amadey | 8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74

Analysis

max time kernel
150s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
19-11-2022 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74.exe
Size

338KB
MD5

a687e1c326c9f03569bbfef53e21c315
SHA1

1993746a547c67807c1118501e1a7ff9261f7c8b
SHA256

8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74
SHA512

69c6d3a228ad0df876ca3259a1cbd62893c48409af271d9c4871fc8bdbb8e35ecf0c2d382086b65fc155a86d9ccd6101379a4d02d2f54545a5f746a6558d6a1c
SSDEEP

3072:OJvvbtjLGg1cSgH7P7AGkZ2gdRJvh2vOfPztr+c+PEG7lOmV25lKE1miUO1a1e4Y:mtfGg0b8Gkfvh2v0BohVVPE+O1voXc

Score

10^/10

amadey redline smokeloader vidar 10m 1148 kript new2022 backdoor collection discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

10m

chardhesha.xyz:81

jalocliche.xyz:81

Attributes

auth_value
52531a1a08be5995cbd063d92845e9fa

Extracted

Family

amadey

Version

3.50

193.56.146.174/g84kvj4jck/index.php

Extracted

Family

vidar

Version

55.7

Botnet

1148

https://t.me/deadftx

https://www.tiktok.com/@user6068972597711

Attributes

profile_id
1148

Extracted

Family

redline

Botnet

New2022

185.106.92.111:2510

Attributes

auth_value
ef6fe7baf59e3191ff2f569e3bf0e2c7

Extracted

Family

redline

Botnet

KRIPT

212.8.246.157:32348

Attributes

auth_value
80ebe4bab7a98a7ce9c75989ff9f40b4

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4944-141-0x0000000000030000-0x0000000000039000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3968-200-0x00000000004221B6-mapping.dmp	family_redline
behavioral1/memory/3968-197-0x0000000000400000-0x000000000042C000-memory.dmp	family_redline
behavioral1/memory/4428-978-0x00000000028E0000-0x000000000291E000-memory.dmp	family_redline
behavioral1/memory/4428-1018-0x0000000004E00000-0x0000000004E3C000-memory.dmp	family_redline
behavioral1/memory/2240-1032-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

81 5044 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 11 IoCs

Processes:

FAD0.exe10.exeB0E.exe1FC0.exerovwer.exe2BA8.exe2BA8.exe3C72.exe2BA8.exerovwer.exerovwer.exe

pid process

3484 FAD0.exe
4532 10.exe
2784 B0E.exe
4288 1FC0.exe
4656 rovwer.exe
4684 2BA8.exe
4904 2BA8.exe
4428 3C72.exe
552 2BA8.exe
4720 rovwer.exe
1228 rovwer.exe
Deletes itself 1 IoCs

Processes:

pid process

2816
Loads dropped DLL 3 IoCs

Processes:

2BA8.exerundll32.exe

pid process

552 2BA8.exe
552 2BA8.exe
5044 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
81	5044	rundll32.exe

pid	process
3484	FAD0.exe
4532	10.exe
2784	B0E.exe
4288	1FC0.exe
4656	rovwer.exe
4684	2BA8.exe
4904	2BA8.exe
4428	3C72.exe
552	2BA8.exe
4720	rovwer.exe
1228	rovwer.exe

pid	process
2816

pid	process
552	2BA8.exe
552	2BA8.exe
5044	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 4 IoCs

Processes:

FAD0.exe2BA8.exeB0E.exe1FC0.exe

description	pid	process	target process
PID 3484 set thread context of 3968	3484	FAD0.exe	InstallUtil.exe
PID 4904 set thread context of 552	4904	2BA8.exe	2BA8.exe
PID 2784 set thread context of 2240	2784	B0E.exe	ngentask.exe
PID 4288 set thread context of 5056	4288	1FC0.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2BA8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2BA8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2BA8.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

680 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4784 timeout.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 80 Go-http-client/1.1

pid	process
680	schtasks.exe

pid	process
4784	timeout.exe

description	flow	ioc
HTTP User-Agent header	80	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74.exe

pid	process
4944	8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74.exe
4944	8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74.exe
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2816

pid	process
2816

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74.exe

pid	process
4944	8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74.exe
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816
2816

