amadey | 920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3

Analysis

max time kernel
147s
max time network
138s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe
Size

321KB
MD5

198929adc74b1ba1e260c2b614e1ed80
SHA1

2bc01b272b38257f357104ae6c2a7e70e59aabce
SHA256

920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3
SHA512

094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff

Score

10^/10

amadey redline testid collection infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.08

185.215.113.35/d2VxjasuwS/index.php

Extracted

Family

redline

Botnet

testid

45.147.230.125:14422

Attributes

auth_value
3d3327cccfe43832bb9f6cd3da31d385

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/680-75-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/680-76-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/680-77-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/680-78-0x000000000041ADB2-mapping.dmp	family_redline
behavioral1/memory/680-81-0x0000000000402000-0x000000000041BC00-memory.dmp	family_redline
behavioral1/memory/680-82-0x0000000000402000-0x000000000041BC00-memory.dmp	family_redline

suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

54 1772 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

ftewk.exeftewk.exeftewk.exeftewk.exe

pid process

2036 ftewk.exe
680 ftewk.exe
1600 ftewk.exe
2028 ftewk.exe

flow	pid	process
54	1772	rundll32.exe

pid	process
2036	ftewk.exe
680	ftewk.exe
1600	ftewk.exe
2028	ftewk.exe

Loads dropped DLL 7 IoCs

Processes:

920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exeftewk.exerundll32.exe

pid	process
1704	920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe
1704	920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe
2036	ftewk.exe
1772	rundll32.exe
1772	rundll32.exe
1772	rundll32.exe
1772	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ftewk.exe

description pid process target process

PID 2036 set thread context of 680 2036 ftewk.exe ftewk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

936 schtasks.exe

description	pid	process	target process
PID 2036 set thread context of 680	2036	ftewk.exe	ftewk.exe

pid	process
936	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c000000000200000000001066000000010000200000007348923c43a0c54a2b3bc05164fe2bff914035c75fbe5fec5fe13fcfe3493c98000000000e8000000002000020000000f8aa6a3683e48d48f66616841c128792ce509219f1550410d58c8b56a1d89fca20000000342f75b887111fd8e0baa26cab0683f5c6e69d557e82a60df8705788763e038440000000fe3f9ef28002e25988d213e9f1822c4cf3940a23576a52d9fe1baf07450141c3a5cbc54960679dfec66101234a024005f9fa5b91f33c7c25bba9e89aed7ea486	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{23128C11-D565-11EC-9674-D2F97027F5CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c00000000020000000000106600000001000020000000134c7d656ec8d5df9486254858af9662307f73bba9a7897277424bdfc4895c6b000000000e8000000002000020000000300df47c03f433dc6c1ab2d15fa0dd1dff1a0192e5c5af9202e1cbf72de28a8190000000da1b1ab7c98aabdb7ecc73f33401258a52d2529d0b5e282879f8f64dd13e9b7f447ea23af69af7861305f40dc78ab5dba0017aafba5822d8d50b3d54054ece4994dab7a2475058cc42d7039cd55f97e60f7ce54b04a482caa2ed07a06b615bcc6ebb812b294b66dc097d5a3e03394ca1a6a883a0a2b75eaef2e5c76743a9fcc15652e6f6ffa065d4a7e0f0be1c988121400000002bbb51a44793ed97301c83f2f1c0233ec6f5b23bebfcee3144d7a9dcbeb31ecaf3382a2d267ac967c9e806471bfaa3911cf0b5cc471ae6d10a3bbd8f37f25eb3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359504072"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30dd8d097269d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ftewk.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ftewk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ftewk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ftewk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ftewk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ftewk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ftewk.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

1772 rundll32.exe
1772 rundll32.exe
1772 rundll32.exe
1772 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1308 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1308 iexplore.exe
1308 iexplore.exe
944 IEXPLORE.EXE
944 IEXPLORE.EXE
944 IEXPLORE.EXE
944 IEXPLORE.EXE

pid	process
1772	rundll32.exe
1772	rundll32.exe
1772	rundll32.exe
1772	rundll32.exe

pid	process
1308	iexplore.exe

pid	process
1308	iexplore.exe
1308	iexplore.exe
944	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exeftewk.execmd.exeftewk.exeiexplore.exetaskeng.exe

