hawkeye | 834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

Analysis

max time kernel
185s
max time network
179s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
Size

1023KB
MD5

48a7ffc306eb2df89fa8d5e76bb9f84a
SHA1

b35ac93dc1c8960b5535f3ea9115ce462563df95
SHA256

834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a
SHA512

d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6
SSDEEP

24576:JlvEhuUvl2xtTaZL3LMNy32TkC4N8tHZkI0hVGSb4Glxrzd3Qcj:vvEPYxsr32TJ4UHZkLVj4Y9d3Qcj

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 16 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1056-60-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral1/memory/1056-62-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral1/memory/1056-61-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral1/memory/1056-63-0x00000000004EB17E-mapping.dmp	MailPassView
behavioral1/memory/1056-65-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral1/memory/1056-67-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral1/memory/1236-101-0x00000000004EB17E-mapping.dmp	MailPassView
behavioral1/memory/1236-104-0x00000000001A0000-0x0000000000290000-memory.dmp	MailPassView
behavioral1/memory/1236-108-0x00000000001A0000-0x0000000000290000-memory.dmp	MailPassView
behavioral1/memory/1236-111-0x00000000001A0000-0x0000000000290000-memory.dmp	MailPassView
behavioral1/memory/1560-128-0x00000000004EB17E-mapping.dmp	MailPassView
behavioral1/memory/544-139-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/544-140-0x0000000000411714-mapping.dmp	MailPassView
behavioral1/memory/544-143-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/544-145-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/544-146-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 15 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1056-60-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1056-62-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1056-61-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1056-63-0x00000000004EB17E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1056-65-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1056-67-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1236-101-0x00000000004EB17E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1236-104-0x00000000001A0000-0x0000000000290000-memory.dmp	WebBrowserPassView
behavioral1/memory/1236-108-0x00000000001A0000-0x0000000000290000-memory.dmp	WebBrowserPassView
behavioral1/memory/1236-111-0x00000000001A0000-0x0000000000290000-memory.dmp	WebBrowserPassView
behavioral1/memory/1560-128-0x00000000004EB17E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1360-148-0x0000000000442F04-mapping.dmp	WebBrowserPassView
behavioral1/memory/1360-147-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral1/memory/1360-151-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral1/memory/1360-152-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 28 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1056-60-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral1/memory/1056-62-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral1/memory/1056-61-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral1/memory/1056-63-0x00000000004EB17E-mapping.dmp	Nirsoft
behavioral1/memory/1056-65-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral1/memory/1056-67-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral1/memory/1236-101-0x00000000004EB17E-mapping.dmp	Nirsoft
behavioral1/memory/1236-104-0x00000000001A0000-0x0000000000290000-memory.dmp	Nirsoft
behavioral1/memory/1236-108-0x00000000001A0000-0x0000000000290000-memory.dmp	Nirsoft
behavioral1/memory/1236-111-0x00000000001A0000-0x0000000000290000-memory.dmp	Nirsoft
behavioral1/memory/1560-128-0x00000000004EB17E-mapping.dmp	Nirsoft
behavioral1/memory/544-139-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/544-140-0x0000000000411714-mapping.dmp	Nirsoft
behavioral1/memory/544-143-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/544-145-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/544-146-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1360-148-0x0000000000442F04-mapping.dmp	Nirsoft
behavioral1/memory/1360-147-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral1/memory/1360-151-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral1/memory/1360-152-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral1/memory/1612-155-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral1/memory/1612-156-0x000000000040BEC0-mapping.dmp	Nirsoft
behavioral1/memory/1612-159-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral1/memory/1612-161-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral1/memory/1768-162-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft
behavioral1/memory/1768-163-0x000000000043BC50-mapping.dmp	Nirsoft
behavioral1/memory/1768-168-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft
behavioral1/memory/1768-166-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft

Executes dropped EXE 6 IoCs

Processes:

