amadey | c27159c3ef2eca70dfdb148ab8b7f0bd54464dba6b33437d1a5b41957320f2dd

Analysis

max time kernel
38s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2023 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c27159c3ef2eca70dfdb148ab8b7f0bd54464dba6b33437d1a5b41957320f2dd.exe
Size

559KB
MD5

0edd091e2448140892af233184924bf5
SHA1

754987a26b17659e0d06f55642e54e16a09ff7a9
SHA256

c27159c3ef2eca70dfdb148ab8b7f0bd54464dba6b33437d1a5b41957320f2dd
SHA512

5bf78dbd3f55760330ff7ba4bfaa0666348de6666262e91740b5690782dfe7357edf9f8ca8ed37547c920c59cc015454a5e6d2446b82c48c57da4a4665a14dfb
SSDEEP

12288:qMrMy905SCgJEG7zgyj8sc0+B2ETxADgU:qyz+MgsDcxB7TiDgU

Score

10^/10

amadey healer redline smokeloader vidar 1112224312 @oleh_ps c2438bb36e46960f59a09a0a267eeb74 maxik backdoor dropper evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

193.233.255.9/nasa/index.php

Extracted

Family

redline

Botnet

maxik

77.91.124.156:19071

Attributes

auth_value
a7714e1bc167c67e3fc8f9e368352269

Extracted

Family

redline

Botnet

1112224312

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

@oleh_ps

176.123.9.85:16482

Attributes

auth_value
24848220823af15a5e52db502394fad3

Extracted

Family

vidar

Version

Botnet

c2438bb36e46960f59a09a0a267eeb74

https://t.me/versozaline

https://steamcommunity.com/profiles/76561199532186526

Attributes

profile_id_v2
c2438bb36e46960f59a09a0a267eeb74
user_agent
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0

Extracted

Family

smokeloader

Version

2022

https://anydesk-my.com/faq/

http://anydesk-my.com/faq/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000002320f-152.dat	healer
behavioral1/files/0x000700000002320f-153.dat	healer
behavioral1/memory/3244-154-0x00000000000F0000-0x00000000000FA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p7449948.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p7449948.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p7449948.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p7449948.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p7449948.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p7449948.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
4672	z6757254.exe
1612	z6601469.exe
3244	p7449948.exe
1524	r4397453.exe
2768	legosa.exe
3328	s6090394.exe
2104	4312.exe
3040	Gammatraff.exe
552	stell.exe
4236	ucejekudcp.exe
3980	setuox63.exe
1456	legosa.exe
3436	nNC0F21PVf7hKUD.exe
4252	buildntai1.exe

Loads dropped DLL 2 IoCs

pid	Process
4252	buildntai1.exe
4252	buildntai1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p7449948.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6601469.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c27159c3ef2eca70dfdb148ab8b7f0bd54464dba6b33437d1a5b41957320f2dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6757254.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	api.ipify.org
35	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2104 set thread context of 3588	2104	4312.exe	108
PID 4236 set thread context of 3536	4236	ucejekudcp.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1136	4236	WerFault.exe	111