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

FAD0.exeInstallUtil.exe3C72.exengentask.exe

description	pid	process
Token: SeDebugPrivilege	3484	FAD0.exe
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeDebugPrivilege	3968	InstallUtil.exe
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeDebugPrivilege	4428	3C72.exe
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeDebugPrivilege	2240	ngentask.exe
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816
Token: SeShutdownPrivilege	2816
Token: SeCreatePagefilePrivilege	2816

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FAD0.exe10.exe2BA8.exe2BA8.exerovwer.exe

description	pid	process	target process
PID 2816 wrote to memory of 3484	2816		FAD0.exe
PID 2816 wrote to memory of 3484	2816		FAD0.exe
PID 2816 wrote to memory of 4532	2816		10.exe
PID 2816 wrote to memory of 4532	2816		10.exe
PID 2816 wrote to memory of 4532	2816		10.exe
PID 2816 wrote to memory of 2784	2816		B0E.exe
PID 2816 wrote to memory of 2784	2816		B0E.exe
PID 2816 wrote to memory of 2784	2816		B0E.exe
PID 3484 wrote to memory of 3968	3484	FAD0.exe	InstallUtil.exe
PID 3484 wrote to memory of 3968	3484	FAD0.exe	InstallUtil.exe
PID 3484 wrote to memory of 3968	3484	FAD0.exe	InstallUtil.exe
PID 3484 wrote to memory of 3968	3484	FAD0.exe	InstallUtil.exe
PID 3484 wrote to memory of 3968	3484	FAD0.exe	InstallUtil.exe
PID 3484 wrote to memory of 3968	3484	FAD0.exe	InstallUtil.exe
PID 3484 wrote to memory of 3968	3484	FAD0.exe	InstallUtil.exe
PID 3484 wrote to memory of 3968	3484	FAD0.exe	InstallUtil.exe
PID 2816 wrote to memory of 4288	2816		1FC0.exe
PID 2816 wrote to memory of 4288	2816		1FC0.exe
PID 4532 wrote to memory of 4656	4532	10.exe	rovwer.exe
PID 4532 wrote to memory of 4656	4532	10.exe	rovwer.exe
PID 4532 wrote to memory of 4656	4532	10.exe	rovwer.exe
PID 2816 wrote to memory of 4684	2816		2BA8.exe
PID 2816 wrote to memory of 4684	2816		2BA8.exe
PID 2816 wrote to memory of 4684	2816		2BA8.exe
PID 4684 wrote to memory of 4904	4684	2BA8.exe	2BA8.exe
PID 4684 wrote to memory of 4904	4684	2BA8.exe	2BA8.exe
PID 4684 wrote to memory of 4904	4684	2BA8.exe	2BA8.exe
PID 2816 wrote to memory of 4428	2816		3C72.exe
PID 2816 wrote to memory of 4428	2816		3C72.exe
PID 2816 wrote to memory of 4428	2816		3C72.exe
PID 2816 wrote to memory of 1900	2816		explorer.exe
PID 2816 wrote to memory of 1900	2816		explorer.exe
PID 2816 wrote to memory of 1900	2816		explorer.exe
PID 2816 wrote to memory of 1900	2816		explorer.exe
PID 4904 wrote to memory of 552	4904	2BA8.exe	2BA8.exe
PID 4904 wrote to memory of 552	4904	2BA8.exe	2BA8.exe
PID 4904 wrote to memory of 552	4904	2BA8.exe	2BA8.exe
PID 4904 wrote to memory of 552	4904	2BA8.exe	2BA8.exe
PID 4904 wrote to memory of 552	4904	2BA8.exe	2BA8.exe
PID 4904 wrote to memory of 552	4904	2BA8.exe	2BA8.exe
PID 4904 wrote to memory of 552	4904	2BA8.exe	2BA8.exe
PID 4904 wrote to memory of 552	4904	2BA8.exe	2BA8.exe
PID 4904 wrote to memory of 552	4904	2BA8.exe	2BA8.exe
PID 2816 wrote to memory of 400	2816		explorer.exe
PID 2816 wrote to memory of 400	2816		explorer.exe
PID 2816 wrote to memory of 400	2816		explorer.exe
PID 2816 wrote to memory of 2296	2816		explorer.exe
PID 2816 wrote to memory of 2296	2816		explorer.exe
PID 2816 wrote to memory of 2296	2816		explorer.exe
PID 2816 wrote to memory of 2296	2816		explorer.exe
PID 4656 wrote to memory of 680	4656	rovwer.exe	schtasks.exe
PID 4656 wrote to memory of 680	4656	rovwer.exe	schtasks.exe
PID 4656 wrote to memory of 680	4656	rovwer.exe	schtasks.exe
PID 4656 wrote to memory of 1352	4656	rovwer.exe	cmd.exe
PID 4656 wrote to memory of 1352	4656	rovwer.exe	cmd.exe
PID 4656 wrote to memory of 1352	4656	rovwer.exe	cmd.exe
PID 2816 wrote to memory of 4860	2816		explorer.exe
PID 2816 wrote to memory of 4860	2816		explorer.exe
PID 2816 wrote to memory of 4860	2816		explorer.exe
PID 2816 wrote to memory of 4600	2816		explorer.exe
PID 2816 wrote to memory of 4600	2816		explorer.exe
PID 2816 wrote to memory of 4600	2816		explorer.exe
PID 2816 wrote to memory of 4600	2816		explorer.exe
PID 2816 wrote to memory of 3776	2816		explorer.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74.exe
"C:\Users\Admin\AppData\Local\Temp\8c2b385622de52145317d9e740b62edfb74260efab3478810d6c87ca41183f74.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4944

