nymaim | c15f3ac17ea11c15b75f91cfdfb7871d6acfb656bf491a56095940ee340ffb61

Analysis

max time kernel
153s
max time network
155s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
30-10-2022 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c15f3ac17ea11c15b75f91cfdfb7871d6acfb656bf491a56095940ee340ffb61.exe
Size

286KB
MD5

6af8edda3ba74858ffed60c6a4f1bfd2
SHA1

aa41f583fb12db55eab39d1a0aad3fba254606dd
SHA256

c15f3ac17ea11c15b75f91cfdfb7871d6acfb656bf491a56095940ee340ffb61
SHA512

230f3296fc5228af98cc92477eb43f7fb5d0050667240dafaf161784dfba040a28aadb7eebe407e68f9ace5efac4b700db67dba85741feac21fa0dc7d64e86ee
SSDEEP

6144:QuUzvxLlfMCNK5rP4F5/I7W83SawB8a8xn1w:pUzp9PKhPa5/N83SawCa5

Score

10^/10

nymaim smokeloader vidar 937 backdoor bootkit discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Extracted

Family

vidar

Version

55.3

Botnet

937

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2016-146-0x0000000002C90000-0x0000000002C99000-memory.dmp	family_smokeloader

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

71 4956 rundll32.exe
72 4956 rundll32.exe
74 4956 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

39BD.exe52D4.exe6B6E.exe7439.exeA02C.exe39BD.exe39BD.exe39BD.exe39BD.exe

pid process

4792 39BD.exe
1492 52D4.exe
2340 6B6E.exe
4244 7439.exe
4544 A02C.exe
3796 39BD.exe
4252 39BD.exe
4392 39BD.exe
4532 39BD.exe
Deletes itself 1 IoCs

Processes:

pid process

3056
Loads dropped DLL 9 IoCs

Processes:

7439.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

4244 7439.exe
4244 7439.exe
4244 7439.exe
4956 rundll32.exe
1208 rundll32.exe
1208 rundll32.exe
4908 rundll32.exe
4772 rundll32.exe
4772 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
71	4956	rundll32.exe
72	4956	rundll32.exe
74	4956	rundll32.exe

pid	process
4792	39BD.exe
1492	52D4.exe
2340	6B6E.exe
4244	7439.exe
4544	A02C.exe
3796	39BD.exe
4252	39BD.exe
4392	39BD.exe
4532	39BD.exe

pid	process
3056

pid	process
4244	7439.exe
4244	7439.exe
4244	7439.exe
4956	rundll32.exe
1208	rundll32.exe
1208	rundll32.exe
4908	rundll32.exe
4772	rundll32.exe
4772	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

A02C.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	A02C.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	A02C.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

52D4.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 52D4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	52D4.exe