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1348	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3392	timeout.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2920	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3244	p7449948.exe
3244	p7449948.exe
3588	InstallUtil.exe
3588	InstallUtil.exe
3536	AppLaunch.exe
3040	Gammatraff.exe
3040	Gammatraff.exe
3536	AppLaunch.exe
4252	buildntai1.exe
4252	buildntai1.exe
4252	buildntai1.exe
4252	buildntai1.exe
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
4252	buildntai1.exe
4252	buildntai1.exe
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found
1112	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3040	Gammatraff.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3244	p7449948.exe
Token: SeDebugPrivilege	3588	InstallUtil.exe
Token: SeDebugPrivilege	3536	AppLaunch.exe
Token: SeShutdownPrivilege	1112	Process not Found
Token: SeCreatePagefilePrivilege	1112	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4672	4764	c27159c3ef2eca70dfdb148ab8b7f0bd54464dba6b33437d1a5b41957320f2dd.exe	86
PID 4764 wrote to memory of 4672	4764	c27159c3ef2eca70dfdb148ab8b7f0bd54464dba6b33437d1a5b41957320f2dd.exe	86
PID 4764 wrote to memory of 4672	4764	c27159c3ef2eca70dfdb148ab8b7f0bd54464dba6b33437d1a5b41957320f2dd.exe	86
PID 4672 wrote to memory of 1612	4672	z6757254.exe	87
PID 4672 wrote to memory of 1612	4672	z6757254.exe	87
PID 4672 wrote to memory of 1612	4672	z6757254.exe	87
PID 1612 wrote to memory of 3244	1612	z6601469.exe	88
PID 1612 wrote to memory of 3244	1612	z6601469.exe	88
PID 1612 wrote to memory of 1524	1612	z6601469.exe	93
PID 1612 wrote to memory of 1524	1612	z6601469.exe	93
PID 1612 wrote to memory of 1524	1612	z6601469.exe	93
PID 1524 wrote to memory of 2768	1524	r4397453.exe	94
PID 1524 wrote to memory of 2768	1524	r4397453.exe	94
PID 1524 wrote to memory of 2768	1524	r4397453.exe	94
PID 4672 wrote to memory of 3328	4672	z6757254.exe	95
PID 4672 wrote to memory of 3328	4672	z6757254.exe	95
PID 4672 wrote to memory of 3328	4672	z6757254.exe	95
PID 2768 wrote to memory of 1348	2768	legosa.exe	96
PID 2768 wrote to memory of 1348	2768	legosa.exe	96
PID 2768 wrote to memory of 1348	2768	legosa.exe	96
PID 2768 wrote to memory of 1080	2768	legosa.exe	97
PID 2768 wrote to memory of 1080	2768	legosa.exe	97
PID 2768 wrote to memory of 1080	2768	legosa.exe	97
PID 1080 wrote to memory of 2680	1080	cmd.exe	101
PID 1080 wrote to memory of 2680	1080	cmd.exe	101
PID 1080 wrote to memory of 2680	1080	cmd.exe	101
PID 1080 wrote to memory of 2800	1080	cmd.exe	100
PID 1080 wrote to memory of 2800	1080	cmd.exe	100
PID 1080 wrote to memory of 2800	1080	cmd.exe	100
PID 1080 wrote to memory of 3432	1080	cmd.exe	102
PID 1080 wrote to memory of 3432	1080	cmd.exe	102
PID 1080 wrote to memory of 3432	1080	cmd.exe	102
PID 1080 wrote to memory of 5112	1080	cmd.exe	103
PID 1080 wrote to memory of 5112	1080	cmd.exe	103
PID 1080 wrote to memory of 5112	1080	cmd.exe	103
PID 1080 wrote to memory of 2212	1080	cmd.exe	104
PID 1080 wrote to memory of 2212	1080	cmd.exe	104
PID 1080 wrote to memory of 2212	1080	cmd.exe	104
PID 1080 wrote to memory of 1876	1080	cmd.exe	105
PID 1080 wrote to memory of 1876	1080	cmd.exe	105
PID 1080 wrote to memory of 1876	1080	cmd.exe	105
PID 2768 wrote to memory of 2104	2768	legosa.exe	106
PID 2768 wrote to memory of 2104	2768	legosa.exe	106
PID 2768 wrote to memory of 2104	2768	legosa.exe	106
PID 2104 wrote to memory of 3588	2104	4312.exe	108
PID 2104 wrote to memory of 3588	2104	4312.exe	108
PID 2104 wrote to memory of 3588	2104	4312.exe	108
PID 2104 wrote to memory of 3588	2104	4312.exe	108
PID 2104 wrote to memory of 3588	2104	4312.exe	108
PID 2104 wrote to memory of 3588	2104	4312.exe	108
PID 2104 wrote to memory of 3588	2104	4312.exe	108
PID 2104 wrote to memory of 3588	2104	4312.exe	108
PID 2768 wrote to memory of 3040	2768	legosa.exe	109
PID 2768 wrote to memory of 3040	2768	legosa.exe	109
PID 2768 wrote to memory of 3040	2768	legosa.exe	109
PID 2768 wrote to memory of 552	2768	legosa.exe	110
PID 2768 wrote to memory of 552	2768	legosa.exe	110
PID 2768 wrote to memory of 4236	2768	legosa.exe	111
PID 2768 wrote to memory of 4236	2768	legosa.exe	111
PID 2768 wrote to memory of 4236	2768	legosa.exe	111
PID 4236 wrote to memory of 3536	4236	ucejekudcp.exe	113
PID 4236 wrote to memory of 3536	4236	ucejekudcp.exe	113
PID 4236 wrote to memory of 3536	4236	ucejekudcp.exe	113
PID 4236 wrote to memory of 3536	4236	ucejekudcp.exe	113

