amadey | 4bdfe505e72b4bb6b082967fab23e3e1cf282189c5b5c98f9b096d8a525535c9

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2022 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e6e6f7c2683bbce65570e600df6a7bb.exe
Size

335KB
MD5

9e6e6f7c2683bbce65570e600df6a7bb
SHA1

dbb3694b114c0c2edd8455529e71efd97c002e18
SHA256

4bdfe505e72b4bb6b082967fab23e3e1cf282189c5b5c98f9b096d8a525535c9
SHA512

deab3e2bca008a665e30e27c7ee298fe9cea5dd4f94705eb463c43fd6d3d93b13cb403f6aa63d5314cf622f3d780044c045e7e2e82ac45076534991483454bdb
SSDEEP

6144:21IUF1z+RxP9aWU/WKlH29hffn3h+3oQ9gOU+fzYBb6:bE0BaWmjWPfnY9gT6

Score

10^/10

amadey dcrat redline smokeloader vidar 1827 easy1018 kript backdoor collection discovery infostealer rat spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

easy1018

chardhesha.xyz:81

jalocliche.xyz:81

Attributes

auth_value
56edfa3741d7e2286e0bcfe901712a2c

Extracted

Family

vidar

Version

55.7

Botnet

1827

https://t.me/deadftx

https://www.ultimate-guitar.com/u/smbfupkuhrgc1

Attributes

profile_id
1827

Extracted

Family

amadey

Version

3.50

193.56.146.174/g84kvj4jck/index.php

Extracted

Family

redline

Botnet

KRIPT

212.8.246.157:32348

Attributes

auth_value
80ebe4bab7a98a7ce9c75989ff9f40b4

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1792-133-0x0000000000030000-0x0000000000039000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2876-140-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral2/memory/4224-248-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

120 3896 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

150E.exe1CA1.exe23B6.exe2677.exe3210.exerovwer.exe4367.exerovwer.exerovwer.exe

pid process

2524 150E.exe
2768 1CA1.exe
4900 23B6.exe
3752 2677.exe
1008 3210.exe
1656 rovwer.exe
2552 4367.exe
3784 rovwer.exe
1640 rovwer.exe

flow	pid	process
120	3896	rundll32.exe

pid	process
2524	150E.exe
2768	1CA1.exe
4900	23B6.exe
3752	2677.exe
1008	3210.exe
1656	rovwer.exe
2552	4367.exe
3784	rovwer.exe
1640	rovwer.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2220-271-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral2/memory/2220-272-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral2/memory/2220-269-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral2/memory/2220-273-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1CA1.exerovwer.exe2677.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1CA1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	rovwer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2677.exe

Loads dropped DLL 3 IoCs

Processes:

1CA1.exerundll32.exe

pid process

2768 1CA1.exe
2768 1CA1.exe
3896 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2768	1CA1.exe
2768	1CA1.exe
3896	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 3 IoCs

Processes:

150E.exe3210.exe4367.exe

description	pid	process	target process
PID 2524 set thread context of 2876	2524	150E.exe	vbc.exe
PID 1008 set thread context of 4224	1008	3210.exe	ngentask.exe
PID 2552 set thread context of 2220	2552	4367.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4556	2524	WerFault.exe	150E.exe
2488	3752	WerFault.exe	2677.exe
1704	2768	WerFault.exe	1CA1.exe
3476	4900	WerFault.exe	23B6.exe
4004	3784	WerFault.exe	rovwer.exe
4784	1640	WerFault.exe	rovwer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9e6e6f7c2683bbce65570e600df6a7bb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9e6e6f7c2683bbce65570e600df6a7bb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9e6e6f7c2683bbce65570e600df6a7bb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9e6e6f7c2683bbce65570e600df6a7bb.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1CA1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1CA1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1CA1.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3984 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2948 timeout.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 117 Go-http-client/1.1

pid	process
3984	schtasks.exe

pid	process
2948	timeout.exe

description	flow	ioc
HTTP User-Agent header	117	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9e6e6f7c2683bbce65570e600df6a7bb.exe

pid	process
1792	9e6e6f7c2683bbce65570e600df6a7bb.exe
1792	9e6e6f7c2683bbce65570e600df6a7bb.exe
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1040
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

