6c5ff3b97190ea597f5a0577c5d7e4331a2065d80ac40aebc9964ab45d50c6e6a4b8343cce4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7EA.exe
MD5
e3a09969194309cfee0dc7129e80d005

SHA1
e90a7adca20f5bdc6650600af144f8a160daa28f

SHA256
7924ab50084e33902ddc1cf3eda4ad2ede752ece4e6c113fff01ca1633f77a5e

SHA512
a87db6bbe49b727e55fb2c0cd50cfcf1268a968580cfe5a784fd6c5ff3b97190ea597f5a0577c5d7e4331a2065d80ac40aebc9964ab45d50c6e6a4b8343cce4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7EA.exe
MD5
e3a09969194309cfee0dc7129e80d005

SHA1
e90a7adca20f5bdc6650600af144f8a160daa28f

SHA256
7924ab50084e33902ddc1cf3eda4ad2ede752ece4e6c113fff01ca1633f77a5e

SHA512
a87db6bbe49b727e55fb2c0cd50cfcf1268a968580cfe5a784fd6c5ff3b97190ea597f5a0577c5d7e4331a2065d80ac40aebc9964ab45d50c6e6a4b8343cce4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9F1.exe
MD5
d693018409e0aeacc532ff50858bf40a

SHA1
c63925aab10d8375fea6d75515985224b957dabc

SHA256
ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d

SHA512
3552e9ac2f470e4b9dda378a1373afb14f63b7e82284de0ac50317e49c4af695cf9379ab9c9440d7f6b0ec61efce9bc5f4e21f18d0c61aa81439c7dced20a8c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9F1.exe
MD5
d693018409e0aeacc532ff50858bf40a

SHA1
c63925aab10d8375fea6d75515985224b957dabc

SHA256
ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d

SHA512
3552e9ac2f470e4b9dda378a1373afb14f63b7e82284de0ac50317e49c4af695cf9379ab9c9440d7f6b0ec61efce9bc5f4e21f18d0c61aa81439c7dced20a8c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9F1.exe
MD5
d693018409e0aeacc532ff50858bf40a

SHA1
c63925aab10d8375fea6d75515985224b957dabc

SHA256
ef6ec2c79daca2d7a0e57a15a1a1705c0705d615805867a93d9db166f764a79d

SHA512
3552e9ac2f470e4b9dda378a1373afb14f63b7e82284de0ac50317e49c4af695cf9379ab9c9440d7f6b0ec61efce9bc5f4e21f18d0c61aa81439c7dced20a8c6

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\33A2.dll
MD5
3766ceff9fad0d5ccd13b060ca5269bb

SHA1
8fc8b51db082bc0a34c6088322a070578fb4fb21

SHA256
d0ca2f465d8e620742682dbcc955e7a52e20d71333483d31379d776e1ef0be58

SHA512
e132814c710195b9993331e9108b08aefe1e0a68572128509329e6747c3c948ebb8d52903b113ebb82a5868d66a0f282c116e05a61fd5c57c09447a8f235a105

Download Submit
memory/392-139-0x0000000000000000-mapping.dmp

Download
memory/392-145-0x0000000000470000-0x0000000000492000-memory.dmp

Filesize
136KB

Download
memory/392-146-0x00000000004B0000-0x00000000005FA000-memory.dmp

Filesize
1.3MB

Download
memory/416-127-0x0000000000402DC6-mapping.dmp

Download
memory/876-300-0x0000000000000000-mapping.dmp

Download
memory/1524-210-0x0000000006060000-0x0000000006061000-memory.dmp

Filesize
4KB

Download
memory/1524-181-0x0000000000000000-mapping.dmp

Download
memory/1524-234-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/1524-233-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download
memory/1524-232-0x00000000083F0000-0x00000000083F1000-memory.dmp

Filesize
4KB

Download
memory/1524-214-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/1524-213-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/1524-212-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

Filesize
4KB

Download
memory/1524-194-0x0000000005E30000-0x0000000005E31000-memory.dmp

Filesize
4KB

Download
memory/1524-187-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1524-183-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/1892-258-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/1892-276-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1892-251-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1892-274-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/1892-272-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/1892-250-0x0000000002410000-0x0000000002470000-memory.dmp

Filesize
384KB

Download
memory/1892-249-0x0000000000400000-0x00000000007B0000-memory.dmp

Filesize
3.7MB

Download
memory/1892-271-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1892-270-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1892-268-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/1892-248-0x0000000000400000-0x00000000007B0000-memory.dmp

Filesize
3.7MB

Download
memory/1892-247-0x0000000000400000-0x00000000007B0000-memory.dmp

Filesize
3.7MB

Download
memory/1892-244-0x0000000000000000-mapping.dmp

Download
memory/1892-269-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1892-254-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1892-253-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/1892-255-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/1892-256-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1892-277-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1892-252-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1892-259-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/1892-129-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/1892-257-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1892-273-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/1892-275-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1892-267-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1892-130-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/1892-123-0x0000000000000000-mapping.dmp

Download
memory/1892-260-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1892-262-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1892-266-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1892-265-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1892-264-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1892-263-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1892-261-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2072-161-0x0000000000000000-mapping.dmp