BrokerInfrastructure.exeAudioEndpointBuilder.exeWindows Update.exeAudioEndpointBuilder.exeBrokerInfrastructure.exeWindows Update.exe

pid	process
860	BrokerInfrastructure.exe
1624	AudioEndpointBuilder.exe
968	Windows Update.exe
1236	AudioEndpointBuilder.exe
1316	BrokerInfrastructure.exe
1560	Windows Update.exe

Loads dropped DLL 6 IoCs

Processes:

834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exeBrokerInfrastructure.exe834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exeAudioEndpointBuilder.exeWindows Update.exe

pid	process
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
860	BrokerInfrastructure.exe
1056	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1624	AudioEndpointBuilder.exe
1624	AudioEndpointBuilder.exe
968	Windows Update.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 whatismyipaddress.com
7 whatismyipaddress.com
8 whatismyipaddress.com

flow	ioc
5	whatismyipaddress.com
7	whatismyipaddress.com
8	whatismyipaddress.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exeAudioEndpointBuilder.exeWindows Update.exeAudioEndpointBuilder.exe

description	pid	process	target process
PID 1224 set thread context of 1056	1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 1624 set thread context of 1236	1624	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 968 set thread context of 1560	968	Windows Update.exe	Windows Update.exe
PID 1236 set thread context of 544	1236	AudioEndpointBuilder.exe	vbc.exe
PID 1236 set thread context of 1360	1236	AudioEndpointBuilder.exe	vbc.exe
PID 1236 set thread context of 1612	1236	AudioEndpointBuilder.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exeBrokerInfrastructure.exeAudioEndpointBuilder.exeBrokerInfrastructure.exeWindows Update.exe

pid	process
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
860	BrokerInfrastructure.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
860	BrokerInfrastructure.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
860	BrokerInfrastructure.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
860	BrokerInfrastructure.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
860	BrokerInfrastructure.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
860	BrokerInfrastructure.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
860	BrokerInfrastructure.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
860	BrokerInfrastructure.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
860	BrokerInfrastructure.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
860	BrokerInfrastructure.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
860	BrokerInfrastructure.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
860	BrokerInfrastructure.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
860	BrokerInfrastructure.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
860	BrokerInfrastructure.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
860	BrokerInfrastructure.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1624	AudioEndpointBuilder.exe
1316	BrokerInfrastructure.exe
968	Windows Update.exe
1624	AudioEndpointBuilder.exe
968	Windows Update.exe
1316	BrokerInfrastructure.exe
1624	AudioEndpointBuilder.exe
968	Windows Update.exe
1624	AudioEndpointBuilder.exe
968	Windows Update.exe
1624	AudioEndpointBuilder.exe
968	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exeBrokerInfrastructure.exeAudioEndpointBuilder.exeWindows Update.exeBrokerInfrastructure.exeAudioEndpointBuilder.exe

description	pid	process
Token: SeDebugPrivilege	1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
Token: SeDebugPrivilege	860	BrokerInfrastructure.exe
Token: SeDebugPrivilege	1624	AudioEndpointBuilder.exe
Token: SeDebugPrivilege	968	Windows Update.exe
Token: SeDebugPrivilege	1316	BrokerInfrastructure.exe
Token: SeDebugPrivilege	1236	AudioEndpointBuilder.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AudioEndpointBuilder.exe