9e6e6f7c2683bbce65570e600df6a7bb.exe

pid process

1792 9e6e6f7c2683bbce65570e600df6a7bb.exe
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040
1040

pid	process
1040

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

23B6.exevbc.exengentask.exe

description	pid	process
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeDebugPrivilege	4900	23B6.exe
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeDebugPrivilege	2876	vbc.exe
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeDebugPrivilege	4224	ngentask.exe
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040
Token: SeShutdownPrivilege	1040
Token: SeCreatePagefilePrivilege	1040

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

150E.exe2677.exe1CA1.execmd.exerovwer.execmd.exe

description	pid	process	target process
PID 1040 wrote to memory of 2524	1040		150E.exe
PID 1040 wrote to memory of 2524	1040		150E.exe
PID 1040 wrote to memory of 2524	1040		150E.exe
PID 2524 wrote to memory of 2876	2524	150E.exe	vbc.exe
PID 2524 wrote to memory of 2876	2524	150E.exe	vbc.exe
PID 2524 wrote to memory of 2876	2524	150E.exe	vbc.exe
PID 2524 wrote to memory of 2876	2524	150E.exe	vbc.exe
PID 2524 wrote to memory of 2876	2524	150E.exe	vbc.exe
PID 1040 wrote to memory of 2768	1040		1CA1.exe
PID 1040 wrote to memory of 2768	1040		1CA1.exe
PID 1040 wrote to memory of 2768	1040		1CA1.exe
PID 1040 wrote to memory of 4900	1040		23B6.exe
PID 1040 wrote to memory of 4900	1040		23B6.exe
PID 1040 wrote to memory of 4900	1040		23B6.exe
PID 1040 wrote to memory of 3752	1040		2677.exe
PID 1040 wrote to memory of 3752	1040		2677.exe
PID 1040 wrote to memory of 3752	1040		2677.exe
PID 1040 wrote to memory of 1008	1040		3210.exe
PID 1040 wrote to memory of 1008	1040		3210.exe
PID 1040 wrote to memory of 1008	1040		3210.exe
PID 3752 wrote to memory of 1656	3752	2677.exe	rovwer.exe
PID 3752 wrote to memory of 1656	3752	2677.exe	rovwer.exe
PID 3752 wrote to memory of 1656	3752	2677.exe	rovwer.exe
PID 2768 wrote to memory of 3424	2768	1CA1.exe	cmd.exe
PID 2768 wrote to memory of 3424	2768	1CA1.exe	cmd.exe
PID 2768 wrote to memory of 3424	2768	1CA1.exe	cmd.exe
PID 1040 wrote to memory of 2552	1040		4367.exe
PID 1040 wrote to memory of 2552	1040		4367.exe
PID 1040 wrote to memory of 1340	1040		explorer.exe
PID 1040 wrote to memory of 1340	1040		explorer.exe
PID 1040 wrote to memory of 1340	1040		explorer.exe
PID 1040 wrote to memory of 1340	1040		explorer.exe
PID 1040 wrote to memory of 3592	1040		explorer.exe
PID 1040 wrote to memory of 3592	1040		explorer.exe
PID 1040 wrote to memory of 3592	1040		explorer.exe
PID 1040 wrote to memory of 1648	1040		explorer.exe
PID 1040 wrote to memory of 1648	1040		explorer.exe
PID 1040 wrote to memory of 1648	1040		explorer.exe
PID 1040 wrote to memory of 1648	1040		explorer.exe
PID 3424 wrote to memory of 2948	3424	cmd.exe	timeout.exe
PID 3424 wrote to memory of 2948	3424	cmd.exe	timeout.exe
PID 3424 wrote to memory of 2948	3424	cmd.exe	timeout.exe
PID 1040 wrote to memory of 2460	1040		explorer.exe
PID 1040 wrote to memory of 2460	1040		explorer.exe
PID 1040 wrote to memory of 2460	1040		explorer.exe
PID 1656 wrote to memory of 3984	1656	rovwer.exe	schtasks.exe
PID 1656 wrote to memory of 3984	1656	rovwer.exe	schtasks.exe
PID 1656 wrote to memory of 3984	1656	rovwer.exe	schtasks.exe
PID 1656 wrote to memory of 4744	1656	rovwer.exe	cmd.exe
PID 1656 wrote to memory of 4744	1656	rovwer.exe	cmd.exe
PID 1656 wrote to memory of 4744	1656	rovwer.exe	cmd.exe
PID 4744 wrote to memory of 728	4744	cmd.exe	cmd.exe
PID 4744 wrote to memory of 728	4744	cmd.exe	cmd.exe
PID 4744 wrote to memory of 728	4744	cmd.exe	cmd.exe
PID 4744 wrote to memory of 4604	4744	cmd.exe	cacls.exe
PID 4744 wrote to memory of 4604	4744	cmd.exe	cacls.exe
PID 4744 wrote to memory of 4604	4744	cmd.exe	cacls.exe
PID 1040 wrote to memory of 4240	1040		explorer.exe
PID 1040 wrote to memory of 4240	1040		explorer.exe
PID 1040 wrote to memory of 4240	1040		explorer.exe
PID 1040 wrote to memory of 4240	1040		explorer.exe
PID 4744 wrote to memory of 3200	4744	cmd.exe	cacls.exe
PID 4744 wrote to memory of 3200	4744	cmd.exe	cacls.exe
PID 4744 wrote to memory of 3200	4744	cmd.exe	cacls.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9e6e6f7c2683bbce65570e600df6a7bb.exe
"C:\Users\Admin\AppData\Local\Temp\9e6e6f7c2683bbce65570e600df6a7bb.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1792