C:\Users\Admin\AppData\Local\Temp\c27159c3ef2eca70dfdb148ab8b7f0bd54464dba6b33437d1a5b41957320f2dd.exe
"C:\Users\Admin\AppData\Local\Temp\c27159c3ef2eca70dfdb148ab8b7f0bd54464dba6b33437d1a5b41957320f2dd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6757254.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6757254.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6601469.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6601469.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7449948.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7449948.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3244
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r4397453.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r4397453.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legosa.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:1348
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legosa.exe" /P "Admin:N"&&CACLS "legosa.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legosa.exe" /P "Admin:N"
        7⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legosa.exe" /P "Admin:R" /E
        7⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ebb444342c" /P "Admin:N"
        7⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ebb444342c" /P "Admin:R" /E
        7⤵
        
        PID:1876
      - C:\Users\Admin\AppData\Local\Temp\1000001001\4312.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\4312.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
      - C:\Users\Admin\AppData\Local\Temp\1000002001\Gammatraff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000002001\Gammatraff.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3040
      - C:\Users\Admin\AppData\Local\Temp\1000003001\stell.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003001\stell.exe"
        6⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1000003001\stell.exe"
        7⤵
        
        PID:4536
        
        C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        8⤵
        Runs ping.exe
        
        PID:2920
      - C:\Users\Admin\AppData\Local\Temp\1000004001\ucejekudcp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\ucejekudcp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 584
        7⤵
        Program crash
        
        PID:1136
      - C:\Users\Admin\AppData\Local\Temp\1000005001\setuox63.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\setuox63.exe"
        6⤵
        Executes dropped EXE
        
        PID:3980
      - C:\Users\Admin\AppData\Local\Temp\1000006001\nNC0F21PVf7hKUD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\nNC0F21PVf7hKUD.exe"
        6⤵
        Executes dropped EXE
        
        PID:3436
      - C:\Users\Admin\AppData\Local\Temp\1000007001\buildntai1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000007001\buildntai1.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1000007001\buildntai1.exe" & exit
        7⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:3392
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s6090394.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s6090394.exe
    3⤵
    - Executes dropped EXE
    PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4236 -ip 4236
1⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
1⤵
- Executes dropped EXE
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\4312.exe

Filesize
1.2MB

MD5
e18c09fae2ed2f0f511d836032b9a6c9

SHA1
1329d986595034bb02fb6811149ed92b8daf10f6

SHA256
aeaaf6c0e6b0f401ddf8705f9e15a11c758db69716784be53f6b619f86d74894

SHA512
3537a2a0fdced6ca040a6908dfa194e62585c0741b79bd4fe8c9c50c77bd625a9dc6b81ba5a24d070f659d28dd63d8c9c2741d344b731cba94855bb96e87e791

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\4312.exe

Filesize
1.2MB

MD5
e18c09fae2ed2f0f511d836032b9a6c9

SHA1
1329d986595034bb02fb6811149ed92b8daf10f6

SHA256
aeaaf6c0e6b0f401ddf8705f9e15a11c758db69716784be53f6b619f86d74894

SHA512
3537a2a0fdced6ca040a6908dfa194e62585c0741b79bd4fe8c9c50c77bd625a9dc6b81ba5a24d070f659d28dd63d8c9c2741d344b731cba94855bb96e87e791

