healer | e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea

Resubmissions

12-02-2024 15:14

240212-smedwaae93 10

18-01-2024 16:04

27-11-2023 17:24

27-11-2023 17:23

07-09-2023 17:34

07-09-2023 17:29

Analysis

max time kernel
126s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2023 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe
Size

473KB
MD5

5ae1281ef3fd32f975133cd880be9ba8
SHA1

11f3e8bfb5443fe516ff6922e72ae005e1431e13
SHA256

e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea
SHA512

c7a2df58fc7b97ed642b4671ea2af9573ea9f6e8806c3251703b4d594a24a0463380eafcb7757dc4d732655c5f08d28776cf6d0e5597ea2377463c106de4e587
SSDEEP

12288:zMr0y904pAEvdXQzqmrQAQlMmHeNwwrGfI:XyxTNQzdZanQwwrGfI

Score

10^/10

healer redline mrak bootkit dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000022e40-19.dat	healer
behavioral1/files/0x0007000000022e40-20.dat	healer
behavioral1/memory/936-21-0x0000000000630000-0x000000000063A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g5140893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g5140893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g5140893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g5140893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	g5140893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g5140893.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 14 IoCs

pid	Process
520	x8180539.exe
4760	x8801353.exe
936	g5140893.exe
3084	i5032787.exe
4052	MEMZ.exe
5064	MEMZ.exe
3076	MEMZ.exe
5352	MEMZ.exe
5484	MEMZ.exe
5516	MEMZ.exe
5556	MEMZ.exe
5584	MEMZ.exe
5628	MEMZ.exe
5704	MEMZ.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	g5140893.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8180539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8801353.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
936	g5140893.exe
936	g5140893.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe
5484	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	936	g5140893.exe
Token: SeDebugPrivilege	3008	firefox.exe
Token: SeDebugPrivilege	3008	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe
5516	MEMZ.exe
5556	MEMZ.exe
5584	MEMZ.exe
5628	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 520	3976	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	84
PID 3976 wrote to memory of 520	3976	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	84
PID 3976 wrote to memory of 520	3976	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	84
PID 520 wrote to memory of 4760	520	x8180539.exe	86
PID 520 wrote to memory of 4760	520	x8180539.exe	86
PID 520 wrote to memory of 4760	520	x8180539.exe	86
PID 4760 wrote to memory of 936	4760	x8801353.exe	87
PID 4760 wrote to memory of 936	4760	x8801353.exe	87
PID 4760 wrote to memory of 3084	4760	x8801353.exe	94
PID 4760 wrote to memory of 3084	4760	x8801353.exe	94
PID 4760 wrote to memory of 3084	4760	x8801353.exe	94
PID 4032 wrote to memory of 3008	4032	firefox.exe	99
PID 4032 wrote to memory of 3008	4032	firefox.exe	99
PID 4032 wrote to memory of 3008	4032	firefox.exe	99
PID 4032 wrote to memory of 3008	4032	firefox.exe	99
PID 4032 wrote to memory of 3008	4032	firefox.exe	99
PID 4032 wrote to memory of 3008	4032	firefox.exe	99
PID 4032 wrote to memory of 3008	4032	firefox.exe	99
PID 4032 wrote to memory of 3008	4032	firefox.exe	99
PID 4032 wrote to memory of 3008	4032	firefox.exe	99
PID 4032 wrote to memory of 3008	4032	firefox.exe	99
PID 4032 wrote to memory of 3008	4032	firefox.exe	99
PID 3008 wrote to memory of 3836	3008	firefox.exe	101
PID 3008 wrote to memory of 3836	3008	firefox.exe	101
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102
PID 3008 wrote to memory of 2828	3008	firefox.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe
"C:\Users\Admin\AppData\Local\Temp\JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:936
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe
      4⤵
      Executes dropped EXE
      PID:3084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.0.1334881036\403976186" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1868 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdd17050-4c0c-4bc5-9034-3d0348f40d04} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 1976 1fa195ce158 gpu
    3⤵
    PID:3836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.1.351620126\1397881884" -parentBuildID 20221007134813 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbc076c1-ea5e-4323-87d0-b565c9d1fb23} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 2380 1fa1912f558 socket
    3⤵
    PID:2828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.2.1724290852\1029704728" -childID 1 -isForBrowser -prefsHandle 3152 -prefMapHandle 3168 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {963526fa-3ed0-41a0-a0bf-83975b30c97f} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 2808 1fa1d68dd58 tab
    3⤵
    PID:3128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.3.1253443683\372318167" -childID 2 -isForBrowser -prefsHandle 1268 -prefMapHandle 904 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8f9af53-1fbb-4c25-a24d-6f3ea67d3f55} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 1040 1fa1e42a158 tab
    3⤵
    PID:1376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.4.421526439\171377292" -childID 3 -isForBrowser -prefsHandle 3752 -prefMapHandle 3748 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {303f8712-5108-453c-94e5-56c31645382f} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 3760 1fa1cf7eb58 tab
    3⤵
    PID:3556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.5.845967827\1792765082" -childID 4 -isForBrowser -prefsHandle 5096 -prefMapHandle 5084 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc8bcf64-b620-4410-b79a-faa46faef1aa} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 5108 1fa1f5fb058 tab
    3⤵
    PID:4556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.7.2017436448\290344484" -childID 6 -isForBrowser -prefsHandle 5472 -prefMapHandle 5476 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac5d2cfb-639a-42a6-a9f6-6c6c7e652b49} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 5464 1fa1fa78458 tab
    3⤵
    PID:4820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.6.1924576088\969194800" -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d346b83-253d-403c-83d9-4d507aa46b63} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 5256 1fa1fa77b58 tab
    3⤵
    PID:4052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.8.2095685089\231415250" -childID 7 -isForBrowser -prefsHandle 5968 -prefMapHandle 5964 -prefsLen 26656 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {849c025a-c261-4078-8285-94a945eddeca} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 5976 1fa213e7058 tab
    3⤵
    PID:3860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.9.12339542\1135108392" -parentBuildID 20221007134813 -prefsHandle 3304 -prefMapHandle 2520 -prefsLen 26831 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3441e59e-f9ec-4ba5-906e-e4e7d4ef24f7} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 3352 1fa21b40e58 rdd
    3⤵
    PID:5720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.10.1875100564\353651233" -childID 8 -isForBrowser -prefsHandle 4264 -prefMapHandle 1284 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d86cb255-c0e4-4aa1-aa60-361abd17d44e} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 3548 1fa21b40258 tab
    3⤵
    PID:5744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.11.525982300\233090910" -childID 9 -isForBrowser -prefsHandle 5400 -prefMapHandle 4740 -prefsLen 27096 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9b4fa32-9188-48ca-af04-5d309c385977} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 4744 1fa21ef9f58 tab
    3⤵
    PID:3052
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe"
    3⤵
    - Executes dropped EXE
    PID:4052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2140

