xtremerat | cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4

Analysis

max time kernel
157s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
Size

646KB
MD5

fac9fe795014ff2760a485836bce4f3e
SHA1

1a00b3edc541d3514a2b5efef2e9dcfd7c34160a
SHA256

cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4
SHA512

a3edf1ab89629a3278f7197f576d37163236cb93e01df511ac686b0d2b0bd6ef65a839387e43d9aebce7e57a72c407b3b791859632ce95880b44a12989192209
SSDEEP

12288:FmdibbI6DagCtX2UGsSjP+Yw0ODICU9jZ8Y7W4tJX:s3o+m/nPOD4f8YCsX

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Signatures

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Adds policy Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeadobett.exeadobett.execfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	adobett.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Tetris = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Tetris\\adobett.exe"	adobett.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	adobett.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	adobett.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Tetris = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Tetris\\adobett.exe"	adobett.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Tetris = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Tetris\\adobett.exe"	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Tetris = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Tetris\\adobett.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Tetris = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Tetris\\adobett.exe"	adobett.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	adobett.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Tetris = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Tetris\\adobett.exe"	adobett.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Tetris = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Tetris\\adobett.exe"	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Tetris = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Tetris\\adobett.exe"	svchost.exe

Executes dropped EXE 10 IoCs

Processes:

adobett.exeadobett.exeadobett.exeadobett.exeadobett.exeadobett.exeadobett.exeadobett.exeadobett.exeadobett.exe

pid	process
2376	adobett.exe
4496	adobett.exe
4388	adobett.exe
3772	adobett.exe
4452	adobett.exe
4644	adobett.exe
3616	adobett.exe
5100	adobett.exe
3128	adobett.exe
4268	adobett.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3152-176-0x0000000001610000-0x000000000171F000-memory.dmp	upx
behavioral2/memory/3152-177-0x0000000001610000-0x000000000171F000-memory.dmp	upx
behavioral2/memory/3152-178-0x0000000001610000-0x000000000171F000-memory.dmp	upx
behavioral2/memory/3152-180-0x0000000001610000-0x000000000171F000-memory.dmp	upx
behavioral2/memory/3152-200-0x0000000001610000-0x000000000171F000-memory.dmp	upx
behavioral2/memory/3152-202-0x0000000001610000-0x000000000171F000-memory.dmp	upx
behavioral2/memory/3152-201-0x0000000001610000-0x000000000171F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

adobett.exeadobett.execfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Tetris = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Tetris\\adobett.exe"	adobett.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	adobett.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	adobett.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Tetris = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Tetris\\adobett.exe"	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	adobett.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Tetris = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Tetris\\adobett.exe"	adobett.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Tetris = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Tetris\\adobett.exe"	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Tetris = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Tetris\\adobett.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Tetris = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Tetris\\adobett.exe"	adobett.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Tetris = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Tetris\\adobett.exe"	adobett.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Tetris = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Tetris\\adobett.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	adobett.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exeadobett.exeadobett.exeadobett.exeadobett.exeadobett.exeadobett.exe

description	pid	process	target process
PID 1404 set thread context of 1988	1404	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
PID 2376 set thread context of 4388	2376	adobett.exe	adobett.exe
PID 4496 set thread context of 3772	4496	adobett.exe	adobett.exe
PID 4452 set thread context of 4644	4452	adobett.exe	adobett.exe
PID 4388 set thread context of 3152	4388	adobett.exe	explorer.exe
PID 3616 set thread context of 5100	3616	adobett.exe	adobett.exe
PID 3128 set thread context of 4268	3128	adobett.exe	adobett.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	explorer.exe

Modifies registry class 2 IoCs

Processes:

cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

explorer.exe

pid process

3152 explorer.exe
3152 explorer.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe

pid process

1988 cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe

pid	process
3152	explorer.exe
3152	explorer.exe

pid	process
1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.execfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe

