amadey | 1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451

Analysis

max time kernel
151s
max time network
146s
platform
windows10_x64
resource
win10-en-20211104
submitted
07-12-2021 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe
Size

320KB
MD5

a6fe288d87226f784eeaca4a4fbe8c06
SHA1

3c83d0eea596f0028f9279fa17e444dc33fa250f
SHA256

1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451
SHA512

a505e3d7ff6a6e107819026cbd28183d720a05a5f50601baf0f633c05004774f4a7f58df584384c7c0d503ff9fcd1726d5a0ae4b75ef0092eb1d4cbfddc495ef

Score

10^/10

amadey arkei raccoon redline smokeloader f797145799b7b1b77b35d81de942eee0908da519 fd4f23250443a724a3d1548e6ab07c481dfc2814 backdoor discovery evasion infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

f797145799b7b1b77b35d81de942eee0908da519

Attributes

url4cnc
http://91.219.236.27/capibar
http://94.158.245.167/capibar
http://185.163.204.216/capibar
http://185.225.19.238/capibar
http://185.163.204.218/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

amadey

Version

2.86

185.215.113.35/d2VxjasuwS/index.php

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

fd4f23250443a724a3d1548e6ab07c481dfc2814

Attributes

url4cnc
http://91.219.236.27/duglassa1
http://94.158.245.167/duglassa1
http://185.163.204.216/duglassa1
http://185.225.19.238/duglassa1
http://185.163.204.218/duglassa1
https://t.me/duglassa1

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Arkei
Arkei is an infostealer written in C++.
stealer arkei
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2564-138-0x0000000000B20000-0x0000000000B89000-memory.dmp	family_redline
behavioral1/memory/1616-197-0x0000000000400000-0x00000000007C2000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Arkei Stealer Payload 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2832-279-0x0000000001080000-0x0000000001492000-memory.dmp	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 10 IoCs

Processes:

413.exe413.exe784A.exe7B0A.exeA6CF.exetkools.exeD9A8.exeF04E.exe29FC.exetkools.exe

pid process

3564 413.exe
1060 413.exe
1932 784A.exe
2564 7B0A.exe
1944 A6CF.exe
3616 tkools.exe
1616 D9A8.exe
904 F04E.exe
2832 29FC.exe
2828 tkools.exe

pid	process
3564	413.exe
1060	413.exe
1932	784A.exe
2564	7B0A.exe
1944	A6CF.exe
3616	tkools.exe
1616	D9A8.exe
904	F04E.exe
2832	29FC.exe
2828	tkools.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

D9A8.exe29FC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	D9A8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	D9A8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	29FC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	29FC.exe

Deletes itself 1 IoCs

Processes:

pid process

3064
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exe29FC.exe

pid process

844 regsvr32.exe
2832 29FC.exe
2832 29FC.exe
2832 29FC.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3064

pid	process
844	regsvr32.exe
2832	29FC.exe
2832	29FC.exe
2832	29FC.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

D9A8.exe29FC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	D9A8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	29FC.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

7B0A.exe29FC.exe

pid process

2564 7B0A.exe
2832 29FC.exe
2832 29FC.exe

pid	process
2564	7B0A.exe
2832	29FC.exe
2832	29FC.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe413.exe

description	pid	process	target process
PID 3708 set thread context of 2540	3708	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe
PID 3564 set thread context of 1060	3564	413.exe	413.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2404 2832 WerFault.exe 29FC.exe

pid	pid_target	process	target process
2404	2832	WerFault.exe	29FC.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe413.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	413.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	413.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	413.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2100 schtasks.exe

pid	process
2100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe

pid	process
2540	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe
2540	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3064
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe413.exe

pid process

2540 1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe
1060 413.exe

pid	process
3064

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

7B0A.exeD9A8.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	2564	7B0A.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	1616	D9A8.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeRestorePrivilege	2404	WerFault.exe
Token: SeBackupPrivilege	2404	WerFault.exe
Token: SeDebugPrivilege	2404	WerFault.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe413.exeA6CF.execmd.execmd.execmd.execmd.exetkools.exe

