amadey | 2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7

Analysis

max time kernel
153s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2022 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7.exe
Size

188KB
MD5

5c3ac9c46404bb118bb004998d57a0e4
SHA1

532c4c1d2059352851d4c99b8b46957c43e132d7
SHA256

2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7
SHA512

ab412ff8f7cf108ca9c41270a2212d47bbfe3a4fd8725dedd83c6122e40c96abfc5fef47150cdc34301c08c5d2dc9dc784dc01b0b586877657ad38d45b18813a
SSDEEP

3072:ryXgqLKU5oRu3NmmL6xbY5ng7RMt8XzhtYbKk5czWVkzbf1TyE/mTH:WgyLLOY5nIkN5eW2DoEOr

Score

10^/10

amadey raccoon redline smokeloader 53508e7dc4e08bd33122d190a04a1200 google2 backdoor collection infostealer spyware stealer trojan upx

Malware Config

Extracted

Family

raccoon

Botnet

53508e7dc4e08bd33122d190a04a1200

http://45.15.156.105/

rc4.plain

Extracted

Family

redline

Botnet

Google2

167.235.71.14:20469

Attributes

auth_value
fb274d9691235ba015830da570a13578

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll	amadey_cred_module

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4060-133-0x00000000022C0000-0x00000000022C9000-memory.dmp	family_smokeloader

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4116-207-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/3972-214-0x0000000000FD0000-0x0000000001045000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

125 4940 rundll32.exe
Downloads MZ/PE file

flow	pid	process
125	4940	rundll32.exe

Executes dropped EXE 10 IoCs

Processes:

91EF.exe94AF.exerovwer.exerovwer.exeF35B.exeEAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exeLYKAA.exe899.exe11A3.exerovwer.exe

pid	process
2376	91EF.exe
2316	94AF.exe
1888	rovwer.exe
2888	rovwer.exe
4940	F35B.exe
4584	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
1240	LYKAA.exe
3476	899.exe
3972	11A3.exe
2572	rovwer.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4520-189-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral1/memory/4520-191-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral1/memory/4520-192-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral1/memory/4520-193-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral1/memory/4520-194-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral1/memory/4520-195-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

91EF.exerovwer.exeF35B.exeLYKAA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	91EF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	rovwer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	F35B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	LYKAA.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4940 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4940	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

94AF.exe899.exe11A3.exe

description	pid	process	target process
PID 2316 set thread context of 1212	2316	94AF.exe	AppLaunch.exe
PID 3476 set thread context of 4520	3476	899.exe	RegSvcs.exe
PID 3972 set thread context of 4116	3972	11A3.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4608	2316	WerFault.exe	94AF.exe
2920	2376	WerFault.exe	91EF.exe
632	2888	WerFault.exe	rovwer.exe
1668	3972	WerFault.exe	11A3.exe
4204	2572	WerFault.exe	rovwer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4020 schtasks.exe
4836 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

312 timeout.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 81 Go-http-client/1.1

pid	process
4020	schtasks.exe
4836	schtasks.exe

pid	process
312	timeout.exe

description	flow	ioc
HTTP User-Agent header	81	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7.exe

pid	process
4060	2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7.exe
4060	2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3064

pid	process
3064

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7.exe

pid	process
4060	2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exeLYKAA.exevbc.exe

description	pid	process
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	4584	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Token: SeDebugPrivilege	1240	LYKAA.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	4116	vbc.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

94AF.exe91EF.exerovwer.exeF35B.exeEAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.execmd.exeLYKAA.execmd.exe899.exe11A3.exe