description	pid	process	target process
PID 1404 wrote to memory of 1988	1404	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
PID 1404 wrote to memory of 1988	1404	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
PID 1404 wrote to memory of 1988	1404	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
PID 1404 wrote to memory of 1988	1404	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
PID 1404 wrote to memory of 1988	1404	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
PID 1404 wrote to memory of 1988	1404	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
PID 1404 wrote to memory of 1988	1404	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
PID 1404 wrote to memory of 1988	1404	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
PID 1404 wrote to memory of 1988	1404	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
PID 1404 wrote to memory of 1988	1404	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
PID 1404 wrote to memory of 1988	1404	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
PID 1404 wrote to memory of 1988	1404	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
PID 1404 wrote to memory of 1988	1404	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
PID 1988 wrote to memory of 5036	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	svchost.exe
PID 1988 wrote to memory of 5036	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	svchost.exe
PID 1988 wrote to memory of 5036	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	svchost.exe
PID 1988 wrote to memory of 5036	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	svchost.exe
PID 1988 wrote to memory of 3208	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 3208	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 4768	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 4768	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 4768	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 3680	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 3680	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 3680	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 3680	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 3140	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 3140	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 4628	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 4628	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 4628	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 1820	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 1820	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 4448	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 4448	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 4448	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 1816	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 1816	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 3172	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 3172	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 3172	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 2196	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 2196	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 1140	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 1140	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 1140	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 4284	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 4284	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 3640	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 3640	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 3640	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 3424	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 3424	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 4008	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 4008	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 4008	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 1292	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 1292	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 4360	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 4360	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 4360	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe
PID 1988 wrote to memory of 4376	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 4376	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	msedge.exe
PID 1988 wrote to memory of 5020	1988	cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
"C:\Users\Admin\AppData\Local\Temp\cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe
"C:\Users\Admin\AppData\Local\Temp\cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe"
2⤵
- Adds policy Run key to start application
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Modifies registry class
PID:5036

C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe
"C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2376

C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe
"C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe"
5⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3980

C:\Windows\SysWOW64\explorer.exe
explorer.exe
6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:3152

C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe
"C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4452

C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe
"C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe"
5⤵
- Executes dropped EXE
PID:4644

C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe
"C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3616

C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe
"C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe"
5⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5104

C:\Windows\SysWOW64\explorer.exe
explorer.exe
6⤵
PID:2944

C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe
"C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3128

C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe
"C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe"
5⤵
- Executes dropped EXE
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3208

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:4768

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:3680

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1820

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1816

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:2196

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:4284

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3424

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1292

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:4376

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:4264

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:2036

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:3728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3192

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3212

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:764

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:2488

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1852

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:3916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:456

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:3592

C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe
"C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4496

C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe
"C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe"
4⤵
- Executes dropped EXE
PID:3772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe

Filesize
646KB

MD5
fac9fe795014ff2760a485836bce4f3e

SHA1
1a00b3edc541d3514a2b5efef2e9dcfd7c34160a

SHA256
cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4

SHA512
a3edf1ab89629a3278f7197f576d37163236cb93e01df511ac686b0d2b0bd6ef65a839387e43d9aebce7e57a72c407b3b791859632ce95880b44a12989192209

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe

Filesize
646KB

MD5
fac9fe795014ff2760a485836bce4f3e

SHA1
1a00b3edc541d3514a2b5efef2e9dcfd7c34160a

SHA256
cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4

SHA512
a3edf1ab89629a3278f7197f576d37163236cb93e01df511ac686b0d2b0bd6ef65a839387e43d9aebce7e57a72c407b3b791859632ce95880b44a12989192209

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe

Filesize
646KB

MD5
fac9fe795014ff2760a485836bce4f3e

SHA1
1a00b3edc541d3514a2b5efef2e9dcfd7c34160a

SHA256
cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4

SHA512
a3edf1ab89629a3278f7197f576d37163236cb93e01df511ac686b0d2b0bd6ef65a839387e43d9aebce7e57a72c407b3b791859632ce95880b44a12989192209

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe

Filesize
646KB

MD5
fac9fe795014ff2760a485836bce4f3e

SHA1
1a00b3edc541d3514a2b5efef2e9dcfd7c34160a

SHA256
cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4

SHA512
a3edf1ab89629a3278f7197f576d37163236cb93e01df511ac686b0d2b0bd6ef65a839387e43d9aebce7e57a72c407b3b791859632ce95880b44a12989192209

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe

Filesize
646KB

MD5
fac9fe795014ff2760a485836bce4f3e

SHA1
1a00b3edc541d3514a2b5efef2e9dcfd7c34160a

SHA256
cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4

SHA512
a3edf1ab89629a3278f7197f576d37163236cb93e01df511ac686b0d2b0bd6ef65a839387e43d9aebce7e57a72c407b3b791859632ce95880b44a12989192209

