amadey | eaec14216a432e4395651d68824b9d2e26a5c7a1cc4d737e136fdadec3dde4a9

Analysis

max time kernel
151s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
27-11-2022 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaec14216a432e4395651d68824b9d2e26a5c7a1cc4d737e136fdadec3dde4a9.exe
Size

147KB
MD5

ba7cc918a507055f9e7b5fd0a0910253
SHA1

785f6fa2c6464dc2eb1956ee1eac9a57efa514a6
SHA256

eaec14216a432e4395651d68824b9d2e26a5c7a1cc4d737e136fdadec3dde4a9
SHA512

d4a6667aae46d9cbf6c5f39245124366e2f21fd7aa7247afb5b7337ea7fa949dc361aaf74dd90928cae1e0635f968030fa6461bbb680a653c02f7dc635029c92
SSDEEP

3072:ulKoXbsTCxxoGB5F8kGA8u2U56jahHB7Y:ArRbomGPE6jax

Score

10^/10

amadey djvu smokeloader vidar 517 backdoor collection discovery persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

193.56.146.194/h49vlBP/index.php

Extracted

Family

djvu

http://fresherlights.com/lancer/get.php

Attributes

extension
.kcbu
offline_id
hlqzhQ6w5SquNDF4Ul2XBDJQkSIKbAT6rmRBTit1
payload_url
http://uaery.top/dl/build2.exe
http://fresherlights.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-lj5qINGbTc Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0608Jhyjd

rsa_pubkey.plain

Extracted

Family

vidar

Version

55.9

Botnet

517

https://t.me/headshotsonly

https://steamcommunity.com/profiles/76561199436777531

Attributes

profile_id
517

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1840-495-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/752-498-0x00000000029A0000-0x0000000002ABB000-memory.dmp	family_djvu
behavioral1/memory/1840-554-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1840-599-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4508-628-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/4508-693-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4508-800-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2124-146-0x00000000006D0000-0x00000000006D9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

3A79.exe3E71.exe46B0.exe518E.exe56CF.exe56CF.exe56CF.exe56CF.exebuild2.exebuild3.exebuild2.exemstsca.exe

pid	process
4832	3A79.exe
4844	3E71.exe
3492	46B0.exe
3308	518E.exe
752	56CF.exe
1840	56CF.exe
3468	56CF.exe
4508	56CF.exe
4448	build2.exe
4572	build3.exe
2248	build2.exe
756	mstsca.exe

Deletes itself 1 IoCs

Processes:

pid process

3064
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exebuild2.exe

pid process

3188 regsvr32.exe
2248 build2.exe
2248 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3400 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3064

pid	process
3188	regsvr32.exe
2248	build2.exe
2248	build2.exe

pid	process
3400	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

56CF.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8f89e71a-50f2-4183-9371-80bdc83b36f1\\56CF.exe\" --AutoStart"	56CF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 api.2ip.ua
17 api.2ip.ua
29 api.2ip.ua

flow	ioc
16	api.2ip.ua
17	api.2ip.ua
29	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

56CF.exe56CF.exebuild2.exe

description	pid	process	target process
PID 752 set thread context of 1840	752	56CF.exe	56CF.exe
PID 3468 set thread context of 4508	3468	56CF.exe	56CF.exe
PID 4448 set thread context of 2248	4448	build2.exe	build2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4820 3308 WerFault.exe 518E.exe

pid	pid_target	process	target process
4820	3308	WerFault.exe	518E.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

eaec14216a432e4395651d68824b9d2e26a5c7a1cc4d737e136fdadec3dde4a9.exe46B0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eaec14216a432e4395651d68824b9d2e26a5c7a1cc4d737e136fdadec3dde4a9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eaec14216a432e4395651d68824b9d2e26a5c7a1cc4d737e136fdadec3dde4a9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eaec14216a432e4395651d68824b9d2e26a5c7a1cc4d737e136fdadec3dde4a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	46B0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	46B0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	46B0.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4812 schtasks.exe
1248 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3752 timeout.exe

pid	process
4812	schtasks.exe
1248	schtasks.exe

pid	process
3752	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

eaec14216a432e4395651d68824b9d2e26a5c7a1cc4d737e136fdadec3dde4a9.exe

pid	process
2124	eaec14216a432e4395651d68824b9d2e26a5c7a1cc4d737e136fdadec3dde4a9.exe
2124	eaec14216a432e4395651d68824b9d2e26a5c7a1cc4d737e136fdadec3dde4a9.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3064
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