Program crash 50 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3520	4792	WerFault.exe	39BD.exe
3720	2340	WerFault.exe	6B6E.exe
4956	4792	WerFault.exe	39BD.exe
4588	4792	WerFault.exe	39BD.exe
4692	2340	WerFault.exe	6B6E.exe
4760	4792	WerFault.exe	39BD.exe
4024	4792	WerFault.exe	39BD.exe
924	2340	WerFault.exe	6B6E.exe
232	2340	WerFault.exe	6B6E.exe
32	4792	WerFault.exe	39BD.exe
4384	4792	WerFault.exe	39BD.exe
620	2340	WerFault.exe	6B6E.exe
4368	2340	WerFault.exe	6B6E.exe
2904	2340	WerFault.exe	6B6E.exe
2144	2340	WerFault.exe	6B6E.exe
2484	4792	WerFault.exe	39BD.exe
392	2340	WerFault.exe	6B6E.exe
4312	3796	WerFault.exe	39BD.exe
3032	3796	WerFault.exe	39BD.exe
4984	4244	WerFault.exe	7439.exe
844	3796	WerFault.exe	39BD.exe
4488	3796	WerFault.exe	39BD.exe
3216	3796	WerFault.exe	39BD.exe
564	3796	WerFault.exe	39BD.exe
4524	3796	WerFault.exe	39BD.exe
3520	3796	WerFault.exe	39BD.exe
4740	4252	WerFault.exe	39BD.exe
3168	4252	WerFault.exe	39BD.exe
3340	4252	WerFault.exe	39BD.exe
3932	4252	WerFault.exe	39BD.exe
196	4252	WerFault.exe	39BD.exe
3088	4252	WerFault.exe	39BD.exe
684	4252	WerFault.exe	39BD.exe
1812	4252	WerFault.exe	39BD.exe
5080	4392	WerFault.exe	39BD.exe
4860	4392	WerFault.exe	39BD.exe
1948	4392	WerFault.exe	39BD.exe
4444	4392	WerFault.exe	39BD.exe
3952	4392	WerFault.exe	39BD.exe
4600	4392	WerFault.exe	39BD.exe
4540	4392	WerFault.exe	39BD.exe
4376	4392	WerFault.exe	39BD.exe
2140	4532	WerFault.exe	39BD.exe
1900	4532	WerFault.exe	39BD.exe
4220	4532	WerFault.exe	39BD.exe
2864	4532	WerFault.exe	39BD.exe
1620	4532	WerFault.exe	39BD.exe
3032	4532	WerFault.exe	39BD.exe
4472	4532	WerFault.exe	39BD.exe
4476	4532	WerFault.exe	39BD.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c15f3ac17ea11c15b75f91cfdfb7871d6acfb656bf491a56095940ee340ffb61.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c15f3ac17ea11c15b75f91cfdfb7871d6acfb656bf491a56095940ee340ffb61.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c15f3ac17ea11c15b75f91cfdfb7871d6acfb656bf491a56095940ee340ffb61.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c15f3ac17ea11c15b75f91cfdfb7871d6acfb656bf491a56095940ee340ffb61.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7439.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7439.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7439.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2124 tasklist.exe

pid	process
2124	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c15f3ac17ea11c15b75f91cfdfb7871d6acfb656bf491a56095940ee340ffb61.exe

pid	process
2016	c15f3ac17ea11c15b75f91cfdfb7871d6acfb656bf491a56095940ee340ffb61.exe
2016	c15f3ac17ea11c15b75f91cfdfb7871d6acfb656bf491a56095940ee340ffb61.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3056
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

