nymaim | 198305a07facd04096fe3138a05d25acfe055f39ac339fd597c30d16928b88c9

Analysis

max time kernel
156s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

286KB
MD5

c5bb23b188f4d799d36a55c2ecb5cef9
SHA1

860451858cc60cd8d55337458de4fd28075df940
SHA256

198305a07facd04096fe3138a05d25acfe055f39ac339fd597c30d16928b88c9
SHA512

034024de4bdf6f3bcf629f628280c6ca676ab32ae0e82a3ffbf16bdaf977b6a899c9a8905e7f8d158dffc132e6f26b05a720a3e39e0e72ef45d865a4a0d1d238
SSDEEP

3072:3GzyC5JUoveLC0Ev45kaYjnFB2JlCIa9FzwJVhhs6HfbiM/h3:qTUoveLC0EvBTFB2KBmJVhK6e

Score

10^/10

nymaim smokeloader vidar 937 backdoor bootkit discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Extracted

Family

vidar

Version

55.3

Botnet

937

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1628-134-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

4DD.exe4B4D.exe5570.exe5B5D.exe7474.exe4DD.exeAdventure.exe.pif

pid process

1300 4DD.exe
1244 4B4D.exe
4372 5570.exe
1776 5B5D.exe
4224 7474.exe
4100 4DD.exe
796 Adventure.exe.pif

pid	process
1300	4DD.exe
1244	4B4D.exe
4372	5570.exe
1776	5B5D.exe
4224	7474.exe
4100	4DD.exe
796	Adventure.exe.pif

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4DD.exe5B5D.exe5570.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	4DD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	5B5D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	5570.exe

Loads dropped DLL 3 IoCs

Processes:

5B5D.exe

pid process

1776 5B5D.exe
1776 5B5D.exe
1776 5B5D.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1776	5B5D.exe
1776	5B5D.exe
1776	5B5D.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7474.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7474.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

4B4D.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 4B4D.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	4B4D.exe

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1544	1300	WerFault.exe	4DD.exe
452	1300	WerFault.exe	4DD.exe
3892	1300	WerFault.exe	4DD.exe
2076	1300	WerFault.exe	4DD.exe
2084	1300	WerFault.exe	4DD.exe
412	4372	WerFault.exe	5570.exe
4948	1300	WerFault.exe	4DD.exe
3052	1300	WerFault.exe	4DD.exe
960	1300	WerFault.exe	4DD.exe
2780	4372	WerFault.exe	5570.exe
1632	4372	WerFault.exe	5570.exe
4016	4372	WerFault.exe	5570.exe
908	1300	WerFault.exe	4DD.exe
1688	4372	WerFault.exe	5570.exe
4136	4372	WerFault.exe	5570.exe
4356	1776	WerFault.exe	5B5D.exe
2304	4372	WerFault.exe	5570.exe
4264	4100	WerFault.exe	4DD.exe
512	4100	WerFault.exe	4DD.exe
2412	4372	WerFault.exe	5570.exe
636	4100	WerFault.exe	4DD.exe
3208	4372	WerFault.exe	5570.exe
4768	4100	WerFault.exe	4DD.exe
2168	4100	WerFault.exe	4DD.exe
2084	4100	WerFault.exe	4DD.exe
4516	4100	WerFault.exe	4DD.exe
1232	4100	WerFault.exe	4DD.exe
4452	1928	WerFault.exe	4DD.exe
3512	1300	WerFault.exe	4DD.exe
2628	1928	WerFault.exe	4DD.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5B5D.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5B5D.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5B5D.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5108 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4004 tasklist.exe
4260 tasklist.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

560 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4960 PING.EXE

pid	process
5108	timeout.exe

pid	process
4004	tasklist.exe
4260	tasklist.exe

pid	process
560	taskkill.exe

pid	process
4960	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
1628	file.exe
1628	file.exe
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2424
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

file.exe

pid process

1628 file.exe

pid	process
2424

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exe

description	pid	process
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeShutdownPrivilege	2424

