amadey | 75756ae5f132368990d600e6884157b2ed9fd11879004e5adc0bbe4b8d377a64

Analysis

max time kernel
167s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75756ae5f132368990d600e6884157b2ed9fd11879004e5adc0bbe4b8d377a64.exe
Size

145KB
MD5

1eced7a5a078e0c14805e3d6cc93d280
SHA1

76d3e77ea0b6360f7d7483cb72420fdd48c23fec
SHA256

75756ae5f132368990d600e6884157b2ed9fd11879004e5adc0bbe4b8d377a64
SHA512

08788636fb06b50befe0e29bc60e53578d5beedac37afe0ac996fe1b9356daa0b22da7d6cd82a13e6c4a182df85b108b299dc2e77b419cf51b6379d7c6080f46
SSDEEP

3072:QLoJQNryN5wxpAEJkAddKzntJEOWyvCH:jgr37ddDOWy

Score

10^/10

amadey djvu smokeloader backdoor discovery persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

djvu

http://fresherlights.com/lancer/get.php

Attributes

extension
.kcbu
offline_id
hlqzhQ6w5SquNDF4Ul2XBDJQkSIKbAT6rmRBTit1
payload_url
http://uaery.top/dl/build2.exe
http://fresherlights.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-lj5qINGbTc Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@fishmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0608Jhyjd

rsa_pubkey.plain

Extracted

Family

amadey

Version

3.50

193.56.146.194/h49vlBP/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2356-149-0x0000000002260000-0x000000000237B000-memory.dmp	family_djvu
behavioral1/memory/3828-152-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3828-155-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3828-157-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3828-160-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3828-216-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1460-225-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1460-227-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1536-133-0x00000000006F0000-0x00000000006F9000-memory.dmp	family_smokeloader
behavioral1/memory/1368-187-0x0000000000490000-0x0000000000499000-memory.dmp	family_smokeloader
behavioral1/memory/4920-192-0x00000000006A0000-0x00000000006A9000-memory.dmp	family_smokeloader
behavioral1/memory/392-203-0x0000000000EC0000-0x0000000000EC7000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

EEF4.exeFEF2.exe1039.exeEEF4.exerovwer.exerovwer.exe8FBB.exeA864.exeBCD8.exe13E3.exe13E3.exeEEF4.exeEEF4.exe

pid	process
2356	EEF4.exe
3772	FEF2.exe
1756	1039.exe
3828	EEF4.exe
932	rovwer.exe
884	rovwer.exe
4920	8FBB.exe
1368	A864.exe
3964	BCD8.exe
4520	13E3.exe
1652	13E3.exe
2204	EEF4.exe
1460	EEF4.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EEF4.exe1039.exeFEF2.exerovwer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	EEF4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	1039.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	FEF2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	rovwer.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exe

pid process

4772 regsvr32.exe
4772 regsvr32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1692 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4772	regsvr32.exe
4772	regsvr32.exe

pid	process
1692	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

EEF4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\30e52547-22cd-494e-8178-185a5e1aa46c\\EEF4.exe\" --AutoStart"	EEF4.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

65 api.2ip.ua
63 api.2ip.ua

flow	ioc
65	api.2ip.ua
63	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

EEF4.exe13E3.exeEEF4.exe

description	pid	process	target process
PID 2356 set thread context of 3828	2356	EEF4.exe	EEF4.exe
PID 4520 set thread context of 1652	4520	13E3.exe	13E3.exe
PID 2204 set thread context of 1460	2204	EEF4.exe	EEF4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3776	3772	WerFault.exe	FEF2.exe
3104	1756	WerFault.exe	1039.exe
3096	884	WerFault.exe	rovwer.exe
3012	3964	WerFault.exe	BCD8.exe
3144	4920	WerFault.exe	8FBB.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

A864.exe75756ae5f132368990d600e6884157b2ed9fd11879004e5adc0bbe4b8d377a64.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A864.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A864.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	75756ae5f132368990d600e6884157b2ed9fd11879004e5adc0bbe4b8d377a64.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	75756ae5f132368990d600e6884157b2ed9fd11879004e5adc0bbe4b8d377a64.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	75756ae5f132368990d600e6884157b2ed9fd11879004e5adc0bbe4b8d377a64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A864.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4056 schtasks.exe

pid	process
4056	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

EEF4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	EEF4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	EEF4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