eaec14216a432e4395651d68824b9d2e26a5c7a1cc4d737e136fdadec3dde4a9.exe46B0.exe

pid process

2124 eaec14216a432e4395651d68824b9d2e26a5c7a1cc4d737e136fdadec3dde4a9.exe
3064
3064
3064
3064
3492 46B0.exe

pid	process
3064

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe56CF.exe56CF.exe56CF.exe56CF.exebuild3.exebuild2.exe

description	pid	process	target process
PID 3064 wrote to memory of 4832	3064		3A79.exe
PID 3064 wrote to memory of 4832	3064		3A79.exe
PID 3064 wrote to memory of 4832	3064		3A79.exe
PID 3064 wrote to memory of 4844	3064		3E71.exe
PID 3064 wrote to memory of 4844	3064		3E71.exe
PID 3064 wrote to memory of 4844	3064		3E71.exe
PID 3064 wrote to memory of 3492	3064		46B0.exe
PID 3064 wrote to memory of 3492	3064		46B0.exe
PID 3064 wrote to memory of 3492	3064		46B0.exe
PID 3064 wrote to memory of 3308	3064		518E.exe
PID 3064 wrote to memory of 3308	3064		518E.exe
PID 3064 wrote to memory of 3308	3064		518E.exe
PID 3064 wrote to memory of 752	3064		56CF.exe
PID 3064 wrote to memory of 752	3064		56CF.exe
PID 3064 wrote to memory of 752	3064		56CF.exe
PID 3064 wrote to memory of 4988	3064		regsvr32.exe
PID 3064 wrote to memory of 4988	3064		regsvr32.exe
PID 4988 wrote to memory of 3188	4988	regsvr32.exe	regsvr32.exe
PID 4988 wrote to memory of 3188	4988	regsvr32.exe	regsvr32.exe
PID 4988 wrote to memory of 3188	4988	regsvr32.exe	regsvr32.exe
PID 3064 wrote to memory of 4348	3064		explorer.exe
PID 3064 wrote to memory of 4348	3064		explorer.exe
PID 3064 wrote to memory of 4348	3064		explorer.exe
PID 3064 wrote to memory of 4348	3064		explorer.exe
PID 3064 wrote to memory of 4896	3064		explorer.exe
PID 3064 wrote to memory of 4896	3064		explorer.exe
PID 3064 wrote to memory of 4896	3064		explorer.exe
PID 752 wrote to memory of 1840	752	56CF.exe	56CF.exe
PID 752 wrote to memory of 1840	752	56CF.exe	56CF.exe
PID 752 wrote to memory of 1840	752	56CF.exe	56CF.exe
PID 752 wrote to memory of 1840	752	56CF.exe	56CF.exe
PID 752 wrote to memory of 1840	752	56CF.exe	56CF.exe
PID 752 wrote to memory of 1840	752	56CF.exe	56CF.exe
PID 752 wrote to memory of 1840	752	56CF.exe	56CF.exe
PID 752 wrote to memory of 1840	752	56CF.exe	56CF.exe
PID 752 wrote to memory of 1840	752	56CF.exe	56CF.exe
PID 752 wrote to memory of 1840	752	56CF.exe	56CF.exe
PID 1840 wrote to memory of 3400	1840	56CF.exe	icacls.exe
PID 1840 wrote to memory of 3400	1840	56CF.exe	icacls.exe
PID 1840 wrote to memory of 3400	1840	56CF.exe	icacls.exe
PID 1840 wrote to memory of 3468	1840	56CF.exe	56CF.exe
PID 1840 wrote to memory of 3468	1840	56CF.exe	56CF.exe
PID 1840 wrote to memory of 3468	1840	56CF.exe	56CF.exe
PID 3468 wrote to memory of 4508	3468	56CF.exe	56CF.exe
PID 3468 wrote to memory of 4508	3468	56CF.exe	56CF.exe
PID 3468 wrote to memory of 4508	3468	56CF.exe	56CF.exe
PID 3468 wrote to memory of 4508	3468	56CF.exe	56CF.exe
PID 3468 wrote to memory of 4508	3468	56CF.exe	56CF.exe
PID 3468 wrote to memory of 4508	3468	56CF.exe	56CF.exe
PID 3468 wrote to memory of 4508	3468	56CF.exe	56CF.exe
PID 3468 wrote to memory of 4508	3468	56CF.exe	56CF.exe
PID 3468 wrote to memory of 4508	3468	56CF.exe	56CF.exe
PID 3468 wrote to memory of 4508	3468	56CF.exe	56CF.exe
PID 4508 wrote to memory of 4448	4508	56CF.exe	build2.exe
PID 4508 wrote to memory of 4448	4508	56CF.exe	build2.exe
PID 4508 wrote to memory of 4448	4508	56CF.exe	build2.exe
PID 4508 wrote to memory of 4572	4508	56CF.exe	build3.exe
PID 4508 wrote to memory of 4572	4508	56CF.exe	build3.exe
PID 4508 wrote to memory of 4572	4508	56CF.exe	build3.exe
PID 4572 wrote to memory of 4812	4572	build3.exe	schtasks.exe
PID 4572 wrote to memory of 4812	4572	build3.exe	schtasks.exe
PID 4572 wrote to memory of 4812	4572	build3.exe	schtasks.exe
PID 4448 wrote to memory of 2248	4448	build2.exe	build2.exe
PID 4448 wrote to memory of 2248	4448	build2.exe	build2.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\eaec14216a432e4395651d68824b9d2e26a5c7a1cc4d737e136fdadec3dde4a9.exe
"C:\Users\Admin\AppData\Local\Temp\eaec14216a432e4395651d68824b9d2e26a5c7a1cc4d737e136fdadec3dde4a9.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2124