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe

Filesize
646KB

MD5
fac9fe795014ff2760a485836bce4f3e

SHA1
1a00b3edc541d3514a2b5efef2e9dcfd7c34160a

SHA256
cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4

SHA512
a3edf1ab89629a3278f7197f576d37163236cb93e01df511ac686b0d2b0bd6ef65a839387e43d9aebce7e57a72c407b3b791859632ce95880b44a12989192209

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe

Filesize
646KB

MD5
fac9fe795014ff2760a485836bce4f3e

SHA1
1a00b3edc541d3514a2b5efef2e9dcfd7c34160a

SHA256
cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4

SHA512
a3edf1ab89629a3278f7197f576d37163236cb93e01df511ac686b0d2b0bd6ef65a839387e43d9aebce7e57a72c407b3b791859632ce95880b44a12989192209

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe

Filesize
646KB

MD5
fac9fe795014ff2760a485836bce4f3e

SHA1
1a00b3edc541d3514a2b5efef2e9dcfd7c34160a

SHA256
cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4

SHA512
a3edf1ab89629a3278f7197f576d37163236cb93e01df511ac686b0d2b0bd6ef65a839387e43d9aebce7e57a72c407b3b791859632ce95880b44a12989192209

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe

Filesize
646KB

MD5
fac9fe795014ff2760a485836bce4f3e

SHA1
1a00b3edc541d3514a2b5efef2e9dcfd7c34160a

SHA256
cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4

SHA512
a3edf1ab89629a3278f7197f576d37163236cb93e01df511ac686b0d2b0bd6ef65a839387e43d9aebce7e57a72c407b3b791859632ce95880b44a12989192209

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe

Filesize
646KB

MD5
fac9fe795014ff2760a485836bce4f3e

SHA1
1a00b3edc541d3514a2b5efef2e9dcfd7c34160a

SHA256
cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4

SHA512
a3edf1ab89629a3278f7197f576d37163236cb93e01df511ac686b0d2b0bd6ef65a839387e43d9aebce7e57a72c407b3b791859632ce95880b44a12989192209

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe Tetris\adobett.exe

Filesize
646KB

MD5
fac9fe795014ff2760a485836bce4f3e

SHA1
1a00b3edc541d3514a2b5efef2e9dcfd7c34160a

SHA256
cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4

SHA512
a3edf1ab89629a3278f7197f576d37163236cb93e01df511ac686b0d2b0bd6ef65a839387e43d9aebce7e57a72c407b3b791859632ce95880b44a12989192209

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MYJ5jZ6DFjzx\MYJ5jZ6DFjzx.nfo

Filesize
3KB

MD5
64cca211e30dfe509ff50ad294ad8bd4

SHA1
1f4ea9069922b49eb7dcc2047b67fb4c3d12ce6e

SHA256
01fd18934a6520ce63af8b4c30156b4e2bb5c2a069c5dec654d07bedbbc6be9f

SHA512
a0c397cece830fca0c0d2851597d878541361da3d563da3043ffb94ed7541aeb301c1c0ec19bb956c49c8e3f7520f0129b85e7f608461a5bddc79e6c6284bce7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MYJ5jZ6DFjzx\MYJ5jZ6DFjzx.nfo

Filesize
3KB

MD5
64cca211e30dfe509ff50ad294ad8bd4

SHA1
1f4ea9069922b49eb7dcc2047b67fb4c3d12ce6e

SHA256
01fd18934a6520ce63af8b4c30156b4e2bb5c2a069c5dec654d07bedbbc6be9f

SHA512
a0c397cece830fca0c0d2851597d878541361da3d563da3043ffb94ed7541aeb301c1c0ec19bb956c49c8e3f7520f0129b85e7f608461a5bddc79e6c6284bce7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MYJ5jZ6DFjzx\MYJ5jZ6DFjzx.nfo

Filesize
3KB

MD5
64cca211e30dfe509ff50ad294ad8bd4

SHA1
1f4ea9069922b49eb7dcc2047b67fb4c3d12ce6e

SHA256
01fd18934a6520ce63af8b4c30156b4e2bb5c2a069c5dec654d07bedbbc6be9f

SHA512
a0c397cece830fca0c0d2851597d878541361da3d563da3043ffb94ed7541aeb301c1c0ec19bb956c49c8e3f7520f0129b85e7f608461a5bddc79e6c6284bce7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MYJ5jZ6DFjzx\MYJ5jZ6DFjzx.nfo