75756ae5f132368990d600e6884157b2ed9fd11879004e5adc0bbe4b8d377a64.exe

pid	process
1536	75756ae5f132368990d600e6884157b2ed9fd11879004e5adc0bbe4b8d377a64.exe
1536	75756ae5f132368990d600e6884157b2ed9fd11879004e5adc0bbe4b8d377a64.exe
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2744
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

75756ae5f132368990d600e6884157b2ed9fd11879004e5adc0bbe4b8d377a64.exeA864.exe

pid process

1536 75756ae5f132368990d600e6884157b2ed9fd11879004e5adc0bbe4b8d377a64.exe
1368 A864.exe
2744
2744
2744
2744

pid	process
2744

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2744
Token: SeCreatePagefilePrivilege	2744
Token: SeShutdownPrivilege	2744
Token: SeCreatePagefilePrivilege	2744
Token: SeShutdownPrivilege	2744
Token: SeCreatePagefilePrivilege	2744
Token: SeShutdownPrivilege	2744
Token: SeCreatePagefilePrivilege	2744
Token: SeShutdownPrivilege	2744
Token: SeCreatePagefilePrivilege	2744
Token: SeShutdownPrivilege	2744
Token: SeCreatePagefilePrivilege	2744
Token: SeShutdownPrivilege	2744
Token: SeCreatePagefilePrivilege	2744
Token: SeShutdownPrivilege	2744
Token: SeCreatePagefilePrivilege	2744
Token: SeShutdownPrivilege	2744
Token: SeCreatePagefilePrivilege	2744
Token: SeShutdownPrivilege	2744
Token: SeCreatePagefilePrivilege	2744
Token: SeShutdownPrivilege	2744
Token: SeCreatePagefilePrivilege	2744

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EEF4.exe1039.exeFEF2.exerovwer.exeEEF4.exe13E3.exe

