amadey | f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae

Analysis

max time kernel
152s
max time network
149s
platform
windows10_x64
resource
win10-en-20211104
submitted
07-12-2021 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
Size

341KB
MD5

0632c821ea5bbadb6d2103a007ee4689
SHA1

8216bc0a376f467bf7b071648a13cbe7003d4569
SHA256

f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae
SHA512

04458d753bd6db1cef4b0536cd2f680555a2e7506e03310799f6fd8914bc7102afb1d55f841e1f9066c5a4028130cb92deeaaf41075a0e7804e3a6b05f48af3c

Score

10^/10

amadey arkei bazarloader raccoon redline smokeloader default f797145799b7b1b77b35d81de942eee0908da519 fd4f23250443a724a3d1548e6ab07c481dfc2814 backdoor discovery dropper evasion infostealer loader spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

f797145799b7b1b77b35d81de942eee0908da519

Attributes

url4cnc
http://91.219.236.27/capibar
http://94.158.245.167/capibar
http://185.163.204.216/capibar
http://185.225.19.238/capibar
http://185.163.204.218/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

amadey

Version

2.86

185.215.113.35/d2VxjasuwS/index.php

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

fd4f23250443a724a3d1548e6ab07c481dfc2814

Attributes

url4cnc
http://91.219.236.27/duglassa1
http://94.158.245.167/duglassa1
http://185.163.204.216/duglassa1
http://185.225.19.238/duglassa1
http://185.163.204.218/duglassa1
https://t.me/duglassa1

rc4.plain

Extracted

Family

arkei

Botnet

Default

http://195.133.18.126/ZIaKfGwC3P.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Arkei
Arkei is an infostealer written in C++.
stealer arkei
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/816-137-0x0000000000E50000-0x0000000000EB9000-memory.dmp	family_redline
behavioral1/memory/3596-177-0x0000000000300000-0x00000000003B2000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata

Arkei Stealer Payload 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2072-248-0x0000000000BB0000-0x0000000000F7B000-memory.dmp	family_arkei
behavioral1/memory/2072-249-0x0000000000BB0000-0x0000000000F7B000-memory.dmp	family_arkei
behavioral1/memory/2072-253-0x0000000000BB0000-0x0000000000F7B000-memory.dmp	family_arkei

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2732-238-0x0000000002890000-0x00000000028D0000-memory.dmp	BazarLoaderVar5

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

143F.exe143F.exe8B07.exe8DA8.exeiitshhhiitshhhD14A.exeE214.exetkools.exeFC15.exe3F1A.exetkools.exe

pid	process
4424	143F.exe
4584	143F.exe
648	8B07.exe
816	8DA8.exe
1488	iitshhh
2460	iitshhh
3596	D14A.exe
5112	E214.exe
720	tkools.exe
2988	FC15.exe
2072	3F1A.exe
3956	tkools.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3F1A.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3F1A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3F1A.exe

Deletes itself 1 IoCs

Processes:

pid process

2236
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exe3F1A.exe

pid process

2732 regsvr32.exe
2072 3F1A.exe
2072 3F1A.exe
2072 3F1A.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

3F1A.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3F1A.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

8DA8.exeD14A.exe3F1A.exe

pid process

816 8DA8.exe
3596 D14A.exe
2072 3F1A.exe
2072 3F1A.exe

pid	process
2236

pid	process
2732	regsvr32.exe
2072	3F1A.exe
2072	3F1A.exe
2072	3F1A.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3F1A.exe

pid	process
816	8DA8.exe
3596	D14A.exe
2072	3F1A.exe
2072	3F1A.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe143F.exeiitshhh

description	pid	process	target process
PID 4024 set thread context of 4336	4024	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
PID 4424 set thread context of 4584	4424	143F.exe	143F.exe
PID 1488 set thread context of 2460	1488	iitshhh	iitshhh

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

143F.exeiitshhhf8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	143F.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iitshhh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iitshhh
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	143F.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	143F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iitshhh
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3F1A.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3F1A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3F1A.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

940 schtasks.exe

pid	process
940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe

pid	process
4336	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
4336	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236
2236