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Adventure.exe.pif

pid process

796 Adventure.exe.pif
2424
2424
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Adventure.exe.pif

pid process

796 Adventure.exe.pif

pid	process
796	Adventure.exe.pif
2424
2424

pid	process
796	Adventure.exe.pif

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

7474.execmd.exe4DD.exe5B5D.execmd.exe5570.execmd.execmd.exe

description	pid	process	target process
PID 2424 wrote to memory of 1300	2424		4DD.exe
PID 2424 wrote to memory of 1300	2424		4DD.exe
PID 2424 wrote to memory of 1300	2424		4DD.exe
PID 2424 wrote to memory of 1244	2424		4B4D.exe
PID 2424 wrote to memory of 1244	2424		4B4D.exe
PID 2424 wrote to memory of 1244	2424		4B4D.exe
PID 2424 wrote to memory of 4372	2424		5570.exe
PID 2424 wrote to memory of 4372	2424		5570.exe
PID 2424 wrote to memory of 4372	2424		5570.exe
PID 2424 wrote to memory of 1776	2424		5B5D.exe
PID 2424 wrote to memory of 1776	2424		5B5D.exe
PID 2424 wrote to memory of 1776	2424		5B5D.exe
PID 2424 wrote to memory of 4224	2424		7474.exe
PID 2424 wrote to memory of 4224	2424		7474.exe
PID 2424 wrote to memory of 4224	2424		7474.exe
PID 4224 wrote to memory of 1336	4224	7474.exe	dllhost.exe
PID 4224 wrote to memory of 1336	4224	7474.exe	dllhost.exe
PID 4224 wrote to memory of 1336	4224	7474.exe	dllhost.exe
PID 4224 wrote to memory of 376	4224	7474.exe	cmd.exe
PID 4224 wrote to memory of 376	4224	7474.exe	cmd.exe
PID 4224 wrote to memory of 376	4224	7474.exe	cmd.exe
PID 376 wrote to memory of 2800	376	cmd.exe	cmd.exe
PID 376 wrote to memory of 2800	376	cmd.exe	cmd.exe
PID 376 wrote to memory of 2800	376	cmd.exe	cmd.exe
PID 1300 wrote to memory of 4100	1300	4DD.exe	4DD.exe
PID 1300 wrote to memory of 4100	1300	4DD.exe	4DD.exe
PID 1300 wrote to memory of 4100	1300	4DD.exe	4DD.exe
PID 1776 wrote to memory of 1676	1776	5B5D.exe	cmd.exe
PID 1776 wrote to memory of 1676	1776	5B5D.exe	cmd.exe
PID 1776 wrote to memory of 1676	1776	5B5D.exe	cmd.exe
PID 1676 wrote to memory of 5108	1676	cmd.exe	timeout.exe
PID 1676 wrote to memory of 5108	1676	cmd.exe	timeout.exe
PID 1676 wrote to memory of 5108	1676	cmd.exe	timeout.exe
PID 4372 wrote to memory of 1304	4372	5570.exe	cmd.exe
PID 4372 wrote to memory of 1304	4372	5570.exe	cmd.exe
PID 4372 wrote to memory of 1304	4372	5570.exe	cmd.exe
PID 1304 wrote to memory of 560	1304	cmd.exe	taskkill.exe
PID 1304 wrote to memory of 560	1304	cmd.exe	taskkill.exe
PID 1304 wrote to memory of 560	1304	cmd.exe	taskkill.exe
PID 2800 wrote to memory of 4004	2800	cmd.exe	tasklist.exe
PID 2800 wrote to memory of 4004	2800	cmd.exe	tasklist.exe
PID 2800 wrote to memory of 4004	2800	cmd.exe	tasklist.exe
PID 2800 wrote to memory of 3392	2800	cmd.exe	find.exe
PID 2800 wrote to memory of 3392	2800	cmd.exe	find.exe
PID 2800 wrote to memory of 3392	2800	cmd.exe	find.exe
PID 2800 wrote to memory of 4260	2800	cmd.exe	tasklist.exe
PID 2800 wrote to memory of 4260	2800	cmd.exe	tasklist.exe
PID 2800 wrote to memory of 4260	2800	cmd.exe	tasklist.exe
PID 2800 wrote to memory of 5044	2800	cmd.exe	find.exe
PID 2800 wrote to memory of 5044	2800	cmd.exe	find.exe
PID 2800 wrote to memory of 5044	2800	cmd.exe	find.exe
PID 2800 wrote to memory of 536	2800	cmd.exe	findstr.exe
PID 2800 wrote to memory of 536	2800	cmd.exe	findstr.exe
PID 2800 wrote to memory of 536	2800	cmd.exe	findstr.exe
PID 2800 wrote to memory of 796	2800	cmd.exe	Adventure.exe.pif
PID 2800 wrote to memory of 796	2800	cmd.exe	Adventure.exe.pif
PID 2800 wrote to memory of 796	2800	cmd.exe	Adventure.exe.pif
PID 376 wrote to memory of 4960	376	cmd.exe	PING.EXE
PID 376 wrote to memory of 4960	376	cmd.exe	PING.EXE
PID 376 wrote to memory of 4960	376	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1628