description	pid	process	target process
PID 2744 wrote to memory of 2356	2744		EEF4.exe
PID 2744 wrote to memory of 2356	2744		EEF4.exe
PID 2744 wrote to memory of 2356	2744		EEF4.exe
PID 2744 wrote to memory of 3772	2744		FEF2.exe
PID 2744 wrote to memory of 3772	2744		FEF2.exe
PID 2744 wrote to memory of 3772	2744		FEF2.exe
PID 2744 wrote to memory of 1756	2744		1039.exe
PID 2744 wrote to memory of 1756	2744		1039.exe
PID 2744 wrote to memory of 1756	2744		1039.exe
PID 2356 wrote to memory of 3828	2356	EEF4.exe	EEF4.exe
PID 2356 wrote to memory of 3828	2356	EEF4.exe	EEF4.exe
PID 2356 wrote to memory of 3828	2356	EEF4.exe	EEF4.exe
PID 2356 wrote to memory of 3828	2356	EEF4.exe	EEF4.exe
PID 2356 wrote to memory of 3828	2356	EEF4.exe	EEF4.exe
PID 2356 wrote to memory of 3828	2356	EEF4.exe	EEF4.exe
PID 2356 wrote to memory of 3828	2356	EEF4.exe	EEF4.exe
PID 2356 wrote to memory of 3828	2356	EEF4.exe	EEF4.exe
PID 2356 wrote to memory of 3828	2356	EEF4.exe	EEF4.exe
PID 2356 wrote to memory of 3828	2356	EEF4.exe	EEF4.exe
PID 1756 wrote to memory of 932	1756	1039.exe	rovwer.exe
PID 1756 wrote to memory of 932	1756	1039.exe	rovwer.exe
PID 1756 wrote to memory of 932	1756	1039.exe	rovwer.exe
PID 3772 wrote to memory of 884	3772	FEF2.exe	rovwer.exe
PID 3772 wrote to memory of 884	3772	FEF2.exe	rovwer.exe
PID 3772 wrote to memory of 884	3772	FEF2.exe	rovwer.exe
PID 2744 wrote to memory of 4920	2744		8FBB.exe
PID 2744 wrote to memory of 4920	2744		8FBB.exe
PID 2744 wrote to memory of 4920	2744		8FBB.exe
PID 2744 wrote to memory of 1368	2744		A864.exe
PID 2744 wrote to memory of 1368	2744		A864.exe
PID 2744 wrote to memory of 1368	2744		A864.exe
PID 2744 wrote to memory of 3964	2744		BCD8.exe
PID 2744 wrote to memory of 3964	2744		BCD8.exe
PID 2744 wrote to memory of 3964	2744		BCD8.exe
PID 932 wrote to memory of 4056	932	rovwer.exe	schtasks.exe
PID 932 wrote to memory of 4056	932	rovwer.exe	schtasks.exe
PID 932 wrote to memory of 4056	932	rovwer.exe	schtasks.exe
PID 2744 wrote to memory of 2524	2744		regsvr32.exe
PID 2744 wrote to memory of 2524	2744		regsvr32.exe
PID 3828 wrote to memory of 1692	3828	EEF4.exe	icacls.exe
PID 3828 wrote to memory of 1692	3828	EEF4.exe	icacls.exe
PID 3828 wrote to memory of 1692	3828	EEF4.exe	icacls.exe
PID 2744 wrote to memory of 4520	2744		13E3.exe
PID 2744 wrote to memory of 4520	2744		13E3.exe
PID 2744 wrote to memory of 4520	2744		13E3.exe
PID 2744 wrote to memory of 1224	2744		explorer.exe
PID 2744 wrote to memory of 1224	2744		explorer.exe
PID 2744 wrote to memory of 1224	2744		explorer.exe
PID 2744 wrote to memory of 1224	2744		explorer.exe
PID 2744 wrote to memory of 392	2744		explorer.exe
PID 2744 wrote to memory of 392	2744		explorer.exe
PID 2744 wrote to memory of 392	2744		explorer.exe
PID 3828 wrote to memory of 2204	3828	EEF4.exe	EEF4.exe
PID 3828 wrote to memory of 2204	3828	EEF4.exe	EEF4.exe
PID 3828 wrote to memory of 2204	3828	EEF4.exe	EEF4.exe
PID 4520 wrote to memory of 1652	4520	13E3.exe	13E3.exe
PID 4520 wrote to memory of 1652	4520	13E3.exe	13E3.exe
PID 4520 wrote to memory of 1652	4520	13E3.exe	13E3.exe
PID 4520 wrote to memory of 1652	4520	13E3.exe	13E3.exe
PID 4520 wrote to memory of 1652	4520	13E3.exe	13E3.exe
PID 4520 wrote to memory of 1652	4520	13E3.exe	13E3.exe
PID 4520 wrote to memory of 1652	4520	13E3.exe	13E3.exe
PID 4520 wrote to memory of 1652	4520	13E3.exe	13E3.exe
PID 4520 wrote to memory of 1652	4520	13E3.exe	13E3.exe

C:\Users\Admin\AppData\Local\Temp\75756ae5f132368990d600e6884157b2ed9fd11879004e5adc0bbe4b8d377a64.exe
"C:\Users\Admin\AppData\Local\Temp\75756ae5f132368990d600e6884157b2ed9fd11879004e5adc0bbe4b8d377a64.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1536

C:\Users\Admin\AppData\Local\Temp\EEF4.exe
C:\Users\Admin\AppData\Local\Temp\EEF4.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\EEF4.exe
C:\Users\Admin\AppData\Local\Temp\EEF4.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\30e52547-22cd-494e-8178-185a5e1aa46c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1692

C:\Users\Admin\AppData\Local\Temp\EEF4.exe
"C:\Users\Admin\AppData\Local\Temp\EEF4.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2204

C:\Users\Admin\AppData\Local\Temp\EEF4.exe
"C:\Users\Admin\AppData\Local\Temp\EEF4.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:1460

C:\Users\Admin\AppData\Local\Temp\FEF2.exe
C:\Users\Admin\AppData\Local\Temp\FEF2.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3772