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\4312.exe

Filesize
1.2MB

MD5
e18c09fae2ed2f0f511d836032b9a6c9

SHA1
1329d986595034bb02fb6811149ed92b8daf10f6

SHA256
aeaaf6c0e6b0f401ddf8705f9e15a11c758db69716784be53f6b619f86d74894

SHA512
3537a2a0fdced6ca040a6908dfa194e62585c0741b79bd4fe8c9c50c77bd625a9dc6b81ba5a24d070f659d28dd63d8c9c2741d344b731cba94855bb96e87e791

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\Gammatraff.exe

Filesize
288KB

MD5
120cbb2cca4d4036d54253165cd428d5

SHA1
16ca58673b25bd18af4e3fc0bc719601e4c9ca0a

SHA256
b048a1bfca1c0f1a364faeef88c9decda4fa71a66e3dd3225abe70e267b0b36b

SHA512
ce9023ec8374a439d344024d834a7a9ff6d04b0d1d95a20d0958353846492a5290d6978b19bf4a159c700dd98c467c4ca18ffd356673925ffa52bc1bb8a2f6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\Gammatraff.exe

Filesize
288KB

MD5
120cbb2cca4d4036d54253165cd428d5

SHA1
16ca58673b25bd18af4e3fc0bc719601e4c9ca0a

SHA256
b048a1bfca1c0f1a364faeef88c9decda4fa71a66e3dd3225abe70e267b0b36b

SHA512
ce9023ec8374a439d344024d834a7a9ff6d04b0d1d95a20d0958353846492a5290d6978b19bf4a159c700dd98c467c4ca18ffd356673925ffa52bc1bb8a2f6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\Gammatraff.exe

Filesize
288KB

MD5
120cbb2cca4d4036d54253165cd428d5

SHA1
16ca58673b25bd18af4e3fc0bc719601e4c9ca0a

SHA256
b048a1bfca1c0f1a364faeef88c9decda4fa71a66e3dd3225abe70e267b0b36b

SHA512
ce9023ec8374a439d344024d834a7a9ff6d04b0d1d95a20d0958353846492a5290d6978b19bf4a159c700dd98c467c4ca18ffd356673925ffa52bc1bb8a2f6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\stell.exe

Filesize
733KB

MD5
9e9d3ca2bb0dca4602f6230c63af9885

SHA1
5e2cc25105932363c2034f9062fbe4ca4aa6aba4

SHA256
db0671a8aa2824d479000a440fefdf5baec097ab171212b161865d7383897815

SHA512
2b6348d28a6df539379d9ffa4556c1627dd47fa90d4df041379fd0b9693637bc822fde71fe919104544d6c62632a95858506aa0dd06b81e0c349fdd84e3c041b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\stell.exe

Filesize
733KB

MD5
9e9d3ca2bb0dca4602f6230c63af9885

SHA1
5e2cc25105932363c2034f9062fbe4ca4aa6aba4

SHA256
db0671a8aa2824d479000a440fefdf5baec097ab171212b161865d7383897815

SHA512
2b6348d28a6df539379d9ffa4556c1627dd47fa90d4df041379fd0b9693637bc822fde71fe919104544d6c62632a95858506aa0dd06b81e0c349fdd84e3c041b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\stell.exe

Filesize
733KB

MD5
9e9d3ca2bb0dca4602f6230c63af9885

SHA1
5e2cc25105932363c2034f9062fbe4ca4aa6aba4

SHA256
db0671a8aa2824d479000a440fefdf5baec097ab171212b161865d7383897815

SHA512
2b6348d28a6df539379d9ffa4556c1627dd47fa90d4df041379fd0b9693637bc822fde71fe919104544d6c62632a95858506aa0dd06b81e0c349fdd84e3c041b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\ucejekudcp.exe