c15f3ac17ea11c15b75f91cfdfb7871d6acfb656bf491a56095940ee340ffb61.exe

pid process

2016 c15f3ac17ea11c15b75f91cfdfb7871d6acfb656bf491a56095940ee340ffb61.exe

pid	process
3056

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

A02C.exe39BD.execmd.exe39BD.exe39BD.exe39BD.exe

description	pid	process	target process
PID 3056 wrote to memory of 4792	3056		39BD.exe
PID 3056 wrote to memory of 4792	3056		39BD.exe
PID 3056 wrote to memory of 4792	3056		39BD.exe
PID 3056 wrote to memory of 1492	3056		52D4.exe
PID 3056 wrote to memory of 1492	3056		52D4.exe
PID 3056 wrote to memory of 1492	3056		52D4.exe
PID 3056 wrote to memory of 2340	3056		6B6E.exe
PID 3056 wrote to memory of 2340	3056		6B6E.exe
PID 3056 wrote to memory of 2340	3056		6B6E.exe
PID 3056 wrote to memory of 4244	3056		7439.exe
PID 3056 wrote to memory of 4244	3056		7439.exe
PID 3056 wrote to memory of 4244	3056		7439.exe
PID 3056 wrote to memory of 4544	3056		A02C.exe
PID 3056 wrote to memory of 4544	3056		A02C.exe
PID 3056 wrote to memory of 4544	3056		A02C.exe
PID 4544 wrote to memory of 3812	4544	A02C.exe	dllhost.exe
PID 4544 wrote to memory of 3812	4544	A02C.exe	dllhost.exe
PID 4544 wrote to memory of 3812	4544	A02C.exe	dllhost.exe
PID 4792 wrote to memory of 3796	4792	39BD.exe	39BD.exe
PID 4792 wrote to memory of 3796	4792	39BD.exe	39BD.exe
PID 4792 wrote to memory of 3796	4792	39BD.exe	39BD.exe
PID 4544 wrote to memory of 3408	4544	A02C.exe	cmd.exe
PID 4544 wrote to memory of 3408	4544	A02C.exe	cmd.exe
PID 4544 wrote to memory of 3408	4544	A02C.exe	cmd.exe
PID 3408 wrote to memory of 2356	3408	cmd.exe	cmd.exe
PID 3408 wrote to memory of 2356	3408	cmd.exe	cmd.exe
PID 3408 wrote to memory of 2356	3408	cmd.exe	cmd.exe
PID 3796 wrote to memory of 4252	3796	39BD.exe	39BD.exe
PID 3796 wrote to memory of 4252	3796	39BD.exe	39BD.exe
PID 3796 wrote to memory of 4252	3796	39BD.exe	39BD.exe
PID 4792 wrote to memory of 4956	4792	39BD.exe	rundll32.exe
PID 4792 wrote to memory of 4956	4792	39BD.exe	rundll32.exe
PID 4792 wrote to memory of 4956	4792	39BD.exe	rundll32.exe
PID 4252 wrote to memory of 4392	4252	39BD.exe	39BD.exe
PID 4252 wrote to memory of 4392	4252	39BD.exe	39BD.exe
PID 4252 wrote to memory of 4392	4252	39BD.exe	39BD.exe
PID 4252 wrote to memory of 1208	4252	39BD.exe	rundll32.exe
PID 4252 wrote to memory of 1208	4252	39BD.exe	rundll32.exe
PID 4252 wrote to memory of 1208	4252	39BD.exe	rundll32.exe
PID 3796 wrote to memory of 4908	3796	39BD.exe	rundll32.exe
PID 3796 wrote to memory of 4908	3796	39BD.exe	rundll32.exe
PID 3796 wrote to memory of 4908	3796	39BD.exe	rundll32.exe
PID 4392 wrote to memory of 4532	4392	39BD.exe	39BD.exe
PID 4392 wrote to memory of 4532	4392	39BD.exe	39BD.exe
PID 4392 wrote to memory of 4532	4392	39BD.exe	39BD.exe
PID 4392 wrote to memory of 4772	4392	39BD.exe	rundll32.exe
PID 4392 wrote to memory of 4772	4392	39BD.exe	rundll32.exe
PID 4392 wrote to memory of 4772	4392	39BD.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\c15f3ac17ea11c15b75f91cfdfb7871d6acfb656bf491a56095940ee340ffb61.exe
"C:\Users\Admin\AppData\Local\Temp\c15f3ac17ea11c15b75f91cfdfb7871d6acfb656bf491a56095940ee340ffb61.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2016

C:\Users\Admin\AppData\Local\Temp\39BD.exe
C:\Users\Admin\AppData\Local\Temp\39BD.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 596
2⤵
- Program crash
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 856
2⤵
- Program crash
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 932
2⤵
- Program crash
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1028
2⤵
- Program crash
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1068
2⤵
- Program crash
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1004
2⤵
- Program crash
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1080
2⤵
- Program crash
PID:4384

C:\Users\Admin\AppData\Local\Temp\39BD.exe
"C:\Users\Admin\AppData\Local\Temp\39BD.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 564
3⤵
- Program crash
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 856
3⤵
- Program crash
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 924
3⤵
- Program crash
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 988
3⤵
- Program crash
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1040
3⤵
- Program crash
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1004
3⤵
- Program crash
PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1052
3⤵
- Program crash
PID:4524

C:\Users\Admin\AppData\Local\Temp\39BD.exe
"C:\Users\Admin\AppData\Local\Temp\39BD.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 564
4⤵
- Program crash
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 856
4⤵
- Program crash
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1000
4⤵
- Program crash
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 968
4⤵
- Program crash
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1040
4⤵
- Program crash
PID:196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1016
4⤵
- Program crash
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1092
4⤵
- Program crash
PID:684

C:\Users\Admin\AppData\Local\Temp\39BD.exe
"C:\Users\Admin\AppData\Local\Temp\39BD.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 564
5⤵
- Program crash
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 900
5⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 992
5⤵
- Program crash
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 964
5⤵
- Program crash
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1040
5⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1080
5⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1048
5⤵
- Program crash
PID:4540

C:\Users\Admin\AppData\Local\Temp\39BD.exe
"C:\Users\Admin\AppData\Local\Temp\39BD.exe"
5⤵
- Executes dropped EXE
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 564
6⤵
- Program crash
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 916
6⤵
- Program crash
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1000
6⤵
- Program crash
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 968
6⤵
- Program crash
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1040
6⤵
- Program crash
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 924
6⤵
- Program crash
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1064
6⤵
- Program crash
PID:4472