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2236
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe143F.exeiitshhh

pid process

4336 f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
4584 143F.exe
2460 iitshhh

pid	process
2236

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

8DA8.exeD14A.exe

description	pid	process
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeDebugPrivilege	816	8DA8.exe
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeDebugPrivilege	3596	D14A.exe
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236
Token: SeShutdownPrivilege	2236
Token: SeCreatePagefilePrivilege	2236

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe143F.exeiitshhhE214.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4024 wrote to memory of 4336	4024	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
PID 4024 wrote to memory of 4336	4024	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
PID 4024 wrote to memory of 4336	4024	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
PID 4024 wrote to memory of 4336	4024	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
PID 4024 wrote to memory of 4336	4024	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
PID 4024 wrote to memory of 4336	4024	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe	f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
PID 2236 wrote to memory of 4424	2236		143F.exe
PID 2236 wrote to memory of 4424	2236		143F.exe
PID 2236 wrote to memory of 4424	2236		143F.exe
PID 4424 wrote to memory of 4584	4424	143F.exe	143F.exe
PID 4424 wrote to memory of 4584	4424	143F.exe	143F.exe
PID 4424 wrote to memory of 4584	4424	143F.exe	143F.exe
PID 4424 wrote to memory of 4584	4424	143F.exe	143F.exe
PID 4424 wrote to memory of 4584	4424	143F.exe	143F.exe
PID 4424 wrote to memory of 4584	4424	143F.exe	143F.exe
PID 2236 wrote to memory of 648	2236		8B07.exe
PID 2236 wrote to memory of 648	2236		8B07.exe
PID 2236 wrote to memory of 648	2236		8B07.exe
PID 2236 wrote to memory of 816	2236		8DA8.exe
PID 2236 wrote to memory of 816	2236		8DA8.exe
PID 2236 wrote to memory of 816	2236		8DA8.exe
PID 1488 wrote to memory of 2460	1488	iitshhh	iitshhh
PID 1488 wrote to memory of 2460	1488	iitshhh	iitshhh
PID 1488 wrote to memory of 2460	1488	iitshhh	iitshhh
PID 1488 wrote to memory of 2460	1488	iitshhh	iitshhh
PID 1488 wrote to memory of 2460	1488	iitshhh	iitshhh
PID 1488 wrote to memory of 2460	1488	iitshhh	iitshhh
PID 2236 wrote to memory of 2732	2236		regsvr32.exe
PID 2236 wrote to memory of 2732	2236		regsvr32.exe
PID 2236 wrote to memory of 3596	2236		D14A.exe
PID 2236 wrote to memory of 3596	2236		D14A.exe
PID 2236 wrote to memory of 3596	2236		D14A.exe
PID 2236 wrote to memory of 5112	2236		E214.exe
PID 2236 wrote to memory of 5112	2236		E214.exe
PID 2236 wrote to memory of 5112	2236		E214.exe
PID 5112 wrote to memory of 2340	5112	E214.exe	cmd.exe
PID 5112 wrote to memory of 2340	5112	E214.exe	cmd.exe
PID 5112 wrote to memory of 2340	5112	E214.exe	cmd.exe
PID 2340 wrote to memory of 5084	2340	cmd.exe	cmd.exe
PID 2340 wrote to memory of 5084	2340	cmd.exe	cmd.exe
PID 2340 wrote to memory of 5084	2340	cmd.exe	cmd.exe
PID 2340 wrote to memory of 1492	2340	cmd.exe	cacls.exe
PID 2340 wrote to memory of 1492	2340	cmd.exe	cacls.exe
PID 2340 wrote to memory of 1492	2340	cmd.exe	cacls.exe
PID 5112 wrote to memory of 2292	5112	E214.exe	cmd.exe
PID 5112 wrote to memory of 2292	5112	E214.exe	cmd.exe
PID 5112 wrote to memory of 2292	5112	E214.exe	cmd.exe
PID 2292 wrote to memory of 4744	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 4744	2292	cmd.exe	cacls.exe
PID 2292 wrote to memory of 4744	2292	cmd.exe	cacls.exe
PID 5112 wrote to memory of 4936	5112	E214.exe	cmd.exe
PID 5112 wrote to memory of 4936	5112	E214.exe	cmd.exe
PID 5112 wrote to memory of 4936	5112	E214.exe	cmd.exe
PID 4936 wrote to memory of 3560	4936	cmd.exe	cmd.exe
PID 4936 wrote to memory of 3560	4936	cmd.exe	cmd.exe
PID 4936 wrote to memory of 3560	4936	cmd.exe	cmd.exe
PID 4936 wrote to memory of 3540	4936	cmd.exe	cacls.exe
PID 4936 wrote to memory of 3540	4936	cmd.exe	cacls.exe
PID 4936 wrote to memory of 3540	4936	cmd.exe	cacls.exe
PID 5112 wrote to memory of 396	5112	E214.exe	cmd.exe
PID 5112 wrote to memory of 396	5112	E214.exe	cmd.exe
PID 5112 wrote to memory of 396	5112	E214.exe	cmd.exe
PID 5112 wrote to memory of 720	5112	E214.exe	tkools.exe
PID 5112 wrote to memory of 720	5112	E214.exe	tkools.exe