C:\Users\Admin\AppData\Local\Temp\FAD0.exe
C:\Users\Admin\AppData\Local\Temp\FAD0.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Users\Admin\AppData\Local\Temp\10.exe
C:\Users\Admin\AppData\Local\Temp\10.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
3⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2740

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
4⤵
PID:3408

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
4⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:164

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
4⤵
PID:4928

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
4⤵
PID:1428

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:5044

C:\Users\Admin\AppData\Local\Temp\B0E.exe
C:\Users\Admin\AppData\Local\Temp\B0E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Users\Admin\AppData\Local\Temp\1FC0.exe
C:\Users\Admin\AppData\Local\Temp\1FC0.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4288

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\2BA8.exe
C:\Users\Admin\AppData\Local\Temp\2BA8.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684

C:\Users\Admin\AppData\Local\Temp\2BA8.exe
"C:\Users\Admin\AppData\Local\Temp\2BA8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4904

C:\Users\Admin\AppData\Local\Temp\2BA8.exe
"C:\Users\Admin\AppData\Local\Temp\2BA8.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2BA8.exe" & exit
4⤵
PID:2516

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:4784

C:\Users\Admin\AppData\Local\Temp\3C72.exe
C:\Users\Admin\AppData\Local\Temp\3C72.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1900

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:400

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2296

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4860

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4600

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3776

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4224

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3216

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:4720

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:1228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10.exe
Filesize
376KB

MD5
0e455d9c65e7d53a67c227dcd8d70fb8

SHA1
f776a9f8165d6e41fb249223b5568d9c3ffa23b4

SHA256
29bf9daf2f5ffc7df253fa7fdd78e4a02669df89fd7f0517a599f6c70ea1f121

SHA512
d441908a743fecd572518624238c138c7c7f4a88779963d8134ac7b5e9cb89c52259a2f601bb8891a565def48b07771ab4ea623c81b54306f3290ffc364c5bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.exe
Filesize
376KB

MD5
0e455d9c65e7d53a67c227dcd8d70fb8

SHA1
f776a9f8165d6e41fb249223b5568d9c3ffa23b4

SHA256
29bf9daf2f5ffc7df253fa7fdd78e4a02669df89fd7f0517a599f6c70ea1f121

SHA512
d441908a743fecd572518624238c138c7c7f4a88779963d8134ac7b5e9cb89c52259a2f601bb8891a565def48b07771ab4ea623c81b54306f3290ffc364c5bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\1FC0.exe
Filesize
3.0MB

MD5
44a7e13ecc55ce9797c5121b230d9927

SHA1
b99f1d86e6d9c7e0d694ca605abd205663278487

SHA256
9e0425e14520485fa7e86057d07d26e8064f99a7ad09e35211edd4a428ee57ae

SHA512
74df06b20d23483f854b5a88e5ccdfe534497630a105614e6cd87f3238398e0fb03218cb864fd6f7798b69e083c1098225010aecd959fbec28d63c0626711a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1FC0.exe
Filesize
3.0MB