pid process

1236 AudioEndpointBuilder.exe

pid	process
1236	AudioEndpointBuilder.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1224 wrote to memory of 1056	1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 1224 wrote to memory of 1056	1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 1224 wrote to memory of 1056	1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 1224 wrote to memory of 1056	1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 1224 wrote to memory of 1056	1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 1224 wrote to memory of 1056	1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 1224 wrote to memory of 1056	1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 1224 wrote to memory of 1056	1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 1224 wrote to memory of 1056	1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 1224 wrote to memory of 860	1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	BrokerInfrastructure.exe
PID 1224 wrote to memory of 860	1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	BrokerInfrastructure.exe
PID 1224 wrote to memory of 860	1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	BrokerInfrastructure.exe
PID 1224 wrote to memory of 860	1224	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	BrokerInfrastructure.exe
PID 860 wrote to memory of 1624	860	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 860 wrote to memory of 1624	860	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 860 wrote to memory of 1624	860	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 860 wrote to memory of 1624	860	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 1056 wrote to memory of 968	1056	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	Windows Update.exe
PID 1056 wrote to memory of 968	1056	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	Windows Update.exe
PID 1056 wrote to memory of 968	1056	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	Windows Update.exe
PID 1056 wrote to memory of 968	1056	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	Windows Update.exe
PID 1056 wrote to memory of 968	1056	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	Windows Update.exe
PID 1056 wrote to memory of 968	1056	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	Windows Update.exe
PID 1056 wrote to memory of 968	1056	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	Windows Update.exe
PID 1624 wrote to memory of 1236	1624	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1624 wrote to memory of 1236	1624	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1624 wrote to memory of 1236	1624	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1624 wrote to memory of 1236	1624	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1624 wrote to memory of 1236	1624	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1624 wrote to memory of 1236	1624	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1624 wrote to memory of 1236	1624	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1624 wrote to memory of 1236	1624	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1624 wrote to memory of 1236	1624	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1624 wrote to memory of 1316	1624	AudioEndpointBuilder.exe	BrokerInfrastructure.exe
PID 1624 wrote to memory of 1316	1624	AudioEndpointBuilder.exe	BrokerInfrastructure.exe
PID 1624 wrote to memory of 1316	1624	AudioEndpointBuilder.exe	BrokerInfrastructure.exe
PID 1624 wrote to memory of 1316	1624	AudioEndpointBuilder.exe	BrokerInfrastructure.exe
PID 968 wrote to memory of 1560	968	Windows Update.exe	Windows Update.exe
PID 968 wrote to memory of 1560	968	Windows Update.exe	Windows Update.exe
PID 968 wrote to memory of 1560	968	Windows Update.exe	Windows Update.exe
PID 968 wrote to memory of 1560	968	Windows Update.exe	Windows Update.exe
PID 968 wrote to memory of 1560	968	Windows Update.exe	Windows Update.exe
PID 968 wrote to memory of 1560	968	Windows Update.exe	Windows Update.exe
PID 968 wrote to memory of 1560	968	Windows Update.exe	Windows Update.exe
PID 968 wrote to memory of 1560	968	Windows Update.exe	Windows Update.exe
PID 968 wrote to memory of 1560	968	Windows Update.exe	Windows Update.exe
PID 968 wrote to memory of 1560	968	Windows Update.exe	Windows Update.exe
PID 968 wrote to memory of 1560	968	Windows Update.exe	Windows Update.exe
PID 968 wrote to memory of 1560	968	Windows Update.exe	Windows Update.exe
PID 1236 wrote to memory of 544	1236	AudioEndpointBuilder.exe	vbc.exe
PID 1236 wrote to memory of 544	1236	AudioEndpointBuilder.exe	vbc.exe
PID 1236 wrote to memory of 544	1236	AudioEndpointBuilder.exe	vbc.exe
PID 1236 wrote to memory of 544	1236	AudioEndpointBuilder.exe	vbc.exe
PID 1236 wrote to memory of 544	1236	AudioEndpointBuilder.exe	vbc.exe
PID 1236 wrote to memory of 544	1236	AudioEndpointBuilder.exe	vbc.exe
PID 1236 wrote to memory of 544	1236	AudioEndpointBuilder.exe	vbc.exe
PID 1236 wrote to memory of 544	1236	AudioEndpointBuilder.exe	vbc.exe
PID 1236 wrote to memory of 544	1236	AudioEndpointBuilder.exe	vbc.exe
PID 1236 wrote to memory of 544	1236	AudioEndpointBuilder.exe	vbc.exe
PID 1236 wrote to memory of 1360	1236	AudioEndpointBuilder.exe	vbc.exe
PID 1236 wrote to memory of 1360	1236	AudioEndpointBuilder.exe	vbc.exe
PID 1236 wrote to memory of 1360	1236	AudioEndpointBuilder.exe	vbc.exe
PID 1236 wrote to memory of 1360	1236	AudioEndpointBuilder.exe	vbc.exe
PID 1236 wrote to memory of 1360	1236	AudioEndpointBuilder.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
"C:\Users\Admin\AppData\Local\Temp\834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Temp\834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
"C:\Users\Admin\AppData\Local\Temp\834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
PID:1560