C:\Users\Admin\AppData\Local\Temp\3A79.exe
C:\Users\Admin\AppData\Local\Temp\3A79.exe
1⤵
- Executes dropped EXE
PID:4832

C:\Users\Admin\AppData\Local\Temp\3E71.exe
C:\Users\Admin\AppData\Local\Temp\3E71.exe
1⤵
- Executes dropped EXE
PID:4844

C:\Users\Admin\AppData\Local\Temp\46B0.exe
C:\Users\Admin\AppData\Local\Temp\46B0.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3492

C:\Users\Admin\AppData\Local\Temp\518E.exe
C:\Users\Admin\AppData\Local\Temp\518E.exe
1⤵
- Executes dropped EXE
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 480
2⤵
- Program crash
PID:4820

C:\Users\Admin\AppData\Local\Temp\56CF.exe
C:\Users\Admin\AppData\Local\Temp\56CF.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Local\Temp\56CF.exe
C:\Users\Admin\AppData\Local\Temp\56CF.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\8f89e71a-50f2-4183-9371-80bdc83b36f1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3400

C:\Users\Admin\AppData\Local\Temp\56CF.exe
"C:\Users\Admin\AppData\Local\Temp\56CF.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Local\Temp\56CF.exe
"C:\Users\Admin\AppData\Local\Temp\56CF.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508

C:\Users\Admin\AppData\Local\2565663e-f115-4cdc-bdae-0e89c66a876c\build2.exe
"C:\Users\Admin\AppData\Local\2565663e-f115-4cdc-bdae-0e89c66a876c\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Local\2565663e-f115-4cdc-bdae-0e89c66a876c\build2.exe
"C:\Users\Admin\AppData\Local\2565663e-f115-4cdc-bdae-0e89c66a876c\build2.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\2565663e-f115-4cdc-bdae-0e89c66a876c\build2.exe" & exit
7⤵
PID:3056

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:3752

C:\Users\Admin\AppData\Local\2565663e-f115-4cdc-bdae-0e89c66a876c\build3.exe
"C:\Users\Admin\AppData\Local\2565663e-f115-4cdc-bdae-0e89c66a876c\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6660.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\6660.dll
2⤵
- Loads dropped DLL
PID:3188

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4348

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4896

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
8cd381eca2d5342e36b1e65a9b7f82d5

SHA1
d9b529576e1ea26e8daf88fcda26b7a0069da217

SHA256
17ff373fb2deb3ef3931ae098202097211226848ea6c581ceb9514e7a6e49369

SHA512
c888bcac5413df3eac3b068d37c866362d37915f1a25508743d818f79ce5b0518fe7ec7a4ff29be51d2404eb5f999b5d2238e60a8670375b82a8a96566101154

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
8641ac0a62e1e72023be75ceed4638a9