MD5
44a7e13ecc55ce9797c5121b230d9927

SHA1
b99f1d86e6d9c7e0d694ca605abd205663278487

SHA256
9e0425e14520485fa7e86057d07d26e8064f99a7ad09e35211edd4a428ee57ae

SHA512
74df06b20d23483f854b5a88e5ccdfe534497630a105614e6cd87f3238398e0fb03218cb864fd6f7798b69e083c1098225010aecd959fbec28d63c0626711a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BA8.exe
Filesize
333KB

MD5
f46063253ff38e6b2452bf4410c5fec0

SHA1
c2444e21cc72bfc1cd74197e327323eb2e3e3815

SHA256
d0a4986cea15c050dee854ccd21cff84179a950a70faec28526c7aebd25a0970

SHA512
bfa09a46dacd3138448a93782229b24993f47f6ef6c7b283b55a32e056bb76dc63f043fc4bb64d57f49fb6d5b3a97551b55ec0363b2f7df3193e5144f85a3a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BA8.exe
Filesize
333KB

MD5
f46063253ff38e6b2452bf4410c5fec0

SHA1
c2444e21cc72bfc1cd74197e327323eb2e3e3815

SHA256
d0a4986cea15c050dee854ccd21cff84179a950a70faec28526c7aebd25a0970

SHA512
bfa09a46dacd3138448a93782229b24993f47f6ef6c7b283b55a32e056bb76dc63f043fc4bb64d57f49fb6d5b3a97551b55ec0363b2f7df3193e5144f85a3a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BA8.exe
Filesize
333KB

MD5
f46063253ff38e6b2452bf4410c5fec0

SHA1
c2444e21cc72bfc1cd74197e327323eb2e3e3815

SHA256
d0a4986cea15c050dee854ccd21cff84179a950a70faec28526c7aebd25a0970

SHA512
bfa09a46dacd3138448a93782229b24993f47f6ef6c7b283b55a32e056bb76dc63f043fc4bb64d57f49fb6d5b3a97551b55ec0363b2f7df3193e5144f85a3a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BA8.exe
Filesize
333KB

MD5
f46063253ff38e6b2452bf4410c5fec0

SHA1
c2444e21cc72bfc1cd74197e327323eb2e3e3815

SHA256
d0a4986cea15c050dee854ccd21cff84179a950a70faec28526c7aebd25a0970

SHA512
bfa09a46dacd3138448a93782229b24993f47f6ef6c7b283b55a32e056bb76dc63f043fc4bb64d57f49fb6d5b3a97551b55ec0363b2f7df3193e5144f85a3a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C72.exe
Filesize
448KB

MD5
df920aebfabb8c4ccceb4dcead922abd

SHA1
be09cf240fbb15b7eafc3d875c17b0ee30e94aa1

SHA256
46dc1985999fc34875c1110e2e9a177a5a637b7668657525f6148aac2cd23996

SHA512
075ab9409f4db41adba43652f3cf00dda51799d9146ad7502b4b04524c68ebc2a0108307e979b49d86c45051f9d31684514f96490b5d782107c279bff90c8ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C72.exe
Filesize
448KB

MD5
df920aebfabb8c4ccceb4dcead922abd

SHA1
be09cf240fbb15b7eafc3d875c17b0ee30e94aa1

SHA256
46dc1985999fc34875c1110e2e9a177a5a637b7668657525f6148aac2cd23996

SHA512
075ab9409f4db41adba43652f3cf00dda51799d9146ad7502b4b04524c68ebc2a0108307e979b49d86c45051f9d31684514f96490b5d782107c279bff90c8ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
376KB

MD5
0e455d9c65e7d53a67c227dcd8d70fb8

SHA1
f776a9f8165d6e41fb249223b5568d9c3ffa23b4

SHA256
29bf9daf2f5ffc7df253fa7fdd78e4a02669df89fd7f0517a599f6c70ea1f121

SHA512
d441908a743fecd572518624238c138c7c7f4a88779963d8134ac7b5e9cb89c52259a2f601bb8891a565def48b07771ab4ea623c81b54306f3290ffc364c5bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
376KB

