amadey | b1a842303958fe6433b91b72bb6eb2fec34602cafe400e42ba42d591a5fbee47

Analysis

max time kernel
301s
max time network
259s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2023 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SetupSoft(x64,x32)/Setup_Soft.exe
Size

734.1MB
MD5

9d31e17b11395dc9b2e23b735e3fdb66
SHA1

163fa32c8564013c91caad6801c77b54df758f04
SHA256

94f41bb3d9a7a8b5e0fd58ad4e334d2c923a45cfb42a633b505bd94be8b2c127
SHA512

72fbe9173abb065f20409ce23ce3d3cc6af94468bfae9267926e6acb4203dc5d6fb7bac347c4c5d4ddb91aeff079bb3d87bbb3b2a355310723d6c76e4188b6dd
SSDEEP

98304:Y5I5x3omArylYOI5CAaT+dPas2Yv0zcBWc1fldTRwaykXf1DO4:15xqyoaT+dPB2mwq7T5bXf7

Score

10^/10

amadey dcrat redline smokeloader backdoor infostealer rat spyware stealer trojan upx

Malware Config

Extracted

Family

redline

95.216.252.182:4279

Attributes

auth_value
a909e2aaecf96137978fea4f86400b9b

Extracted

Family

amadey

Version

3.65

83.217.11.7/8vcWxwwx3/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 2 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

powershell.exeschtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\SystemCertificates\CA	powershell.exe
1040	schtasks.exe

Detects Smokeloader packer 3 IoCs

Processes:

resource	yara_rule
behavioral12/memory/1656-148-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral12/memory/1656-149-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral12/memory/1656-150-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

33 1860 powershell.exe
Downloads MZ/PE file

flow	pid	process
33	1860	powershell.exe

Executes dropped EXE 12 IoCs

Processes:

7E78.exe835B.exe8550.exenbveek.exenbveek.execook.exenbveek.exenbveek.exenbveek.exenbveek.exetwevwesnbveek.exe

pid	process
3484	7E78.exe
1344	835B.exe
936	8550.exe
3624	nbveek.exe
4532	nbveek.exe
4352	cook.exe
1988	nbveek.exe
544	nbveek.exe
1968	nbveek.exe
4160	nbveek.exe
716	twevwes
3420	nbveek.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\835B.exe	upx
C:\Users\Admin\AppData\Local\Temp\835B.exe	upx
behavioral12/memory/1344-178-0x0000000000950000-0x0000000001135000-memory.dmp	upx
behavioral12/memory/1344-193-0x0000000000950000-0x0000000001135000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\1000026001\cook.exe	upx
C:\Users\Admin\AppData\Local\Temp\1000026001\cook.exe	upx
behavioral12/memory/4352-239-0x0000000000C80000-0x0000000001465000-memory.dmp	upx
behavioral12/memory/4352-243-0x0000000000C80000-0x0000000001465000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8550.exenbveek.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	8550.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	nbveek.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

4368 rundll32.exe
3488 rundll32.exe
3956 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4368	rundll32.exe
3488	rundll32.exe
3956	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs

Processes:

powershell.exe

pid	process
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exe7E78.exenbveek.exenbveek.exe

description	pid	process	target process
PID 1860 set thread context of 1656	1860	powershell.exe	aspnet_compiler.exe
PID 3484 set thread context of 908	3484	7E78.exe	AppLaunch.exe
PID 3624 set thread context of 4532	3624	nbveek.exe	nbveek.exe
PID 4532 set thread context of 1556	4532	nbveek.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3760 3488 WerFault.exe rundll32.exe

pid	pid_target	process	target process
3760	3488	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aspnet_compiler.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aspnet_compiler.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aspnet_compiler.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1040 schtasks.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1148 taskkill.exe
4704 taskkill.exe
1656 taskkill.exe
3804 taskkill.exe
1852 taskkill.exe
4136 taskkill.exe
Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2504 NOTEPAD.EXE

pid	process
1040	schtasks.exe

pid	process
1148	taskkill.exe
4704	taskkill.exe
1656	taskkill.exe
3804	taskkill.exe
1852	taskkill.exe
4136	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings

pid	process
2504	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeaspnet_compiler.exe

pid	process
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1656	aspnet_compiler.exe
1656	aspnet_compiler.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2456
Suspicious behavior: MapViewOfSection 15 IoCs

