amadey | 7ae3d2164fd38eec98477b6b1c89bbf4adf709477efbe1ea4b7482ff0077620c

Analysis

max time kernel
68s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

4.0MB
MD5

c4b49f766394903f86c495dcb4c4609d
SHA1

aef887b3ff017d474506aa6089cedc675e78bdc1
SHA256

7ae3d2164fd38eec98477b6b1c89bbf4adf709477efbe1ea4b7482ff0077620c
SHA512

c26989cb8144e4f98ab29da4970385b10aa7194b0a2116abf0e310a3604e80ce962784a2eb6c9e09d0d2f664ed894f069fd5034b8274cf8892a53a03804d27a0
SSDEEP

98304:SJ3wJW9uaoMgeeDI6l1AdeAERLipZM/dFAyNCb:SJA5aoMgeR6lyeAERLEM/Cb

Score

10^/10

amadey dcrat smokeloader backdoor collection discovery infostealer rat spyware stealer trojan vmprotect

Malware Config

Extracted

Family

amadey

Version

3.65

77.73.134.27/8bmdh3Slb2/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3000-167-0x0000000002CF0000-0x0000000002CF9000-memory.dmp	family_smokeloader

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3364 1220 rundll32.exe
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

51 4528 rundll32.exe
54 4528 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

llpb1133.exeChromeSetup.exewj.exePlayer3.exenbveek.exewj.exe6F5.exenbveek.exe

pid process

4232 llpb1133.exe
3000 ChromeSetup.exe
2540 wj.exe
2976 Player3.exe
3620 nbveek.exe
228 wj.exe
1936 6F5.exe
4296 nbveek.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	1220	rundll32.exe

flow	pid	process
51	4528	rundll32.exe
54	4528	rundll32.exe

pid	process
4232	llpb1133.exe
3000	ChromeSetup.exe
2540	wj.exe
2976	Player3.exe
3620	nbveek.exe
228	wj.exe
1936	6F5.exe
4296	nbveek.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe	vmprotect
behavioral2/memory/4232-141-0x0000000140000000-0x0000000140623000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Player3.exewj.exenbveek.exetmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Player3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	wj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	tmp.exe

Loads dropped DLL 5 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

4972 rundll32.exe
4528 rundll32.exe
4528 rundll32.exe
1912 rundll32.exe
3180 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4972	rundll32.exe
4528	rundll32.exe
4528	rundll32.exe
1912	rundll32.exe
3180	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1000 4972 WerFault.exe rundll32.exe
4840 1936 WerFault.exe 6F5.exe
4388 3180 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1000	4972	WerFault.exe	rundll32.exe
4840	1936	WerFault.exe	6F5.exe
4388	3180	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ChromeSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ChromeSetup.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ChromeSetup.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ChromeSetup.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2288 schtasks.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 11 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2288	schtasks.exe

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ChromeSetup.exe

pid	process
3000	ChromeSetup.exe
3000	ChromeSetup.exe
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2688
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ChromeSetup.exe

pid process

3000 ChromeSetup.exe

pid	process
2688

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	2688
Token: SeCreatePagefilePrivilege	2688
Token: SeShutdownPrivilege	2688
Token: SeCreatePagefilePrivilege	2688
Token: SeShutdownPrivilege	2688
Token: SeCreatePagefilePrivilege	2688
Token: SeShutdownPrivilege	2688
Token: SeCreatePagefilePrivilege	2688
Token: SeDebugPrivilege	4528	rundll32.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