C:\Users\Admin\AppData\Local\Temp\4DD.exe
C:\Users\Admin\AppData\Local\Temp\4DD.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 628
2⤵
- Program crash
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 924
2⤵
- Program crash
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 988
2⤵
- Program crash
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1064
2⤵
- Program crash
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1140
2⤵
- Program crash
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1148
2⤵
- Program crash
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 932
2⤵
- Program crash
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1168
2⤵
- Program crash
PID:960

C:\Users\Admin\AppData\Local\Temp\4DD.exe
"C:\Users\Admin\AppData\Local\Temp\4DD.exe"
2⤵
- Executes dropped EXE
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 600
3⤵
- Program crash
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 996
3⤵
- Program crash
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1064
3⤵
- Program crash
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1072
3⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1104
3⤵
- Program crash
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1080
3⤵
- Program crash
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1004
3⤵
- Program crash
PID:4516

C:\Users\Admin\AppData\Local\Temp\4DD.exe
"C:\Users\Admin\AppData\Local\Temp\4DD.exe"
3⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 600
4⤵
- Program crash
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 764
4⤵
- Program crash
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 988
3⤵
- Program crash
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1048
2⤵
- Program crash
PID:908

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
2⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1076
2⤵
- Program crash
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1300 -ip 1300
1⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\4B4D.exe
C:\Users\Admin\AppData\Local\Temp\4B4D.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1300 -ip 1300
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1300 -ip 1300
1⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\5570.exe
C:\Users\Admin\AppData\Local\Temp\5570.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 460
2⤵
- Program crash
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 772
2⤵
- Program crash
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 808
2⤵
- Program crash
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 816
2⤵
- Program crash
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 876
2⤵
- Program crash
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1028
2⤵
- Program crash
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1056
2⤵
- Program crash
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1404
2⤵
- Program crash
PID:2412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "5570.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\5570.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "5570.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 452
2⤵
- Program crash
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1300 -ip 1300
1⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\5B5D.exe
C:\Users\Admin\AppData\Local\Temp\5B5D.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5B5D.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1992
2⤵
- Program crash
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1300 -ip 1300
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4372 -ip 4372
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1300 -ip 1300
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1300 -ip 1300
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1300 -ip 1300
1⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4372 -ip 4372
1⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\7474.exe
C:\Users\Admin\AppData\Local\Temp\7474.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\SysWOW64\dllhost.exe
dllhost vfrfgh ningggfdee
2⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Chrome.pdf & ping -n 5 localhost
2⤵
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
4⤵
- Enumerates processes with tasklist
PID:4004