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
2⤵
- Executes dropped EXE
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 420
3⤵
- Program crash
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 900
2⤵
- Program crash
PID:3776

C:\Users\Admin\AppData\Local\Temp\1039.exe
C:\Users\Admin\AppData\Local\Temp\1039.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1140
2⤵
- Program crash
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3772 -ip 3772
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1756 -ip 1756
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 884 -ip 884
1⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\8FBB.exe
C:\Users\Admin\AppData\Local\Temp\8FBB.exe
1⤵
- Executes dropped EXE
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 344
2⤵
- Program crash
PID:3144

C:\Users\Admin\AppData\Local\Temp\A864.exe
C:\Users\Admin\AppData\Local\Temp\A864.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1368

C:\Users\Admin\AppData\Local\Temp\BCD8.exe
C:\Users\Admin\AppData\Local\Temp\BCD8.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 344
2⤵
- Program crash
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3964 -ip 3964
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4920 -ip 4920
1⤵
PID:1160

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CA56.dll
1⤵
PID:2524

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\CA56.dll
2⤵
- Loads dropped DLL
PID:4772

C:\Users\Admin\AppData\Local\Temp\13E3.exe
C:\Users\Admin\AppData\Local\Temp\13E3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4520

C:\Users\Admin\AppData\Local\Temp\13E3.exe
C:\Users\Admin\AppData\Local\Temp\13E3.exe
2⤵
- Executes dropped EXE
PID:1652

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1224

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\30e52547-22cd-494e-8178-185a5e1aa46c\EEF4.exe
Filesize
666KB

MD5
48d297bfd2e885dc24ecb4905db4482a

SHA1
208f24f50ae748a002a5497f88abecf0e9f1dc3e

SHA256
e237ff774cc5374a2ca6d281835cc7dcedcc3f9edbe60f9a0cab7432a8349af2

SHA512
e1cc0850bb18cc1bd6116c0472a24b54d694319930cbe0468ee2face51f3890077aa32807d4c33d5efec94fd2b1b1eee3dc0193efb64762587354e047d84fe42

Download Submit
C:\Users\Admin\AppData\Local\Temp\1039.exe
Filesize
313KB

MD5
c42d13fbc2efd907113054c91ff86130

SHA1
6dc92133c1410be4d4911b7ae934e8c4a6d050af

SHA256
76153e0e8d619392a7b5dd5334cd7900e2fcfac29e23d64489d167321ff9eee0

SHA512
6a5e8c3437638423a7ff354970ea93fd840c1c840843f0c7168ef517e53d63d9712f1972ece0a9c3d0abca7c1e6d2cbbe72fcfaf4296cee9a9b6a83eaeb7a552

Download Submit
C:\Users\Admin\AppData\Local\Temp\1039.exe
Filesize
313KB

MD5
c42d13fbc2efd907113054c91ff86130

SHA1
6dc92133c1410be4d4911b7ae934e8c4a6d050af

SHA256
76153e0e8d619392a7b5dd5334cd7900e2fcfac29e23d64489d167321ff9eee0

SHA512
6a5e8c3437638423a7ff354970ea93fd840c1c840843f0c7168ef517e53d63d9712f1972ece0a9c3d0abca7c1e6d2cbbe72fcfaf4296cee9a9b6a83eaeb7a552

Download Submit
C:\Users\Admin\AppData\Local\Temp\13E3.exe
Filesize
2.0MB

MD5
47ad5d71dcd38f85253d882d93c04906

SHA1
941ef208fb34ff9a3b25f7a325fcd0a44eacaaaf

SHA256
6ba14148ff3ce0ee93f4d2641677ac454aa0187821cba41c8eb03212a8c04fe2

SHA512
75291bdf369e90b76d7c15a45c3532f751e82a7acde205af1c019775e1138833cea32652fe940cc98e3a491f2c3677c45d58933c7e2ea55f089e99f2133dd0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\13E3.exe
Filesize
2.0MB