tmp.exePlayer3.exewj.exenbveek.execmd.exerundll32.exe6F5.exerundll32.exe

description	pid	process	target process
PID 4896 wrote to memory of 4232	4896	tmp.exe	llpb1133.exe
PID 4896 wrote to memory of 4232	4896	tmp.exe	llpb1133.exe
PID 4896 wrote to memory of 3000	4896	tmp.exe	ChromeSetup.exe
PID 4896 wrote to memory of 3000	4896	tmp.exe	ChromeSetup.exe
PID 4896 wrote to memory of 3000	4896	tmp.exe	ChromeSetup.exe
PID 4896 wrote to memory of 2540	4896	tmp.exe	wj.exe
PID 4896 wrote to memory of 2540	4896	tmp.exe	wj.exe
PID 4896 wrote to memory of 2540	4896	tmp.exe	wj.exe
PID 4896 wrote to memory of 2976	4896	tmp.exe	Player3.exe
PID 4896 wrote to memory of 2976	4896	tmp.exe	Player3.exe
PID 4896 wrote to memory of 2976	4896	tmp.exe	Player3.exe
PID 2976 wrote to memory of 3620	2976	Player3.exe	nbveek.exe
PID 2976 wrote to memory of 3620	2976	Player3.exe	nbveek.exe
PID 2976 wrote to memory of 3620	2976	Player3.exe	nbveek.exe
PID 2540 wrote to memory of 228	2540	wj.exe	wj.exe
PID 2540 wrote to memory of 228	2540	wj.exe	wj.exe
PID 2540 wrote to memory of 228	2540	wj.exe	wj.exe
PID 3620 wrote to memory of 2288	3620	nbveek.exe	schtasks.exe
PID 3620 wrote to memory of 2288	3620	nbveek.exe	schtasks.exe
PID 3620 wrote to memory of 2288	3620	nbveek.exe	schtasks.exe
PID 3620 wrote to memory of 972	3620	nbveek.exe	cmd.exe
PID 3620 wrote to memory of 972	3620	nbveek.exe	cmd.exe
PID 3620 wrote to memory of 972	3620	nbveek.exe	cmd.exe
PID 972 wrote to memory of 2192	972	cmd.exe	cmd.exe
PID 972 wrote to memory of 2192	972	cmd.exe	cmd.exe
PID 972 wrote to memory of 2192	972	cmd.exe	cmd.exe
PID 972 wrote to memory of 460	972	cmd.exe	cacls.exe
PID 972 wrote to memory of 460	972	cmd.exe	cacls.exe
PID 972 wrote to memory of 460	972	cmd.exe	cacls.exe
PID 972 wrote to memory of 2484	972	cmd.exe	cacls.exe
PID 972 wrote to memory of 2484	972	cmd.exe	cacls.exe
PID 972 wrote to memory of 2484	972	cmd.exe	cacls.exe
PID 972 wrote to memory of 3480	972	cmd.exe	cmd.exe
PID 972 wrote to memory of 3480	972	cmd.exe	cmd.exe
PID 972 wrote to memory of 3480	972	cmd.exe	cmd.exe
PID 972 wrote to memory of 1916	972	cmd.exe	cacls.exe
PID 972 wrote to memory of 1916	972	cmd.exe	cacls.exe
PID 972 wrote to memory of 1916	972	cmd.exe	cacls.exe
PID 972 wrote to memory of 4364	972	cmd.exe	cacls.exe
PID 972 wrote to memory of 4364	972	cmd.exe	cacls.exe
PID 972 wrote to memory of 4364	972	cmd.exe	cacls.exe
PID 3364 wrote to memory of 4972	3364	rundll32.exe	rundll32.exe
PID 3364 wrote to memory of 4972	3364	rundll32.exe	rundll32.exe
PID 3364 wrote to memory of 4972	3364	rundll32.exe	rundll32.exe
PID 2688 wrote to memory of 1936	2688		6F5.exe
PID 2688 wrote to memory of 1936	2688		6F5.exe
PID 2688 wrote to memory of 1936	2688		6F5.exe
PID 1936 wrote to memory of 4528	1936	6F5.exe	rundll32.exe
PID 1936 wrote to memory of 4528	1936	6F5.exe	rundll32.exe
PID 1936 wrote to memory of 4528	1936	6F5.exe	rundll32.exe
PID 3620 wrote to memory of 1912	3620	nbveek.exe	rundll32.exe
PID 3620 wrote to memory of 1912	3620	nbveek.exe	rundll32.exe
PID 3620 wrote to memory of 1912	3620	nbveek.exe	rundll32.exe
PID 1912 wrote to memory of 3180	1912	rundll32.exe	rundll32.exe
PID 1912 wrote to memory of 3180	1912	rundll32.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Admin\AppData\Local\Temp\llpb1133.exe
"C:\Users\Admin\AppData\Local\Temp\llpb1133.exe"
2⤵
- Executes dropped EXE
PID:4232

C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3000

C:\Users\Admin\AppData\Local\Temp\wj.exe
"C:\Users\Admin\AppData\Local\Temp\wj.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\wj.exe
"C:\Users\Admin\AppData\Local\Temp\wj.exe" --v
3⤵
- Executes dropped EXE
PID:228