Download
memory/2072-164-0x0000000000B30000-0x0000000000B67000-memory.dmp

Filesize
220KB

Download
memory/2096-303-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2096-308-0x0000000000418EF6-mapping.dmp

Download
memory/2252-179-0x0000000000630000-0x00000000006BE000-memory.dmp

Filesize
568KB

Download
memory/2252-180-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2252-172-0x0000000000402998-mapping.dmp

Download
memory/2252-171-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2252-176-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2252-177-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2252-178-0x00000000004A0000-0x00000000005EA000-memory.dmp

Filesize
1.3MB

Download
memory/2264-122-0x0000000001260000-0x0000000001276000-memory.dmp

Filesize
88KB

Download
memory/2264-131-0x0000000003260000-0x0000000003276000-memory.dmp

Filesize
88KB

Download
memory/2264-160-0x0000000003340000-0x0000000003356000-memory.dmp

Filesize
88KB

Download
memory/2568-121-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2568-120-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2592-603-0x000000000043F176-mapping.dmp

Download
memory/2624-118-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2624-119-0x0000000000402DC6-mapping.dmp

Download
memory/2684-138-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2684-132-0x0000000000000000-mapping.dmp

Download
memory/2684-136-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/2684-137-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/2808-228-0x00000000072D2000-0x00000000072D3000-memory.dmp

Filesize
4KB

Download
memory/2808-215-0x0000000002D26000-0x0000000002D52000-memory.dmp

Filesize
176KB

Download
memory/2808-229-0x00000000072D3000-0x00000000072D4000-memory.dmp

Filesize
4KB

Download
memory/2808-224-0x0000000002BF0000-0x0000000002D3A000-memory.dmp

Filesize
1.3MB

Download
memory/2808-227-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/2808-225-0x0000000000400000-0x0000000002B5B000-memory.dmp

Filesize
39.4MB

Download
memory/2808-208-0x0000000000000000-mapping.dmp

Download
memory/2808-216-0x00000000049C0000-0x00000000049ED000-memory.dmp

Filesize
180KB

Download
memory/2808-230-0x00000000072D4000-0x00000000072D6000-memory.dmp

Filesize
8KB

Download
memory/2808-218-0x0000000004B40000-0x0000000004B6C000-memory.dmp

Filesize
176KB

Download
memory/3248-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-159-0x0000000004AC4000-0x0000000004AC6000-memory.dmp

Filesize
8KB

Download
memory/3248-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-143-0x000000000040CD2F-mapping.dmp

Download
memory/3248-147-0x00000000021B0000-0x00000000021CC000-memory.dmp

Filesize
112KB

Download
memory/3248-148-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3248-149-0x00000000021E0000-0x00000000021FB000-memory.dmp

Filesize
108KB

Download
memory/3248-150-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/3248-151-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/3248-152-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/3248-153-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/3248-154-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/3248-156-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/3248-158-0x0000000004AC3000-0x0000000004AC4000-memory.dmp

Filesize
4KB

Download
memory/3248-157-0x0000000004AC2000-0x0000000004AC3000-memory.dmp

Filesize
4KB

Download
memory/3592-203-0x000000001FDB0000-0x000000001FDB1000-memory.dmp

Filesize
4KB

Download
memory/3592-195-0x0000000000000000-mapping.dmp

Download
memory/3592-236-0x0000000020B30000-0x0000000020B31000-memory.dmp

Filesize
4KB

Download
memory/3592-235-0x000000001FD30000-0x000000001FD31000-memory.dmp

Filesize
4KB

Download
memory/3592-231-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/3592-226-0x000000001FEC0000-0x000000001FEC1000-memory.dmp

Filesize
4KB

Download
memory/3592-206-0x00000000036C0000-0x00000000036C2000-memory.dmp

Filesize
8KB

Download
memory/3592-205-0x000000001FCA0000-0x000000001FCA1000-memory.dmp

Filesize
4KB

Download
memory/3592-198-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/3592-200-0x0000000003680000-0x00000000036C0000-memory.dmp

Filesize
256KB

Download
memory/3592-201-0x0000000003750000-0x0000000003780000-memory.dmp

Filesize
192KB

Download
memory/3592-202-0x00000000037B0000-0x00000000037CB000-memory.dmp

Filesize
108KB

Download
memory/3592-237-0x0000000021660000-0x0000000021661000-memory.dmp

Filesize
4KB

Download
memory/3592-204-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download
memory/3636-175-0x00000000022D0000-0x0000000002340000-memory.dmp

Filesize
448KB

Download
memory/3636-174-0x0000000002260000-0x00000000022C3000-memory.dmp

Filesize
396KB

Download
memory/3636-165-0x0000000000000000-mapping.dmp

Download
memory/3636-168-0x00000000020C0000-0x0000000002137000-memory.dmp

Filesize
476KB

Download
memory/3636-169-0x0000000002140000-0x00000000021C3000-memory.dmp

Filesize
524KB

Download
memory/3636-170-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3856-320-0x0000000000000000-mapping.dmp

Download