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
1⤵
- Executes dropped EXE
PID:5064

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
1⤵
- Executes dropped EXE
PID:3076

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5352
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5484
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5516
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5556
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5584
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5628
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /main
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:5704
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f3zxqty5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
7d5b152f08e43850bdeeb595416cee7c

SHA1
93e22f5e743dc0f32a76e19ea808671e82d0aedf

SHA256
dec187e5806b00056cd8d025c5b397042942d5fb8db088ec7a3dacfe1ab6e96d

SHA512
448ec2e129e3e1323c0e710bcdedabcdbdf7e57d67c558448ded211dd847421ae41ca424e3d4dcfafa2a081941b0dee331528a374952dcf9b23732c38a4d1dcf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f3zxqty5.default-release\cache2\doomed\16038

Filesize
10KB

MD5
f4f75db68ff534bfaf0971557d31f5f0

SHA1
29cd710afb13f33490789298cad09b84ab5df513

SHA256
4e60557e2c9bd74c6e0a93889ce067ab8254dbf6305ca564caf78a8312a362a8

SHA512
87196c0b963ba4e9734e518296bdc900f1df1bd3fc6aa73a28c45f0fef59003f397915b18ed0f3f9aa7ce3eed892a916f4cc1870149b5ebe3c44cabeacbf21d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe

Filesize
371KB

MD5
77b13a3fd07083ce83966ad88c56783f

SHA1
f233315220091a448f740a6ad71cd7b45ecaae92

SHA256
5fb312ef2771f6e0870cb919e6cb40ff56b834c69054dd7c5890544a480493b8

SHA512
e030b9de4ba08956297af6ea1bf2539641f7960e0ef327ebdda5b7e39ba2171c9b50d028c8db18723ba15e0a8614197d56170fe9e569264bcecc8177861e825e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe

Filesize
371KB

MD5
77b13a3fd07083ce83966ad88c56783f

SHA1
f233315220091a448f740a6ad71cd7b45ecaae92

SHA256
5fb312ef2771f6e0870cb919e6cb40ff56b834c69054dd7c5890544a480493b8

SHA512
e030b9de4ba08956297af6ea1bf2539641f7960e0ef327ebdda5b7e39ba2171c9b50d028c8db18723ba15e0a8614197d56170fe9e569264bcecc8177861e825e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe

Filesize
206KB

MD5
ef4b98983a112ab0cd247faf227bd5e1

SHA1
6e117ab856666570dd067008aabe5fcd9f0735ac

SHA256
6639b1af65588c7bc5d7dfab64d99a84b64192d9553169a9abdf8c88862b1620

SHA512
adce7f277d3920e08bbb390933e626b3659afb2160e9dda88868a6af0728f078756d49b91867eb8b81c2850ef2c56ff914fc09f349d9081aa1ed736e7cfdc221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe

Filesize
206KB

MD5
ef4b98983a112ab0cd247faf227bd5e1

SHA1
6e117ab856666570dd067008aabe5fcd9f0735ac

SHA256
6639b1af65588c7bc5d7dfab64d99a84b64192d9553169a9abdf8c88862b1620

SHA512
adce7f277d3920e08bbb390933e626b3659afb2160e9dda88868a6af0728f078756d49b91867eb8b81c2850ef2c56ff914fc09f349d9081aa1ed736e7cfdc221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe

Filesize
12KB

MD5
9403417cabef4a164263a6d85bfddba5

SHA1
3c1f1b1c7e911b93933d8c116a6bfd305ce03d18

SHA256
7a1985041896a40c9846c64fe801d4e503f9471ab7a3e5ebd5d42ac843c579f9

SHA512
f6c6554d43f667592586f46e56274e0934e6b632016c49c2dd11b3214fd088c392532e8bede5fa911984613b7cf79f353151e5940a3c9fa9abd28455d7c65991

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe

Filesize
12KB

MD5
9403417cabef4a164263a6d85bfddba5

SHA1
3c1f1b1c7e911b93933d8c116a6bfd305ce03d18

SHA256
7a1985041896a40c9846c64fe801d4e503f9471ab7a3e5ebd5d42ac843c579f9

SHA512
f6c6554d43f667592586f46e56274e0934e6b632016c49c2dd11b3214fd088c392532e8bede5fa911984613b7cf79f353151e5940a3c9fa9abd28455d7c65991

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe

Filesize
176KB

MD5
486ce910a0924bb56ac5d8d7db61e7c0

SHA1
88139cdedbe75eb1441972b4bd5b498c1eb2e38c

SHA256
8511b1f1796c6bb4f49377a78b3cc1543f9f7ad0523e91df7cf4f5e6ddcc86b9

SHA512
0b277bae0dea7ba4543f32cbc6c084b1f23f47a74d9a01a2a0f3baf4d0ea99b7a7cf7a2a4af7110e0badc39400d0feb3963db1392e2bacefbcb8e2597c98f7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe

Filesize
176KB

MD5
486ce910a0924bb56ac5d8d7db61e7c0

SHA1
88139cdedbe75eb1441972b4bd5b498c1eb2e38c

SHA256
8511b1f1796c6bb4f49377a78b3cc1543f9f7ad0523e91df7cf4f5e6ddcc86b9

SHA512
0b277bae0dea7ba4543f32cbc6c084b1f23f47a74d9a01a2a0f3baf4d0ea99b7a7cf7a2a4af7110e0badc39400d0feb3963db1392e2bacefbcb8e2597c98f7e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\prefs-1.js

Filesize
7KB

MD5
6d7310c1e82f313d80b641566f31efde

SHA1
e76e793527d01e5097ef9be92db569ef7259390c

SHA256
fce23adfca84e32ccb2d5982af9118ad20549d6f8a19e2cf39e194f8aac6cfdf

SHA512
cd0b998ec327595f3a6cba0ed9d8d45f1692f2dae5ba984c36ca1ac282626da2489a42411672fb5570aa17a304641fd9b3093ac1ab3fc1026a6ab0638770ec16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\prefs-1.js