description	pid	process	target process
PID 3708 wrote to memory of 2540	3708	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe
PID 3708 wrote to memory of 2540	3708	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe
PID 3708 wrote to memory of 2540	3708	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe
PID 3708 wrote to memory of 2540	3708	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe
PID 3708 wrote to memory of 2540	3708	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe
PID 3708 wrote to memory of 2540	3708	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe	1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe
PID 3064 wrote to memory of 3564	3064		413.exe
PID 3064 wrote to memory of 3564	3064		413.exe
PID 3064 wrote to memory of 3564	3064		413.exe
PID 3564 wrote to memory of 1060	3564	413.exe	413.exe
PID 3564 wrote to memory of 1060	3564	413.exe	413.exe
PID 3564 wrote to memory of 1060	3564	413.exe	413.exe
PID 3564 wrote to memory of 1060	3564	413.exe	413.exe
PID 3564 wrote to memory of 1060	3564	413.exe	413.exe
PID 3564 wrote to memory of 1060	3564	413.exe	413.exe
PID 3064 wrote to memory of 1932	3064		784A.exe
PID 3064 wrote to memory of 1932	3064		784A.exe
PID 3064 wrote to memory of 1932	3064		784A.exe
PID 3064 wrote to memory of 2564	3064		7B0A.exe
PID 3064 wrote to memory of 2564	3064		7B0A.exe
PID 3064 wrote to memory of 2564	3064		7B0A.exe
PID 3064 wrote to memory of 844	3064		regsvr32.exe
PID 3064 wrote to memory of 844	3064		regsvr32.exe
PID 3064 wrote to memory of 1944	3064		A6CF.exe
PID 3064 wrote to memory of 1944	3064		A6CF.exe
PID 3064 wrote to memory of 1944	3064		A6CF.exe
PID 1944 wrote to memory of 2420	1944	A6CF.exe	cmd.exe
PID 1944 wrote to memory of 2420	1944	A6CF.exe	cmd.exe
PID 1944 wrote to memory of 2420	1944	A6CF.exe	cmd.exe
PID 2420 wrote to memory of 3056	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 3056	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 3056	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 2912	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 2912	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 2912	2420	cmd.exe	cacls.exe
PID 1944 wrote to memory of 2884	1944	A6CF.exe	cmd.exe
PID 1944 wrote to memory of 2884	1944	A6CF.exe	cmd.exe
PID 1944 wrote to memory of 2884	1944	A6CF.exe	cmd.exe
PID 2884 wrote to memory of 3388	2884	cmd.exe	cacls.exe
PID 2884 wrote to memory of 3388	2884	cmd.exe	cacls.exe
PID 2884 wrote to memory of 3388	2884	cmd.exe	cacls.exe
PID 1944 wrote to memory of 964	1944	A6CF.exe	cmd.exe
PID 1944 wrote to memory of 964	1944	A6CF.exe	cmd.exe
PID 1944 wrote to memory of 964	1944	A6CF.exe	cmd.exe
PID 964 wrote to memory of 2244	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 2244	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 2244	964	cmd.exe	cmd.exe
PID 964 wrote to memory of 2404	964	cmd.exe	cacls.exe
PID 964 wrote to memory of 2404	964	cmd.exe	cacls.exe
PID 964 wrote to memory of 2404	964	cmd.exe	cacls.exe
PID 1944 wrote to memory of 3512	1944	A6CF.exe	cmd.exe
PID 1944 wrote to memory of 3512	1944	A6CF.exe	cmd.exe
PID 1944 wrote to memory of 3512	1944	A6CF.exe	cmd.exe
PID 3512 wrote to memory of 4008	3512	cmd.exe	cacls.exe
PID 3512 wrote to memory of 4008	3512	cmd.exe	cacls.exe
PID 3512 wrote to memory of 4008	3512	cmd.exe	cacls.exe
PID 1944 wrote to memory of 3616	1944	A6CF.exe	tkools.exe
PID 1944 wrote to memory of 3616	1944	A6CF.exe	tkools.exe
PID 1944 wrote to memory of 3616	1944	A6CF.exe	tkools.exe
PID 3616 wrote to memory of 3640	3616	tkools.exe	cmd.exe
PID 3616 wrote to memory of 3640	3616	tkools.exe	cmd.exe
PID 3616 wrote to memory of 3640	3616	tkools.exe	cmd.exe
PID 3616 wrote to memory of 2100	3616	tkools.exe	schtasks.exe
PID 3616 wrote to memory of 2100	3616	tkools.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe
"C:\Users\Admin\AppData\Local\Temp\1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3708

C:\Users\Admin\AppData\Local\Temp\1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe
"C:\Users\Admin\AppData\Local\Temp\1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2540

C:\Users\Admin\AppData\Local\Temp\413.exe
C:\Users\Admin\AppData\Local\Temp\413.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\Temp\413.exe
C:\Users\Admin\AppData\Local\Temp\413.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1060