C:\Users\Admin\AppData\Local\Temp\Player3.exe
"C:\Users\Admin\AppData\Local\Temp\Player3.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
4⤵
- Creates scheduled task(s)
PID:2288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2192

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
5⤵
PID:460

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
5⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3480

C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:N"
5⤵
PID:1916

C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:R" /E
5⤵
PID:4364

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
5⤵
- Loads dropped DLL
PID:3180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3180 -s 688
6⤵
- Program crash
PID:4388

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 600
3⤵
- Program crash
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4972 -ip 4972
1⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\6F5.exe
C:\Users\Admin\AppData\Local\Temp\6F5.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Rqdarrhtrsoihy.dll,start
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4528

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14100
3⤵
PID:3612

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4184

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 404
2⤵
- Program crash
PID:4840

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1936 -ip 1936
1⤵
PID:1720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 3180 -ip 3180
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\8260.exe
C:\Users\Admin\AppData\Local\Temp\8260.exe
1⤵
PID:2008

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
2⤵
PID:2236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4440

C:\Users\Admin\AppData\Roaming\uaewrif
C:\Users\Admin\AppData\Roaming\uaewrif
1⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
PID:532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F5.exe
Filesize
3.2MB

MD5
84093234acbf6f9934fbc4b512e1a375

SHA1
d07c29dbd51f43196b8fa191ddec3018e3d7f790

SHA256
1fdeec873babd4913470ed2054da10581a6547dc6b59d567bfb3a69a8065d2e3

SHA512
a4b871e0436f014551c22915b297ee643f4bc5a7e4f4a3c43cccdbf6199045f6dba4c32174ae8808c6b03057ed78f6e989ccb63bb225345aa95ca56e5cca666a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F5.exe
Filesize
3.2MB

MD5
84093234acbf6f9934fbc4b512e1a375

SHA1
d07c29dbd51f43196b8fa191ddec3018e3d7f790

SHA256
1fdeec873babd4913470ed2054da10581a6547dc6b59d567bfb3a69a8065d2e3

SHA512
a4b871e0436f014551c22915b297ee643f4bc5a7e4f4a3c43cccdbf6199045f6dba4c32174ae8808c6b03057ed78f6e989ccb63bb225345aa95ca56e5cca666a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8260.exe
Filesize
1.7MB

MD5
6a94a1e18c7b6a01aaa49dc523f377be

SHA1
734fe1fc1686663374acdfcac3e64a994abf1f24

SHA256
3d153eec10415da5bd11428eafd70b13b2db77c145b3a98a4d0e1c55a3ec4af6

SHA512
96223374167e981183a8d41d734f6325ca459a1931a959af9ffe32e69cea053e117909ef3f81be4c35a35ca257d31d352aa4bd1db7d429cbc4ae7d8dce326766

Download Submit
C:\Users\Admin\AppData\Local\Temp\8260.exe
Filesize
1.7MB

MD5
6a94a1e18c7b6a01aaa49dc523f377be

SHA1
734fe1fc1686663374acdfcac3e64a994abf1f24

SHA256
3d153eec10415da5bd11428eafd70b13b2db77c145b3a98a4d0e1c55a3ec4af6

SHA512
96223374167e981183a8d41d734f6325ca459a1931a959af9ffe32e69cea053e117909ef3f81be4c35a35ca257d31d352aa4bd1db7d429cbc4ae7d8dce326766

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
Filesize
225KB

MD5
249796fa1a3ae7e8688c0cd0ff89ac1f

SHA1
24d19f4d8123218acc97dda292cedb6517671252

SHA256
896957ecc7a22c199fa41be975dff3dda6e90f7a22f2ee6b4db5f29b1a5688c2

SHA512
ba4135f3bc21a040c85afe8b5602ee65e076195fb596f4870f4ac46d69643a9388ddbc37ada76e9e987831bca985673de01323664007dab4dee64cb5b6f5312f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
Filesize
225KB

MD5
249796fa1a3ae7e8688c0cd0ff89ac1f

SHA1
24d19f4d8123218acc97dda292cedb6517671252

SHA256
896957ecc7a22c199fa41be975dff3dda6e90f7a22f2ee6b4db5f29b1a5688c2

SHA512
ba4135f3bc21a040c85afe8b5602ee65e076195fb596f4870f4ac46d69643a9388ddbc37ada76e9e987831bca985673de01323664007dab4dee64cb5b6f5312f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rqdarrhtrsoihy.dll
Filesize
4.3MB