MD5
47ad5d71dcd38f85253d882d93c04906

SHA1
941ef208fb34ff9a3b25f7a325fcd0a44eacaaaf

SHA256
6ba14148ff3ce0ee93f4d2641677ac454aa0187821cba41c8eb03212a8c04fe2

SHA512
75291bdf369e90b76d7c15a45c3532f751e82a7acde205af1c019775e1138833cea32652fe940cc98e3a491f2c3677c45d58933c7e2ea55f089e99f2133dd0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
204KB

MD5
7a08dddaf46824ff249224fd48591b18

SHA1
86a4b189594ab64831622ac1e78718dfba40cda8

SHA256
6d9852dec66703e9518cbafddff0e640f4b776bbf8a0cc3201eba942a7a7a3aa

SHA512
3680c88d3f3d41fcea155eec6a4c1d4e07ad055a8d84f678ee9c8895831256295ede48bb76a5857fc07590dece0965a2610710ed4869a083cbd4cea8ed70cd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
313KB

MD5
c42d13fbc2efd907113054c91ff86130

SHA1
6dc92133c1410be4d4911b7ae934e8c4a6d050af

SHA256
76153e0e8d619392a7b5dd5334cd7900e2fcfac29e23d64489d167321ff9eee0

SHA512
6a5e8c3437638423a7ff354970ea93fd840c1c840843f0c7168ef517e53d63d9712f1972ece0a9c3d0abca7c1e6d2cbbe72fcfaf4296cee9a9b6a83eaeb7a552

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
313KB

MD5
c42d13fbc2efd907113054c91ff86130

SHA1
6dc92133c1410be4d4911b7ae934e8c4a6d050af

SHA256
76153e0e8d619392a7b5dd5334cd7900e2fcfac29e23d64489d167321ff9eee0

SHA512
6a5e8c3437638423a7ff354970ea93fd840c1c840843f0c7168ef517e53d63d9712f1972ece0a9c3d0abca7c1e6d2cbbe72fcfaf4296cee9a9b6a83eaeb7a552

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
313KB

MD5
c42d13fbc2efd907113054c91ff86130

SHA1
6dc92133c1410be4d4911b7ae934e8c4a6d050af

SHA256
76153e0e8d619392a7b5dd5334cd7900e2fcfac29e23d64489d167321ff9eee0

SHA512
6a5e8c3437638423a7ff354970ea93fd840c1c840843f0c7168ef517e53d63d9712f1972ece0a9c3d0abca7c1e6d2cbbe72fcfaf4296cee9a9b6a83eaeb7a552

Download Submit
C:\Users\Admin\AppData\Local\Temp\8FBB.exe
Filesize
274KB

MD5
26ab12af334137fedf1961a421294abc

SHA1
f96fa14d035e6408d47093a85be5f6224ee250ed

SHA256
dc0c9b8a82e97a0275bae25dff21b46f3e8521a235cf7fea929fe3d2d4609e67

SHA512
c92afc703a810ed694f5d53c2f23225fc90698387ee9ab8d007bd27240a3c694b42517015b331f487c041dff4bd52684bc16f1bbdfe3a7ac5851a7627529ef25

Download Submit
C:\Users\Admin\AppData\Local\Temp\8FBB.exe
Filesize
274KB

MD5
26ab12af334137fedf1961a421294abc

SHA1
f96fa14d035e6408d47093a85be5f6224ee250ed

SHA256
dc0c9b8a82e97a0275bae25dff21b46f3e8521a235cf7fea929fe3d2d4609e67

SHA512
c92afc703a810ed694f5d53c2f23225fc90698387ee9ab8d007bd27240a3c694b42517015b331f487c041dff4bd52684bc16f1bbdfe3a7ac5851a7627529ef25

Download Submit
C:\Users\Admin\AppData\Local\Temp\A864.exe
Filesize
146KB

MD5
e1468e32cf1a04ec14d141b82fbd3065

SHA1
06f115935da170c2d583a9fa3be2f3d1c0be7813

SHA256
c890a4c18c9c00cb14063f53c3e7c1298422122c1983008e5116c1031ac2b368

SHA512
946c15e71c105aa3293c4fcffadc56ed478af91745406d431a4c47f0add7265f6bdadb43c9c0f4ca9cb72ff025d3618e2cc67747cdbda9448b13cab00e33fcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\A864.exe
Filesize
146KB