C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
"C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
"C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4336

C:\Users\Admin\AppData\Local\Temp\143F.exe
C:\Users\Admin\AppData\Local\Temp\143F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\143F.exe
C:\Users\Admin\AppData\Local\Temp\143F.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4584

C:\Users\Admin\AppData\Local\Temp\8B07.exe
C:\Users\Admin\AppData\Local\Temp\8B07.exe
1⤵
- Executes dropped EXE
PID:648

C:\Users\Admin\AppData\Local\Temp\8DA8.exe
C:\Users\Admin\AppData\Local\Temp\8DA8.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Users\Admin\AppData\Roaming\iitshhh
C:\Users\Admin\AppData\Roaming\iitshhh
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Roaming\iitshhh
C:\Users\Admin\AppData\Roaming\iitshhh
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2460

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CDA0.dll
1⤵
- Loads dropped DLL
PID:2732

C:\Users\Admin\AppData\Local\Temp\D14A.exe
C:\Users\Admin\AppData\Local\Temp\D14A.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Users\Admin\AppData\Local\Temp\E214.exe
C:\Users\Admin\AppData\Local\Temp\E214.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
2⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:5084

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
3⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
3⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
2⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3560

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
3⤵
PID:3540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
2⤵
PID:396

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
3⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
"C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
2⤵
- Executes dropped EXE
PID:720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
3⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
4⤵
PID:1584

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
3⤵
- Creates scheduled task(s)
PID:940

C:\Users\Admin\AppData\Local\Temp\FC15.exe
C:\Users\Admin\AppData\Local\Temp\FC15.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Users\Admin\AppData\Local\Temp\3F1A.exe
C:\Users\Admin\AppData\Local\Temp\3F1A.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:2072

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
1⤵
- Executes dropped EXE
PID:3956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\143F.exe
MD5
0632c821ea5bbadb6d2103a007ee4689

SHA1
8216bc0a376f467bf7b071648a13cbe7003d4569

SHA256
f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae

SHA512
04458d753bd6db1cef4b0536cd2f680555a2e7506e03310799f6fd8914bc7102afb1d55f841e1f9066c5a4028130cb92deeaaf41075a0e7804e3a6b05f48af3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\143F.exe
MD5
0632c821ea5bbadb6d2103a007ee4689

SHA1
8216bc0a376f467bf7b071648a13cbe7003d4569

SHA256
f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae

SHA512
04458d753bd6db1cef4b0536cd2f680555a2e7506e03310799f6fd8914bc7102afb1d55f841e1f9066c5a4028130cb92deeaaf41075a0e7804e3a6b05f48af3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\143F.exe
MD5
0632c821ea5bbadb6d2103a007ee4689

SHA1
8216bc0a376f467bf7b071648a13cbe7003d4569

SHA256
f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae

SHA512
04458d753bd6db1cef4b0536cd2f680555a2e7506e03310799f6fd8914bc7102afb1d55f841e1f9066c5a4028130cb92deeaaf41075a0e7804e3a6b05f48af3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F1A.exe
MD5
dae9362b118838d3781ed2521e9a4b08