description	pid	process	target process
PID 1704 wrote to memory of 2036	1704	920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe	ftewk.exe
PID 1704 wrote to memory of 2036	1704	920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe	ftewk.exe
PID 1704 wrote to memory of 2036	1704	920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe	ftewk.exe
PID 1704 wrote to memory of 2036	1704	920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe	ftewk.exe
PID 2036 wrote to memory of 2008	2036	ftewk.exe	cmd.exe
PID 2036 wrote to memory of 2008	2036	ftewk.exe	cmd.exe
PID 2036 wrote to memory of 2008	2036	ftewk.exe	cmd.exe
PID 2036 wrote to memory of 2008	2036	ftewk.exe	cmd.exe
PID 2008 wrote to memory of 1228	2008	cmd.exe	reg.exe
PID 2008 wrote to memory of 1228	2008	cmd.exe	reg.exe
PID 2008 wrote to memory of 1228	2008	cmd.exe	reg.exe
PID 2008 wrote to memory of 1228	2008	cmd.exe	reg.exe
PID 2036 wrote to memory of 936	2036	ftewk.exe	schtasks.exe
PID 2036 wrote to memory of 936	2036	ftewk.exe	schtasks.exe
PID 2036 wrote to memory of 936	2036	ftewk.exe	schtasks.exe
PID 2036 wrote to memory of 936	2036	ftewk.exe	schtasks.exe
PID 2036 wrote to memory of 680	2036	ftewk.exe	ftewk.exe
PID 2036 wrote to memory of 680	2036	ftewk.exe	ftewk.exe
PID 2036 wrote to memory of 680	2036	ftewk.exe	ftewk.exe
PID 2036 wrote to memory of 680	2036	ftewk.exe	ftewk.exe
PID 2036 wrote to memory of 680	2036	ftewk.exe	ftewk.exe
PID 2036 wrote to memory of 680	2036	ftewk.exe	ftewk.exe
PID 2036 wrote to memory of 680	2036	ftewk.exe	ftewk.exe
PID 2036 wrote to memory of 680	2036	ftewk.exe	ftewk.exe
PID 2036 wrote to memory of 680	2036	ftewk.exe	ftewk.exe
PID 680 wrote to memory of 1308	680	ftewk.exe	iexplore.exe
PID 680 wrote to memory of 1308	680	ftewk.exe	iexplore.exe
PID 680 wrote to memory of 1308	680	ftewk.exe	iexplore.exe
PID 680 wrote to memory of 1308	680	ftewk.exe	iexplore.exe
PID 1308 wrote to memory of 944	1308	iexplore.exe	IEXPLORE.EXE
PID 1308 wrote to memory of 944	1308	iexplore.exe	IEXPLORE.EXE
PID 1308 wrote to memory of 944	1308	iexplore.exe	IEXPLORE.EXE
PID 1308 wrote to memory of 944	1308	iexplore.exe	IEXPLORE.EXE
PID 1372 wrote to memory of 1600	1372	taskeng.exe	ftewk.exe
PID 1372 wrote to memory of 1600	1372	taskeng.exe	ftewk.exe
PID 1372 wrote to memory of 1600	1372	taskeng.exe	ftewk.exe
PID 1372 wrote to memory of 1600	1372	taskeng.exe	ftewk.exe
PID 2036 wrote to memory of 1772	2036	ftewk.exe	rundll32.exe
PID 2036 wrote to memory of 1772	2036	ftewk.exe	rundll32.exe
PID 2036 wrote to memory of 1772	2036	ftewk.exe	rundll32.exe
PID 2036 wrote to memory of 1772	2036	ftewk.exe	rundll32.exe
PID 2036 wrote to memory of 1772	2036	ftewk.exe	rundll32.exe
PID 2036 wrote to memory of 1772	2036	ftewk.exe	rundll32.exe
PID 2036 wrote to memory of 1772	2036	ftewk.exe	rundll32.exe
PID 1372 wrote to memory of 2028	1372	taskeng.exe	ftewk.exe
PID 1372 wrote to memory of 2028	1372	taskeng.exe	ftewk.exe
PID 1372 wrote to memory of 2028	1372	taskeng.exe	ftewk.exe
PID 1372 wrote to memory of 2028	1372	taskeng.exe	ftewk.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe
"C:\Users\Admin\AppData\Local\Temp\920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e014321378\
3⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e014321378\
4⤵
PID:1228

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe" /F
3⤵
- Creates scheduled task(s)
PID:936