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
4⤵
PID:3392

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
4⤵
- Enumerates processes with tasklist
PID:4260

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
4⤵
PID:5044

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^kuSBdsbDhZNHQD$" Chicago.pdf
4⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adventure.exe.pif
Adventure.exe.pif I
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:796

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
3⤵
- Runs ping.exe
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4372 -ip 4372
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4372 -ip 4372
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1300 -ip 1300
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4372 -ip 4372
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4372 -ip 4372
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1776 -ip 1776
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4372 -ip 4372
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4100 -ip 4100
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4100 -ip 4100
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4372 -ip 4372
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4100 -ip 4100
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4372 -ip 4372
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4100 -ip 4100
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4100 -ip 4100
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4100 -ip 4100
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4100 -ip 4100
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4100 -ip 4100
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1928 -ip 1928
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1300 -ip 1300
1⤵
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1928 -ip 1928
1⤵
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\sqlite3.dll
Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B4D.exe
Filesize
587KB

MD5
cdb5de1b32bf729b83a3c68b6f17074d

SHA1
bc50674a6df188486a19fbc87ffba6806eb105c8

SHA256
34da660a7c46b2558a3e34d192786f8a7a48f4c0b73cb55769f613f60d18dc3e

SHA512
3c05b77a6bc0438ef2c70fe5a1db568d43b7b277e443b134c22dd5c0ff6876b9a2b93bb3955f187ea30baabac41d656cc95638bec5f9661d31a07f134486b0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B4D.exe
Filesize
587KB

MD5
cdb5de1b32bf729b83a3c68b6f17074d

SHA1
bc50674a6df188486a19fbc87ffba6806eb105c8

SHA256
34da660a7c46b2558a3e34d192786f8a7a48f4c0b73cb55769f613f60d18dc3e

SHA512
3c05b77a6bc0438ef2c70fe5a1db568d43b7b277e443b134c22dd5c0ff6876b9a2b93bb3955f187ea30baabac41d656cc95638bec5f9661d31a07f134486b0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DD.exe
Filesize
6.1MB

MD5
660c791a048da7a94aea15b2afd18f29

SHA1
de2b82ae153902b79fb998f84c396f68fe8c3ab5

SHA256
052cf058219159f00e4328a5537d2f399f110805647f2ae9d52f1b1cf9509932

SHA512
1d947b6d93fd105dcf939fb2916fdf2f6105fc72dfbdde0d289c1d3ff400577a503377a8ba653b49ca977b0a04136042f5c5304372477d8e3817589298e06412

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DD.exe
Filesize
6.1MB

MD5
660c791a048da7a94aea15b2afd18f29

SHA1
de2b82ae153902b79fb998f84c396f68fe8c3ab5

SHA256
052cf058219159f00e4328a5537d2f399f110805647f2ae9d52f1b1cf9509932

SHA512
1d947b6d93fd105dcf939fb2916fdf2f6105fc72dfbdde0d289c1d3ff400577a503377a8ba653b49ca977b0a04136042f5c5304372477d8e3817589298e06412

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DD.exe
Filesize
6.1MB

MD5
660c791a048da7a94aea15b2afd18f29

SHA1
de2b82ae153902b79fb998f84c396f68fe8c3ab5

SHA256
052cf058219159f00e4328a5537d2f399f110805647f2ae9d52f1b1cf9509932

SHA512
1d947b6d93fd105dcf939fb2916fdf2f6105fc72dfbdde0d289c1d3ff400577a503377a8ba653b49ca977b0a04136042f5c5304372477d8e3817589298e06412