Filesize
1.3MB

MD5
2ddbd7e7fdf9bf2edfa375ad6fe2f6f5

SHA1
7f8fb773d3c17d05dcf46802b33f024b53c48c96

SHA256
9354c11be1fbde7607e1139a9fecff5269d7f8dba8f6fbe35c950074bc0cdefe

SHA512
7c4224441c5b497635294866c999d9d601248ff16272b2cf4f3f2b91c6e08ab51d2d273b91cac24eafcea4018daa339d0ff62b33b1540fbf9aaa4e7b9f3e1c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\ucejekudcp.exe

Filesize
1.3MB

MD5
2ddbd7e7fdf9bf2edfa375ad6fe2f6f5

SHA1
7f8fb773d3c17d05dcf46802b33f024b53c48c96

SHA256
9354c11be1fbde7607e1139a9fecff5269d7f8dba8f6fbe35c950074bc0cdefe

SHA512
7c4224441c5b497635294866c999d9d601248ff16272b2cf4f3f2b91c6e08ab51d2d273b91cac24eafcea4018daa339d0ff62b33b1540fbf9aaa4e7b9f3e1c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\ucejekudcp.exe

Filesize
1.3MB

MD5
2ddbd7e7fdf9bf2edfa375ad6fe2f6f5

SHA1
7f8fb773d3c17d05dcf46802b33f024b53c48c96

SHA256
9354c11be1fbde7607e1139a9fecff5269d7f8dba8f6fbe35c950074bc0cdefe

SHA512
7c4224441c5b497635294866c999d9d601248ff16272b2cf4f3f2b91c6e08ab51d2d273b91cac24eafcea4018daa339d0ff62b33b1540fbf9aaa4e7b9f3e1c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\setuox63.exe

Filesize
1.6MB

MD5
0874189f078f8e3fcb59e2900e078b7e

SHA1
ff1638a53e3a403c1e63245fef1f3775b67bfd37

SHA256
5cef817d00f7176aaff7d48722b45d82a0587e010655f9c678e75be7beedde77

SHA512
2cfb391365a1ebc94f4386f6f9013f6f66e193161fc471935ed5655f7d6f6dc2f325daab6d6a6b0b27f6ba220f4c5c8a8002275587d0dfc7187f1520726c0629

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\setuox63.exe

Filesize
1.6MB

MD5
0874189f078f8e3fcb59e2900e078b7e

SHA1
ff1638a53e3a403c1e63245fef1f3775b67bfd37

SHA256
5cef817d00f7176aaff7d48722b45d82a0587e010655f9c678e75be7beedde77

SHA512
2cfb391365a1ebc94f4386f6f9013f6f66e193161fc471935ed5655f7d6f6dc2f325daab6d6a6b0b27f6ba220f4c5c8a8002275587d0dfc7187f1520726c0629

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\setuox63.exe

Filesize
1.6MB

MD5
0874189f078f8e3fcb59e2900e078b7e

SHA1
ff1638a53e3a403c1e63245fef1f3775b67bfd37

SHA256
5cef817d00f7176aaff7d48722b45d82a0587e010655f9c678e75be7beedde77

SHA512
2cfb391365a1ebc94f4386f6f9013f6f66e193161fc471935ed5655f7d6f6dc2f325daab6d6a6b0b27f6ba220f4c5c8a8002275587d0dfc7187f1520726c0629

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\nNC0F21PVf7hKUD.exe

Filesize
1.6MB

MD5
0874189f078f8e3fcb59e2900e078b7e

SHA1
ff1638a53e3a403c1e63245fef1f3775b67bfd37

SHA256
5cef817d00f7176aaff7d48722b45d82a0587e010655f9c678e75be7beedde77

SHA512
2cfb391365a1ebc94f4386f6f9013f6f66e193161fc471935ed5655f7d6f6dc2f325daab6d6a6b0b27f6ba220f4c5c8a8002275587d0dfc7187f1520726c0629