C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ftewk.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1308

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1308 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:944

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:1772

C:\Windows\system32\taskeng.exe
taskeng.exe {920C09E6-CD93-488D-9E06-9CBE0F7C752C} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
2⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
2⤵
- Executes dropped EXE
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b9811989845f25be26f30947040ec505

SHA1
3edf89bf9ec051868c494d583d22cbd40349c0bb

SHA256
5da84f5349c405b278d5862dfeb2556b296630e53f3c2b688cac7b5d8010293a

SHA512
d2df5935cd215064c632c3eead0d99f66c9a65161487127be65c41a031bf9dd9083cb59644b4e2944f4f143e4b6570dc6186f9f796e71ef0863b88a0fd1ef64f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a08a6caa82c61ff321c88b7347333420

SHA1
bba2b752a43e32da59533dad364a048281e98bf7

SHA256
9c1bae2b890ff0c92eb575b8fbcb6e25f6880906a9cdb900b8c75e12d97da6c3

SHA512
b46f1c18362e8ad585b029f1e8a324bf39aca57f003910b532c772baf55efbda93768f365f75017244ea5ecbaa6bf8eafefb3be1546af82efb7d6a9229c666a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1b4wh1e\imagestore.dat
Filesize
21KB

MD5
f16ecc210a11722167ae77a798074a0d

SHA1
acbd585338ac76976617dc9a38f06996001f1625

SHA256
dc62170b6e58dcd3c95d4249f5e898e5c287fba7c1274b550c165d7d74bd4ba1

SHA512
ff34a449956552fb807162793db64c69ceb10415ef14dd821d775982a2802dfd1784bed81de6e3144071aac9e60a5a111c38bcc425b2b1cc10c34cbb011b0b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
321KB

MD5
198929adc74b1ba1e260c2b614e1ed80

SHA1
2bc01b272b38257f357104ae6c2a7e70e59aabce

SHA256
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3

SHA512
094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
321KB

MD5
198929adc74b1ba1e260c2b614e1ed80

SHA1
2bc01b272b38257f357104ae6c2a7e70e59aabce

SHA256
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3

SHA512
094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
321KB

MD5
198929adc74b1ba1e260c2b614e1ed80

SHA1
2bc01b272b38257f357104ae6c2a7e70e59aabce

SHA256
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3

SHA512
094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
321KB

MD5
198929adc74b1ba1e260c2b614e1ed80

SHA1
2bc01b272b38257f357104ae6c2a7e70e59aabce

SHA256
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3

SHA512
094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
321KB

MD5
198929adc74b1ba1e260c2b614e1ed80

SHA1
2bc01b272b38257f357104ae6c2a7e70e59aabce

SHA256
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3

SHA512
094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff

Download Submit
C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll
Filesize
126KB

MD5
d4ca12f7203548519be8455bd836274f

SHA1
7c8a18a80ba96c3944462f3a68e63b55da0e1bf4

SHA256
7bc6a9edc592553dcb9250d70816f511d43a998f95f4e0b2a347dc2b66f897c4

SHA512
e2cad4293dbb043c6d563710087e9769beeb130a80319c151e9d81d9c74b0b5017a23c3fec9cdc022b45491dc6aa6499e3898488dc9c8486e1df83e6da28e697

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KPEPLWRZ.txt
Filesize
603B

MD5
88e4f3367d1c96a904a2a1eaafc96ee3

SHA1
100deae9793d7dfd81c1715a57e9ac94983bcf8c

SHA256
af5cfb3a9f987053a2b2390d387939aace84c04eddb48654f05a7310ad35710d

SHA512
49074bf3f5541327a492db63fbce1c1536765ad9a9d17d6cb5d80dbd45e2354962af600e3a1548cdcc527e6d3d1a1b961dc9dc686ae34b3dc6fbf2f9f003937e

Download Submit
\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
321KB

MD5
198929adc74b1ba1e260c2b614e1ed80

SHA1
2bc01b272b38257f357104ae6c2a7e70e59aabce

SHA256
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3

SHA512
094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff

Download Submit
\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
321KB

MD5
198929adc74b1ba1e260c2b614e1ed80

SHA1
2bc01b272b38257f357104ae6c2a7e70e59aabce

SHA256
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3

SHA512
094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff

Download Submit
\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
321KB

MD5
198929adc74b1ba1e260c2b614e1ed80

SHA1
2bc01b272b38257f357104ae6c2a7e70e59aabce

SHA256
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3

SHA512
094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff

Download Submit
\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll
Filesize
126KB