C:\Users\Admin\AppData\Local\Temp\784A.exe
C:\Users\Admin\AppData\Local\Temp\784A.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Users\Admin\AppData\Local\Temp\7B0A.exe
C:\Users\Admin\AppData\Local\Temp\7B0A.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9BB2.dll
1⤵
- Loads dropped DLL
PID:844

C:\Users\Admin\AppData\Local\Temp\A6CF.exe
C:\Users\Admin\AppData\Local\Temp\A6CF.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
2⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3056

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
3⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
2⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
3⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
2⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2244

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
3⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
2⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
3⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
"C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
3⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
4⤵
PID:1684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
3⤵
- Creates scheduled task(s)
PID:2100

C:\Users\Admin\AppData\Local\Temp\D9A8.exe
C:\Users\Admin\AppData\Local\Temp\D9A8.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Users\Admin\AppData\Local\Temp\F04E.exe
C:\Users\Admin\AppData\Local\Temp\F04E.exe
1⤵
- Executes dropped EXE
PID:904

C:\Users\Admin\AppData\Local\Temp\29FC.exe
C:\Users\Admin\AppData\Local\Temp\29FC.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1328
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
1⤵
- Executes dropped EXE
PID:2828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29FC.exe
MD5
0c1da4264ad1c6f7412002e74e6e55d9

SHA1
d7216c84647464b886ba7186fd00b5c0a572dc1b

SHA256
6041f198fd6128b1e7cf23046b146a4f77053aa8d24039c1d495be51be29f0d7

SHA512
081f1c15870cc0f1609095ec5070bba001852c34f73c414e16287955b42e9c4d900ea14e79585e9725cfa47be661b18fb4bed02483f4919634889ed390c437f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\29FC.exe
MD5
0c1da4264ad1c6f7412002e74e6e55d9

SHA1
d7216c84647464b886ba7186fd00b5c0a572dc1b

SHA256
6041f198fd6128b1e7cf23046b146a4f77053aa8d24039c1d495be51be29f0d7

SHA512
081f1c15870cc0f1609095ec5070bba001852c34f73c414e16287955b42e9c4d900ea14e79585e9725cfa47be661b18fb4bed02483f4919634889ed390c437f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\413.exe
MD5
a6fe288d87226f784eeaca4a4fbe8c06

SHA1
3c83d0eea596f0028f9279fa17e444dc33fa250f

SHA256
1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451

SHA512
a505e3d7ff6a6e107819026cbd28183d720a05a5f50601baf0f633c05004774f4a7f58df584384c7c0d503ff9fcd1726d5a0ae4b75ef0092eb1d4cbfddc495ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\413.exe
MD5
a6fe288d87226f784eeaca4a4fbe8c06

SHA1
3c83d0eea596f0028f9279fa17e444dc33fa250f

SHA256
1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451

SHA512
a505e3d7ff6a6e107819026cbd28183d720a05a5f50601baf0f633c05004774f4a7f58df584384c7c0d503ff9fcd1726d5a0ae4b75ef0092eb1d4cbfddc495ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\413.exe
MD5
a6fe288d87226f784eeaca4a4fbe8c06

SHA1
3c83d0eea596f0028f9279fa17e444dc33fa250f

SHA256
1b4e1e9586e86d4728bb9396fe757b258ca6d5f36f8b277e7a5aa19c35c88451

SHA512
a505e3d7ff6a6e107819026cbd28183d720a05a5f50601baf0f633c05004774f4a7f58df584384c7c0d503ff9fcd1726d5a0ae4b75ef0092eb1d4cbfddc495ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\784A.exe
MD5
bce50d5b17bb88f22f0000511026520d

SHA1
599aaed4ee72ec0e0fc4cada844a1c210e332961

SHA256
77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455

SHA512
c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

Download Submit
C:\Users\Admin\AppData\Local\Temp\784A.exe
MD5
bce50d5b17bb88f22f0000511026520d

SHA1
599aaed4ee72ec0e0fc4cada844a1c210e332961

SHA256
77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455

SHA512
c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B0A.exe
MD5
0cefed061e2a2241ecd302d7790a2f80

SHA1
5f119195af2db118c5fbac21634bea00f5d5b8da

SHA256
014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983

SHA512
7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B0A.exe
MD5
0cefed061e2a2241ecd302d7790a2f80

SHA1
5f119195af2db118c5fbac21634bea00f5d5b8da

SHA256
014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983

SHA512
7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\88340284281526874389
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\88340284281526874389
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BB2.dll
MD5
c2326f5c2286b6272f7acde3e2d2915b