MD5
0e455d9c65e7d53a67c227dcd8d70fb8

SHA1
f776a9f8165d6e41fb249223b5568d9c3ffa23b4

SHA256
29bf9daf2f5ffc7df253fa7fdd78e4a02669df89fd7f0517a599f6c70ea1f121

SHA512
d441908a743fecd572518624238c138c7c7f4a88779963d8134ac7b5e9cb89c52259a2f601bb8891a565def48b07771ab4ea623c81b54306f3290ffc364c5bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
376KB

MD5
0e455d9c65e7d53a67c227dcd8d70fb8

SHA1
f776a9f8165d6e41fb249223b5568d9c3ffa23b4

SHA256
29bf9daf2f5ffc7df253fa7fdd78e4a02669df89fd7f0517a599f6c70ea1f121

SHA512
d441908a743fecd572518624238c138c7c7f4a88779963d8134ac7b5e9cb89c52259a2f601bb8891a565def48b07771ab4ea623c81b54306f3290ffc364c5bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
376KB

MD5
0e455d9c65e7d53a67c227dcd8d70fb8

SHA1
f776a9f8165d6e41fb249223b5568d9c3ffa23b4

SHA256
29bf9daf2f5ffc7df253fa7fdd78e4a02669df89fd7f0517a599f6c70ea1f121

SHA512
d441908a743fecd572518624238c138c7c7f4a88779963d8134ac7b5e9cb89c52259a2f601bb8891a565def48b07771ab4ea623c81b54306f3290ffc364c5bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0E.exe
Filesize
1.2MB

MD5
f96144b1d5b53d93caadddade38db5e9

SHA1
1587e66f9a4d83060ee597f983a7323a556bc1c0

SHA256
63018f38311387aa7f511f090fd154ea6ec3799c2f4762890082793912c68146

SHA512
824a86438150df143c7475605600b4a03dbfa819806f193be248650a3a70e97bdcd3d20cac9b8b00693d464b5cbd168e1f0c78beaa00d167b8a877cfbce3c34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0E.exe
Filesize
1.2MB

MD5
f96144b1d5b53d93caadddade38db5e9

SHA1
1587e66f9a4d83060ee597f983a7323a556bc1c0

SHA256
63018f38311387aa7f511f090fd154ea6ec3799c2f4762890082793912c68146

SHA512
824a86438150df143c7475605600b4a03dbfa819806f193be248650a3a70e97bdcd3d20cac9b8b00693d464b5cbd168e1f0c78beaa00d167b8a877cfbce3c34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAD0.exe
Filesize
452KB

MD5
e0352f8b20303111fea43044e736c0e5

SHA1
fef8e719f5dd55fedd6c99090f7f5e175f124740

SHA256
b2280bc6cc58ae7bcbabc2ed5c5878d70ed463b46cab27da2103ac19ea5e52fb

SHA512
a89d98c6bb46309f7364322079e9cdabbada5504aad588c2ca047323b403a002f8ed8bd0583699fd4d93f8b8fa32c4e085e0f3fcb9ad712455298fa5f5ddd02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAD0.exe
Filesize
452KB

MD5
e0352f8b20303111fea43044e736c0e5

SHA1
fef8e719f5dd55fedd6c99090f7f5e175f124740

SHA256
b2280bc6cc58ae7bcbabc2ed5c5878d70ed463b46cab27da2103ac19ea5e52fb

SHA512
a89d98c6bb46309f7364322079e9cdabbada5504aad588c2ca047323b403a002f8ed8bd0583699fd4d93f8b8fa32c4e085e0f3fcb9ad712455298fa5f5ddd02c

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
memory/164-1107-0x0000000000000000-mapping.dmp

Download
memory/400-454-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/400-972-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/400-417-0x0000000000000000-mapping.dmp

Download
memory/400-460-0x00000000003E0000-0x00000000003EF000-memory.dmp

Filesize
60KB

Download
memory/552-979-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/552-421-0x000000000042352C-mapping.dmp

Download
memory/552-500-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/552-1199-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/680-464-0x0000000000000000-mapping.dmp