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DD.exe
Filesize
6.1MB

MD5
660c791a048da7a94aea15b2afd18f29

SHA1
de2b82ae153902b79fb998f84c396f68fe8c3ab5

SHA256
052cf058219159f00e4328a5537d2f399f110805647f2ae9d52f1b1cf9509932

SHA512
1d947b6d93fd105dcf939fb2916fdf2f6105fc72dfbdde0d289c1d3ff400577a503377a8ba653b49ca977b0a04136042f5c5304372477d8e3817589298e06412

Download Submit
C:\Users\Admin\AppData\Local\Temp\5570.exe
Filesize
354KB

MD5
62c79cd088667d2e8a82e45df699367d

SHA1
e76ae05db004e4dbce829ddebdbde4ba89c3a559

SHA256
0d1062417b02871d308965c067c37162a65af5015b40eef0fae1ac9f01483fc2

SHA512
39a18091f497e46b7d659d8e0c5c21b854c57f7ef80b718ad9a1b98d0225a8c5344f82522e83ee72d51cc0749a7bd117e571c5ab661baa35fb9af31918b0a538

Download Submit
C:\Users\Admin\AppData\Local\Temp\5570.exe
Filesize
354KB

MD5
62c79cd088667d2e8a82e45df699367d

SHA1
e76ae05db004e4dbce829ddebdbde4ba89c3a559

SHA256
0d1062417b02871d308965c067c37162a65af5015b40eef0fae1ac9f01483fc2

SHA512
39a18091f497e46b7d659d8e0c5c21b854c57f7ef80b718ad9a1b98d0225a8c5344f82522e83ee72d51cc0749a7bd117e571c5ab661baa35fb9af31918b0a538

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B5D.exe
Filesize
373KB

MD5
c527971eeba174c1005267f4cb1f0f79

SHA1
fa205ffa3464f2d2f6a4b554b6ad0f6b131a1592

SHA256
1d3c1417ec5e609e591100966d291f888f6f4feb255a5ffaa9b75d1f9d2c1a26

SHA512
8cd3533978e12d29fc9a8e5b461135f26d061ab2cc020f39f01ddd6fbfeae6f897a907e9bae4c85025e82bdf86fa87173e4bfde4a1c90957add0e0f8852faa08

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B5D.exe
Filesize
373KB

MD5
c527971eeba174c1005267f4cb1f0f79

SHA1
fa205ffa3464f2d2f6a4b554b6ad0f6b131a1592

SHA256
1d3c1417ec5e609e591100966d291f888f6f4feb255a5ffaa9b75d1f9d2c1a26

SHA512
8cd3533978e12d29fc9a8e5b461135f26d061ab2cc020f39f01ddd6fbfeae6f897a907e9bae4c85025e82bdf86fa87173e4bfde4a1c90957add0e0f8852faa08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7474.exe
Filesize
737KB

MD5
8d013b4129e9f90f841a494190847b31

SHA1
53cefb2945a37889b5442cc45aea28dea8a5ac22

SHA256
5a53c1d7e6761dbe6b6ae5788cc6ffbbe78794d1eabc736251cce47c13ccfcc3

SHA512
c9152eb756d1d7ecf988c275365bb4bc4e7de7286a00893b9814d65bd6693e25be9509e1f3829db93bec629c6a9cec9252f645858bef0f6ee221b913da20dfbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll
Filesize
3.2MB

MD5
1fe5c4c4ff8ff0865fb3768d9187a1bd

SHA1
2e7960907964aba5264169b2dced5a8dbf463b9a

SHA256
f4b1aacb7f041b70a6c4b60bc9ef4a42bea84701af904b3f0ac20d776461cd2a

SHA512
4263c4eaf62fdf272385c9c0c77e62f66caa602ebe1d7a7ec21f99585d223e0a4292e39927f82dc9ad0a6a8ddf38c619301b3efe076499a1091903994f6119ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll
Filesize
3.2MB