MD5
e1468e32cf1a04ec14d141b82fbd3065

SHA1
06f115935da170c2d583a9fa3be2f3d1c0be7813

SHA256
c890a4c18c9c00cb14063f53c3e7c1298422122c1983008e5116c1031ac2b368

SHA512
946c15e71c105aa3293c4fcffadc56ed478af91745406d431a4c47f0add7265f6bdadb43c9c0f4ca9cb72ff025d3618e2cc67747cdbda9448b13cab00e33fcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCD8.exe
Filesize
274KB

MD5
29a373c2434df5c3203864edadf0142e

SHA1
06eeaf59c220156007f491e6d5c158ef8cbe39da

SHA256
278234b6fac8082ce18f4898067337c0933d8b604a90694c8d30e7d7eab23d48

SHA512
2580ecc59623888e9de48a2a3dda5ab6d89d3f8e4f9ba6e0a6e1f8fe6bc9d9bccb2d4f7f6278f362e8bc5993135ed19dad99231f854971cb2a9d5163d7a5cd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCD8.exe
Filesize
274KB

MD5
29a373c2434df5c3203864edadf0142e

SHA1
06eeaf59c220156007f491e6d5c158ef8cbe39da

SHA256
278234b6fac8082ce18f4898067337c0933d8b604a90694c8d30e7d7eab23d48

SHA512
2580ecc59623888e9de48a2a3dda5ab6d89d3f8e4f9ba6e0a6e1f8fe6bc9d9bccb2d4f7f6278f362e8bc5993135ed19dad99231f854971cb2a9d5163d7a5cd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA56.dll
Filesize
2.2MB

MD5
c5b915ef4725ee4ad0229e053dad05d4

SHA1
032fb4cef8ee63d527e98dadf4cdf94c707e1005

SHA256
7a1505d85c64361dfded962e654d6293bf610cd18a3c2683f2ea24bcf99d61db

SHA512
763abbadec6389c9421730f21217b18fc3136147885c91f04ea236bbe346e250e87589599499c339d502e71d69c85612b0469d00a198eac41dad50f9c33d8603

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA56.dll
Filesize
2.2MB

MD5
c5b915ef4725ee4ad0229e053dad05d4

SHA1
032fb4cef8ee63d527e98dadf4cdf94c707e1005

SHA256
7a1505d85c64361dfded962e654d6293bf610cd18a3c2683f2ea24bcf99d61db

SHA512
763abbadec6389c9421730f21217b18fc3136147885c91f04ea236bbe346e250e87589599499c339d502e71d69c85612b0469d00a198eac41dad50f9c33d8603

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA56.dll
Filesize
2.2MB

MD5
c5b915ef4725ee4ad0229e053dad05d4

SHA1
032fb4cef8ee63d527e98dadf4cdf94c707e1005

SHA256
7a1505d85c64361dfded962e654d6293bf610cd18a3c2683f2ea24bcf99d61db

SHA512
763abbadec6389c9421730f21217b18fc3136147885c91f04ea236bbe346e250e87589599499c339d502e71d69c85612b0469d00a198eac41dad50f9c33d8603

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEF4.exe
Filesize
666KB

MD5
48d297bfd2e885dc24ecb4905db4482a

SHA1
208f24f50ae748a002a5497f88abecf0e9f1dc3e

SHA256
e237ff774cc5374a2ca6d281835cc7dcedcc3f9edbe60f9a0cab7432a8349af2

SHA512
e1cc0850bb18cc1bd6116c0472a24b54d694319930cbe0468ee2face51f3890077aa32807d4c33d5efec94fd2b1b1eee3dc0193efb64762587354e047d84fe42

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEF4.exe
Filesize
666KB

MD5
48d297bfd2e885dc24ecb4905db4482a

SHA1
208f24f50ae748a002a5497f88abecf0e9f1dc3e

SHA256
e237ff774cc5374a2ca6d281835cc7dcedcc3f9edbe60f9a0cab7432a8349af2

SHA512
e1cc0850bb18cc1bd6116c0472a24b54d694319930cbe0468ee2face51f3890077aa32807d4c33d5efec94fd2b1b1eee3dc0193efb64762587354e047d84fe42