Processes:

aspnet_compiler.exeexplorer.exe

pid process

1656 aspnet_compiler.exe
2456
2456
2456
2456
2456
2456
2456
2456
2456
2456
724 explorer.exe
724 explorer.exe
2456
2456

pid	process
2456

pid	process
1656	aspnet_compiler.exe
2456
2456
2456
2456
2456
2456
2456
2456
2456
2456
724	explorer.exe
724	explorer.exe
2456
2456

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeAppLaunch.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeDebugPrivilege	4704	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	4136	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	3804	taskkill.exe
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeDebugPrivilege	908	AppLaunch.exe
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeDebugPrivilege	1556	AppLaunch.exe
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456
Token: SeShutdownPrivilege	2456
Token: SeCreatePagefilePrivilege	2456

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup_Soft.exepowershell.execmd.exe7E78.exe8550.exenbveek.exe835B.execmd.execmd.exe

description	pid	process	target process
PID 3992 wrote to memory of 1860	3992	Setup_Soft.exe	powershell.exe
PID 3992 wrote to memory of 1860	3992	Setup_Soft.exe	powershell.exe
PID 3992 wrote to memory of 1860	3992	Setup_Soft.exe	powershell.exe
PID 1860 wrote to memory of 1656	1860	powershell.exe	aspnet_compiler.exe
PID 1860 wrote to memory of 1656	1860	powershell.exe	aspnet_compiler.exe
PID 1860 wrote to memory of 1656	1860	powershell.exe	aspnet_compiler.exe
PID 1860 wrote to memory of 1656	1860	powershell.exe	aspnet_compiler.exe
PID 1860 wrote to memory of 1656	1860	powershell.exe	aspnet_compiler.exe
PID 1860 wrote to memory of 1656	1860	powershell.exe	aspnet_compiler.exe
PID 2456 wrote to memory of 2504	2456		NOTEPAD.EXE
PID 2456 wrote to memory of 2504	2456		NOTEPAD.EXE
PID 2456 wrote to memory of 1304	2456		cmd.exe
PID 2456 wrote to memory of 1304	2456		cmd.exe
PID 1304 wrote to memory of 1968	1304	cmd.exe	cacls.exe
PID 1304 wrote to memory of 1968	1304	cmd.exe	cacls.exe
PID 1304 wrote to memory of 4072	1304	cmd.exe	powershell.exe
PID 1304 wrote to memory of 4072	1304	cmd.exe	powershell.exe
PID 2456 wrote to memory of 3484	2456		7E78.exe
PID 2456 wrote to memory of 3484	2456		7E78.exe
PID 2456 wrote to memory of 3484	2456		7E78.exe
PID 3484 wrote to memory of 908	3484	7E78.exe	AppLaunch.exe
PID 3484 wrote to memory of 908	3484	7E78.exe	AppLaunch.exe
PID 3484 wrote to memory of 908	3484	7E78.exe	AppLaunch.exe
PID 3484 wrote to memory of 908	3484	7E78.exe	AppLaunch.exe
PID 2456 wrote to memory of 1344	2456		835B.exe
PID 2456 wrote to memory of 1344	2456		835B.exe
PID 3484 wrote to memory of 908	3484	7E78.exe	AppLaunch.exe
PID 2456 wrote to memory of 936	2456		8550.exe
PID 2456 wrote to memory of 936	2456		8550.exe
PID 2456 wrote to memory of 936	2456		8550.exe
PID 2456 wrote to memory of 3164	2456		explorer.exe
PID 2456 wrote to memory of 3164	2456		explorer.exe
PID 2456 wrote to memory of 3164	2456		explorer.exe
PID 2456 wrote to memory of 3164	2456		explorer.exe
PID 936 wrote to memory of 3624	936	8550.exe	nbveek.exe