C:\Users\Admin\AppData\Local\Temp\150E.exe
C:\Users\Admin\AppData\Local\Temp\150E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 496
2⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2524 -ip 2524
1⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\1CA1.exe
C:\Users\Admin\AppData\Local\Temp\1CA1.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1CA1.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 1992
2⤵
- Program crash
PID:1704

C:\Users\Admin\AppData\Local\Temp\23B6.exe
C:\Users\Admin\AppData\Local\Temp\23B6.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1828
2⤵
- Program crash
PID:3476

C:\Users\Admin\AppData\Local\Temp\2677.exe
C:\Users\Admin\AppData\Local\Temp\2677.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3752

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:3984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:728

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
4⤵
PID:4604

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
4⤵
PID:3200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4216

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
4⤵
PID:2260

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
4⤵
PID:412

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 908
2⤵
- Program crash
PID:2488

C:\Users\Admin\AppData\Local\Temp\3210.exe
C:\Users\Admin\AppData\Local\Temp\3210.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3752 -ip 3752
1⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\4367.exe
C:\Users\Admin\AppData\Local\Temp\4367.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2552

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2768 -ip 2768
1⤵
PID:3524

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1340

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3592

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1648

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2460

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4240

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1440

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:516

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:484

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 416
2⤵
- Program crash
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4900 -ip 4900
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3784 -ip 3784
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 416
2⤵
- Program crash
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1640 -ip 1640
1⤵
PID:3168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\150E.exe
Filesize
234KB

MD5
d7812ba32d4c9d84169ee9703e0c13ac

SHA1
1f964c8797dc08fa46fe442acc371adc8b874d38

SHA256
57202ca65b8718fbed9ec980d45e94b2668e3ea40447fcca9125e2e4fa57e7ed

SHA512
e957f5cd9b2ef982cf6bbc1f6b63d56306804f05f77ebbbc73c8d475ed6913aa500f5153bb90aa892ed33b39e8bb6bc5703a3146c81c609c75e1e4ccc0cfec24

Download Submit
C:\Users\Admin\AppData\Local\Temp\150E.exe
Filesize
234KB

MD5
d7812ba32d4c9d84169ee9703e0c13ac

SHA1
1f964c8797dc08fa46fe442acc371adc8b874d38

SHA256
57202ca65b8718fbed9ec980d45e94b2668e3ea40447fcca9125e2e4fa57e7ed

SHA512
e957f5cd9b2ef982cf6bbc1f6b63d56306804f05f77ebbbc73c8d475ed6913aa500f5153bb90aa892ed33b39e8bb6bc5703a3146c81c609c75e1e4ccc0cfec24