Download
memory/884-1088-0x0000000000000000-mapping.dmp

Download
memory/1352-475-0x0000000000000000-mapping.dmp

Download
memory/1428-1129-0x0000000000000000-mapping.dmp

Download
memory/1900-392-0x0000000000000000-mapping.dmp

Download
memory/1900-1184-0x0000000002AF0000-0x0000000002AF7000-memory.dmp

Filesize
28KB

Download
memory/1900-711-0x0000000002AF0000-0x0000000002AF7000-memory.dmp

Filesize
28KB

Download
memory/1900-727-0x0000000002AE0000-0x0000000002AEB000-memory.dmp

Filesize
44KB

Download
memory/2240-1032-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2296-852-0x0000000000270000-0x0000000000275000-memory.dmp

Filesize
20KB

Download
memory/2296-914-0x0000000000260000-0x0000000000269000-memory.dmp

Filesize
36KB

Download
memory/2296-448-0x0000000000000000-mapping.dmp

Download
memory/2516-1196-0x0000000000000000-mapping.dmp

Download
memory/2740-823-0x0000000000000000-mapping.dmp

Download
memory/2784-309-0x0000000002720000-0x0000000002BE4000-memory.dmp

Filesize
4.8MB

Download
memory/2784-192-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/2784-704-0x0000000010850000-0x00000000109A2000-memory.dmp

Filesize
1.3MB

Download
memory/2784-188-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/2784-196-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/2784-394-0x00000000021F0000-0x00000000022E5000-memory.dmp

Filesize
980KB

Download
memory/2784-205-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/2784-182-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/2784-174-0x0000000000000000-mapping.dmp

Download
memory/2784-836-0x00000000021F0000-0x00000000022E5000-memory.dmp

Filesize
980KB

Download
memory/2784-177-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/2784-180-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/2784-588-0x0000000002720000-0x0000000002BE4000-memory.dmp

Filesize
4.8MB

Download
memory/2784-202-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/2784-178-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/2784-199-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/2784-184-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/2784-186-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3216-639-0x0000000000000000-mapping.dmp

Download
memory/3216-668-0x0000000000CC0000-0x0000000000CCD000-memory.dmp

Filesize
52KB

Download
memory/3216-1161-0x0000000000CD0000-0x0000000000CD7000-memory.dmp

Filesize
28KB

Download
memory/3216-661-0x0000000000CD0000-0x0000000000CD7000-memory.dmp

Filesize
28KB

Download
memory/3408-905-0x0000000000000000-mapping.dmp

Download
memory/3484-163-0x000001FB3C4C0000-0x000001FB3C52A000-memory.dmp

Filesize
424KB

Download
memory/3484-161-0x000001FB3C3C0000-0x000001FB3C42E000-memory.dmp

Filesize
440KB

Download
memory/3484-160-0x000001FB3A6C0000-0x000001FB3A734000-memory.dmp

Filesize
464KB

Download
memory/3484-157-0x0000000000000000-mapping.dmp

Download
memory/3484-162-0x000001FB3C450000-0x000001FB3C4BC000-memory.dmp

Filesize
432KB

Download
memory/3776-564-0x0000000000000000-mapping.dmp

Download
memory/3776-1031-0x0000000002CD0000-0x0000000002CD9000-memory.dmp

Filesize
36KB

Download
memory/3776-992-0x0000000002CE0000-0x0000000002CE5000-memory.dmp

Filesize
20KB

Download
memory/3968-1168-0x0000000007000000-0x00000000071C2000-memory.dmp

Filesize
1.8MB

Download
memory/3968-1172-0x0000000007700000-0x0000000007C2C000-memory.dmp

Filesize
5.2MB

Download
memory/3968-827-0x0000000006B00000-0x0000000006FFE000-memory.dmp

Filesize
5.0MB

Download
memory/3968-323-0x00000000053F0000-0x000000000542E000-memory.dmp

Filesize
248KB

Download
memory/3968-328-0x0000000005390000-0x00000000053DB000-memory.dmp

Filesize
300KB

Download
memory/3968-197-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3968-203-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-200-0x00000000004221B6-mapping.dmp

Download
memory/3968-317-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/3968-861-0x0000000006670000-0x00000000066D6000-memory.dmp