SHA1
a347dbd79e99d81cdd6ec77783008fec9f7e7d42

SHA256
d291f90a287f0bf8702208bab880ef95c5b2bd22a2c21762e828a707a004da2c

SHA512
9a12e4baf2ca8bc5c4ca5a8606a9200241da8fb413e50ef6c0b6b4597c25a2636915bd9dfd7e9a97e0f58a15859629bad9222188dccdaf4efdbb8e14884d0ffe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
6a57a8f8247b704009c95b08117c72ac

SHA1
e3cc62b3f8d7a974e5598a9e2d8d3dbcf25226e0

SHA256
64ebac97edd391c05f392cc98ae62e05b22d289d621482a5cc60b79a80ff76e0

SHA512
3c035bbc32a70346a6ef69e62b255084566fbfe1040c1002040619e863e2b8c5469a4b5f480412a6e43aa20c4eea2e7f2bd239a5062ce1aca55bc8b6d66ed501

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
fa7cf2e0aaf0160a8f1e48cad79d8798

SHA1
7fededcf8962cc8ef1c768c21086d6c24f6de2fe

SHA256
9b5f0bfd436f133c589d0ab564ef2deb96b2009002f8367df81c5d173b9abdb8

SHA512
ba7c91ca4d72d932867b40c6905f800cf00dd567c450ef5069c1e1e4383466e5b39ba6d9d89b27c524a38549b1b7636b8a50be19f66efd14ae4f41e11f455323

Download Submit
C:\Users\Admin\AppData\Local\2565663e-f115-4cdc-bdae-0e89c66a876c\build2.exe
Filesize
299KB

MD5
03ddc9dc7312d33ad1c5f6ed2d167645

SHA1
e75de38aee3b0beb5cc91334ecbd8a876c8351a6

SHA256
60724da01de35adee6cb34317cd2947fbcb791a8381386d79072857a19a58708

SHA512
9a23eb681563719a6ad9202038a307e842b9a60c16aec2f01ce422feca11ac8d6e1d0e9a30e110e17bec4421121643ac87f075eae8bf127dca2213f7a2c6f1aa

Download Submit
C:\Users\Admin\AppData\Local\2565663e-f115-4cdc-bdae-0e89c66a876c\build2.exe
Filesize
299KB

MD5
03ddc9dc7312d33ad1c5f6ed2d167645

SHA1
e75de38aee3b0beb5cc91334ecbd8a876c8351a6

SHA256
60724da01de35adee6cb34317cd2947fbcb791a8381386d79072857a19a58708

SHA512
9a23eb681563719a6ad9202038a307e842b9a60c16aec2f01ce422feca11ac8d6e1d0e9a30e110e17bec4421121643ac87f075eae8bf127dca2213f7a2c6f1aa

Download Submit
C:\Users\Admin\AppData\Local\2565663e-f115-4cdc-bdae-0e89c66a876c\build2.exe
Filesize
299KB

MD5
03ddc9dc7312d33ad1c5f6ed2d167645

SHA1
e75de38aee3b0beb5cc91334ecbd8a876c8351a6

SHA256
60724da01de35adee6cb34317cd2947fbcb791a8381386d79072857a19a58708

SHA512
9a23eb681563719a6ad9202038a307e842b9a60c16aec2f01ce422feca11ac8d6e1d0e9a30e110e17bec4421121643ac87f075eae8bf127dca2213f7a2c6f1aa

Download Submit
C:\Users\Admin\AppData\Local\2565663e-f115-4cdc-bdae-0e89c66a876c\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\2565663e-f115-4cdc-bdae-0e89c66a876c\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\8f89e71a-50f2-4183-9371-80bdc83b36f1\56CF.exe
Filesize
665KB

MD5
698c00e9e9924478132c46014dc9da21

SHA1
077c978496177845ee9617e84bfed2957a270192

SHA256
48a657015a32224204f9f6fd1725d5e6f1df955912f25015f5a6e951f350f412

SHA512
28445eb6500897021086158d10bdef8f9f7711c0505cdb8f10b1fa854bc94a398c1b58dc0069128bd9b8fc9311c4f4a511370d7b95a640a08f90e464cffe0487

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A79.exe
Filesize
206KB

MD5
caa2b9781b5aae691347298ecec8e7e7

SHA1
44aeb2cd466d820e23ae91bff755033905b4124c

SHA256
1b31d31314be8ef931088d03ac7fff7f3431619d0abadac320e364a8e49de4c5

SHA512
c82f3d99d1e037cdd67f3972e0b63ad38b46fdc1a3c4e0036f0ca6e9d379f036f1592766192280666e86736eb54eae81e4775bfa862a4d2eb72c7220a00b122a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A79.exe
Filesize
206KB