MD5
1fe5c4c4ff8ff0865fb3768d9187a1bd

SHA1
2e7960907964aba5264169b2dced5a8dbf463b9a

SHA256
f4b1aacb7f041b70a6c4b60bc9ef4a42bea84701af904b3f0ac20d776461cd2a

SHA512
4263c4eaf62fdf272385c9c0c77e62f66caa602ebe1d7a7ec21f99585d223e0a4292e39927f82dc9ad0a6a8ddf38c619301b3efe076499a1091903994f6119ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll
Filesize
3.2MB

MD5
1fe5c4c4ff8ff0865fb3768d9187a1bd

SHA1
2e7960907964aba5264169b2dced5a8dbf463b9a

SHA256
f4b1aacb7f041b70a6c4b60bc9ef4a42bea84701af904b3f0ac20d776461cd2a

SHA512
4263c4eaf62fdf272385c9c0c77e62f66caa602ebe1d7a7ec21f99585d223e0a4292e39927f82dc9ad0a6a8ddf38c619301b3efe076499a1091903994f6119ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adventure.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adventure.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chicago.pdf
Filesize
924KB

MD5
aabe6813697af03369aa450bb4436f55

SHA1
6e2ab9fdebe157325f1e83318bfa502b83b164ad

SHA256
969066f1533d7f8295294934cae842d6e04bf995347a926f59eab567554699a1

SHA512
bc169c94564c22e40a446dd6c64de09f98bf09f6b0ec238ef252c29e1e2e9c10a0bef8cf8fca1192f5a7d4cd7afe4c4fa4597a3307b7c71916dda73d3fb2f188

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chrome.pdf
Filesize
11KB

MD5
615333778325ed2e1d9deff0a5039a15

SHA1
40ab327c890707a9c9a5c2a10a6cdea8649a3341

SHA256
dc5bc0a06f4879eb547f8be95543452755fc4bd84725e6637b37fd541ca21c1e

SHA512
4359da53340dd931d38d268a7180f56c5ac1f88fe4e120dac7c13966a151f2d5d7331d9eeb5ee6d24bb4f3aa53f573bc3f7fe71e9eb148d8f808e0b2bb400b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Softball.pdf
Filesize
598KB

MD5
06fd6f511cf200e7732d6e39caaab63f

SHA1
b6215c6e20e9135743041559ef8d90f28ebbea5b

SHA256
62aa5a27b09fc6b8573fc9ab0f0d6a8aacb1f8b2323525a5592a773b008fcdb5

SHA512
57ecfbcd488136ab2adaca45cb7d2122275bdd7fc9b19bedaef5a06d45019b7a9a6b98e5f5f4df26e1cdd206552b38306bf4dd045bfdb7ab12224244f8a80d49

Download Submit
memory/376-173-0x0000000000000000-mapping.dmp

Download
memory/536-193-0x0000000000000000-mapping.dmp

Download
memory/560-186-0x0000000000000000-mapping.dmp

Download
memory/796-196-0x0000000000000000-mapping.dmp

Download
memory/1244-150-0x0000000000400000-0x0000000002C81000-memory.dmp

Filesize
40.5MB

Download
memory/1244-152-0x0000000002DB0000-0x0000000002E1B000-memory.dmp

Filesize
428KB

Download
memory/1244-167-0x0000000000400000-0x0000000002C81000-memory.dmp

Filesize
40.5MB

Download
memory/1244-166-0x0000000002FE3000-0x0000000003044000-memory.dmp

Filesize
388KB

Download
memory/1244-151-0x0000000002FE3000-0x0000000003044000-memory.dmp

Filesize
388KB

Download
memory/1244-144-0x0000000000000000-mapping.dmp

Download
memory/1300-143-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/1300-156-0x00000000054F0000-0x0000000005B10000-memory.dmp