C:\Users\Admin\AppData\Local\Temp\39BD.exe
"C:\Users\Admin\AppData\Local\Temp\39BD.exe"
6⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1164
6⤵
- Program crash
PID:4476

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
6⤵
PID:4428

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
5⤵
- Loads dropped DLL
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1164
5⤵
- Program crash
PID:4376

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
4⤵
- Loads dropped DLL
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1200
4⤵
- Program crash
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 888
3⤵
- Program crash
PID:3520

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
3⤵
- Loads dropped DLL
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1160
2⤵
- Program crash
PID:2484

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4956

C:\Users\Admin\AppData\Local\Temp\52D4.exe
C:\Users\Admin\AppData\Local\Temp\52D4.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1492

C:\Users\Admin\AppData\Local\Temp\6B6E.exe
C:\Users\Admin\AppData\Local\Temp\6B6E.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 536
2⤵
- Program crash
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 736
2⤵
- Program crash
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 776
2⤵
- Program crash
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 872
2⤵
- Program crash
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 880
2⤵
- Program crash
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 968
2⤵
- Program crash
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1124
2⤵
- Program crash
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1132
2⤵
- Program crash
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1100
2⤵
- Program crash
PID:392

C:\Users\Admin\AppData\Local\Temp\7439.exe
C:\Users\Admin\AppData\Local\Temp\7439.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1756
2⤵
- Program crash
PID:4984

C:\Users\Admin\AppData\Local\Temp\A02C.exe
C:\Users\Admin\AppData\Local\Temp\A02C.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\dllhost.exe
dllhost vfrfgh ningggfdee
2⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Chrome.pdf & ping -n 5 localhost
2⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
PID:2356

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
4⤵
- Enumerates processes with tasklist
PID:2124

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
4⤵
PID:2592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\39BD.exe
Filesize
3.6MB

MD5
c84f631b982a55306834c0123555a199

SHA1
23c67574f5004e2232e5caa7d85b86ed33e51842

SHA256
3e289c09004c4897bfd45aab26f9b8efeb64763a671189d472f7004ee72f100a

SHA512
1c6a6c16744ab08abe40d568cd9bdcd6f39bf4d5c919f70804576f023a5a3b8354f3190c8ea75e9635fddaa55c02ca5fb561fcd0182a7889be0324ac07ab81a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\39BD.exe
Filesize
6.1MB

MD5
5fb645516dc59c5f35c5619c5ca77aa8

SHA1
bf676068acb90fd1feea6ee34bb7bf03ceb419ed

SHA256
25fec2ccde0c95ea123361b62011c202d29e955712e0b62c15b914728c548cd7

SHA512
7019fce98ab70d7189cac97af461f2dd33e42b4a9ec0444a8cac852cd882ae97da41387a5a2067c9bdeb65ae724e117193e92430834f47fe5494cb9a8b0162e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\39BD.exe
Filesize
6.1MB

MD5
5fb645516dc59c5f35c5619c5ca77aa8

SHA1
bf676068acb90fd1feea6ee34bb7bf03ceb419ed

SHA256
25fec2ccde0c95ea123361b62011c202d29e955712e0b62c15b914728c548cd7

SHA512
7019fce98ab70d7189cac97af461f2dd33e42b4a9ec0444a8cac852cd882ae97da41387a5a2067c9bdeb65ae724e117193e92430834f47fe5494cb9a8b0162e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\39BD.exe
Filesize
6.1MB

MD5
5fb645516dc59c5f35c5619c5ca77aa8

SHA1
bf676068acb90fd1feea6ee34bb7bf03ceb419ed

SHA256
25fec2ccde0c95ea123361b62011c202d29e955712e0b62c15b914728c548cd7

SHA512
7019fce98ab70d7189cac97af461f2dd33e42b4a9ec0444a8cac852cd882ae97da41387a5a2067c9bdeb65ae724e117193e92430834f47fe5494cb9a8b0162e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\39BD.exe
Filesize
6.1MB