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CA1.exe
Filesize
274KB

MD5
39e947318bd7c04280e9266f4b6c0a35

SHA1
1568c064c8aa24f17549fbbff895fc7eae574dcd

SHA256
ce3c6cc7e3d80c26246bb01b910992d8c77b1c3f30ec28b79346f15224a3c746

SHA512
05361abdf59148b763bb5705587a01d8309a5db3b6a8006b70793459af8e48db8c801d41917af9d96e2b74f154a58822d24c4f7585a84f2c5ec43d2f39fb1db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CA1.exe
Filesize
274KB

MD5
39e947318bd7c04280e9266f4b6c0a35

SHA1
1568c064c8aa24f17549fbbff895fc7eae574dcd

SHA256
ce3c6cc7e3d80c26246bb01b910992d8c77b1c3f30ec28b79346f15224a3c746

SHA512
05361abdf59148b763bb5705587a01d8309a5db3b6a8006b70793459af8e48db8c801d41917af9d96e2b74f154a58822d24c4f7585a84f2c5ec43d2f39fb1db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\23B6.exe
Filesize
293KB

MD5
2dee200193091be2f2321d921750c4ed

SHA1
4c5b6c7512be4d4e200c4141dc0e90bcabce4ca3

SHA256
7330807028605eba5b4ecfaca0390b78cb04e4276d1de23eb95b407e1244ef12

SHA512
4124e9bc1c7c587ce394ad35ec56fd3c6ec4466167df6e00ffa1d88b09b34fa69072d946337cad696223d31d85f8662ff9d5452c474d20cca06d91a8b9c608ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\23B6.exe
Filesize
293KB

MD5
2dee200193091be2f2321d921750c4ed

SHA1
4c5b6c7512be4d4e200c4141dc0e90bcabce4ca3

SHA256
7330807028605eba5b4ecfaca0390b78cb04e4276d1de23eb95b407e1244ef12

SHA512
4124e9bc1c7c587ce394ad35ec56fd3c6ec4466167df6e00ffa1d88b09b34fa69072d946337cad696223d31d85f8662ff9d5452c474d20cca06d91a8b9c608ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\2677.exe
Filesize
372KB

MD5
d162fc0c82665c30829ebe8bc9b6155d

SHA1
df0896eb352c9ce886dd1da00800a35dd35cb293

SHA256
6d5eb6f2b3623f10894e49e765564314797782684464bdb9f3599d8140bd7da6

SHA512
c126c165f06b4d9b477fdfb0fd94077bbd7fe0399c982e40e95eb77df620e47497f22f3a9675e8c31a22d4d14d815b0840f1195af8bff0d93a2b0de96d217a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\2677.exe
Filesize
372KB

MD5
d162fc0c82665c30829ebe8bc9b6155d

SHA1
df0896eb352c9ce886dd1da00800a35dd35cb293

SHA256
6d5eb6f2b3623f10894e49e765564314797782684464bdb9f3599d8140bd7da6

SHA512
c126c165f06b4d9b477fdfb0fd94077bbd7fe0399c982e40e95eb77df620e47497f22f3a9675e8c31a22d4d14d815b0840f1195af8bff0d93a2b0de96d217a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\3210.exe
Filesize
1.2MB

MD5
f96144b1d5b53d93caadddade38db5e9

SHA1
1587e66f9a4d83060ee597f983a7323a556bc1c0

SHA256
63018f38311387aa7f511f090fd154ea6ec3799c2f4762890082793912c68146

SHA512
824a86438150df143c7475605600b4a03dbfa819806f193be248650a3a70e97bdcd3d20cac9b8b00693d464b5cbd168e1f0c78beaa00d167b8a877cfbce3c34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3210.exe
Filesize
1.2MB