PID 936 wrote to memory of 3624	936	8550.exe	nbveek.exe
PID 936 wrote to memory of 3624	936	8550.exe	nbveek.exe
PID 2456 wrote to memory of 1100	2456		explorer.exe
PID 2456 wrote to memory of 1100	2456		explorer.exe
PID 2456 wrote to memory of 1100	2456		explorer.exe
PID 3624 wrote to memory of 1040	3624	nbveek.exe	schtasks.exe
PID 3624 wrote to memory of 1040	3624	nbveek.exe	schtasks.exe
PID 3624 wrote to memory of 1040	3624	nbveek.exe	schtasks.exe
PID 3624 wrote to memory of 5076	3624	nbveek.exe	cmd.exe
PID 3624 wrote to memory of 5076	3624	nbveek.exe	cmd.exe
PID 3624 wrote to memory of 5076	3624	nbveek.exe	cmd.exe
PID 1344 wrote to memory of 4084	1344	835B.exe	cmd.exe
PID 1344 wrote to memory of 4084	1344	835B.exe	cmd.exe
PID 5076 wrote to memory of 4568	5076	cmd.exe	cmd.exe
PID 5076 wrote to memory of 4568	5076	cmd.exe	cmd.exe
PID 5076 wrote to memory of 4568	5076	cmd.exe	cmd.exe
PID 2456 wrote to memory of 4340	2456		explorer.exe
PID 2456 wrote to memory of 4340	2456		explorer.exe
PID 2456 wrote to memory of 4340	2456		explorer.exe
PID 2456 wrote to memory of 4340	2456		explorer.exe
PID 5076 wrote to memory of 1960	5076	cmd.exe	cacls.exe
PID 5076 wrote to memory of 1960	5076	cmd.exe	cacls.exe
PID 5076 wrote to memory of 1960	5076	cmd.exe	cacls.exe
PID 5076 wrote to memory of 1628	5076	cmd.exe	cacls.exe
PID 5076 wrote to memory of 1628	5076	cmd.exe	cacls.exe
PID 5076 wrote to memory of 1628	5076	cmd.exe	cacls.exe
PID 4084 wrote to memory of 4308	4084	cmd.exe	choice.exe
PID 4084 wrote to memory of 4308	4084	cmd.exe	choice.exe
PID 1304 wrote to memory of 4144	1304	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\SetupSoft(x64,x32)\Setup_Soft.exe
"C:\Users\Admin\AppData\Local\Temp\SetupSoft(x64,x32)\Setup_Soft.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
  2⤵
  - DcRat
  - Blocklisted process makes network request
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1656

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\EnableAdd.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7B4A.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command Add-MpPreference -ExclusionPath C:\
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4072
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Policies\Google\chrome" /v DownloadRestrictions /t REG_DWORD /d 3
  2⤵
  PID:4144
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4704
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Telegram.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3804
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM brave.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Edge" /v DownloadRestrictions /t REG_DWORD /d 3
  2⤵
  PID:4132

C:\Users\Admin\AppData\Local\Temp\7E78.exe
C:\Users\Admin\AppData\Local\Temp\7E78.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:908

C:\Users\Admin\AppData\Local\Temp\835B.exe
C:\Users\Admin\AppData\Local\Temp\835B.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\835B.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 0
    3⤵
    PID:4308