MD5
5fb645516dc59c5f35c5619c5ca77aa8

SHA1
bf676068acb90fd1feea6ee34bb7bf03ceb419ed

SHA256
25fec2ccde0c95ea123361b62011c202d29e955712e0b62c15b914728c548cd7

SHA512
7019fce98ab70d7189cac97af461f2dd33e42b4a9ec0444a8cac852cd882ae97da41387a5a2067c9bdeb65ae724e117193e92430834f47fe5494cb9a8b0162e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\39BD.exe
Filesize
6.1MB

MD5
5fb645516dc59c5f35c5619c5ca77aa8

SHA1
bf676068acb90fd1feea6ee34bb7bf03ceb419ed

SHA256
25fec2ccde0c95ea123361b62011c202d29e955712e0b62c15b914728c548cd7

SHA512
7019fce98ab70d7189cac97af461f2dd33e42b4a9ec0444a8cac852cd882ae97da41387a5a2067c9bdeb65ae724e117193e92430834f47fe5494cb9a8b0162e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\39BD.exe
Filesize
6.1MB

MD5
5fb645516dc59c5f35c5619c5ca77aa8

SHA1
bf676068acb90fd1feea6ee34bb7bf03ceb419ed

SHA256
25fec2ccde0c95ea123361b62011c202d29e955712e0b62c15b914728c548cd7

SHA512
7019fce98ab70d7189cac97af461f2dd33e42b4a9ec0444a8cac852cd882ae97da41387a5a2067c9bdeb65ae724e117193e92430834f47fe5494cb9a8b0162e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\52D4.exe
Filesize
586KB

MD5
7015fcaa3bfd71f411ab92817bb1ba8e

SHA1
1e3805f3b09fa116960d47058a4c359ae8a3ab3d

SHA256
46d6bc3be0043622a9c51c2b8731317a75b7fa324881a776f8c1c7f7947b32ad

SHA512
a5efff5d7474b048bc96415a4746912389c0e95c02b7be5df4fa7ab5874a7edf595e131136aeff2270c04d0016b4a37bef53ddeb3e3c75477f76069be661a47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\52D4.exe
Filesize
586KB

MD5
7015fcaa3bfd71f411ab92817bb1ba8e

SHA1
1e3805f3b09fa116960d47058a4c359ae8a3ab3d

SHA256
46d6bc3be0043622a9c51c2b8731317a75b7fa324881a776f8c1c7f7947b32ad

SHA512
a5efff5d7474b048bc96415a4746912389c0e95c02b7be5df4fa7ab5874a7edf595e131136aeff2270c04d0016b4a37bef53ddeb3e3c75477f76069be661a47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B6E.exe
Filesize
354KB

MD5
ab7e2ee57a39de7ff64a2f571ab29676

SHA1
c04a95bfdf6dfc93c9c152f61d254adbdc2774cb

SHA256
aae33a5c1971bc848715a660f6a878a20ff4198c244b3d58737274545f1bb17c

SHA512
dbeaf88f2d9ba57f52eda543662bb298e71e59a722a8c5114b8b245d64536bf054b1aa08d452d273fd89c41e18b7d8d23a955a47a069b868ea2f7ee56b9b74b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B6E.exe
Filesize
354KB

MD5
ab7e2ee57a39de7ff64a2f571ab29676

SHA1
c04a95bfdf6dfc93c9c152f61d254adbdc2774cb

SHA256
aae33a5c1971bc848715a660f6a878a20ff4198c244b3d58737274545f1bb17c

SHA512
dbeaf88f2d9ba57f52eda543662bb298e71e59a722a8c5114b8b245d64536bf054b1aa08d452d273fd89c41e18b7d8d23a955a47a069b868ea2f7ee56b9b74b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7439.exe
Filesize
349KB

MD5
322e56c0800806f7b0c22a29b9621cc3

SHA1
09a9a0eaec8facaed1d2d8f82990fa154e80a470

SHA256
9ef5e9112b6f46e3aa83394ab5cb5d7a160b80cbe31c1b179d11c6d1b17d782d

SHA512
e882375c48ee3305f0afcebee7933a76c8017e670e6e76b1b8286b7357d17d39ae0dce1020c8358fae5de71591294a44e2457034181bdd860f30579615db204f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7439.exe
Filesize
349KB