MD5
f96144b1d5b53d93caadddade38db5e9

SHA1
1587e66f9a4d83060ee597f983a7323a556bc1c0

SHA256
63018f38311387aa7f511f090fd154ea6ec3799c2f4762890082793912c68146

SHA512
824a86438150df143c7475605600b4a03dbfa819806f193be248650a3a70e97bdcd3d20cac9b8b00693d464b5cbd168e1f0c78beaa00d167b8a877cfbce3c34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4367.exe
Filesize
3.0MB

MD5
44a7e13ecc55ce9797c5121b230d9927

SHA1
b99f1d86e6d9c7e0d694ca605abd205663278487

SHA256
9e0425e14520485fa7e86057d07d26e8064f99a7ad09e35211edd4a428ee57ae

SHA512
74df06b20d23483f854b5a88e5ccdfe534497630a105614e6cd87f3238398e0fb03218cb864fd6f7798b69e083c1098225010aecd959fbec28d63c0626711a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4367.exe
Filesize
3.0MB

MD5
44a7e13ecc55ce9797c5121b230d9927

SHA1
b99f1d86e6d9c7e0d694ca605abd205663278487

SHA256
9e0425e14520485fa7e86057d07d26e8064f99a7ad09e35211edd4a428ee57ae

SHA512
74df06b20d23483f854b5a88e5ccdfe534497630a105614e6cd87f3238398e0fb03218cb864fd6f7798b69e083c1098225010aecd959fbec28d63c0626711a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
372KB

MD5
d162fc0c82665c30829ebe8bc9b6155d

SHA1
df0896eb352c9ce886dd1da00800a35dd35cb293

SHA256
6d5eb6f2b3623f10894e49e765564314797782684464bdb9f3599d8140bd7da6

SHA512
c126c165f06b4d9b477fdfb0fd94077bbd7fe0399c982e40e95eb77df620e47497f22f3a9675e8c31a22d4d14d815b0840f1195af8bff0d93a2b0de96d217a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
372KB

MD5
d162fc0c82665c30829ebe8bc9b6155d

SHA1
df0896eb352c9ce886dd1da00800a35dd35cb293

SHA256
6d5eb6f2b3623f10894e49e765564314797782684464bdb9f3599d8140bd7da6

SHA512
c126c165f06b4d9b477fdfb0fd94077bbd7fe0399c982e40e95eb77df620e47497f22f3a9675e8c31a22d4d14d815b0840f1195af8bff0d93a2b0de96d217a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
372KB

MD5
d162fc0c82665c30829ebe8bc9b6155d

SHA1
df0896eb352c9ce886dd1da00800a35dd35cb293

SHA256
6d5eb6f2b3623f10894e49e765564314797782684464bdb9f3599d8140bd7da6

SHA512
c126c165f06b4d9b477fdfb0fd94077bbd7fe0399c982e40e95eb77df620e47497f22f3a9675e8c31a22d4d14d815b0840f1195af8bff0d93a2b0de96d217a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
372KB

MD5
d162fc0c82665c30829ebe8bc9b6155d

SHA1
df0896eb352c9ce886dd1da00800a35dd35cb293

SHA256
6d5eb6f2b3623f10894e49e765564314797782684464bdb9f3599d8140bd7da6

SHA512
c126c165f06b4d9b477fdfb0fd94077bbd7fe0399c982e40e95eb77df620e47497f22f3a9675e8c31a22d4d14d815b0840f1195af8bff0d93a2b0de96d217a91

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
memory/412-233-0x0000000000000000-mapping.dmp

Download
memory/484-239-0x0000000000000000-mapping.dmp

Download
memory/484-242-0x0000000000E00000-0x0000000000E07000-memory.dmp

Filesize
28KB

Download
memory/484-243-0x0000000000BF0000-0x0000000000BFD000-memory.dmp

Filesize
52KB

Download
memory/484-265-0x0000000000E00000-0x0000000000E07000-memory.dmp

Filesize
28KB

Download
memory/516-264-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/516-238-0x0000000000480000-0x000000000048B000-memory.dmp

Filesize
44KB

Download
memory/516-241-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/516-236-0x0000000000000000-mapping.dmp