SHA1
cc5cb0931066b81ce1c07291262e95826bd1b515

SHA256
bc5b78247fad9bece339750bd83fe5bc84c6f0d72bfa05be543e0116d9f6ac1d

SHA512
d576cba6bdf98b5a7ded33adc6d161639c43b02a4bd206c3b13cf3632391a958d1697e00746bc2a1e243fe77d906ee8587d16f0d8ee267c5326902377b9c4fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F1A.exe
MD5
dae9362b118838d3781ed2521e9a4b08

SHA1
cc5cb0931066b81ce1c07291262e95826bd1b515

SHA256
bc5b78247fad9bece339750bd83fe5bc84c6f0d72bfa05be543e0116d9f6ac1d

SHA512
d576cba6bdf98b5a7ded33adc6d161639c43b02a4bd206c3b13cf3632391a958d1697e00746bc2a1e243fe77d906ee8587d16f0d8ee267c5326902377b9c4fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\88340284281526874389
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\88340284281526874389
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B07.exe
MD5
bce50d5b17bb88f22f0000511026520d

SHA1
599aaed4ee72ec0e0fc4cada844a1c210e332961

SHA256
77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455

SHA512
c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B07.exe
MD5
bce50d5b17bb88f22f0000511026520d

SHA1
599aaed4ee72ec0e0fc4cada844a1c210e332961

SHA256
77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455

SHA512
c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

Download Submit
C:\Users\Admin\AppData\Local\Temp\8DA8.exe
MD5
0cefed061e2a2241ecd302d7790a2f80

SHA1
5f119195af2db118c5fbac21634bea00f5d5b8da

SHA256
014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983

SHA512
7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\8DA8.exe
MD5
0cefed061e2a2241ecd302d7790a2f80

SHA1
5f119195af2db118c5fbac21634bea00f5d5b8da

SHA256
014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983

SHA512
7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDA0.dll
MD5
a49d28798147cc039e3ac341044fe612

SHA1
b950324092db34ad2940560d85f07744dd9e5b0c

SHA256
17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b

SHA512
6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D14A.exe
MD5
6beb00521639f19ea32c64a0799c79b4

SHA1
2d1993a460759b547655480c6aa1f709ca398f34

SHA256
7ee5247dc27418f26e7efe0e84b82e0962d3989851fbae2954f62468e8c7e96b

SHA512
6a59f050fe30ec2c2d7bb427b315b737c56a8143b23f340799e95ba3c8057a813b442f8eb88d03048cc36bba7d0b4cdf15306c896959fefe264ed874267f99cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\D14A.exe
MD5
6beb00521639f19ea32c64a0799c79b4

SHA1
2d1993a460759b547655480c6aa1f709ca398f34

SHA256
7ee5247dc27418f26e7efe0e84b82e0962d3989851fbae2954f62468e8c7e96b

SHA512
6a59f050fe30ec2c2d7bb427b315b737c56a8143b23f340799e95ba3c8057a813b442f8eb88d03048cc36bba7d0b4cdf15306c896959fefe264ed874267f99cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E214.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\E214.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC15.exe
MD5
17d7d479f8344ca0f015eb789155334c

SHA1
ab3075bae5babff2f0c513479a9a7dee2c5244dd

SHA256
dcf88ad773f7a6b5a16e382d74b99a05bdba5eb282568436b32a6457720216ec

SHA512
cf0d9f539db508cb0c559bb251d1f6a1a8adea3c19812c1c6508e72d61f5c5c2dfe77c6c763cc71ac470d9cfa42adb660820f54e69028a211dca2743505082bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC15.exe
MD5
17d7d479f8344ca0f015eb789155334c

SHA1
ab3075bae5babff2f0c513479a9a7dee2c5244dd

SHA256
dcf88ad773f7a6b5a16e382d74b99a05bdba5eb282568436b32a6457720216ec

SHA512
cf0d9f539db508cb0c559bb251d1f6a1a8adea3c19812c1c6508e72d61f5c5c2dfe77c6c763cc71ac470d9cfa42adb660820f54e69028a211dca2743505082bf

Download Submit
C:\Users\Admin\AppData\Roaming\iitshhh
MD5
0632c821ea5bbadb6d2103a007ee4689