C:\Users\Admin\AppData\Local\Temp\8550.exe
C:\Users\Admin\AppData\Local\Temp\8550.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
  "C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe" /F
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\8682d6c68d" /P "Admin:N"&&CACLS "..\8682d6c68d" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4568
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "nbveek.exe" /P "Admin:N"
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "nbveek.exe" /P "Admin:R" /E
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\8682d6c68d" /P "Admin:R" /E
      4⤵
      PID:4624
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\8682d6c68d" /P "Admin:N"
      4⤵
      PID:2428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:116
- - C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
    "C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4532
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1556
- - C:\Users\Admin\AppData\Local\Temp\1000026001\cook.exe
    "C:\Users\Admin\AppData\Local\Temp\1000026001\cook.exe"
    3⤵
    - Executes dropped EXE
    PID:4352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\1000026001\cook.exe
      4⤵
      PID:2092
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        5⤵
        
        PID:1692
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:4368
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3488
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3488 -s 688
        5⤵
        Program crash
        
        PID:3760
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8be7d7b3521979\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:3956

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3164

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1100

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4340

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1788

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:724

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
1⤵
- Executes dropped EXE
PID:1988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 432 -p 3488 -ip 3488
1⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
1⤵
- Executes dropped EXE
PID:544

C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
1⤵
- Executes dropped EXE
PID:4160

C:\Users\Admin\AppData\Roaming\twevwes
C:\Users\Admin\AppData\Roaming\twevwes
1⤵
- Executes dropped EXE
PID:716

C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
1⤵
- Executes dropped EXE
PID:3420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
2KB

MD5
09f87ebf033076d4019bf0a9ee1eb2e9

SHA1
b6f912c024056fd8b8353010f948dcbf3836e54a

SHA256
e9328bdf85ab57bacc3b598afe0f3f5da4bab5fbe43f60a8e11df110ecbb949a

SHA512
c7fd8c5b4a770a85c96da0b4dda5953398456f0d5ed9164b0d795835b338e6e5bb194dbfdde25372813e651730da3ccbd4eacd18f9a8524aa804209fb38d5618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
3337d66209faa998d52d781d0ff2d804

SHA1
6594b85a70f998f79f43cdf1ca56137997534156

SHA256
9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

SHA512
8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000026001\cook.exe

Filesize
2.4MB

MD5
c8d41bff43978aa92a111ac2cc975611

SHA1
53909ac1ad9f0af169ce89b53e75e06c005b525a

SHA256
19b67847a3eba01bee3a6f8473698d00e1e2d8085e8e92dbb273ad3c6569b1ba

SHA512
212f8f26b2d68397def91e29af51f29b468190a1bcfd8aa3a186b9ec766d6cc7c45d68f6cdaf2551fffcb18dcc2ebd70b449aec80e633d905afdaa9671e5dd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000026001\cook.exe

Filesize
2.4MB

MD5
c8d41bff43978aa92a111ac2cc975611

SHA1
53909ac1ad9f0af169ce89b53e75e06c005b525a

SHA256
19b67847a3eba01bee3a6f8473698d00e1e2d8085e8e92dbb273ad3c6569b1ba

SHA512
212f8f26b2d68397def91e29af51f29b468190a1bcfd8aa3a186b9ec766d6cc7c45d68f6cdaf2551fffcb18dcc2ebd70b449aec80e633d905afdaa9671e5dd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B4A.bat

Filesize
998B

MD5
03ad944d6ba8497c2e69598371b03852

SHA1
fd768cc75ac280b6c0275ee97320916fcc6737a8

SHA256
fc5cd844cdaa40e4f8a522316fcc1d1120877014490aa20a2e0555064fea05fe

SHA512
6ae9f80aa827dfbadaa8f5ab6862beb2d1f937ba9135a180bcf278b1d364ff998eb99f4e8f2cd4f1c61370fdcdab6ce03aebf3d2dc046724aa35e34cc059ef00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E78.exe

Filesize
276KB

MD5
c220488eb5cf2dc2c98735314f2d02ee

SHA1
c14201b84b30c56647ecde5b1e388c09f58f7a5b

SHA256
a44b73e8d5d9d8caf9bda215d9c5e03fe4437677ee05bfbf9c5f577f8e35d738

SHA512
42304b588dfa5e6682138b8c67501b3fd96119495563da7c40c6c24d3461767696db6f7b03559de4959d994be3fbf563fb00396ec2bba2b5b35f9a4cc3ebdbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E78.exe