SHA1
0f283ca3c4041e3f915af729371405bec94c50b8

SHA256
714616fe3515adc2c2b44781aed900a9e8e37cc4e7239be92f1ca668f40945bd

SHA512
ac4592dcda03337016b25a3723d094c2dcff1477d2fea67140bec329af89d4760a602dd1e35e951856d9698655ffcc3fe87ea6680e77fe70c82d4583956f63ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6CF.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6CF.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9A8.exe
MD5
8ae78c8e658e64d4f01851fef63b8076

SHA1
3f415995143a7b07fe70f7586d75e7175beffc4c

SHA256
94f8655a5751dd58930359931db8e0f3cc0cfe5145eb140b2b8778d9063dd3f0

SHA512
00e3b599e668987b8b9ccd9aadc689c13800f79abc898bef3779d958bbe673f297ef95c011e0ea4aca374646a95fdcd17daefb819a2e677d44a14a6475554e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9A8.exe
MD5
8ae78c8e658e64d4f01851fef63b8076

SHA1
3f415995143a7b07fe70f7586d75e7175beffc4c

SHA256
94f8655a5751dd58930359931db8e0f3cc0cfe5145eb140b2b8778d9063dd3f0

SHA512
00e3b599e668987b8b9ccd9aadc689c13800f79abc898bef3779d958bbe673f297ef95c011e0ea4aca374646a95fdcd17daefb819a2e677d44a14a6475554e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\F04E.exe
MD5
12e524ab34859f7ffdc7f92cdbe2e283

SHA1
3e7b2ac54d1523be93df208c33721a97bec0cb67

SHA256
8016cf2a984909cad748683e27ecef70a65c417317b55e8b4031d0aec1f10f06

SHA512
d667b9e122cf5cbbeeb095151474a27b581039ed6811f51e5d359387094b78bff3f15cf7f69e1d1d79311eb8efbf12f410fe7df5a9d129e2310e88c02ed85ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\F04E.exe
MD5
12e524ab34859f7ffdc7f92cdbe2e283

SHA1
3e7b2ac54d1523be93df208c33721a97bec0cb67

SHA256
8016cf2a984909cad748683e27ecef70a65c417317b55e8b4031d0aec1f10f06

SHA512
d667b9e122cf5cbbeeb095151474a27b581039ed6811f51e5d359387094b78bff3f15cf7f69e1d1d79311eb8efbf12f410fe7df5a9d129e2310e88c02ed85ac7

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\Local\Temp\9BB2.dll
MD5
c2326f5c2286b6272f7acde3e2d2915b

SHA1
0f283ca3c4041e3f915af729371405bec94c50b8

SHA256
714616fe3515adc2c2b44781aed900a9e8e37cc4e7239be92f1ca668f40945bd

SHA512
ac4592dcda03337016b25a3723d094c2dcff1477d2fea67140bec329af89d4760a602dd1e35e951856d9698655ffcc3fe87ea6680e77fe70c82d4583956f63ac

Download Submit
memory/844-157-0x0000000000000000-mapping.dmp

Download
memory/904-265-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/904-264-0x0000000000510000-0x000000000065A000-memory.dmp

Filesize
1.3MB

Download
memory/904-253-0x0000000000000000-mapping.dmp

Download
memory/964-179-0x0000000000000000-mapping.dmp

Download
memory/1060-128-0x0000000000402F47-mapping.dmp

Download
memory/1616-244-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/1616-210-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1616-217-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1616-227-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1616-225-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1616-224-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1616-218-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1616-223-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/1616-222-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/1616-220-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1616-252-0x0000000006460000-0x0000000006461000-memory.dmp

Filesize
4KB

Download
memory/1616-251-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1616-249-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/1616-250-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1616-221-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/1616-243-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/1616-245-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/1616-215-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1616-229-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/1616-219-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1616-247-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1616-248-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/1616-246-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1616-241-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/1616-242-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/1616-240-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1616-230-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/1616-216-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1616-239-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1616-238-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1616-237-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1616-236-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1616-235-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1616-233-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1616-234-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1616-214-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1616-213-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/1616-232-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/1616-231-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/1616-193-0x0000000000000000-mapping.dmp

Download
memory/1616-212-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1616-226-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1616-196-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/1616-197-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/1616-198-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1616-204-0x00000000064B0000-0x00000000064B1000-memory.dmp

Filesize
4KB

Download
memory/1616-205-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1616-208-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1616-209-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/1616-228-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1616-207-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/1616-206-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1616-211-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/1684-190-0x0000000000000000-mapping.dmp