description	pid	process	target process
PID 3064 wrote to memory of 2376	3064		91EF.exe
PID 3064 wrote to memory of 2376	3064		91EF.exe
PID 3064 wrote to memory of 2376	3064		91EF.exe
PID 3064 wrote to memory of 2316	3064		94AF.exe
PID 3064 wrote to memory of 2316	3064		94AF.exe
PID 3064 wrote to memory of 2316	3064		94AF.exe
PID 2316 wrote to memory of 3484	2316	94AF.exe	AppLaunch.exe
PID 2316 wrote to memory of 3484	2316	94AF.exe	AppLaunch.exe
PID 2316 wrote to memory of 3484	2316	94AF.exe	AppLaunch.exe
PID 2316 wrote to memory of 1212	2316	94AF.exe	AppLaunch.exe
PID 2316 wrote to memory of 1212	2316	94AF.exe	AppLaunch.exe
PID 2316 wrote to memory of 1212	2316	94AF.exe	AppLaunch.exe
PID 2316 wrote to memory of 1212	2316	94AF.exe	AppLaunch.exe
PID 2316 wrote to memory of 1212	2316	94AF.exe	AppLaunch.exe
PID 2376 wrote to memory of 1888	2376	91EF.exe	rovwer.exe
PID 2376 wrote to memory of 1888	2376	91EF.exe	rovwer.exe
PID 2376 wrote to memory of 1888	2376	91EF.exe	rovwer.exe
PID 1888 wrote to memory of 4020	1888	rovwer.exe	schtasks.exe
PID 1888 wrote to memory of 4020	1888	rovwer.exe	schtasks.exe
PID 1888 wrote to memory of 4020	1888	rovwer.exe	schtasks.exe
PID 3064 wrote to memory of 4940	3064		F35B.exe
PID 3064 wrote to memory of 4940	3064		F35B.exe
PID 4940 wrote to memory of 4584	4940	F35B.exe	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
PID 4940 wrote to memory of 4584	4940	F35B.exe	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
PID 4584 wrote to memory of 5004	4584	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe	cmd.exe
PID 4584 wrote to memory of 5004	4584	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe	cmd.exe
PID 5004 wrote to memory of 312	5004	cmd.exe	timeout.exe
PID 5004 wrote to memory of 312	5004	cmd.exe	timeout.exe
PID 5004 wrote to memory of 1240	5004	cmd.exe	LYKAA.exe
PID 5004 wrote to memory of 1240	5004	cmd.exe	LYKAA.exe
PID 1240 wrote to memory of 5072	1240	LYKAA.exe	cmd.exe
PID 1240 wrote to memory of 5072	1240	LYKAA.exe	cmd.exe
PID 5072 wrote to memory of 4836	5072	cmd.exe	schtasks.exe
PID 5072 wrote to memory of 4836	5072	cmd.exe	schtasks.exe
PID 3064 wrote to memory of 3476	3064		899.exe
PID 3064 wrote to memory of 3476	3064		899.exe
PID 3476 wrote to memory of 4520	3476	899.exe	RegSvcs.exe
PID 3476 wrote to memory of 4520	3476	899.exe	RegSvcs.exe
PID 3476 wrote to memory of 4520	3476	899.exe	RegSvcs.exe
PID 3476 wrote to memory of 4520	3476	899.exe	RegSvcs.exe
PID 3476 wrote to memory of 4520	3476	899.exe	RegSvcs.exe
PID 3476 wrote to memory of 4520	3476	899.exe	RegSvcs.exe
PID 3476 wrote to memory of 4520	3476	899.exe	RegSvcs.exe
PID 3064 wrote to memory of 3972	3064		11A3.exe
PID 3064 wrote to memory of 3972	3064		11A3.exe
PID 3064 wrote to memory of 3972	3064		11A3.exe
PID 3064 wrote to memory of 3776	3064		explorer.exe
PID 3064 wrote to memory of 3776	3064		explorer.exe
PID 3064 wrote to memory of 3776	3064		explorer.exe
PID 3064 wrote to memory of 3776	3064		explorer.exe
PID 3064 wrote to memory of 1680	3064		explorer.exe
PID 3064 wrote to memory of 1680	3064		explorer.exe
PID 3064 wrote to memory of 1680	3064		explorer.exe
PID 3064 wrote to memory of 3604	3064		explorer.exe
PID 3064 wrote to memory of 3604	3064		explorer.exe
PID 3064 wrote to memory of 3604	3064		explorer.exe
PID 3064 wrote to memory of 3604	3064		explorer.exe
PID 3972 wrote to memory of 4116	3972	11A3.exe	vbc.exe
PID 3972 wrote to memory of 4116	3972	11A3.exe	vbc.exe
PID 3972 wrote to memory of 4116	3972	11A3.exe	vbc.exe
PID 3972 wrote to memory of 4116	3972	11A3.exe	vbc.exe
PID 3972 wrote to memory of 4116	3972	11A3.exe	vbc.exe
PID 3064 wrote to memory of 796	3064		explorer.exe
PID 3064 wrote to memory of 796	3064		explorer.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7.exe
"C:\Users\Admin\AppData\Local\Temp\2419035aff27fb789dbef913dc3b8a41571c7d92b7803c945b96fe10f07934f7.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4060