Filesize
276KB

MD5
c220488eb5cf2dc2c98735314f2d02ee

SHA1
c14201b84b30c56647ecde5b1e388c09f58f7a5b

SHA256
a44b73e8d5d9d8caf9bda215d9c5e03fe4437677ee05bfbf9c5f577f8e35d738

SHA512
42304b588dfa5e6682138b8c67501b3fd96119495563da7c40c6c24d3461767696db6f7b03559de4959d994be3fbf563fb00396ec2bba2b5b35f9a4cc3ebdbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\835B.exe

Filesize
2.4MB

MD5
c8d41bff43978aa92a111ac2cc975611

SHA1
53909ac1ad9f0af169ce89b53e75e06c005b525a

SHA256
19b67847a3eba01bee3a6f8473698d00e1e2d8085e8e92dbb273ad3c6569b1ba

SHA512
212f8f26b2d68397def91e29af51f29b468190a1bcfd8aa3a186b9ec766d6cc7c45d68f6cdaf2551fffcb18dcc2ebd70b449aec80e633d905afdaa9671e5dd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\835B.exe

Filesize
2.4MB

MD5
c8d41bff43978aa92a111ac2cc975611

SHA1
53909ac1ad9f0af169ce89b53e75e06c005b525a

SHA256
19b67847a3eba01bee3a6f8473698d00e1e2d8085e8e92dbb273ad3c6569b1ba

SHA512
212f8f26b2d68397def91e29af51f29b468190a1bcfd8aa3a186b9ec766d6cc7c45d68f6cdaf2551fffcb18dcc2ebd70b449aec80e633d905afdaa9671e5dd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8550.exe

Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8550.exe

Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe

Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe

Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe

Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe

Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe

Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe

Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe

Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe

Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Roaming\8be7d7b3521979\clip64.dll

Filesize
89KB

MD5
8ee29b714ba490ec4a0828816f15ed4f

SHA1
0556df48a668c35c6611ffce1425f1d9e89d0cd7

SHA256
fff252c139b136ba131fab2db7880c79856d39fce2e9d0d15cd19de8f4b52bc5

SHA512
df90bb9497ff20f13c4d19324af91ec9f6bbf3f9b5055e24e3bae0f77c7df6db58384bff8dbdd88104c05e7c586c489968bcb6b3ef86436704aa4cd2f5c8acc8

Download Submit
C:\Users\Admin\AppData\Roaming\8be7d7b3521979\clip64.dll

Filesize
89KB

MD5
8ee29b714ba490ec4a0828816f15ed4f

SHA1
0556df48a668c35c6611ffce1425f1d9e89d0cd7

SHA256
fff252c139b136ba131fab2db7880c79856d39fce2e9d0d15cd19de8f4b52bc5

SHA512
df90bb9497ff20f13c4d19324af91ec9f6bbf3f9b5055e24e3bae0f77c7df6db58384bff8dbdd88104c05e7c586c489968bcb6b3ef86436704aa4cd2f5c8acc8

Download Submit
C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll

Filesize
1.0MB

MD5
8e524997f4a2265864cd0b6c4cc450d8

SHA1
234ac78268e7a35d8ca995289f4a8dc27aa1c443

SHA256
95192297102c514f23926e934b0981c8aa8d42195f941a44c49cde1a21a809b0

SHA512
504872731cb14e3b643d039e39f00881be0cf1ba97f8e0077b2a6429f608f05b582531c52e4fa456661da9dade3e1b9f5c9b62326fb03d7b4636ea1db630c6ea