Filesize
6.1MB

Download
memory/1300-142-0x00000000054F0000-0x0000000005B10000-memory.dmp

Filesize
6.1MB

Download
memory/1300-141-0x0000000003558000-0x0000000003B42000-memory.dmp

Filesize
5.9MB

Download
memory/1300-138-0x0000000000000000-mapping.dmp

Download
memory/1304-185-0x0000000000000000-mapping.dmp

Download
memory/1336-168-0x0000000000000000-mapping.dmp

Download
memory/1628-135-0x0000000000400000-0x0000000002C35000-memory.dmp

Filesize
40.2MB

Download
memory/1628-136-0x0000000002C73000-0x0000000002C89000-memory.dmp

Filesize
88KB

Download
memory/1628-137-0x0000000000400000-0x0000000002C35000-memory.dmp

Filesize
40.2MB

Download
memory/1628-134-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/1628-133-0x0000000002C73000-0x0000000002C89000-memory.dmp

Filesize
88KB

Download
memory/1676-179-0x0000000000000000-mapping.dmp

Download
memory/1776-160-0x0000000002FD0000-0x0000000003019000-memory.dmp

Filesize
292KB

Download
memory/1776-172-0x0000000000400000-0x0000000002C4B000-memory.dmp

Filesize
40.3MB

Download
memory/1776-153-0x0000000000000000-mapping.dmp

Download
memory/1776-161-0x0000000000400000-0x0000000002C4B000-memory.dmp

Filesize
40.3MB

Download
memory/1776-164-0x0000000003036000-0x0000000003062000-memory.dmp

Filesize
176KB

Download
memory/1776-183-0x0000000003036000-0x0000000003062000-memory.dmp

Filesize
176KB

Download
memory/1776-184-0x0000000000400000-0x0000000002C4B000-memory.dmp

Filesize
40.3MB

Download
memory/1928-204-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/1928-200-0x0000000000000000-mapping.dmp

Download
memory/1928-203-0x0000000003528000-0x0000000003B12000-memory.dmp

Filesize
5.9MB

Download
memory/2800-176-0x0000000000000000-mapping.dmp

Download
memory/3276-209-0x0000000002420000-0x000000000276D000-memory.dmp

Filesize
3.3MB

Download
memory/3276-205-0x0000000000000000-mapping.dmp

Download
memory/3276-210-0x0000000002420000-0x000000000276D000-memory.dmp

Filesize
3.3MB

Download
memory/3392-190-0x0000000000000000-mapping.dmp

Download
memory/4004-189-0x0000000000000000-mapping.dmp

Download
memory/4100-182-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/4100-177-0x0000000000000000-mapping.dmp

Download
memory/4100-202-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/4100-181-0x00000000034A5000-0x0000000003A8F000-memory.dmp

Filesize
5.9MB

Download
memory/4224-162-0x0000000000000000-mapping.dmp

Download
memory/4260-191-0x0000000000000000-mapping.dmp

Download
memory/4372-187-0x0000000002D63000-0x0000000002D8A000-memory.dmp

Filesize
156KB

Download
memory/4372-188-0x0000000000400000-0x0000000002C46000-memory.dmp

Filesize
40.3MB

Download
memory/4372-171-0x0000000002D63000-0x0000000002D8A000-memory.dmp

Filesize
156KB

Download
memory/4372-170-0x0000000000400000-0x0000000002C46000-memory.dmp

Filesize
40.3MB

Download
memory/4372-159-0x0000000000400000-0x0000000002C46000-memory.dmp

Filesize
40.3MB

Download
memory/4372-158-0x0000000002CB0000-0x0000000002CF0000-memory.dmp

Filesize
256KB

Download
memory/4372-157-0x0000000002D63000-0x0000000002D8A000-memory.dmp

Filesize
156KB

Download
memory/4372-147-0x0000000000000000-mapping.dmp

Download
memory/4960-198-0x0000000000000000-mapping.dmp

Download
memory/5044-192-0x0000000000000000-mapping.dmp

Download
memory/5108-180-0x0000000000000000-mapping.dmp

Download