C:\Users\Admin\AppData\Local\Temp\91EF.exe
C:\Users\Admin\AppData\Local\Temp\91EF.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:4020

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 912
2⤵
- Program crash
PID:2920

C:\Users\Admin\AppData\Local\Temp\94AF.exe
C:\Users\Admin\AppData\Local\Temp\94AF.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:3484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 256
2⤵
- Program crash
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2316 -ip 2316
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2376 -ip 2376
1⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
1⤵
- Executes dropped EXE
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 420
2⤵
- Program crash
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2888 -ip 2888
1⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\F35B.exe
C:\Users\Admin\AppData\Local\Temp\F35B.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4940

C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
"C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF8E7.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:312

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
"C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
6⤵
- Creates scheduled task(s)
PID:4836

C:\Users\Admin\AppData\Local\Temp\899.exe
C:\Users\Admin\AppData\Local\Temp\899.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\11A3.exe
C:\Users\Admin\AppData\Local\Temp\11A3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 248
2⤵
- Program crash
PID:1668

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3776

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1680

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3972 -ip 3972
1⤵
PID:1056

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:796

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4272

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4276

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2664

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4492

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
1⤵
- Executes dropped EXE
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 420
2⤵
- Program crash
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2572 -ip 2572
1⤵
PID:4608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\Users\Admin\AppData\Local\Temp\11A3.exe
Filesize
451KB

MD5
d72b372b0787fc4d852a106b333cc7c8

SHA1
6988123af95387fedc454af85e0c4f33f4b7556d

SHA256
41626c59005232dbc0696b8a57f51fdde1035915ecdbd465c1f6ac7666069116

SHA512
86d57d4588e10fd7ef2c35d7b9ce48b74d7863f9772c526972e39b294c9724f14bcbf98010bdb0fe788208624c2b03e5cdd2dbd47933d05445a48b66c75f377c

Download Submit
C:\Users\Admin\AppData\Local\Temp\11A3.exe
Filesize
451KB

MD5
d72b372b0787fc4d852a106b333cc7c8

SHA1
6988123af95387fedc454af85e0c4f33f4b7556d

SHA256
41626c59005232dbc0696b8a57f51fdde1035915ecdbd465c1f6ac7666069116

SHA512
86d57d4588e10fd7ef2c35d7b9ce48b74d7863f9772c526972e39b294c9724f14bcbf98010bdb0fe788208624c2b03e5cdd2dbd47933d05445a48b66c75f377c

Download Submit
C:\Users\Admin\AppData\Local\Temp\899.exe
Filesize
3.0MB

MD5
39dea452043651bbb94be8f3b009d6b5

SHA1
cad231a8730d3d09fdc34e212a6ed8e839b1cb90

SHA256
c1b946de49fe49cfd1c4033bf0d88b0724b93b73d83ed1ec208442359860055f

SHA512
0a029b8075cb5bfef0f499b2c807772b5be76db3e8a49cd7ffb5c890db7888c09c6aafe509c98e977d9df40a7e4e93e83c095e37cd3758ebd8d5cd2045ec0498

Download Submit
C:\Users\Admin\AppData\Local\Temp\899.exe
Filesize
3.0MB

MD5
39dea452043651bbb94be8f3b009d6b5

SHA1
cad231a8730d3d09fdc34e212a6ed8e839b1cb90

SHA256
c1b946de49fe49cfd1c4033bf0d88b0724b93b73d83ed1ec208442359860055f

SHA512
0a029b8075cb5bfef0f499b2c807772b5be76db3e8a49cd7ffb5c890db7888c09c6aafe509c98e977d9df40a7e4e93e83c095e37cd3758ebd8d5cd2045ec0498

Download Submit
C:\Users\Admin\AppData\Local\Temp\91EF.exe
Filesize
246KB

MD5
388ffb4e3c39ecbfde976f7f592ceccd

SHA1
521d63ff4dccec9c9550d870124b58be6ad0df91

SHA256
33feba6217909c7ee87d269ed169ccf451b5493098c329adb58d6fb56ace2d9a

SHA512
305a77962f581c026d331a76e94300bbe627eda246a3b87ba83e796e8abc04b93198a2c3508def694833d33614d7ed19f9576157aa4a5a86f94077e09914b234