Download
memory/728-223-0x0000000000000000-mapping.dmp

Download
memory/1008-240-0x000000000FA70000-0x000000000FBC2000-memory.dmp

Filesize
1.3MB

Download
memory/1008-231-0x000000000228A000-0x0000000002379000-memory.dmp

Filesize
956KB

Download
memory/1008-169-0x0000000000000000-mapping.dmp

Download
memory/1008-235-0x000000000FA70000-0x000000000FBC2000-memory.dmp

Filesize
1.3MB

Download
memory/1008-206-0x0000000002804000-0x0000000002CC5000-memory.dmp

Filesize
4.8MB

Download
memory/1008-252-0x000000000228A000-0x0000000002379000-memory.dmp

Filesize
956KB

Download
memory/1340-208-0x0000000001290000-0x000000000129B000-memory.dmp

Filesize
44KB

Download
memory/1340-203-0x00000000012A0000-0x00000000012A7000-memory.dmp

Filesize
28KB

Download
memory/1340-199-0x0000000000000000-mapping.dmp

Download
memory/1440-232-0x0000000000000000-mapping.dmp

Download
memory/1440-237-0x0000000000840000-0x0000000000849000-memory.dmp

Filesize
36KB

Download
memory/1440-234-0x0000000000850000-0x0000000000855000-memory.dmp

Filesize
20KB

Download
memory/1440-260-0x0000000000850000-0x0000000000855000-memory.dmp

Filesize
20KB

Download
memory/1648-213-0x0000000001290000-0x0000000001299000-memory.dmp

Filesize
36KB

Download
memory/1648-211-0x0000000000000000-mapping.dmp

Download
memory/1648-255-0x00000000012A0000-0x00000000012A5000-memory.dmp

Filesize
20KB

Download
memory/1648-212-0x00000000012A0000-0x00000000012A5000-memory.dmp

Filesize
20KB

Download
memory/1656-219-0x0000000000983000-0x00000000009A2000-memory.dmp

Filesize
124KB

Download
memory/1656-257-0x0000000000400000-0x0000000000860000-memory.dmp

Filesize
4.4MB

Download
memory/1656-189-0x0000000000000000-mapping.dmp

Download
memory/1656-220-0x0000000000400000-0x0000000000860000-memory.dmp

Filesize
4.4MB

Download
memory/1792-132-0x0000000000BB2000-0x0000000000BC8000-memory.dmp

Filesize
88KB

Download
memory/1792-134-0x0000000000400000-0x0000000000857000-memory.dmp

Filesize
4.3MB

Download
memory/1792-135-0x0000000000400000-0x0000000000857000-memory.dmp

Filesize
4.3MB

Download
memory/1792-133-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2220-270-0x0000000000BE8EA0-mapping.dmp

Download
memory/2220-272-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/2220-269-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/2220-273-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/2220-271-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/2260-228-0x0000000000000000-mapping.dmp

Download
memory/2460-258-0x0000000000750000-0x0000000000756000-memory.dmp

Filesize
24KB

Download
memory/2460-222-0x0000000000740000-0x000000000074C000-memory.dmp

Filesize
48KB

Download
memory/2460-216-0x0000000000000000-mapping.dmp

Download
memory/2460-221-0x0000000000750000-0x0000000000756000-memory.dmp

Filesize
24KB

Download
memory/2524-136-0x0000000000000000-mapping.dmp

Download
memory/2552-196-0x0000000000000000-mapping.dmp

Download
memory/2768-156-0x00000000006F0000-0x000000000073A000-memory.dmp

Filesize
296KB

Download
memory/2768-145-0x0000000000000000-mapping.dmp

Download
memory/2768-209-0x0000000000918000-0x0000000000945000-memory.dmp

Filesize
180KB

Download
memory/2768-210-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/2768-153-0x0000000000918000-0x0000000000945000-memory.dmp

Filesize
180KB

Download
memory/2768-157-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/2768-161-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2876-200-0x0000000006790000-0x00000000067F6000-memory.dmp