Filesize
408KB

Download
memory/3968-314-0x0000000005440000-0x000000000554A000-memory.dmp

Filesize
1.0MB

Download
memory/3968-806-0x0000000006560000-0x00000000065F2000-memory.dmp

Filesize
584KB

Download
memory/3968-313-0x0000000005920000-0x0000000005F26000-memory.dmp

Filesize
6.0MB

Download
memory/4224-1036-0x0000000002D30000-0x0000000002D36000-memory.dmp

Filesize
24KB

Download
memory/4224-604-0x0000000000000000-mapping.dmp

Download
memory/4224-1040-0x0000000002D20000-0x0000000002D2B000-memory.dmp

Filesize
44KB

Download
memory/4288-269-0x0000000000000000-mapping.dmp

Download
memory/4428-377-0x0000000000000000-mapping.dmp

Download
memory/4428-718-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/4428-978-0x00000000028E0000-0x000000000291E000-memory.dmp

Filesize
248KB

Download
memory/4428-1018-0x0000000004E00000-0x0000000004E3C000-memory.dmp

Filesize
240KB

Download
memory/4428-785-0x0000000000880000-0x000000000092E000-memory.dmp

Filesize
696KB

Download
memory/4428-1185-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/4428-860-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4532-166-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-168-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-292-0x0000000000400000-0x0000000000861000-memory.dmp

Filesize
4.4MB

Download
memory/4532-164-0x0000000000000000-mapping.dmp

Download
memory/4532-167-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-169-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-289-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/4532-256-0x0000000000400000-0x0000000000861000-memory.dmp

Filesize
4.4MB

Download
memory/4532-201-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-170-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-204-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-198-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-185-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-189-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-193-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-195-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-194-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/4532-190-0x0000000000940000-0x0000000000A8A000-memory.dmp

Filesize
1.3MB

Download
memory/4532-187-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-171-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-183-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-172-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-179-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-181-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4600-923-0x0000000002E00000-0x0000000002E22000-memory.dmp

Filesize
136KB

Download
memory/4600-525-0x0000000000000000-mapping.dmp

Download
memory/4600-986-0x0000000002BC0000-0x0000000002BE7000-memory.dmp

Filesize
156KB

Download
memory/4656-355-0x0000000000AF1000-0x0000000000B10000-memory.dmp

Filesize
124KB

Download
memory/4656-285-0x0000000000000000-mapping.dmp

Download
memory/4656-397-0x0000000000400000-0x0000000000861000-memory.dmp

Filesize
4.4MB

Download
memory/4656-845-0x0000000000400000-0x0000000000861000-memory.dmp

Filesize
4.4MB

Download
memory/4656-776-0x0000000000AF1000-0x0000000000B10000-memory.dmp

Filesize
124KB

Download
memory/4684-316-0x0000000000000000-mapping.dmp

Download
memory/4688-1080-0x0000000003070000-0x000000000307B000-memory.dmp

Filesize
44KB

Download
memory/4688-675-0x0000000000000000-mapping.dmp

Download
memory/4688-1078-0x0000000003080000-0x0000000003088000-memory.dmp

Filesize
32KB

Download
memory/4784-1204-0x0000000000000000-mapping.dmp

Download
memory/4860-488-0x0000000000000000-mapping.dmp

Download
memory/4860-1075-0x0000000000CF0000-0x0000000000CF6000-memory.dmp

Filesize
24KB

Download
memory/4860-544-0x0000000000CF0000-0x0000000000CF6000-memory.dmp

Filesize
24KB

Download
memory/4860-507-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

Filesize
48KB

Download
memory/4904-341-0x0000000000000000-mapping.dmp

Download
memory/4928-1112-0x0000000000000000-mapping.dmp

Download
memory/4944-154-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-136-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-150-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-143-0x0000000000400000-0x0000000000858000-memory.dmp

Filesize
4.3MB

Download
memory/4944-153-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-148-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-147-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-146-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-155-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-145-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-144-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-142-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-140-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-139-0x00000000008F0000-0x000000000099E000-memory.dmp

Filesize
696KB

Download
memory/4944-138-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-152-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-149-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-141-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4944-137-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-151-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-135-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-156-0x0000000000400000-0x0000000000858000-memory.dmp

Filesize
4.3MB

Download
memory/4944-134-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-133-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-132-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-131-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-130-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-129-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-128-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-126-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-125-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-124-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-120-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-121-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-122-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4944-123-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/5044-1308-0x0000000000000000-mapping.dmp

Download
memory/5056-1295-0x0000000000BE8EA0-mapping.dmp

Download