Download Submit
C:\Users\Admin\AppData\Local\Temp\91EF.exe
Filesize
246KB

MD5
388ffb4e3c39ecbfde976f7f592ceccd

SHA1
521d63ff4dccec9c9550d870124b58be6ad0df91

SHA256
33feba6217909c7ee87d269ed169ccf451b5493098c329adb58d6fb56ace2d9a

SHA512
305a77962f581c026d331a76e94300bbe627eda246a3b87ba83e796e8abc04b93198a2c3508def694833d33614d7ed19f9576157aa4a5a86f94077e09914b234

Download Submit
C:\Users\Admin\AppData\Local\Temp\94AF.exe
Filesize
275KB

MD5
ab45b17d29efac4957075c72519d2243

SHA1
d6b044ab1f103424f190ed3fb33944609b21db3e

SHA256
02577523a1d0dc64387458f4257473a08dc152fe6070fa06febd645ed6d515ad

SHA512
72a28a26d2dffe56cfc330a9d7d6b3e8674e453d3a1ffedc982f276ae853d296b424e25031c4befb292449a4e30c28ed79956a227f71da5a4c2caf70f81802e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\94AF.exe
Filesize
275KB

MD5
ab45b17d29efac4957075c72519d2243

SHA1
d6b044ab1f103424f190ed3fb33944609b21db3e

SHA256
02577523a1d0dc64387458f4257473a08dc152fe6070fa06febd645ed6d515ad

SHA512
72a28a26d2dffe56cfc330a9d7d6b3e8674e453d3a1ffedc982f276ae853d296b424e25031c4befb292449a4e30c28ed79956a227f71da5a4c2caf70f81802e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\F35B.exe
Filesize
1.1MB

MD5
ae30203171ea1b8be4017efcab8dd23e

SHA1
597c1cbc27659181318bd9d4f44fcd55abc4e36e

SHA256
a232ab45ccd355e5ba96a254edcc53deb2bcbf154610732b444cb5d6d07ce401

SHA512
b1a963f6b0953673145191540e22d9eee4039efccbb8bf153517ba63257a056000a15fd52edf4c6a2dd572cca5267d675a174694c694e408d9a006e4dc933f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\F35B.exe
Filesize
1.1MB

MD5
ae30203171ea1b8be4017efcab8dd23e

SHA1
597c1cbc27659181318bd9d4f44fcd55abc4e36e

SHA256
a232ab45ccd355e5ba96a254edcc53deb2bcbf154610732b444cb5d6d07ce401

SHA512
b1a963f6b0953673145191540e22d9eee4039efccbb8bf153517ba63257a056000a15fd52edf4c6a2dd572cca5267d675a174694c694e408d9a006e4dc933f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Filesize
246KB

MD5
388ffb4e3c39ecbfde976f7f592ceccd

SHA1
521d63ff4dccec9c9550d870124b58be6ad0df91

SHA256
33feba6217909c7ee87d269ed169ccf451b5493098c329adb58d6fb56ace2d9a

SHA512
305a77962f581c026d331a76e94300bbe627eda246a3b87ba83e796e8abc04b93198a2c3508def694833d33614d7ed19f9576157aa4a5a86f94077e09914b234

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Filesize
246KB

MD5
388ffb4e3c39ecbfde976f7f592ceccd

SHA1
521d63ff4dccec9c9550d870124b58be6ad0df91

SHA256
33feba6217909c7ee87d269ed169ccf451b5493098c329adb58d6fb56ace2d9a

SHA512
305a77962f581c026d331a76e94300bbe627eda246a3b87ba83e796e8abc04b93198a2c3508def694833d33614d7ed19f9576157aa4a5a86f94077e09914b234

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Filesize
246KB

MD5
388ffb4e3c39ecbfde976f7f592ceccd

SHA1
521d63ff4dccec9c9550d870124b58be6ad0df91

SHA256
33feba6217909c7ee87d269ed169ccf451b5493098c329adb58d6fb56ace2d9a

SHA512
305a77962f581c026d331a76e94300bbe627eda246a3b87ba83e796e8abc04b93198a2c3508def694833d33614d7ed19f9576157aa4a5a86f94077e09914b234

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Filesize
246KB

MD5
388ffb4e3c39ecbfde976f7f592ceccd

SHA1
521d63ff4dccec9c9550d870124b58be6ad0df91

SHA256
33feba6217909c7ee87d269ed169ccf451b5493098c329adb58d6fb56ace2d9a

SHA512
305a77962f581c026d331a76e94300bbe627eda246a3b87ba83e796e8abc04b93198a2c3508def694833d33614d7ed19f9576157aa4a5a86f94077e09914b234