Download
memory/1932-136-0x0000000000618000-0x0000000000667000-memory.dmp

Filesize
316KB

Download
memory/1932-147-0x00000000020A0000-0x000000000212F000-memory.dmp

Filesize
572KB

Download
memory/1932-131-0x0000000000000000-mapping.dmp

Download
memory/1932-149-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1944-171-0x0000000001F60000-0x0000000001F99000-memory.dmp

Filesize
228KB

Download
memory/1944-167-0x0000000000000000-mapping.dmp

Download
memory/1944-172-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2100-189-0x0000000000000000-mapping.dmp

Download
memory/2244-180-0x0000000000000000-mapping.dmp

Download
memory/2404-181-0x0000000000000000-mapping.dmp

Download
memory/2420-173-0x0000000000000000-mapping.dmp

Download
memory/2540-121-0x0000000000402F47-mapping.dmp

Download
memory/2540-120-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2564-155-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/2564-165-0x0000000006C10000-0x0000000006C11000-memory.dmp

Filesize
4KB

Download
memory/2564-153-0x00000000758B0000-0x0000000076BF8000-memory.dmp

Filesize
19.3MB

Download
memory/2564-138-0x0000000000B20000-0x0000000000B89000-memory.dmp

Filesize
420KB

Download
memory/2564-139-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2564-156-0x0000000070490000-0x00000000704DB000-memory.dmp

Filesize
300KB

Download
memory/2564-154-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/2564-146-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2564-140-0x00000000753E0000-0x00000000755A2000-memory.dmp

Filesize
1.8MB

Download
memory/2564-160-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/2564-141-0x0000000074B10000-0x0000000074C01000-memory.dmp

Filesize
964KB

Download
memory/2564-150-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/2564-161-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/2564-134-0x0000000000000000-mapping.dmp

Download
memory/2564-152-0x00000000770C0000-0x0000000077644000-memory.dmp

Filesize
5.5MB

Download
memory/2564-162-0x0000000006440000-0x0000000006441000-memory.dmp

Filesize
4KB

Download
memory/2564-151-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/2564-148-0x0000000000B90000-0x0000000000CDA000-memory.dmp

Filesize
1.3MB

Download
memory/2564-142-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/2564-163-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/2564-164-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/2564-144-0x0000000072220000-0x00000000722A0000-memory.dmp

Filesize
512KB

Download
memory/2564-145-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/2564-166-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/2832-271-0x0000000001080000-0x0000000001492000-memory.dmp

Filesize
4.1MB

Download
memory/2832-279-0x0000000001080000-0x0000000001492000-memory.dmp

Filesize
4.1MB

Download
memory/2832-273-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/2832-278-0x0000000001080000-0x0000000001492000-memory.dmp

Filesize
4.1MB

Download
memory/2832-272-0x0000000001080000-0x0000000001492000-memory.dmp

Filesize
4.1MB

Download
memory/2832-266-0x0000000000000000-mapping.dmp

Download
memory/2832-275-0x0000000001080000-0x0000000001492000-memory.dmp

Filesize
4.1MB

Download
memory/2832-274-0x00000000753E0000-0x00000000755A2000-memory.dmp

Filesize
1.8MB

Download
memory/2832-269-0x0000000000B50000-0x0000000000B95000-memory.dmp

Filesize
276KB

Download
memory/2832-270-0x0000000001080000-0x0000000001492000-memory.dmp

Filesize
4.1MB

Download
memory/2884-177-0x0000000000000000-mapping.dmp

Download
memory/2912-175-0x0000000000000000-mapping.dmp

Download
memory/3056-174-0x0000000000000000-mapping.dmp

Download
memory/3064-130-0x0000000002B00000-0x0000000002B16000-memory.dmp

Filesize
88KB

Download
memory/3064-122-0x0000000000F00000-0x0000000000F16000-memory.dmp

Filesize
88KB

Download
memory/3388-178-0x0000000000000000-mapping.dmp

Download
memory/3512-182-0x0000000000000000-mapping.dmp

Download
memory/3564-123-0x0000000000000000-mapping.dmp

Download
memory/3616-184-0x0000000000000000-mapping.dmp

Download
memory/3616-186-0x00000000006B9000-0x00000000006D7000-memory.dmp

Filesize
120KB

Download
memory/3616-191-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/3616-192-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3640-188-0x0000000000000000-mapping.dmp

Download
memory/3708-119-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4008-183-0x0000000000000000-mapping.dmp

Download