MD5
d4ca12f7203548519be8455bd836274f

SHA1
7c8a18a80ba96c3944462f3a68e63b55da0e1bf4

SHA256
7bc6a9edc592553dcb9250d70816f511d43a998f95f4e0b2a347dc2b66f897c4

SHA512
e2cad4293dbb043c6d563710087e9769beeb130a80319c151e9d81d9c74b0b5017a23c3fec9cdc022b45491dc6aa6499e3898488dc9c8486e1df83e6da28e697

Download Submit
\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll
Filesize
126KB

MD5
d4ca12f7203548519be8455bd836274f

SHA1
7c8a18a80ba96c3944462f3a68e63b55da0e1bf4

SHA256
7bc6a9edc592553dcb9250d70816f511d43a998f95f4e0b2a347dc2b66f897c4

SHA512
e2cad4293dbb043c6d563710087e9769beeb130a80319c151e9d81d9c74b0b5017a23c3fec9cdc022b45491dc6aa6499e3898488dc9c8486e1df83e6da28e697

Download Submit
\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll
Filesize
126KB

MD5
d4ca12f7203548519be8455bd836274f

SHA1
7c8a18a80ba96c3944462f3a68e63b55da0e1bf4

SHA256
7bc6a9edc592553dcb9250d70816f511d43a998f95f4e0b2a347dc2b66f897c4

SHA512
e2cad4293dbb043c6d563710087e9769beeb130a80319c151e9d81d9c74b0b5017a23c3fec9cdc022b45491dc6aa6499e3898488dc9c8486e1df83e6da28e697

Download Submit
\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll
Filesize
126KB

MD5
d4ca12f7203548519be8455bd836274f

SHA1
7c8a18a80ba96c3944462f3a68e63b55da0e1bf4

SHA256
7bc6a9edc592553dcb9250d70816f511d43a998f95f4e0b2a347dc2b66f897c4

SHA512
e2cad4293dbb043c6d563710087e9769beeb130a80319c151e9d81d9c74b0b5017a23c3fec9cdc022b45491dc6aa6499e3898488dc9c8486e1df83e6da28e697

Download Submit
memory/680-77-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/680-75-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/680-76-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/680-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/680-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/680-78-0x000000000041ADB2-mapping.dmp

Download
memory/680-81-0x0000000000402000-0x000000000041BC00-memory.dmp

Filesize
103KB

Download
memory/680-82-0x0000000000402000-0x000000000041BC00-memory.dmp

Filesize
103KB

Download
memory/936-69-0x0000000000000000-mapping.dmp

Download
memory/1228-68-0x0000000000000000-mapping.dmp

Download
memory/1600-92-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1600-91-0x0000000000558000-0x0000000000576000-memory.dmp

Filesize
120KB

Download
memory/1600-87-0x0000000000000000-mapping.dmp

Download
memory/1600-89-0x0000000000558000-0x0000000000576000-memory.dmp

Filesize
120KB

Download
memory/1704-57-0x00000000002B0000-0x00000000002E8000-memory.dmp

Filesize
224KB

Download
memory/1704-58-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1704-55-0x00000000755B1000-0x00000000755B3000-memory.dmp

Filesize
8KB

Download
memory/1704-54-0x0000000000508000-0x0000000000526000-memory.dmp

Filesize
120KB

Download
memory/1704-56-0x0000000000508000-0x0000000000526000-memory.dmp

Filesize
120KB

Download
memory/1772-93-0x0000000000000000-mapping.dmp

Download
memory/2008-67-0x0000000000000000-mapping.dmp

Download
memory/2028-102-0x0000000000000000-mapping.dmp

Download
memory/2028-104-0x0000000000268000-0x0000000000286000-memory.dmp

Filesize
120KB

Download
memory/2028-106-0x0000000000268000-0x0000000000286000-memory.dmp

Filesize
120KB

Download
memory/2028-107-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2036-61-0x0000000000000000-mapping.dmp

Download
memory/2036-63-0x00000000002C8000-0x00000000002E6000-memory.dmp

Filesize
120KB

Download
memory/2036-65-0x00000000002C8000-0x00000000002E6000-memory.dmp

Filesize
120KB

Download
memory/2036-66-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download