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\nNC0F21PVf7hKUD.exe

Filesize
1.6MB

MD5
0874189f078f8e3fcb59e2900e078b7e

SHA1
ff1638a53e3a403c1e63245fef1f3775b67bfd37

SHA256
5cef817d00f7176aaff7d48722b45d82a0587e010655f9c678e75be7beedde77

SHA512
2cfb391365a1ebc94f4386f6f9013f6f66e193161fc471935ed5655f7d6f6dc2f325daab6d6a6b0b27f6ba220f4c5c8a8002275587d0dfc7187f1520726c0629

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\buildntai1.exe

Filesize
467KB

MD5
df0c22316b7b50ee84b60b201fb837ae

SHA1
081aef95af7a81682d2c882b91b299cc63efcf2e

SHA256
05e67c0721526e7dd9b6ef6cdc391d656399d9346b0e9e7e563c160fd0c4fa79

SHA512
377f9b758c8d1d61ad04b56919581a055f5c61aae9edd5bcd19279e321819a3a42cd406c714f1dfdfb0c4f7ea10d277259cde13842a2870b5ea8ac7f449e876e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\buildntai1.exe

Filesize
467KB

MD5
df0c22316b7b50ee84b60b201fb837ae

SHA1
081aef95af7a81682d2c882b91b299cc63efcf2e

SHA256
05e67c0721526e7dd9b6ef6cdc391d656399d9346b0e9e7e563c160fd0c4fa79

SHA512
377f9b758c8d1d61ad04b56919581a055f5c61aae9edd5bcd19279e321819a3a42cd406c714f1dfdfb0c4f7ea10d277259cde13842a2870b5ea8ac7f449e876e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\buildntai1.exe

Filesize
467KB

MD5
df0c22316b7b50ee84b60b201fb837ae

SHA1
081aef95af7a81682d2c882b91b299cc63efcf2e

SHA256
05e67c0721526e7dd9b6ef6cdc391d656399d9346b0e9e7e563c160fd0c4fa79

SHA512
377f9b758c8d1d61ad04b56919581a055f5c61aae9edd5bcd19279e321819a3a42cd406c714f1dfdfb0c4f7ea10d277259cde13842a2870b5ea8ac7f449e876e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6757254.exe

Filesize
432KB

MD5
27a21d62aeca775d9e9592d44f631172

SHA1
91075c7d188d4d3ccd8aa5d0899dc50d6dbbfbc7

SHA256
f30a9b994c591abf4559275c3850e1746b421b33f0d2e8d2ebb3bc850c802449

SHA512
e3f4de7dd1ff43dff3c63b2263d24ced32949e44669d89a74e7f7c124ba6c8efee994ccd385a761e2873dd978e4be4c2356e9e8874f0a13e77a2edf9e85016d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6757254.exe

Filesize
432KB

MD5
27a21d62aeca775d9e9592d44f631172

SHA1
91075c7d188d4d3ccd8aa5d0899dc50d6dbbfbc7

SHA256
f30a9b994c591abf4559275c3850e1746b421b33f0d2e8d2ebb3bc850c802449

SHA512
e3f4de7dd1ff43dff3c63b2263d24ced32949e44669d89a74e7f7c124ba6c8efee994ccd385a761e2873dd978e4be4c2356e9e8874f0a13e77a2edf9e85016d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s6090394.exe

Filesize
176KB

MD5
e3c5437d5947e3c14b3ca0d7b9827034

SHA1
61b7c7448014ff415b4936b60f1e8623daf79193

SHA256
6f090debc376f9699a7636c5ec3a7549f85e0a5a3680e47a02a04c9c2baf086c

SHA512
c4780437a710d3d98bf194a4f50da3c74a0de0aaaf4727c9ab162d3d508645899f5c5cabfa3e4fe73e88a747c8541d328c255b3aade8b1838fa1a62515584e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s6090394.exe