MD5
caa2b9781b5aae691347298ecec8e7e7

SHA1
44aeb2cd466d820e23ae91bff755033905b4124c

SHA256
1b31d31314be8ef931088d03ac7fff7f3431619d0abadac320e364a8e49de4c5

SHA512
c82f3d99d1e037cdd67f3972e0b63ad38b46fdc1a3c4e0036f0ca6e9d379f036f1592766192280666e86736eb54eae81e4775bfa862a4d2eb72c7220a00b122a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E71.exe
Filesize
205KB

MD5
e9f6fccda69077cfc6d220e0f665264c

SHA1
87be46433353c2f746df5f84f14fd21bcd50e55b

SHA256
b71c27f07c3367ed0733d3bfc17eec9d101a955cf1f8af003ed8977584778d87

SHA512
fdf1860fb1061d5ea7f0f742c80b74d2c066bf4602dae1372455f8beb556cda28d049ce82ec3f1569e30f72593647ad8ecf27d2526ff98e16c054433496a18a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E71.exe
Filesize
205KB

MD5
e9f6fccda69077cfc6d220e0f665264c

SHA1
87be46433353c2f746df5f84f14fd21bcd50e55b

SHA256
b71c27f07c3367ed0733d3bfc17eec9d101a955cf1f8af003ed8977584778d87

SHA512
fdf1860fb1061d5ea7f0f742c80b74d2c066bf4602dae1372455f8beb556cda28d049ce82ec3f1569e30f72593647ad8ecf27d2526ff98e16c054433496a18a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\46B0.exe
Filesize
148KB

MD5
fa12e99b8dcaa524d35b21fa3a6e9ccd

SHA1
bf3b4c4c6187accb1553a4c2614ead413f04c20b

SHA256
88abf2f909732b468192a4c6e5550992d763e525531c0d8983f0b24db39e890d

SHA512
f62de28061bd7299dfe363a7109653c323ea9f3e573acafce5ada63d01839abba85569cb926de52cbbfccba62d712ee0011849f96e8f54c3016c184f73d0650d

Download Submit
C:\Users\Admin\AppData\Local\Temp\46B0.exe
Filesize
148KB

MD5
fa12e99b8dcaa524d35b21fa3a6e9ccd

SHA1
bf3b4c4c6187accb1553a4c2614ead413f04c20b

SHA256
88abf2f909732b468192a4c6e5550992d763e525531c0d8983f0b24db39e890d

SHA512
f62de28061bd7299dfe363a7109653c323ea9f3e573acafce5ada63d01839abba85569cb926de52cbbfccba62d712ee0011849f96e8f54c3016c184f73d0650d

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
206KB

MD5
caa2b9781b5aae691347298ecec8e7e7

SHA1
44aeb2cd466d820e23ae91bff755033905b4124c

SHA256
1b31d31314be8ef931088d03ac7fff7f3431619d0abadac320e364a8e49de4c5

SHA512
c82f3d99d1e037cdd67f3972e0b63ad38b46fdc1a3c4e0036f0ca6e9d379f036f1592766192280666e86736eb54eae81e4775bfa862a4d2eb72c7220a00b122a

Download Submit
C:\Users\Admin\AppData\Local\Temp\518E.exe
Filesize
147KB

MD5
1a91e69d7ac978fe7dbd9c1082e1abfd

SHA1
e688694596872d570350ac640464a47b9cd883e8

SHA256
35728864feffc615636cd614008e7e3ed9fc697542c556f0edc98b705d4f2553

SHA512
91a5573093c509d1c290f10528b1d2e9528785a58c372f5a9cdbe3856f0323430b1124af3502196dee45e5a7c5002da16aad6be775b9e89244f0838a9e434530

Download Submit
C:\Users\Admin\AppData\Local\Temp\518E.exe
Filesize
147KB

MD5
1a91e69d7ac978fe7dbd9c1082e1abfd

SHA1
e688694596872d570350ac640464a47b9cd883e8

SHA256
35728864feffc615636cd614008e7e3ed9fc697542c556f0edc98b705d4f2553

SHA512
91a5573093c509d1c290f10528b1d2e9528785a58c372f5a9cdbe3856f0323430b1124af3502196dee45e5a7c5002da16aad6be775b9e89244f0838a9e434530