MD5
e4f4ffb8be6dba76ddf15cece5a4bfac

SHA1
d6896ab316272379be3069afcfdba13b488ceff5

SHA256
5584e51b6a5112d25055e953f64020c9bd83c07a03ef5d850c049c6b6115c51a

SHA512
3ca80e4b6604165757f192452262f6e184bb93ca82185acd743d2540ed5e35967e794d3ba0b973df3460c0d91e6167ca6db23b99b0f35c56d23dd7da0c53fe66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rqdarrhtrsoihy.dll
Filesize
4.3MB

MD5
e4f4ffb8be6dba76ddf15cece5a4bfac

SHA1
d6896ab316272379be3069afcfdba13b488ceff5

SHA256
5584e51b6a5112d25055e953f64020c9bd83c07a03ef5d850c049c6b6115c51a

SHA512
3ca80e4b6604165757f192452262f6e184bb93ca82185acd743d2540ed5e35967e794d3ba0b973df3460c0d91e6167ca6db23b99b0f35c56d23dd7da0c53fe66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rqdarrhtrsoihy.dll
Filesize
4.3MB

MD5
e4f4ffb8be6dba76ddf15cece5a4bfac

SHA1
d6896ab316272379be3069afcfdba13b488ceff5

SHA256
5584e51b6a5112d25055e953f64020c9bd83c07a03ef5d850c049c6b6115c51a

SHA512
3ca80e4b6604165757f192452262f6e184bb93ca82185acd743d2540ed5e35967e794d3ba0b973df3460c0d91e6167ca6db23b99b0f35c56d23dd7da0c53fe66

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
cb077166b5cc181bde4c2bb30d28a99a

SHA1
800aab82a816e41ded59bc20cda364fa22dc0bcb

SHA256
40f19665b2ae343aa3838226e3393e2816a58fbb16fa4d2a3da8c602f20c9f72

SHA512
d1a9c9696f17e0ed3fe34996fef186c23ca9c0bb5cc1073a01bee88ca3d6a096dce61145f6339f88fd08fd4ac5d451105547a604c9a10fb373a78c6cf9df2811

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe
Filesize
3.5MB

MD5
0fa184f924d62e2a5ffbd35fb4185ca2

SHA1
80122822d0b2e495e6ae2ca24e279265f3c95410

SHA256
24b4317184cdd8aaa1757bef61a8688e6d13d33602b54b377240cf77f97311b6

SHA512
45be2bcb0b7909036ac839a2886c4e5e33441cdd220d59b0b96b0422ca70ada1523e363291b70d893cf9a4c51fbcc34db2598ee42f169bbec1fbc867327cee30

Download Submit
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe
Filesize
3.5MB

MD5
0fa184f924d62e2a5ffbd35fb4185ca2

SHA1
80122822d0b2e495e6ae2ca24e279265f3c95410

SHA256
24b4317184cdd8aaa1757bef61a8688e6d13d33602b54b377240cf77f97311b6

SHA512
45be2bcb0b7909036ac839a2886c4e5e33441cdd220d59b0b96b0422ca70ada1523e363291b70d893cf9a4c51fbcc34db2598ee42f169bbec1fbc867327cee30

Download Submit
C:\Users\Admin\AppData\Local\Temp\wj.exe
Filesize
72KB

MD5
834a79ee7a59547a89ef4f849829b05b

SHA1
28db68cffea38ed08db8fc3ed687a45494c38dcb

SHA256
412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772

SHA512
3adebe76c029607c1630595714b959d0e335b12c5d6d6e444788803bdd9e879aa3ff5b6b5f9370f06e74c50a5a832efb7f7ce24f6fdb51147269ab4a45261774

Download Submit
C:\Users\Admin\AppData\Local\Temp\wj.exe
Filesize
72KB

MD5
834a79ee7a59547a89ef4f849829b05b

SHA1
28db68cffea38ed08db8fc3ed687a45494c38dcb

SHA256
412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772

SHA512
3adebe76c029607c1630595714b959d0e335b12c5d6d6e444788803bdd9e879aa3ff5b6b5f9370f06e74c50a5a832efb7f7ce24f6fdb51147269ab4a45261774