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8E7.tmp.bat
Filesize
153B

MD5
c4df15df23887fc4bde9587f8e58249e

SHA1
ea1f722b10d1f1d4b40e25250c368b7152e26660

SHA256
6278fc50b805833d38a712239dea1d55e9d3900c2173d4ca6d1d3e333b7231d9

SHA512
0f94a405c7be6774aa289d6bf3d17bb80f4bb4b2544e32da6a4b89d9aaf48a2b62d95954a4ed357ad56c81572f4adcd326f764a46cdb590a0f57542c78c71300

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll
Filesize
126KB

MD5
522adad0782501491314a78c7f32006b

SHA1
e487edceeef3a41e2a8eea1e684bcbc3b39adb97

SHA256
351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba

SHA512
5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll
Filesize
126KB

MD5
522adad0782501491314a78c7f32006b

SHA1
e487edceeef3a41e2a8eea1e684bcbc3b39adb97

SHA256
351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba

SHA512
5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7

Download Submit
C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
memory/312-179-0x0000000000000000-mapping.dmp

Download
memory/796-220-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/796-215-0x0000000000000000-mapping.dmp

Download
memory/796-222-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/796-245-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/1212-151-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1212-145-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1212-144-0x0000000000000000-mapping.dmp

Download
memory/1240-180-0x0000000000000000-mapping.dmp

Download
memory/1240-256-0x00007FFBDB230000-0x00007FFBDBCF1000-memory.dmp

Filesize
10.8MB

Download
memory/1240-185-0x00007FFBDB230000-0x00007FFBDBCF1000-memory.dmp

Filesize
10.8MB

Download
memory/1240-233-0x00007FFBDB230000-0x00007FFBDBCF1000-memory.dmp

Filesize
10.8MB

Download
memory/1680-204-0x00000000008E0000-0x00000000008EF000-memory.dmp

Filesize
60KB

Download
memory/1680-243-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/1680-203-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/1680-202-0x0000000000000000-mapping.dmp

Download
memory/1888-159-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1888-158-0x00000000008AC000-0x00000000008CB000-memory.dmp

Filesize
124KB

Download
memory/1888-161-0x00000000008AC000-0x00000000008CB000-memory.dmp

Filesize
124KB

Download
memory/1888-152-0x0000000000000000-mapping.dmp

Download
memory/1888-162-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1944-252-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/1944-236-0x0000000000000000-mapping.dmp

Download
memory/1944-237-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/1944-238-0x0000000000D80000-0x0000000000D8B000-memory.dmp

Filesize
44KB

Download
memory/2316-140-0x0000000000000000-mapping.dmp

Download
memory/2376-156-0x00000000021C0000-0x00000000021FE000-memory.dmp

Filesize
248KB

Download
memory/2376-155-0x00000000006FD000-0x000000000071C000-memory.dmp

Filesize
124KB

Download
memory/2376-137-0x0000000000000000-mapping.dmp

Download
memory/2376-157-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2572-258-0x000000000093F000-0x000000000095E000-memory.dmp

Filesize
124KB

Download
memory/2572-259-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2664-230-0x00000000010B0000-0x00000000010B6000-memory.dmp

Filesize
24KB

Download
memory/2664-229-0x0000000000000000-mapping.dmp

Download
memory/2664-231-0x00000000010A0000-0x00000000010AB000-memory.dmp

Filesize
44KB

Download
memory/2664-250-0x00000000010B0000-0x00000000010B6000-memory.dmp

Filesize
24KB

Download
memory/2888-164-0x000000000072F000-0x000000000074E000-memory.dmp

Filesize
124KB

Download
memory/2888-165-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3476-186-0x0000000000000000-mapping.dmp

Download
memory/3484-143-0x0000000000000000-mapping.dmp

Download
memory/3604-244-0x0000000000680000-0x0000000000685000-memory.dmp

Filesize
20KB

Download
memory/3604-213-0x0000000000670000-0x0000000000679000-memory.dmp

Filesize
36KB

Download
memory/3604-212-0x0000000000680000-0x0000000000685000-memory.dmp

Filesize
20KB

Download
memory/3604-205-0x0000000000000000-mapping.dmp

Download
memory/3776-199-0x0000000000000000-mapping.dmp

Download
memory/3776-201-0x00000000005E0000-0x00000000005EB000-memory.dmp

Filesize
44KB

Download
memory/3776-200-0x00000000005F0000-0x00000000005F7000-memory.dmp

Filesize
28KB

Download
memory/3776-241-0x00000000005F0000-0x00000000005F7000-memory.dmp

Filesize
28KB

Download
memory/3972-196-0x0000000000000000-mapping.dmp

Download
memory/3972-214-0x0000000000FD0000-0x0000000001045000-memory.dmp

Filesize
468KB

Download
memory/4020-160-0x0000000000000000-mapping.dmp

Download
memory/4060-136-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/4060-132-0x000000000081D000-0x000000000082D000-memory.dmp