Filesize
176KB

MD5
e3c5437d5947e3c14b3ca0d7b9827034

SHA1
61b7c7448014ff415b4936b60f1e8623daf79193

SHA256
6f090debc376f9699a7636c5ec3a7549f85e0a5a3680e47a02a04c9c2baf086c

SHA512
c4780437a710d3d98bf194a4f50da3c74a0de0aaaf4727c9ab162d3d508645899f5c5cabfa3e4fe73e88a747c8541d328c255b3aade8b1838fa1a62515584e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6601469.exe

Filesize
277KB

MD5
261f9b027da51882ef851296cba75fd3

SHA1
e2ccf2ff79546b5359a7545d1ac606fd15ff4c08

SHA256
30b9a11000b9d786fddb42855258d83d50a22a38b9c733429faaf2069e305f2b

SHA512
f74e01fe39836b4f80826fd57b279c21ec2c9819746e4acbc727ebdc8f9d99744b48c7cab307e1072b3650815dfeb9e6c84f94e5353ae85b003b67f868e9e019

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6601469.exe

Filesize
277KB

MD5
261f9b027da51882ef851296cba75fd3

SHA1
e2ccf2ff79546b5359a7545d1ac606fd15ff4c08

SHA256
30b9a11000b9d786fddb42855258d83d50a22a38b9c733429faaf2069e305f2b

SHA512
f74e01fe39836b4f80826fd57b279c21ec2c9819746e4acbc727ebdc8f9d99744b48c7cab307e1072b3650815dfeb9e6c84f94e5353ae85b003b67f868e9e019

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7449948.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7449948.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r4397453.exe

Filesize
313KB

MD5
2c1528a6992ce0ac3a41d0da5cf846ba

SHA1
c315a74e85861b7abd2b9f213982f536a018a63d

SHA256
b269720acebdba99f8294306dfe575089c8e915af45556e49f82a9d7f1460742

SHA512
f6675f6260e335f7e8001808070e446cefa84460ef3b9d6dd6b9dbee5db6276af510944823a9de3ea23f9c879340772625b10e0fcfd6b6d9ba1c288dc0fa1341

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r4397453.exe

Filesize
313KB

MD5
2c1528a6992ce0ac3a41d0da5cf846ba

SHA1
c315a74e85861b7abd2b9f213982f536a018a63d

SHA256
b269720acebdba99f8294306dfe575089c8e915af45556e49f82a9d7f1460742

SHA512
f6675f6260e335f7e8001808070e446cefa84460ef3b9d6dd6b9dbee5db6276af510944823a9de3ea23f9c879340772625b10e0fcfd6b6d9ba1c288dc0fa1341

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
313KB

MD5
2c1528a6992ce0ac3a41d0da5cf846ba

SHA1
c315a74e85861b7abd2b9f213982f536a018a63d

SHA256
b269720acebdba99f8294306dfe575089c8e915af45556e49f82a9d7f1460742

SHA512
f6675f6260e335f7e8001808070e446cefa84460ef3b9d6dd6b9dbee5db6276af510944823a9de3ea23f9c879340772625b10e0fcfd6b6d9ba1c288dc0fa1341

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
313KB

MD5
2c1528a6992ce0ac3a41d0da5cf846ba

SHA1
c315a74e85861b7abd2b9f213982f536a018a63d

SHA256
b269720acebdba99f8294306dfe575089c8e915af45556e49f82a9d7f1460742

SHA512
f6675f6260e335f7e8001808070e446cefa84460ef3b9d6dd6b9dbee5db6276af510944823a9de3ea23f9c879340772625b10e0fcfd6b6d9ba1c288dc0fa1341

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
313KB

MD5
2c1528a6992ce0ac3a41d0da5cf846ba

SHA1
c315a74e85861b7abd2b9f213982f536a018a63d

SHA256
b269720acebdba99f8294306dfe575089c8e915af45556e49f82a9d7f1460742

SHA512
f6675f6260e335f7e8001808070e446cefa84460ef3b9d6dd6b9dbee5db6276af510944823a9de3ea23f9c879340772625b10e0fcfd6b6d9ba1c288dc0fa1341