Filesize
3KB

MD5
64cca211e30dfe509ff50ad294ad8bd4

SHA1
1f4ea9069922b49eb7dcc2047b67fb4c3d12ce6e

SHA256
01fd18934a6520ce63af8b4c30156b4e2bb5c2a069c5dec654d07bedbbc6be9f

SHA512
a0c397cece830fca0c0d2851597d878541361da3d563da3043ffb94ed7541aeb301c1c0ec19bb956c49c8e3f7520f0129b85e7f608461a5bddc79e6c6284bce7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MYJ5jZ6DFjzx\MYJ5jZ6DFjzx.nfo

Filesize
3KB

MD5
64cca211e30dfe509ff50ad294ad8bd4

SHA1
1f4ea9069922b49eb7dcc2047b67fb4c3d12ce6e

SHA256
01fd18934a6520ce63af8b4c30156b4e2bb5c2a069c5dec654d07bedbbc6be9f

SHA512
a0c397cece830fca0c0d2851597d878541361da3d563da3043ffb94ed7541aeb301c1c0ec19bb956c49c8e3f7520f0129b85e7f608461a5bddc79e6c6284bce7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MYJ5jZ6DFjzx\MYJ5jZ6DFjzx.svr

Filesize
356KB

MD5
a0eaa79f7fc06363a4be2586faf870c4

SHA1
4a917e5edeb6ef24d3254cc4736c51f3328819ac

SHA256
63d2efdbaadf9ab86413b83f868eefb6e1d0affc30081e3e2a10ea2605345ee3

SHA512
b79494de07f28cd64edccedf84a07fb4d7a791c04832c82d301846449f5fd138af0a7c9a0e0fc9f78c0302b4a9d0c9fcc63313370962c2ee622ecac525dec4b8

Download Submit
memory/1988-162-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1988-132-0x0000000000000000-mapping.dmp

Download
memory/1988-133-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1988-134-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1988-135-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1988-136-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2376-142-0x0000000000000000-mapping.dmp

Download
memory/3128-189-0x0000000000000000-mapping.dmp

Download
memory/3152-173-0x0000000000000000-mapping.dmp

Download
memory/3152-202-0x0000000001610000-0x000000000171F000-memory.dmp

Filesize
1.1MB

Download
memory/3152-200-0x0000000001610000-0x000000000171F000-memory.dmp

Filesize
1.1MB

Download
memory/3152-203-0x00000000016C5000-0x000000000171D000-memory.dmp

Filesize
352KB

Download
memory/3152-201-0x0000000001610000-0x000000000171F000-memory.dmp

Filesize
1.1MB

Download
memory/3152-204-0x0000000001611000-0x00000000016C5000-memory.dmp

Filesize
720KB

Download
memory/3152-205-0x00000000016C5000-0x000000000171D000-memory.dmp

Filesize
352KB

Download
memory/3152-180-0x0000000001610000-0x000000000171F000-memory.dmp

Filesize
1.1MB

Download
memory/3152-176-0x0000000001610000-0x000000000171F000-memory.dmp

Filesize
1.1MB

Download
memory/3152-177-0x0000000001610000-0x000000000171F000-memory.dmp

Filesize
1.1MB

Download
memory/3152-178-0x0000000001610000-0x000000000171F000-memory.dmp

Filesize
1.1MB

Download
memory/3616-174-0x0000000000000000-mapping.dmp

Download
memory/3680-140-0x0000000000000000-mapping.dmp

Download
memory/3680-141-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3772-150-0x0000000000000000-mapping.dmp

Download
memory/3772-163-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3772-158-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4268-198-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4268-196-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4268-191-0x0000000000000000-mapping.dmp

Download
memory/4388-171-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4388-181-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4388-155-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4388-146-0x0000000000000000-mapping.dmp

Download
memory/4452-159-0x0000000000000000-mapping.dmp

Download
memory/4496-144-0x0000000000000000-mapping.dmp

Download
memory/4644-170-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4644-164-0x0000000000000000-mapping.dmp

Download
memory/5036-139-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5036-137-0x0000000000000000-mapping.dmp

Download
memory/5100-188-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5100-182-0x0000000000000000-mapping.dmp

Download
memory/5100-199-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download