Filesize
64KB

Download
memory/4060-135-0x000000000081D000-0x000000000082D000-memory.dmp

Filesize
64KB

Download
memory/4060-134-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/4060-133-0x00000000022C0000-0x00000000022C9000-memory.dmp

Filesize
36KB

Download
memory/4116-249-0x00000000097B0000-0x0000000009CDC000-memory.dmp

Filesize
5.2MB

Download
memory/4116-206-0x0000000000000000-mapping.dmp

Download
memory/4116-221-0x00000000077B0000-0x00000000077EC000-memory.dmp

Filesize
240KB

Download
memory/4116-218-0x0000000007750000-0x0000000007762000-memory.dmp

Filesize
72KB

Download
memory/4116-217-0x0000000007830000-0x000000000793A000-memory.dmp

Filesize
1.0MB

Download
memory/4116-248-0x00000000090B0000-0x0000000009272000-memory.dmp

Filesize
1.8MB

Download
memory/4116-242-0x0000000008420000-0x00000000084B2000-memory.dmp

Filesize
584KB

Download
memory/4116-240-0x0000000008930000-0x0000000008ED4000-memory.dmp

Filesize
5.6MB

Download
memory/4116-216-0x0000000005E90000-0x00000000064A8000-memory.dmp

Filesize
6.1MB

Download
memory/4116-207-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4116-239-0x0000000008310000-0x0000000008376000-memory.dmp

Filesize
408KB

Download
memory/4272-225-0x0000000000EC0000-0x0000000000EE7000-memory.dmp

Filesize
156KB

Download
memory/4272-224-0x0000000000EF0000-0x0000000000F12000-memory.dmp

Filesize
136KB

Download
memory/4272-246-0x0000000000EF0000-0x0000000000F12000-memory.dmp

Filesize
136KB

Download
memory/4272-223-0x0000000000000000-mapping.dmp

Download
memory/4276-227-0x00000000006D0000-0x00000000006D5000-memory.dmp

Filesize
20KB

Download
memory/4276-228-0x00000000006C0000-0x00000000006C9000-memory.dmp

Filesize
36KB

Download
memory/4276-226-0x0000000000000000-mapping.dmp

Download
memory/4276-247-0x00000000006D0000-0x00000000006D5000-memory.dmp

Filesize
20KB

Download
memory/4492-235-0x0000000000BF0000-0x0000000000BFD000-memory.dmp

Filesize
52KB

Download
memory/4492-234-0x0000000000E00000-0x0000000000E07000-memory.dmp

Filesize
28KB

Download
memory/4492-232-0x0000000000000000-mapping.dmp

Download
memory/4492-251-0x0000000000E00000-0x0000000000E07000-memory.dmp

Filesize
28KB

Download
memory/4520-189-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/4520-193-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/4520-192-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/4520-191-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/4520-190-0x0000000000BE8EA0-mapping.dmp

Download
memory/4520-194-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/4520-195-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/4584-177-0x00007FFBDAFE0000-0x00007FFBDBAA1000-memory.dmp

Filesize
10.8MB

Download
memory/4584-175-0x00007FFBDAFE0000-0x00007FFBDBAA1000-memory.dmp

Filesize
10.8MB

Download
memory/4584-173-0x0000000000C10000-0x0000000000CE6000-memory.dmp

Filesize
856KB

Download
memory/4584-170-0x0000000000000000-mapping.dmp

Download
memory/4836-184-0x0000000000000000-mapping.dmp

Download
memory/4940-219-0x00007FFBDAFE0000-0x00007FFBDBAA1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-253-0x0000000000000000-mapping.dmp

Download
memory/4940-174-0x00007FFBDAFE0000-0x00007FFBDBAA1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-169-0x0000000000F90000-0x00000000010B0000-memory.dmp

Filesize
1.1MB

Download
memory/4940-166-0x0000000000000000-mapping.dmp

Download
memory/5004-176-0x0000000000000000-mapping.dmp

Download
memory/5072-183-0x0000000000000000-mapping.dmp

Download