C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
- Accesses Microsoft Outlook accounts
PID:544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
5⤵
PID:1360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
5⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt"
5⤵
PID:1768

C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
86f49fba1e2bd32484a49be33efbed1a

SHA1
529f46b90a626016c6708a1af05b449346980802

SHA256
2fd940083c6f51c6b0324a4c367aadd674b5cc7495688a75ed82f858444e1b78

SHA512
43019a316913e3d3fe3aebb7827e2fe75e741335132651cf0185e889dd29ca6d1a7846eb7b04b9412e5c7c2146c7b148b866a0868caf26945ce0651a22a9d609

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt
Filesize
1KB

MD5
51ea342ea057241c0aa85a3ff6bf02c8

SHA1
b4a1cdd65b07296e2b085d8e8a3b08902a4134a3

SHA256
4da446fd1c5b896a29b09d06fa7f87d0f767d9cfa57481b63dfb174b66714703

SHA512
3bce00a8b586808a60baf26dfb5e4071b888eb84108724483ebe43917b39dc30bc34f696a682884729cec348183c5be65311382b66ca38d52df87a0fc6d84c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1023KB

MD5
48a7ffc306eb2df89fa8d5e76bb9f84a

SHA1
b35ac93dc1c8960b5535f3ea9115ce462563df95

SHA256
834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

SHA512
d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1023KB

MD5
48a7ffc306eb2df89fa8d5e76bb9f84a

SHA1
b35ac93dc1c8960b5535f3ea9115ce462563df95

SHA256
834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

SHA512
d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1023KB

MD5
48a7ffc306eb2df89fa8d5e76bb9f84a

SHA1
b35ac93dc1c8960b5535f3ea9115ce462563df95

SHA256
834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

SHA512
d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
01f48e0a9f0dbf4a3c601bf1c8c4e68a

SHA1
5439a513f790bc8650b975b952f3baa189ef23c4

SHA256
8c362e40460c9f894b4723e2a3e388c8bf8c9695904a9597c58a84fb7e3c8b97

SHA512
24246465dfa9da4c90c5d5535ff277b1e8b759e82932f8d4d21187059f79b8a085613318a984e294b34998b1dbd8b5ba7d700f890151f20cb18efc847e23d136

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
01f48e0a9f0dbf4a3c601bf1c8c4e68a

SHA1
5439a513f790bc8650b975b952f3baa189ef23c4

SHA256
8c362e40460c9f894b4723e2a3e388c8bf8c9695904a9597c58a84fb7e3c8b97

SHA512
24246465dfa9da4c90c5d5535ff277b1e8b759e82932f8d4d21187059f79b8a085613318a984e294b34998b1dbd8b5ba7d700f890151f20cb18efc847e23d136

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
01f48e0a9f0dbf4a3c601bf1c8c4e68a

SHA1
5439a513f790bc8650b975b952f3baa189ef23c4

SHA256
8c362e40460c9f894b4723e2a3e388c8bf8c9695904a9597c58a84fb7e3c8b97

SHA512
24246465dfa9da4c90c5d5535ff277b1e8b759e82932f8d4d21187059f79b8a085613318a984e294b34998b1dbd8b5ba7d700f890151f20cb18efc847e23d136

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
01f48e0a9f0dbf4a3c601bf1c8c4e68a

SHA1
5439a513f790bc8650b975b952f3baa189ef23c4

SHA256
8c362e40460c9f894b4723e2a3e388c8bf8c9695904a9597c58a84fb7e3c8b97

SHA512
24246465dfa9da4c90c5d5535ff277b1e8b759e82932f8d4d21187059f79b8a085613318a984e294b34998b1dbd8b5ba7d700f890151f20cb18efc847e23d136