SHA1
8216bc0a376f467bf7b071648a13cbe7003d4569

SHA256
f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae

SHA512
04458d753bd6db1cef4b0536cd2f680555a2e7506e03310799f6fd8914bc7102afb1d55f841e1f9066c5a4028130cb92deeaaf41075a0e7804e3a6b05f48af3c

Download Submit
C:\Users\Admin\AppData\Roaming\iitshhh
MD5
0632c821ea5bbadb6d2103a007ee4689

SHA1
8216bc0a376f467bf7b071648a13cbe7003d4569

SHA256
f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae

SHA512
04458d753bd6db1cef4b0536cd2f680555a2e7506e03310799f6fd8914bc7102afb1d55f841e1f9066c5a4028130cb92deeaaf41075a0e7804e3a6b05f48af3c

Download Submit
C:\Users\Admin\AppData\Roaming\iitshhh
MD5
0632c821ea5bbadb6d2103a007ee4689

SHA1
8216bc0a376f467bf7b071648a13cbe7003d4569

SHA256
f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae

SHA512
04458d753bd6db1cef4b0536cd2f680555a2e7506e03310799f6fd8914bc7102afb1d55f841e1f9066c5a4028130cb92deeaaf41075a0e7804e3a6b05f48af3c

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\Local\Temp\CDA0.dll
MD5
a49d28798147cc039e3ac341044fe612

SHA1
b950324092db34ad2940560d85f07744dd9e5b0c

SHA256
17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b

SHA512
6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a

Download Submit
memory/396-217-0x0000000000000000-mapping.dmp

Download
memory/648-131-0x0000000000000000-mapping.dmp

Download
memory/648-140-0x0000000001F80000-0x000000000200F000-memory.dmp

Filesize
572KB

Download
memory/648-153-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/720-218-0x0000000000000000-mapping.dmp

Download
memory/720-223-0x0000000000628000-0x0000000000646000-memory.dmp

Filesize
120KB

Download
memory/720-228-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/816-150-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/816-154-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/816-155-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/816-159-0x0000000006B70000-0x0000000006B71000-memory.dmp

Filesize
4KB

Download
memory/816-160-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/816-161-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/816-162-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/816-163-0x0000000006840000-0x0000000006841000-memory.dmp

Filesize
4KB

Download
memory/816-165-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/816-166-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/816-134-0x0000000000000000-mapping.dmp

Download
memory/816-152-0x0000000076520000-0x0000000077868000-memory.dmp

Filesize
19.3MB

Download
memory/816-137-0x0000000000E50000-0x0000000000EB9000-memory.dmp

Filesize
420KB

Download
memory/816-156-0x00000000730D0000-0x000000007311B000-memory.dmp

Filesize
300KB

Download
memory/816-151-0x0000000075620000-0x0000000075BA4000-memory.dmp

Filesize
5.5MB

Download
memory/816-149-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/816-148-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/816-147-0x0000000006060000-0x0000000006061000-memory.dmp

Filesize
4KB

Download
memory/816-146-0x0000000073530000-0x00000000735B0000-memory.dmp

Filesize
512KB

Download
memory/816-144-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/816-143-0x0000000074AB0000-0x0000000074BA1000-memory.dmp

Filesize
964KB

Download
memory/816-142-0x0000000074D30000-0x0000000074EF2000-memory.dmp

Filesize
1.8MB

Download
memory/816-141-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/816-139-0x0000000002E40000-0x0000000002E85000-memory.dmp

Filesize
276KB

Download
memory/940-227-0x0000000000000000-mapping.dmp

Download
memory/1348-226-0x0000000000000000-mapping.dmp

Download
memory/1492-202-0x0000000000000000-mapping.dmp

Download
memory/1584-229-0x0000000000000000-mapping.dmp

Download
memory/2072-248-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

Filesize
3.8MB

Download
memory/2072-239-0x0000000001420000-0x000000000156A000-memory.dmp

Filesize
1.3MB

Download
memory/2072-235-0x0000000000000000-mapping.dmp

Download
memory/2072-251-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

Filesize
3.8MB

Download
memory/2072-252-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-250-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