Download Submit
C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll

Filesize
1.0MB

MD5
8e524997f4a2265864cd0b6c4cc450d8

SHA1
234ac78268e7a35d8ca995289f4a8dc27aa1c443

SHA256
95192297102c514f23926e934b0981c8aa8d42195f941a44c49cde1a21a809b0

SHA512
504872731cb14e3b643d039e39f00881be0cf1ba97f8e0077b2a6429f608f05b582531c52e4fa456661da9dade3e1b9f5c9b62326fb03d7b4636ea1db630c6ea

Download Submit
C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll

Filesize
1.0MB

MD5
8e524997f4a2265864cd0b6c4cc450d8

SHA1
234ac78268e7a35d8ca995289f4a8dc27aa1c443

SHA256
95192297102c514f23926e934b0981c8aa8d42195f941a44c49cde1a21a809b0

SHA512
504872731cb14e3b643d039e39f00881be0cf1ba97f8e0077b2a6429f608f05b582531c52e4fa456661da9dade3e1b9f5c9b62326fb03d7b4636ea1db630c6ea

Download Submit
C:\Users\Admin\AppData\Roaming\twevwes

Filesize
55KB

MD5
fda8c8f2a4e100afb14c13dfcbcab2d2

SHA1
19dfd86294c4a525ba21c6af77681b2a9bbecb55

SHA256
99a2c778c9a6486639d0aff1a7d2d494c2b0dc4c7913ebcb7bfea50a2f1d0b09

SHA512
94f0ace37cae77be9935cf4fc8aaa94691343d3b38de5e16c663b902c220bff513cd02256c7af2d815a23dd30439582ddbb0880009c76bbf36ff8fbc1a6ddc18

Download Submit
C:\Users\Admin\AppData\Roaming\twevwes

Filesize
55KB

MD5
fda8c8f2a4e100afb14c13dfcbcab2d2

SHA1
19dfd86294c4a525ba21c6af77681b2a9bbecb55

SHA256
99a2c778c9a6486639d0aff1a7d2d494c2b0dc4c7913ebcb7bfea50a2f1d0b09

SHA512
94f0ace37cae77be9935cf4fc8aaa94691343d3b38de5e16c663b902c220bff513cd02256c7af2d815a23dd30439582ddbb0880009c76bbf36ff8fbc1a6ddc18

Download Submit
memory/116-203-0x0000000000000000-mapping.dmp

Download
memory/716-291-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/724-252-0x0000000001240000-0x0000000001247000-memory.dmp

Filesize
28KB

Download
memory/724-222-0x0000000000000000-mapping.dmp

Download
memory/724-226-0x0000000001230000-0x000000000123D000-memory.dmp

Filesize
52KB

Download
memory/724-237-0x0000000001240000-0x0000000001247000-memory.dmp

Filesize
28KB

Download
memory/868-241-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/868-253-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/868-236-0x0000000000000000-mapping.dmp

Download
memory/868-240-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/908-168-0x0000000000422000-0x000000000043D000-memory.dmp

Filesize
108KB

Download
memory/908-182-0x0000000004900000-0x0000000004912000-memory.dmp

Filesize
72KB

Download
memory/908-247-0x0000000008340000-0x000000000886C000-memory.dmp

Filesize
5.2MB

Download
memory/908-183-0x0000000004960000-0x000000000499C000-memory.dmp

Filesize
240KB

Download
memory/908-246-0x00000000065D0000-0x0000000006792000-memory.dmp

Filesize
1.8MB

Download
memory/908-181-0x0000000004A10000-0x0000000004B1A000-memory.dmp

Filesize
1.0MB

Download
memory/908-169-0x0000000000420000-0x0000000000452000-memory.dmp

Filesize
200KB

Download
memory/908-179-0x0000000004EE0000-0x00000000054F8000-memory.dmp

Filesize
6.1MB

Download
memory/908-166-0x0000000000000000-mapping.dmp

Download
memory/936-175-0x0000000000000000-mapping.dmp

Download
memory/1040-190-0x0000000000000000-mapping.dmp

Download
memory/1100-194-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

Filesize
24KB

Download
memory/1100-195-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/1100-249-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