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEF4.exe
Filesize
666KB

MD5
48d297bfd2e885dc24ecb4905db4482a

SHA1
208f24f50ae748a002a5497f88abecf0e9f1dc3e

SHA256
e237ff774cc5374a2ca6d281835cc7dcedcc3f9edbe60f9a0cab7432a8349af2

SHA512
e1cc0850bb18cc1bd6116c0472a24b54d694319930cbe0468ee2face51f3890077aa32807d4c33d5efec94fd2b1b1eee3dc0193efb64762587354e047d84fe42

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEF4.exe
Filesize
666KB

MD5
48d297bfd2e885dc24ecb4905db4482a

SHA1
208f24f50ae748a002a5497f88abecf0e9f1dc3e

SHA256
e237ff774cc5374a2ca6d281835cc7dcedcc3f9edbe60f9a0cab7432a8349af2

SHA512
e1cc0850bb18cc1bd6116c0472a24b54d694319930cbe0468ee2face51f3890077aa32807d4c33d5efec94fd2b1b1eee3dc0193efb64762587354e047d84fe42

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEF4.exe
Filesize
666KB

MD5
48d297bfd2e885dc24ecb4905db4482a

SHA1
208f24f50ae748a002a5497f88abecf0e9f1dc3e

SHA256
e237ff774cc5374a2ca6d281835cc7dcedcc3f9edbe60f9a0cab7432a8349af2

SHA512
e1cc0850bb18cc1bd6116c0472a24b54d694319930cbe0468ee2face51f3890077aa32807d4c33d5efec94fd2b1b1eee3dc0193efb64762587354e047d84fe42

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEF2.exe
Filesize
204KB

MD5
7a08dddaf46824ff249224fd48591b18

SHA1
86a4b189594ab64831622ac1e78718dfba40cda8

SHA256
6d9852dec66703e9518cbafddff0e640f4b776bbf8a0cc3201eba942a7a7a3aa

SHA512
3680c88d3f3d41fcea155eec6a4c1d4e07ad055a8d84f678ee9c8895831256295ede48bb76a5857fc07590dece0965a2610710ed4869a083cbd4cea8ed70cd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEF2.exe
Filesize
204KB

MD5
7a08dddaf46824ff249224fd48591b18

SHA1
86a4b189594ab64831622ac1e78718dfba40cda8

SHA256
6d9852dec66703e9518cbafddff0e640f4b776bbf8a0cc3201eba942a7a7a3aa

SHA512
3680c88d3f3d41fcea155eec6a4c1d4e07ad055a8d84f678ee9c8895831256295ede48bb76a5857fc07590dece0965a2610710ed4869a083cbd4cea8ed70cd46

Download Submit
memory/392-210-0x0000000000EB0000-0x0000000000EBC000-memory.dmp

Filesize
48KB

Download
memory/392-203-0x0000000000EC0000-0x0000000000EC7000-memory.dmp

Filesize
28KB

Download
memory/392-201-0x0000000000000000-mapping.dmp

Download
memory/884-164-0x0000000000000000-mapping.dmp

Download
memory/884-170-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/884-169-0x0000000000630000-0x000000000064F000-memory.dmp

Filesize
124KB

Download
memory/932-174-0x00000000006EC000-0x000000000070B000-memory.dmp

Filesize
124KB

Download
memory/932-163-0x0000000000000000-mapping.dmp

Download
memory/932-172-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/932-171-0x00000000006EC000-0x000000000070B000-memory.dmp

Filesize
124KB

Download
memory/1224-200-0x0000000000000000-mapping.dmp

Download
memory/1224-214-0x00000000012B0000-0x000000000131B000-memory.dmp

Filesize
428KB

Download
memory/1224-217-0x0000000001320000-0x0000000001395000-memory.dmp

Filesize
468KB

Download
memory/1368-177-0x0000000000000000-mapping.dmp

Download
memory/1368-196-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1368-188-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1368-187-0x0000000000490000-0x0000000000499000-memory.dmp