Filesize
3.8MB

Download
memory/2072-247-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

Filesize
3.8MB

Download
memory/2072-249-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

Filesize
3.8MB

Download
memory/2072-253-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

Filesize
3.8MB

Download
memory/2072-240-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

Filesize
3.8MB

Download
memory/2072-245-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

Filesize
3.8MB

Download
memory/2072-246-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

Filesize
3.8MB

Download
memory/2072-241-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

Filesize
3.8MB

Download
memory/2072-244-0x0000000074D30000-0x0000000074EF2000-memory.dmp

Filesize
1.8MB

Download
memory/2072-243-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/2072-242-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

Filesize
3.8MB

Download
memory/2236-130-0x0000000002B90000-0x0000000002BA6000-memory.dmp

Filesize
88KB

Download
memory/2236-122-0x0000000000D20000-0x0000000000D36000-memory.dmp

Filesize
88KB

Download
memory/2236-173-0x0000000002BE0000-0x0000000002BF6000-memory.dmp

Filesize
88KB

Download
memory/2292-209-0x0000000000000000-mapping.dmp

Download
memory/2340-198-0x0000000000000000-mapping.dmp

Download
memory/2460-168-0x0000000000402F47-mapping.dmp

Download
memory/2732-238-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/2732-233-0x00000000022D0000-0x00000000022D2000-memory.dmp

Filesize
8KB

Download
memory/2732-234-0x00000000022D0000-0x00000000022D2000-memory.dmp

Filesize
8KB

Download
memory/2732-170-0x0000000000000000-mapping.dmp

Download
memory/2988-231-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/2988-232-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2988-220-0x0000000000000000-mapping.dmp

Download
memory/3540-213-0x0000000000000000-mapping.dmp

Download
memory/3560-212-0x0000000000000000-mapping.dmp

Download
memory/3596-190-0x0000000076520000-0x0000000077868000-memory.dmp

Filesize
19.3MB

Download
memory/3596-193-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/3596-177-0x0000000000300000-0x00000000003B2000-memory.dmp

Filesize
712KB

Download
memory/3596-178-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/3596-179-0x0000000074D30000-0x0000000074EF2000-memory.dmp

Filesize
1.8MB

Download
memory/3596-192-0x0000000073720000-0x000000007376B000-memory.dmp

Filesize
300KB

Download
memory/3596-191-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/3596-180-0x0000000074AB0000-0x0000000074BA1000-memory.dmp

Filesize
964KB

Download
memory/3596-181-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/3596-216-0x00000000067F0000-0x00000000067F1000-memory.dmp

Filesize
4KB

Download
memory/3596-189-0x0000000075620000-0x0000000075BA4000-memory.dmp

Filesize
5.5MB

Download
memory/3596-174-0x0000000000000000-mapping.dmp

Download
memory/3596-184-0x0000000074390000-0x0000000074410000-memory.dmp

Filesize
512KB

Download
memory/3596-183-0x0000000002720000-0x0000000002765000-memory.dmp

Filesize
276KB

Download
memory/3956-261-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3956-260-0x00000000004B0000-0x00000000005FA000-memory.dmp

Filesize
1.3MB

Download
memory/3956-258-0x000000000063E000-0x000000000065C000-memory.dmp

Filesize
120KB

Download
memory/4024-119-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4024-118-0x0000000000861000-0x0000000000872000-memory.dmp

Filesize
68KB

Download
memory/4336-121-0x0000000000402F47-mapping.dmp

Download
memory/4336-120-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4424-126-0x0000000000581000-0x0000000000592000-memory.dmp

Filesize
68KB

Download
memory/4424-123-0x0000000000000000-mapping.dmp

Download
memory/4584-128-0x0000000000402F47-mapping.dmp

Download
memory/4744-210-0x0000000000000000-mapping.dmp

Download
memory/4852-225-0x0000000000000000-mapping.dmp

Download
memory/4936-211-0x0000000000000000-mapping.dmp

Download
memory/5084-201-0x0000000000000000-mapping.dmp

Download
memory/5112-194-0x0000000000000000-mapping.dmp

Download
memory/5112-199-0x0000000002070000-0x00000000020A9000-memory.dmp

Filesize
228KB

Download
memory/5112-200-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download