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1023KB

MD5
48a7ffc306eb2df89fa8d5e76bb9f84a

SHA1
b35ac93dc1c8960b5535f3ea9115ce462563df95

SHA256
834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

SHA512
d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1023KB

MD5
48a7ffc306eb2df89fa8d5e76bb9f84a

SHA1
b35ac93dc1c8960b5535f3ea9115ce462563df95

SHA256
834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

SHA512
d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1023KB

MD5
48a7ffc306eb2df89fa8d5e76bb9f84a

SHA1
b35ac93dc1c8960b5535f3ea9115ce462563df95

SHA256
834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

SHA512
d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1023KB

MD5
48a7ffc306eb2df89fa8d5e76bb9f84a

SHA1
b35ac93dc1c8960b5535f3ea9115ce462563df95

SHA256
834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

SHA512
d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1023KB

MD5
48a7ffc306eb2df89fa8d5e76bb9f84a

SHA1
b35ac93dc1c8960b5535f3ea9115ce462563df95

SHA256
834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

SHA512
d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
01f48e0a9f0dbf4a3c601bf1c8c4e68a

SHA1
5439a513f790bc8650b975b952f3baa189ef23c4

SHA256
8c362e40460c9f894b4723e2a3e388c8bf8c9695904a9597c58a84fb7e3c8b97

SHA512
24246465dfa9da4c90c5d5535ff277b1e8b759e82932f8d4d21187059f79b8a085613318a984e294b34998b1dbd8b5ba7d700f890151f20cb18efc847e23d136

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
01f48e0a9f0dbf4a3c601bf1c8c4e68a

SHA1
5439a513f790bc8650b975b952f3baa189ef23c4

SHA256
8c362e40460c9f894b4723e2a3e388c8bf8c9695904a9597c58a84fb7e3c8b97

SHA512
24246465dfa9da4c90c5d5535ff277b1e8b759e82932f8d4d21187059f79b8a085613318a984e294b34998b1dbd8b5ba7d700f890151f20cb18efc847e23d136

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1023KB

MD5
48a7ffc306eb2df89fa8d5e76bb9f84a

SHA1
b35ac93dc1c8960b5535f3ea9115ce462563df95

SHA256
834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

SHA512
d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1023KB

MD5
48a7ffc306eb2df89fa8d5e76bb9f84a

SHA1
b35ac93dc1c8960b5535f3ea9115ce462563df95

SHA256
834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

SHA512
d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6

Download Submit
memory/544-146-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/544-139-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/544-145-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/544-140-0x0000000000411714-mapping.dmp

Download
memory/544-143-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/860-75-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/860-71-0x0000000000000000-mapping.dmp

Download
memory/860-89-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/860-92-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/968-83-0x0000000000000000-mapping.dmp

Download
memory/968-87-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/968-91-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1056-69-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1056-61-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1056-60-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1056-67-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1056-62-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1056-88-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1056-57-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1056-65-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1056-63-0x00000000004EB17E-mapping.dmp

Download
memory/1056-58-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1224-55-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1224-56-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1224-93-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1224-54-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1236-108-0x00000000001A0000-0x0000000000290000-memory.dmp

Filesize
960KB

Download
memory/1236-122-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1236-154-0x0000000000315000-0x0000000000326000-memory.dmp

Filesize
68KB

Download
memory/1236-111-0x00000000001A0000-0x0000000000290000-memory.dmp

Filesize
960KB

Download
memory/1236-136-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1236-144-0x0000000000315000-0x0000000000326000-memory.dmp

Filesize
68KB

Download
memory/1236-104-0x00000000001A0000-0x0000000000290000-memory.dmp

Filesize
960KB

Download
memory/1236-101-0x00000000004EB17E-mapping.dmp

Download
memory/1316-125-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1316-115-0x0000000000000000-mapping.dmp

Download
memory/1316-137-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1360-148-0x0000000000442F04-mapping.dmp

Download
memory/1360-147-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1360-151-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1360-152-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1560-135-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-128-0x00000000004EB17E-mapping.dmp

Download
memory/1560-138-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1612-155-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1612-156-0x000000000040BEC0-mapping.dmp

Download
memory/1612-159-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1612-161-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1612-169-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1624-81-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1624-90-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1624-78-0x0000000000000000-mapping.dmp

Download
memory/1768-162-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1768-163-0x000000000043BC50-mapping.dmp

Download
memory/1768-168-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1768-166-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download