MD5
322e56c0800806f7b0c22a29b9621cc3

SHA1
09a9a0eaec8facaed1d2d8f82990fa154e80a470

SHA256
9ef5e9112b6f46e3aa83394ab5cb5d7a160b80cbe31c1b179d11c6d1b17d782d

SHA512
e882375c48ee3305f0afcebee7933a76c8017e670e6e76b1b8286b7357d17d39ae0dce1020c8358fae5de71591294a44e2457034181bdd860f30579615db204f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A02C.exe
Filesize
737KB

MD5
8d013b4129e9f90f841a494190847b31

SHA1
53cefb2945a37889b5442cc45aea28dea8a5ac22

SHA256
5a53c1d7e6761dbe6b6ae5788cc6ffbbe78794d1eabc736251cce47c13ccfcc3

SHA512
c9152eb756d1d7ecf988c275365bb4bc4e7de7286a00893b9814d65bd6693e25be9509e1f3829db93bec629c6a9cec9252f645858bef0f6ee221b913da20dfbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\A02C.exe
Filesize
737KB

MD5
8d013b4129e9f90f841a494190847b31

SHA1
53cefb2945a37889b5442cc45aea28dea8a5ac22

SHA256
5a53c1d7e6761dbe6b6ae5788cc6ffbbe78794d1eabc736251cce47c13ccfcc3

SHA512
c9152eb756d1d7ecf988c275365bb4bc4e7de7286a00893b9814d65bd6693e25be9509e1f3829db93bec629c6a9cec9252f645858bef0f6ee221b913da20dfbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll
Filesize
3.2MB

MD5
4e40b0b21e5c1f9dab372c2fc981ad5a

SHA1
286cae3b928d7fad7d793038d46a14e92d592192

SHA256
75442a8421770c2db6c108ed10c8a2761adc7c93d083854dfe83ccc5974aa32c

SHA512
d722ecca5d572960ea7206d87f4da31be71e1b8c6388d88e2b1574388857739baedaead8d2d4dba8210b1151004196a7eea19d9084f63725b66fefee5cdfa892

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chicago.pdf
Filesize
924KB

MD5
aabe6813697af03369aa450bb4436f55

SHA1
6e2ab9fdebe157325f1e83318bfa502b83b164ad

SHA256
969066f1533d7f8295294934cae842d6e04bf995347a926f59eab567554699a1

SHA512
bc169c94564c22e40a446dd6c64de09f98bf09f6b0ec238ef252c29e1e2e9c10a0bef8cf8fca1192f5a7d4cd7afe4c4fa4597a3307b7c71916dda73d3fb2f188

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chrome.pdf
Filesize
11KB

MD5
615333778325ed2e1d9deff0a5039a15

SHA1
40ab327c890707a9c9a5c2a10a6cdea8649a3341

SHA256
dc5bc0a06f4879eb547f8be95543452755fc4bd84725e6637b37fd541ca21c1e

SHA512
4359da53340dd931d38d268a7180f56c5ac1f88fe4e120dac7c13966a151f2d5d7331d9eeb5ee6d24bb4f3aa53f573bc3f7fe71e9eb148d8f808e0b2bb400b70

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\ProgramData\sqlite3.dll
Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll
Filesize
3.2MB

MD5
4e40b0b21e5c1f9dab372c2fc981ad5a

SHA1
286cae3b928d7fad7d793038d46a14e92d592192

SHA256
75442a8421770c2db6c108ed10c8a2761adc7c93d083854dfe83ccc5974aa32c

SHA512
d722ecca5d572960ea7206d87f4da31be71e1b8c6388d88e2b1574388857739baedaead8d2d4dba8210b1151004196a7eea19d9084f63725b66fefee5cdfa892

Download Submit
\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll
Filesize
3.2MB

MD5
4e40b0b21e5c1f9dab372c2fc981ad5a

SHA1
286cae3b928d7fad7d793038d46a14e92d592192

SHA256
75442a8421770c2db6c108ed10c8a2761adc7c93d083854dfe83ccc5974aa32c

SHA512
d722ecca5d572960ea7206d87f4da31be71e1b8c6388d88e2b1574388857739baedaead8d2d4dba8210b1151004196a7eea19d9084f63725b66fefee5cdfa892

Download Submit
\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll
Filesize
3.2MB