Download Submit
C:\Users\Admin\AppData\Local\Temp\wj.exe
Filesize
72KB

MD5
834a79ee7a59547a89ef4f849829b05b

SHA1
28db68cffea38ed08db8fc3ed687a45494c38dcb

SHA256
412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772

SHA512
3adebe76c029607c1630595714b959d0e335b12c5d6d6e444788803bdd9e879aa3ff5b6b5f9370f06e74c50a5a832efb7f7ce24f6fdb51147269ab4a45261774

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
497.9MB

MD5
f2298f6b96305daa39354bcece43ee75

SHA1
11e9c06a1633b50193a2795f048381178ffa5559

SHA256
0d982d582906caf2a59199912dbf54e769b3788b4f9bb12237f1a4002d300c39

SHA512
f38fff31e8f2c8ea0cdba324afc1ec430ad078b3f6adfd72e466c3ec5d8951d6495cac4f9cb8433042d16195bd06f9b9a4e518d7d17728917e0402deb69b06bf

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Filesize
497.6MB

MD5
28574a35f722d490d36643bdef02dbd8

SHA1
23ea771ffbf1ca14c5113b87d544c24c3e4dac3f

SHA256
e20abd84bd65e68a7102df5b1b242be12befc34b643e655b09a89ec25b55d3ce

SHA512
ea46c2ff5d7ed2767c6b903aa148593f1abbd3c2dca7c18e785c2ae81cfc1b768d0dab6b0d4af21b85d1bca5fad82d6d45333f46944204b0853b83cf6f92fedd

Download Submit
C:\Users\Admin\AppData\Roaming\uaewrif
Filesize
225KB

MD5
249796fa1a3ae7e8688c0cd0ff89ac1f

SHA1
24d19f4d8123218acc97dda292cedb6517671252

SHA256
896957ecc7a22c199fa41be975dff3dda6e90f7a22f2ee6b4db5f29b1a5688c2

SHA512
ba4135f3bc21a040c85afe8b5602ee65e076195fb596f4870f4ac46d69643a9388ddbc37ada76e9e987831bca985673de01323664007dab4dee64cb5b6f5312f

Download Submit
C:\Users\Admin\AppData\Roaming\uaewrif
Filesize
225KB

MD5
249796fa1a3ae7e8688c0cd0ff89ac1f

SHA1
24d19f4d8123218acc97dda292cedb6517671252

SHA256
896957ecc7a22c199fa41be975dff3dda6e90f7a22f2ee6b4db5f29b1a5688c2

SHA512
ba4135f3bc21a040c85afe8b5602ee65e076195fb596f4870f4ac46d69643a9388ddbc37ada76e9e987831bca985673de01323664007dab4dee64cb5b6f5312f

Download Submit
memory/228-152-0x0000000000000000-mapping.dmp

Download
memory/460-157-0x0000000000000000-mapping.dmp

Download
memory/972-155-0x0000000000000000-mapping.dmp

Download
memory/1912-205-0x0000000000000000-mapping.dmp

Download
memory/1916-160-0x0000000000000000-mapping.dmp

Download
memory/1936-204-0x0000000000400000-0x00000000007C3000-memory.dmp

Filesize
3.8MB

Download
memory/1936-197-0x0000000002770000-0x0000000002B27000-memory.dmp

Filesize
3.7MB

Download
memory/1936-198-0x0000000000400000-0x00000000007C3000-memory.dmp

Filesize
3.8MB

Download
memory/1936-196-0x0000000002368000-0x000000000266B000-memory.dmp

Filesize
3.0MB

Download
memory/1936-192-0x0000000000000000-mapping.dmp

Download
memory/2008-231-0x000000000234D000-0x00000000024F7000-memory.dmp

Filesize
1.7MB

Download
memory/2008-237-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2008-215-0x0000000000000000-mapping.dmp

Download
memory/2008-232-0x0000000002600000-0x00000000029D0000-memory.dmp

Filesize
3.8MB

Download
memory/2008-233-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2192-156-0x0000000000000000-mapping.dmp

Download
memory/2236-234-0x0000000000000000-mapping.dmp

Download
memory/2288-154-0x0000000000000000-mapping.dmp

Download
memory/2484-158-0x0000000000000000-mapping.dmp

Download
memory/2540-139-0x0000000000000000-mapping.dmp

Download
memory/2688-189-0x0000000007B00000-0x0000000007B10000-memory.dmp

Filesize
64KB

Download
memory/2688-178-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2688-187-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/2688-188-0x0000000007B00000-0x0000000007B10000-memory.dmp