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
313KB

MD5
2c1528a6992ce0ac3a41d0da5cf846ba

SHA1
c315a74e85861b7abd2b9f213982f536a018a63d

SHA256
b269720acebdba99f8294306dfe575089c8e915af45556e49f82a9d7f1460742

SHA512
f6675f6260e335f7e8001808070e446cefa84460ef3b9d6dd6b9dbee5db6276af510944823a9de3ea23f9c879340772625b10e0fcfd6b6d9ba1c288dc0fa1341

Download Submit
memory/1112-377-0x00000000030E0000-0x00000000030F6000-memory.dmp

Filesize
88KB

Download
memory/2104-195-0x0000000000510000-0x000000000069F000-memory.dmp

Filesize
1.6MB

Download
memory/2104-198-0x0000000000510000-0x000000000069F000-memory.dmp

Filesize
1.6MB

Download
memory/3040-332-0x0000000002870000-0x0000000002885000-memory.dmp

Filesize
84KB

Download
memory/3040-384-0x0000000000400000-0x0000000002437000-memory.dmp

Filesize
32.2MB

Download
memory/3040-333-0x0000000002480000-0x0000000002489000-memory.dmp

Filesize
36KB

Download
memory/3040-328-0x0000000000400000-0x0000000002437000-memory.dmp

Filesize
32.2MB

Download
memory/3244-157-0x00007FFC7DDB0000-0x00007FFC7E871000-memory.dmp

Filesize
10.8MB

Download
memory/3244-155-0x00007FFC7DDB0000-0x00007FFC7E871000-memory.dmp

Filesize
10.8MB

Download
memory/3244-154-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/3328-177-0x0000000005890000-0x00000000058A2000-memory.dmp

Filesize
72KB

Download
memory/3328-178-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/3328-173-0x0000000000F00000-0x0000000000F30000-memory.dmp

Filesize
192KB

Download
memory/3328-175-0x0000000005E80000-0x0000000006498000-memory.dmp

Filesize
6.1MB

Download
memory/3328-174-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/3328-264-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/3328-179-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/3328-257-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/3328-176-0x0000000005970000-0x0000000005A7A000-memory.dmp

Filesize
1.0MB

Download
memory/3436-307-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/3436-385-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/3536-336-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/3536-265-0x0000000005790000-0x00000000057A0000-memory.dmp

Filesize
64KB

Download
memory/3536-263-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/3536-373-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/3536-371-0x0000000005790000-0x00000000057A0000-memory.dmp

Filesize
64KB

Download
memory/3536-256-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3588-238-0x0000000006660000-0x00000000066D6000-memory.dmp

Filesize
472KB

Download
memory/3588-226-0x0000000006880000-0x0000000006DAC000-memory.dmp

Filesize
5.2MB

Download
memory/3588-303-0x0000000008280000-0x00000000082D0000-memory.dmp

Filesize
320KB

Download
memory/3588-306-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/3588-229-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/3588-308-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/3588-214-0x0000000006180000-0x0000000006342000-memory.dmp

Filesize
1.8MB

Download
memory/3588-200-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/3588-199-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/3588-197-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3588-230-0x0000000006540000-0x00000000065D2000-memory.dmp

Filesize
584KB

Download
memory/3588-231-0x0000000007360000-0x0000000007904000-memory.dmp

Filesize
5.6MB

Download
memory/3588-335-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/3588-250-0x0000000006630000-0x000000000664E000-memory.dmp

Filesize
120KB

Download
memory/3980-282-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/3980-288-0x0000000005410000-0x0000000005466000-memory.dmp

Filesize
344KB

Download
memory/3980-286-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/3980-287-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/3980-374-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/3980-285-0x0000000005200000-0x000000000529C000-memory.dmp

Filesize
624KB

Download
memory/3980-283-0x00000000007C0000-0x000000000096C000-memory.dmp

Filesize
1.7MB

Download
memory/3980-383-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/4236-258-0x0000000000530000-0x000000000067F000-memory.dmp

Filesize
1.3MB

Download
memory/4252-337-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download