MD5
4e40b0b21e5c1f9dab372c2fc981ad5a

SHA1
286cae3b928d7fad7d793038d46a14e92d592192

SHA256
75442a8421770c2db6c108ed10c8a2761adc7c93d083854dfe83ccc5974aa32c

SHA512
d722ecca5d572960ea7206d87f4da31be71e1b8c6388d88e2b1574388857739baedaead8d2d4dba8210b1151004196a7eea19d9084f63725b66fefee5cdfa892

Download Submit
\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll
Filesize
3.2MB

MD5
4e40b0b21e5c1f9dab372c2fc981ad5a

SHA1
286cae3b928d7fad7d793038d46a14e92d592192

SHA256
75442a8421770c2db6c108ed10c8a2761adc7c93d083854dfe83ccc5974aa32c

SHA512
d722ecca5d572960ea7206d87f4da31be71e1b8c6388d88e2b1574388857739baedaead8d2d4dba8210b1151004196a7eea19d9084f63725b66fefee5cdfa892

Download Submit
\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll
Filesize
3.2MB

MD5
4e40b0b21e5c1f9dab372c2fc981ad5a

SHA1
286cae3b928d7fad7d793038d46a14e92d592192

SHA256
75442a8421770c2db6c108ed10c8a2761adc7c93d083854dfe83ccc5974aa32c

SHA512
d722ecca5d572960ea7206d87f4da31be71e1b8c6388d88e2b1574388857739baedaead8d2d4dba8210b1151004196a7eea19d9084f63725b66fefee5cdfa892

Download Submit
\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll
Filesize
3.2MB

MD5
4e40b0b21e5c1f9dab372c2fc981ad5a

SHA1
286cae3b928d7fad7d793038d46a14e92d592192

SHA256
75442a8421770c2db6c108ed10c8a2761adc7c93d083854dfe83ccc5974aa32c

SHA512
d722ecca5d572960ea7206d87f4da31be71e1b8c6388d88e2b1574388857739baedaead8d2d4dba8210b1151004196a7eea19d9084f63725b66fefee5cdfa892

Download Submit
memory/1208-744-0x0000000004220000-0x000000000456D000-memory.dmp

Filesize
3.3MB

Download
memory/1208-891-0x0000000004220000-0x000000000456D000-memory.dmp

Filesize
3.3MB

Download
memory/1208-690-0x0000000000000000-mapping.dmp

Download
memory/1492-188-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1492-184-0x0000000000000000-mapping.dmp

Download
memory/1492-398-0x0000000002DA0000-0x0000000002EEA000-memory.dmp

Filesize
1.3MB

Download
memory/1492-399-0x0000000002FD0000-0x000000000303B000-memory.dmp

Filesize
428KB

Download
memory/1492-284-0x0000000000400000-0x0000000002C80000-memory.dmp

Filesize
40.5MB

Download
memory/1492-415-0x0000000000400000-0x0000000002C80000-memory.dmp

Filesize
40.5MB

Download
memory/1492-261-0x0000000002FD0000-0x000000000303B000-memory.dmp

Filesize
428KB

Download
memory/1492-260-0x0000000002DA0000-0x0000000002EEA000-memory.dmp

Filesize
1.3MB

Download
memory/1492-189-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1492-194-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1492-191-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1492-192-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1492-187-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-131-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-127-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-145-0x0000000002CE0000-0x0000000002D8E000-memory.dmp

Filesize
696KB

Download
memory/2016-144-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-143-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-142-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-141-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-140-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-139-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-138-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-137-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-136-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-135-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-120-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-133-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-132-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-130-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-147-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-151-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-153-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-129-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-148-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-128-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-146-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/2016-154-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-149-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-155-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-150-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-121-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-122-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-126-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-125-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-156-0x0000000000400000-0x0000000002C35000-memory.dmp

Filesize
40.2MB

Download
memory/2016-157-0x0000000000400000-0x0000000002C35000-memory.dmp

Filesize
40.2MB

Download
memory/2016-152-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-124-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-123-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-982-0x0000000000000000-mapping.dmp