Filesize
64KB

Download
memory/2688-170-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2688-190-0x0000000007B00000-0x0000000007B10000-memory.dmp

Filesize
64KB

Download
memory/2688-191-0x0000000007B00000-0x0000000007B10000-memory.dmp

Filesize
64KB

Download
memory/2688-185-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2688-184-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2688-183-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2688-182-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2688-181-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2688-180-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2688-179-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2688-186-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2688-171-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2688-177-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2688-172-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2688-176-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2688-175-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2688-174-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2688-173-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2976-143-0x0000000000000000-mapping.dmp

Download
memory/3000-169-0x0000000000400000-0x0000000002BA1000-memory.dmp

Filesize
39.6MB

Download
memory/3000-166-0x0000000002F18000-0x0000000002F2B000-memory.dmp

Filesize
76KB

Download
memory/3000-167-0x0000000002CF0000-0x0000000002CF9000-memory.dmp

Filesize
36KB

Download
memory/3000-168-0x0000000000400000-0x0000000002BA1000-memory.dmp

Filesize
39.6MB

Download
memory/3000-136-0x0000000000000000-mapping.dmp

Download
memory/3168-228-0x0000000000000000-mapping.dmp

Download
memory/3180-208-0x0000000000000000-mapping.dmp

Download
memory/3480-159-0x0000000000000000-mapping.dmp

Download
memory/3612-229-0x00000285E7530000-0x00000285E77DC000-memory.dmp

Filesize
2.7MB

Download
memory/3612-222-0x00007FF60E1A6890-mapping.dmp

Download
memory/3612-223-0x00000285E8DF0000-0x00000285E8F30000-memory.dmp

Filesize
1.2MB

Download
memory/3612-224-0x00000285E8DF0000-0x00000285E8F30000-memory.dmp

Filesize
1.2MB

Download
memory/3612-225-0x00000000000C0000-0x000000000035B000-memory.dmp

Filesize
2.6MB

Download
memory/3612-226-0x00000285E7530000-0x00000285E77DC000-memory.dmp

Filesize
2.7MB

Download
memory/3620-149-0x0000000000000000-mapping.dmp

Download
memory/4184-227-0x0000000000000000-mapping.dmp

Download
memory/4232-133-0x0000000000000000-mapping.dmp

Download
memory/4232-141-0x0000000140000000-0x0000000140623000-memory.dmp

Filesize
6.1MB

Download
memory/4364-161-0x0000000000000000-mapping.dmp

Download
memory/4528-212-0x0000000004210000-0x0000000004D40000-memory.dmp

Filesize
11.2MB

Download
memory/4528-220-0x0000000004E00000-0x0000000004F40000-memory.dmp

Filesize
1.2MB

Download
memory/4528-214-0x0000000004E00000-0x0000000004F40000-memory.dmp

Filesize
1.2MB

Download
memory/4528-230-0x0000000004210000-0x0000000004D40000-memory.dmp

Filesize
11.2MB

Download
memory/4528-211-0x0000000004210000-0x0000000004D40000-memory.dmp

Filesize
11.2MB

Download
memory/4528-210-0x0000000004210000-0x0000000004D40000-memory.dmp

Filesize
11.2MB

Download
memory/4528-218-0x0000000004E00000-0x0000000004F40000-memory.dmp

Filesize
1.2MB

Download
memory/4528-221-0x0000000004E00000-0x0000000004F40000-memory.dmp

Filesize
1.2MB

Download
memory/4528-203-0x0000000002DF0000-0x000000000323E000-memory.dmp

Filesize
4.3MB

Download
memory/4528-213-0x0000000004E00000-0x0000000004F40000-memory.dmp

Filesize
1.2MB

Download
memory/4528-199-0x0000000000000000-mapping.dmp

Download
memory/4528-219-0x0000000004E00000-0x0000000004F40000-memory.dmp

Filesize
1.2MB

Download
memory/4740-241-0x0000000002F19000-0x0000000002F2C000-memory.dmp

Filesize
76KB

Download
memory/4740-242-0x0000000000400000-0x0000000002BA1000-memory.dmp

Filesize
39.6MB

Download
memory/4740-243-0x0000000000400000-0x0000000002BA1000-memory.dmp

Filesize
39.6MB

Download
memory/4896-132-0x0000000000320000-0x000000000072E000-memory.dmp

Filesize
4.1MB

Download
memory/4972-163-0x0000000000000000-mapping.dmp

Download