Filesize
408KB

Download
memory/2876-204-0x0000000007280000-0x0000000007442000-memory.dmp

Filesize
1.8MB

Download
memory/2876-207-0x0000000007980000-0x0000000007EAC000-memory.dmp

Filesize
5.2MB

Download
memory/2876-148-0x0000000005980000-0x0000000005F98000-memory.dmp

Filesize
6.1MB

Download
memory/2876-149-0x0000000005500000-0x000000000560A000-memory.dmp

Filesize
1.0MB

Download
memory/2876-150-0x0000000005430000-0x0000000005442000-memory.dmp

Filesize
72KB

Download
memory/2876-151-0x00000000054A0000-0x00000000054DC000-memory.dmp

Filesize
240KB

Download
memory/2876-140-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2876-139-0x0000000000000000-mapping.dmp

Download
memory/2948-214-0x0000000000000000-mapping.dmp

Download
memory/3200-226-0x0000000000000000-mapping.dmp

Download
memory/3424-195-0x0000000000000000-mapping.dmp

Download
memory/3592-215-0x0000000000FE0000-0x0000000000FEF000-memory.dmp

Filesize
60KB

Download
memory/3592-205-0x0000000000000000-mapping.dmp

Download
memory/3592-256-0x0000000000FF0000-0x0000000000FF9000-memory.dmp

Filesize
36KB

Download
memory/3752-158-0x0000000000000000-mapping.dmp

Download
memory/3752-180-0x0000000000AE3000-0x0000000000B02000-memory.dmp

Filesize
124KB

Download
memory/3752-183-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/3752-201-0x0000000000AE3000-0x0000000000B02000-memory.dmp

Filesize
124KB

Download
memory/3752-202-0x0000000000400000-0x0000000000860000-memory.dmp

Filesize
4.4MB

Download
memory/3752-184-0x0000000000400000-0x0000000000860000-memory.dmp

Filesize
4.4MB

Download
memory/3784-263-0x0000000000400000-0x0000000000860000-memory.dmp

Filesize
4.4MB

Download
memory/3784-262-0x0000000000AF4000-0x0000000000B12000-memory.dmp

Filesize
120KB

Download
memory/3896-275-0x0000000000000000-mapping.dmp

Download
memory/3984-217-0x0000000000000000-mapping.dmp

Download
memory/4216-227-0x0000000000000000-mapping.dmp

Download
memory/4224-248-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4224-267-0x00000000073D0000-0x0000000007420000-memory.dmp

Filesize
320KB

Download
memory/4224-266-0x0000000006CE0000-0x0000000006D56000-memory.dmp

Filesize
472KB

Download
memory/4224-245-0x0000000000000000-mapping.dmp

Download
memory/4224-246-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4240-259-0x0000000000710000-0x0000000000732000-memory.dmp

Filesize
136KB

Download
memory/4240-225-0x0000000000000000-mapping.dmp

Download
memory/4240-230-0x00000000006E0000-0x0000000000707000-memory.dmp

Filesize
156KB

Download
memory/4240-229-0x0000000000710000-0x0000000000732000-memory.dmp

Filesize
136KB

Download
memory/4604-224-0x0000000000000000-mapping.dmp

Download
memory/4612-250-0x0000000000740000-0x0000000000748000-memory.dmp

Filesize
32KB

Download
memory/4612-251-0x0000000000730000-0x000000000073B000-memory.dmp

Filesize
44KB

Download
memory/4612-244-0x0000000000000000-mapping.dmp

Download
memory/4744-218-0x0000000000000000-mapping.dmp

Download
memory/4900-186-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/4900-152-0x0000000000000000-mapping.dmp

Download
memory/4900-185-0x0000000000710000-0x000000000074E000-memory.dmp

Filesize
248KB

Download
memory/4900-253-0x00000000008A8000-0x00000000008D9000-memory.dmp

Filesize
196KB

Download
memory/4900-190-0x0000000004D10000-0x00000000052B4000-memory.dmp

Filesize
5.6MB

Download
memory/4900-194-0x00000000008A8000-0x00000000008D9000-memory.dmp

Filesize
196KB

Download
memory/4900-261-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/4900-191-0x0000000004B80000-0x0000000004C12000-memory.dmp

Filesize
584KB

Download
memory/4900-249-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download