Download
memory/2340-223-0x0000000000000000-mapping.dmp

Download
memory/2340-438-0x0000000002FB3000-0x0000000002FDA000-memory.dmp

Filesize
156KB

Download
memory/2340-441-0x0000000002EC0000-0x0000000002F00000-memory.dmp

Filesize
256KB

Download
memory/2340-456-0x0000000000400000-0x0000000002C46000-memory.dmp

Filesize
40.3MB

Download
memory/2340-305-0x0000000002FB3000-0x0000000002FDA000-memory.dmp

Filesize
156KB

Download
memory/2340-307-0x0000000002EC0000-0x0000000002F00000-memory.dmp

Filesize
256KB

Download
memory/2340-322-0x0000000000400000-0x0000000002C46000-memory.dmp

Filesize
40.3MB

Download
memory/2356-489-0x0000000000000000-mapping.dmp

Download
memory/2592-989-0x0000000000000000-mapping.dmp

Download
memory/3408-475-0x0000000000000000-mapping.dmp

Download
memory/3796-568-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/3796-792-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/3796-527-0x00000000037E0000-0x0000000003DCB000-memory.dmp

Filesize
5.9MB

Download
memory/3796-538-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/3796-447-0x0000000000000000-mapping.dmp

Download
memory/3796-567-0x00000000037E0000-0x0000000003DCB000-memory.dmp

Filesize
5.9MB

Download
memory/3812-444-0x0000000000000000-mapping.dmp

Download
memory/3936-1052-0x0000000000000000-mapping.dmp

Download
memory/4244-352-0x0000000002CF0000-0x0000000002E3A000-memory.dmp

Filesize
1.3MB

Download
memory/4244-482-0x0000000000400000-0x0000000002C45000-memory.dmp

Filesize
40.3MB

Download
memory/4244-479-0x0000000002CF0000-0x0000000002E3A000-memory.dmp

Filesize
1.3MB

Download
memory/4244-262-0x0000000000000000-mapping.dmp

Download
memory/4244-486-0x0000000002CF0000-0x0000000002E3A000-memory.dmp

Filesize
1.3MB

Download
memory/4244-338-0x0000000000400000-0x0000000002C45000-memory.dmp

Filesize
40.3MB

Download
memory/4244-324-0x0000000002CF0000-0x0000000002E3A000-memory.dmp

Filesize
1.3MB

Download
memory/4252-591-0x00000000035D0000-0x0000000003BC2000-memory.dmp

Filesize
5.9MB

Download
memory/4252-552-0x0000000000000000-mapping.dmp

Download
memory/4252-705-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/4252-596-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/4392-898-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/4392-785-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/4392-761-0x0000000003690000-0x0000000003C8A000-memory.dmp

Filesize
6.0MB

Download
memory/4392-663-0x0000000000000000-mapping.dmp

Download
memory/4428-1068-0x0000000000000000-mapping.dmp

Download
memory/4532-861-0x0000000000000000-mapping.dmp

Download
memory/4532-965-0x00000000037F0000-0x0000000003DE2000-memory.dmp

Filesize
5.9MB

Download
memory/4532-976-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/4532-1074-0x00000000037F0000-0x0000000003DE2000-memory.dmp

Filesize
5.9MB

Download
memory/4544-346-0x0000000000000000-mapping.dmp

Download
memory/4772-888-0x0000000000000000-mapping.dmp

Download
memory/4772-937-0x0000000004090000-0x00000000043DD000-memory.dmp

Filesize
3.3MB

Download
memory/4772-1043-0x0000000004090000-0x00000000043DD000-memory.dmp

Filesize
3.3MB

Download
memory/4792-176-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-162-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-177-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-349-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/4792-311-0x0000000003710000-0x0000000003D03000-memory.dmp

Filesize
5.9MB

Download
memory/4792-174-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-178-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-173-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-172-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-179-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-171-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-170-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-169-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-158-0x0000000000000000-mapping.dmp

Download
memory/4792-180-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-303-0x00000000055B0000-0x0000000005BD0000-memory.dmp

Filesize
6.1MB

Download
memory/4792-182-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-183-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-168-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-211-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/4792-181-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-166-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-185-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-165-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-190-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-164-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-163-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-193-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-610-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/4792-160-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-201-0x0000000003710000-0x0000000003D03000-memory.dmp

Filesize
5.9MB

Download
memory/4792-205-0x00000000055B0000-0x0000000005BD0000-memory.dmp

Filesize
6.1MB

Download
memory/4792-161-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-949-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/4908-834-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/4908-779-0x0000000000000000-mapping.dmp

Download
memory/4956-748-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/4956-651-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/4956-597-0x0000000000000000-mapping.dmp

Download