Filesize
24KB

Download
memory/1100-189-0x0000000000000000-mapping.dmp

Download
memory/1148-208-0x0000000000000000-mapping.dmp

Download
memory/1304-152-0x0000000000000000-mapping.dmp

Download
memory/1344-170-0x0000000000000000-mapping.dmp

Download
memory/1344-178-0x0000000000950000-0x0000000001135000-memory.dmp

Filesize
7.9MB

Download
memory/1344-193-0x0000000000950000-0x0000000001135000-memory.dmp

Filesize
7.9MB

Download
memory/1556-230-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1556-229-0x0000000000000000-mapping.dmp

Download
memory/1628-200-0x0000000000000000-mapping.dmp

Download
memory/1656-148-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1656-211-0x0000000000000000-mapping.dmp

Download
memory/1656-147-0x0000000000000000-mapping.dmp

Download
memory/1656-149-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1656-150-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1692-244-0x0000000000000000-mapping.dmp

Download
memory/1788-223-0x0000000000C30000-0x0000000000C3B000-memory.dmp

Filesize
44KB

Download
memory/1788-221-0x0000000000C40000-0x0000000000C46000-memory.dmp

Filesize
24KB

Download
memory/1788-214-0x0000000000000000-mapping.dmp

Download
memory/1788-251-0x0000000000C40000-0x0000000000C46000-memory.dmp

Filesize
24KB

Download
memory/1852-210-0x0000000000000000-mapping.dmp

Download
memory/1860-140-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/1860-137-0x0000000002680000-0x00000000026B6000-memory.dmp

Filesize
216KB

Download
memory/1860-141-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/1860-142-0x0000000006040000-0x000000000605E000-memory.dmp

Filesize
120KB

Download
memory/1860-143-0x0000000006FA0000-0x0000000006FE4000-memory.dmp

Filesize
272KB

Download
memory/1860-144-0x0000000007330000-0x00000000073A6000-memory.dmp

Filesize
472KB

Download
memory/1860-136-0x0000000000000000-mapping.dmp

Download
memory/1860-139-0x0000000005010000-0x0000000005032000-memory.dmp

Filesize
136KB

Download
memory/1860-138-0x00000000050A0000-0x00000000056C8000-memory.dmp

Filesize
6.2MB

Download
memory/1860-146-0x00000000073D0000-0x00000000073EA000-memory.dmp

Filesize
104KB

Download
memory/1860-145-0x0000000007A30000-0x00000000080AA000-memory.dmp

Filesize
6.5MB

Download
memory/1960-199-0x0000000000000000-mapping.dmp

Download
memory/1968-154-0x0000000000000000-mapping.dmp

Download
memory/2092-242-0x0000000000000000-mapping.dmp

Download
memory/2428-204-0x0000000000000000-mapping.dmp

Download
memory/2456-266-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2456-271-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2456-280-0x0000000007100000-0x0000000007110000-memory.dmp

Filesize
64KB

Download
memory/2456-279-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2456-278-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2456-277-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2456-276-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2456-275-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2456-264-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2456-263-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2456-281-0x0000000007120000-0x0000000007130000-memory.dmp

Filesize
64KB

Download
memory/2456-274-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2456-286-0x0000000007120000-0x0000000007130000-memory.dmp

Filesize
64KB

Download
memory/2456-268-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2456-265-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2456-273-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2456-282-0x0000000007120000-0x0000000007130000-memory.dmp

Filesize
64KB

Download
memory/2456-272-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2456-284-0x0000000007120000-0x0000000007130000-memory.dmp

Filesize
64KB

Download
memory/2456-267-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2456-270-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2456-285-0x0000000007120000-0x0000000007130000-memory.dmp