Download Submit
C:\Users\Admin\AppData\Local\Temp\56CF.exe
Filesize
665KB

MD5
698c00e9e9924478132c46014dc9da21

SHA1
077c978496177845ee9617e84bfed2957a270192

SHA256
48a657015a32224204f9f6fd1725d5e6f1df955912f25015f5a6e951f350f412

SHA512
28445eb6500897021086158d10bdef8f9f7711c0505cdb8f10b1fa854bc94a398c1b58dc0069128bd9b8fc9311c4f4a511370d7b95a640a08f90e464cffe0487

Download Submit
C:\Users\Admin\AppData\Local\Temp\56CF.exe
Filesize
665KB

MD5
698c00e9e9924478132c46014dc9da21

SHA1
077c978496177845ee9617e84bfed2957a270192

SHA256
48a657015a32224204f9f6fd1725d5e6f1df955912f25015f5a6e951f350f412

SHA512
28445eb6500897021086158d10bdef8f9f7711c0505cdb8f10b1fa854bc94a398c1b58dc0069128bd9b8fc9311c4f4a511370d7b95a640a08f90e464cffe0487

Download Submit
C:\Users\Admin\AppData\Local\Temp\56CF.exe
Filesize
665KB

MD5
698c00e9e9924478132c46014dc9da21

SHA1
077c978496177845ee9617e84bfed2957a270192

SHA256
48a657015a32224204f9f6fd1725d5e6f1df955912f25015f5a6e951f350f412

SHA512
28445eb6500897021086158d10bdef8f9f7711c0505cdb8f10b1fa854bc94a398c1b58dc0069128bd9b8fc9311c4f4a511370d7b95a640a08f90e464cffe0487

Download Submit
C:\Users\Admin\AppData\Local\Temp\56CF.exe
Filesize
665KB

MD5
698c00e9e9924478132c46014dc9da21

SHA1
077c978496177845ee9617e84bfed2957a270192

SHA256
48a657015a32224204f9f6fd1725d5e6f1df955912f25015f5a6e951f350f412

SHA512
28445eb6500897021086158d10bdef8f9f7711c0505cdb8f10b1fa854bc94a398c1b58dc0069128bd9b8fc9311c4f4a511370d7b95a640a08f90e464cffe0487

Download Submit
C:\Users\Admin\AppData\Local\Temp\56CF.exe
Filesize
665KB

MD5
698c00e9e9924478132c46014dc9da21

SHA1
077c978496177845ee9617e84bfed2957a270192

SHA256
48a657015a32224204f9f6fd1725d5e6f1df955912f25015f5a6e951f350f412

SHA512
28445eb6500897021086158d10bdef8f9f7711c0505cdb8f10b1fa854bc94a398c1b58dc0069128bd9b8fc9311c4f4a511370d7b95a640a08f90e464cffe0487

Download Submit
C:\Users\Admin\AppData\Local\Temp\6660.dll
Filesize
2.0MB

MD5
6ea8dc442b1047724ef46a9f98e29b13

SHA1
7cf2a62d735f76a152ac726a5d812ee4dd6fdf9f

SHA256
f385017a476d5b29cb78a4f51e4cb5e78bb05049dcce928616d64a314ee8ea30

SHA512
c7d8d73ca07bbea3aacdbf56355d4f7bcfc34b3ed709b70df9777fe38fa9decf6bae0c8cde1b8eeecacfc6d0d6a4d82a5369a8a663afc0d964bd18fb07a32675

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\6660.dll
Filesize
2.0MB

MD5
6ea8dc442b1047724ef46a9f98e29b13

SHA1
7cf2a62d735f76a152ac726a5d812ee4dd6fdf9f

SHA256
f385017a476d5b29cb78a4f51e4cb5e78bb05049dcce928616d64a314ee8ea30

SHA512
c7d8d73ca07bbea3aacdbf56355d4f7bcfc34b3ed709b70df9777fe38fa9decf6bae0c8cde1b8eeecacfc6d0d6a4d82a5369a8a663afc0d964bd18fb07a32675

Download Submit
memory/752-246-0x0000000000000000-mapping.dmp

Download
memory/752-498-0x00000000029A0000-0x0000000002ABB000-memory.dmp

Filesize
1.1MB

Download
memory/1248-983-0x0000000000000000-mapping.dmp

Download
memory/1840-599-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1840-554-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1840-495-0x0000000000424141-mapping.dmp