Filesize
36KB

Download
memory/1368-186-0x00000000005BD000-0x00000000005CD000-memory.dmp

Filesize
64KB

Download
memory/1460-227-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1460-225-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1460-222-0x0000000000000000-mapping.dmp

Download
memory/1536-133-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/1536-134-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1536-132-0x00000000007CD000-0x00000000007DD000-memory.dmp

Filesize
64KB

Download
memory/1536-136-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1536-135-0x00000000007CD000-0x00000000007DD000-memory.dmp

Filesize
64KB

Download
memory/1652-204-0x0000000000000000-mapping.dmp

Download
memory/1652-218-0x0000000000400000-0x00000000007DC000-memory.dmp

Filesize
3.9MB

Download
memory/1652-205-0x0000000000400000-0x00000000007DC000-memory.dmp

Filesize
3.9MB

Download
memory/1652-207-0x0000000000400000-0x00000000007DC000-memory.dmp

Filesize
3.9MB

Download
memory/1652-211-0x0000000000400000-0x00000000007DC000-memory.dmp

Filesize
3.9MB

Download
memory/1692-195-0x0000000000000000-mapping.dmp

Download
memory/1756-158-0x00000000006B0000-0x00000000006EE000-memory.dmp

Filesize
248KB

Download
memory/1756-156-0x000000000070D000-0x000000000072C000-memory.dmp

Filesize
124KB

Download
memory/1756-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1756-145-0x0000000000000000-mapping.dmp

Download
memory/1756-167-0x000000000070D000-0x000000000072C000-memory.dmp

Filesize
124KB

Download
memory/1756-159-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2204-213-0x0000000000000000-mapping.dmp

Download
memory/2204-226-0x0000000001FD6000-0x0000000002068000-memory.dmp

Filesize
584KB

Download
memory/2356-148-0x000000000203E000-0x00000000020D0000-memory.dmp

Filesize
584KB

Download
memory/2356-149-0x0000000002260000-0x000000000237B000-memory.dmp

Filesize
1.1MB

Download
memory/2356-137-0x0000000000000000-mapping.dmp

Download
memory/2524-194-0x0000000000000000-mapping.dmp

Download
memory/3772-143-0x00000000007FD000-0x000000000081C000-memory.dmp

Filesize
124KB

Download
memory/3772-140-0x0000000000000000-mapping.dmp

Download
memory/3772-150-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3772-185-0x00000000007FD000-0x000000000081C000-memory.dmp

Filesize
124KB

Download
memory/3772-161-0x00000000007FD000-0x000000000081C000-memory.dmp

Filesize
124KB

Download
memory/3772-173-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3772-144-0x00000000005B0000-0x00000000005EE000-memory.dmp

Filesize
248KB

Download
memory/3828-152-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3828-151-0x0000000000000000-mapping.dmp

Download
memory/3828-157-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3828-155-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3828-160-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3828-216-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3964-190-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3964-189-0x00000000006CD000-0x00000000006E2000-memory.dmp

Filesize
84KB

Download
memory/3964-179-0x0000000000000000-mapping.dmp

Download
memory/4056-181-0x0000000000000000-mapping.dmp

Download
memory/4520-209-0x0000000004A7F000-0x0000000004C3A000-memory.dmp

Filesize
1.7MB

Download
memory/4520-212-0x0000000004C40000-0x000000000500F000-memory.dmp

Filesize
3.8MB

Download
memory/4520-197-0x0000000000000000-mapping.dmp

Download
memory/4772-221-0x00000000023B0000-0x00000000025EC000-memory.dmp

Filesize
2.2MB

Download
memory/4772-208-0x0000000000000000-mapping.dmp

Download
memory/4920-193-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4920-192-0x00000000006A0000-0x00000000006A9000-memory.dmp

Filesize
36KB

Download
memory/4920-191-0x000000000078D000-0x00000000007A2000-memory.dmp

Filesize
84KB

Download
memory/4920-175-0x0000000000000000-mapping.dmp

Download