Filesize
64KB

Download
memory/2456-269-0x00000000070F0000-0x0000000007100000-memory.dmp

Filesize
64KB

Download
memory/2504-238-0x000002233DF20000-0x000002233DF2D000-memory.dmp

Filesize
52KB

Download
memory/2504-151-0x0000000000000000-mapping.dmp

Download
memory/3164-185-0x00000000009D0000-0x00000000009D5000-memory.dmp

Filesize
20KB

Download
memory/3164-248-0x00000000009D0000-0x00000000009D5000-memory.dmp

Filesize
20KB

Download
memory/3164-180-0x0000000000000000-mapping.dmp

Download
memory/3164-188-0x00000000009C0000-0x00000000009C9000-memory.dmp

Filesize
36KB

Download
memory/3484-159-0x0000000000000000-mapping.dmp

Download
memory/3488-258-0x0000000000000000-mapping.dmp

Download
memory/3624-184-0x0000000000000000-mapping.dmp

Download
memory/3804-212-0x0000000000000000-mapping.dmp

Download
memory/3956-260-0x0000000000000000-mapping.dmp

Download
memory/3992-132-0x0000000000DF0000-0x000000000145C000-memory.dmp

Filesize
6.4MB

Download
memory/3992-135-0x00000000084B0000-0x00000000084BA000-memory.dmp

Filesize
40KB

Download
memory/3992-134-0x0000000008380000-0x0000000008412000-memory.dmp

Filesize
584KB

Download
memory/3992-133-0x0000000008890000-0x0000000008E34000-memory.dmp

Filesize
5.6MB

Download
memory/4072-163-0x0000017E2AC90000-0x0000017E2AC98000-memory.dmp

Filesize
32KB

Download
memory/4072-198-0x00007FFD09960000-0x00007FFD0A421000-memory.dmp

Filesize
10.8MB

Download
memory/4072-164-0x0000017E2ACA0000-0x0000017E2ACAA000-memory.dmp

Filesize
40KB

Download
memory/4072-165-0x00007FFD09960000-0x00007FFD0A421000-memory.dmp

Filesize
10.8MB

Download
memory/4072-158-0x0000017E2AB20000-0x0000017E2AB3C000-memory.dmp

Filesize
112KB

Download
memory/4072-156-0x0000017E2A440000-0x0000017E2A462000-memory.dmp

Filesize
136KB

Download
memory/4072-155-0x0000000000000000-mapping.dmp

Download
memory/4072-161-0x0000017E2AC80000-0x0000017E2AC8A000-memory.dmp

Filesize
40KB

Download
memory/4084-192-0x0000000000000000-mapping.dmp

Download
memory/4132-206-0x0000000000000000-mapping.dmp

Download
memory/4136-209-0x0000000000000000-mapping.dmp

Download
memory/4144-202-0x0000000000000000-mapping.dmp

Download
memory/4308-201-0x0000000000000000-mapping.dmp

Download
memory/4340-197-0x0000000000000000-mapping.dmp

Download
memory/4340-215-0x0000000000950000-0x0000000000977000-memory.dmp

Filesize
156KB

Download
memory/4340-250-0x0000000000980000-0x00000000009A2000-memory.dmp

Filesize
136KB

Download
memory/4340-213-0x0000000000980000-0x00000000009A2000-memory.dmp

Filesize
136KB

Download
memory/4352-239-0x0000000000C80000-0x0000000001465000-memory.dmp

Filesize
7.9MB

Download
memory/4352-243-0x0000000000C80000-0x0000000001465000-memory.dmp

Filesize
7.9MB

Download
memory/4352-224-0x0000000000000000-mapping.dmp

Download
memory/4368-255-0x0000000000000000-mapping.dmp

Download
memory/4532-225-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4532-216-0x0000000000000000-mapping.dmp

Download
memory/4532-217-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4532-219-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4532-220-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4532-235-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4568-196-0x0000000000000000-mapping.dmp

Download
memory/4624-205-0x0000000000000000-mapping.dmp

Download
memory/4704-207-0x0000000000000000-mapping.dmp

Download
memory/5076-191-0x0000000000000000-mapping.dmp

Download