Download
memory/2124-136-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-150-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-158-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2124-153-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-152-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-151-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-121-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-122-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-123-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-149-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-148-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-124-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-147-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2124-146-0x00000000006D0000-0x00000000006D9000-memory.dmp

Filesize
36KB

Download
memory/2124-125-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-145-0x000000000079A000-0x00000000007AB000-memory.dmp

Filesize
68KB

Download
memory/2124-144-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-143-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-154-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-141-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-140-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-139-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-138-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-137-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-142-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-157-0x000000000079A000-0x00000000007AB000-memory.dmp

Filesize
68KB

Download
memory/2124-126-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-135-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-134-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-133-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-127-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-156-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-132-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-131-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-155-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-120-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-130-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-128-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-129-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-809-0x000000000042353C-mapping.dmp

Download
memory/2248-850-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2248-923-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3056-920-0x0000000000000000-mapping.dmp

Download
memory/3188-274-0x0000000000000000-mapping.dmp

Download
memory/3308-471-0x0000000000E5A000-0x0000000000E6A000-memory.dmp

Filesize
64KB

Download
memory/3308-472-0x0000000000AE0000-0x0000000000C2A000-memory.dmp

Filesize
1.3MB

Download
memory/3308-473-0x0000000000400000-0x0000000000AD6000-memory.dmp

Filesize
6.8MB

Download
memory/3308-220-0x0000000000000000-mapping.dmp

Download
memory/3308-619-0x0000000000AE0000-0x0000000000C2A000-memory.dmp

Filesize
1.3MB

Download
memory/3400-569-0x0000000000000000-mapping.dmp

Download
memory/3468-596-0x0000000000000000-mapping.dmp

Download
memory/3492-478-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3492-197-0x0000000000000000-mapping.dmp

Download
memory/3492-476-0x000000000073A000-0x000000000074B000-memory.dmp

Filesize
68KB

Download
memory/3492-376-0x000000000073A000-0x000000000074B000-memory.dmp

Filesize
68KB

Download
memory/3492-382-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/3492-387-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3752-927-0x0000000000000000-mapping.dmp

Download
memory/4348-275-0x0000000000000000-mapping.dmp

Download
memory/4348-452-0x0000000000E70000-0x0000000000EE5000-memory.dmp

Filesize
468KB

Download
memory/4348-453-0x0000000000E00000-0x0000000000E6B000-memory.dmp

Filesize
428KB

Download
memory/4348-521-0x0000000000E00000-0x0000000000E6B000-memory.dmp

Filesize
428KB

Download
memory/4448-709-0x0000000000000000-mapping.dmp

Download
memory/4508-628-0x0000000000424141-mapping.dmp

Download
memory/4508-693-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4508-800-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4572-738-0x0000000000000000-mapping.dmp

Download
memory/4812-780-0x0000000000000000-mapping.dmp

Download
memory/4832-190-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-180-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-466-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4832-159-0x0000000000000000-mapping.dmp

Download
memory/4832-162-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-182-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-161-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-430-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4832-163-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-164-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-165-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-166-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-194-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-192-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-168-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-172-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-188-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-185-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-341-0x000000000068A000-0x00000000006A9000-memory.dmp

Filesize
124KB

Download
memory/4832-184-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-174-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-344-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/4832-176-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-464-0x000000000068A000-0x00000000006A9000-memory.dmp

Filesize
124KB

Download
memory/4832-178-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-175-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-170-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-179-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-437-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/4844-587-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/4844-177-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-173-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-181-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-183-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-187-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-392-0x0000000000D5A000-0x0000000000D79000-memory.dmp

Filesize
124KB

Download
memory/4844-399-0x0000000000BA0000-0x0000000000CEA000-memory.dmp

Filesize
1.3MB

Download
memory/4844-167-0x0000000000000000-mapping.dmp

Download
memory/4844-432-0x0000000000D5A000-0x0000000000D79000-memory.dmp

Filesize
124KB

Download
memory/4844-193-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-191-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4844-189-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4896-295-0x00000000010E0000-0x00000000010E7000-memory.dmp

Filesize
28KB

Download
memory/4896-299-0x00000000010D0000-0x00000000010DC000-memory.dmp

Filesize
48KB

Download
memory/4896-287-0x0000000000000000-mapping.dmp

Download
memory/4988-269-0x0000000000000000-mapping.dmp

Download