Filesize
6KB

MD5
5a2b977b684e326977c5bdb6f70c1851

SHA1
b57c361fff9ba9d9874494ef6ca6f25a9ce11bc5

SHA256
1c9be817e4057bf1170fc0cb90b0f1a810addca6d1eccc3e37037dbde1b3cdd5

SHA512
505abf97367db059fb7cb93f225888f4fffd46a367de5b9728a695188f87b3e4c91efec5f4a62a2d7c8e72b4314157efcfd4538eb9fbe37b9e395039d8a4f604

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
1e83b9a979600693e15d19ea714d4af9

SHA1
e8e0ff6924edd7df2e39145ffdd8a8279c0ca6a9

SHA256
04c5cceaac59214dbbe0b6f1e5284d7754b4c311bc6e99c992d1776972dabc91

SHA512
8cc7ce092e36cf00ded5cf695f55a696c485c5c8cf360a2e4ff1bfe45ba482cd5cc6eb600800df82b711cd5483175443280f255aa28e28cc001e784834ab931d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
f56ecc614cdc5f59e6a55fbfe6fd7059

SHA1
39344f4ed4644151c6d9f8cbe96c933b81a36937

SHA256
732335de1391acb0f51de86060f72a8c1ee57310a3c4d6d32af39c86222b8f0d

SHA512
69e94301f0d480ad6e0afff1a808b81c25063eb0d20a79a0d3bd8f629053e97e59524047166c90554e83b29167a10fcb7609e902ac799a3c1f608e7184313494

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
9f64f35e8886782d6203ed4366ba4ec1

SHA1
2652c6bc2d9c5ddb7e2e7b8e9445a5d5590cf620

SHA256
c44b89f2ff4dfe29b20575c5379bef6972fc62b7d5b5f9bb031950af26da3fe9

SHA512
cb4702dc8c12a12ab7155401099384c8d3380c4c45cf2bb9da8d4d2e24b0601a95519a23ba63fcaa204830b64422934c91019efce2a8033272de5adf0b47ef16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
696e953a88c303ad90f3e069eff2d116

SHA1
be1b70a90691e31456c002fbd213eac58e1b741b

SHA256
17100a189359b3197bee7b107e6d1a7d3c50e57260cf06cdfa07bbba9c549c3d

SHA512
89224f388f3c7af1f7a8ada753d446bdd8d9a6b073bbd3964ff99b69fa1b3f8fbf75e1f8631dd441eb67b47e7257ec7ce92fcbfd81db7c9763d3160a3e795f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
176KB

MD5
a097f5a69efc2172b4cd67d19b9d4c0c

SHA1
b7cf67abc8e749cc2c75eee7fd9fddd3a80f25fe

SHA256
789404e1e53990648c9403fbdb9e79dda737820c1099df289711ad68e0bad4e6

SHA512
2dea805d94b83503ebab9c348337af527e8bbf9965cbfd1b2b48e3935d260cb7a706150da50e40508109707c44ca97f81483fc79ad1f195cf2197da9b9c1a642

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/936-24-0x00007FF8954D0000-0x00007FF895F91000-memory.dmp

Filesize
10.8MB

Download
memory/936-21-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/936-22-0x00007FF8954D0000-0x00007FF895F91000-memory.dmp

Filesize
10.8MB

Download
memory/3084-71-0x0000000005770000-0x00000000057BC000-memory.dmp

Filesize
304KB

Download
memory/3084-249-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/3084-157-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/3084-28-0x0000000000D10000-0x0000000000D40000-memory.dmp

Filesize
192KB

Download
memory/3084-30-0x0000000002F40000-0x0000000002F46000-memory.dmp

Filesize
24KB

Download
memory/3084-66-0x0000000005730000-0x000000000576C000-memory.dmp

Filesize
240KB

Download
memory/3084-64-0x0000000005690000-0x00000000056A2000-memory.dmp

Filesize
72KB

Download
memory/3084-65-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/3084-57-0x0000000005800000-0x000000000590A000-memory.dmp

Filesize
1.0MB

Download
memory/3084-29-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/3084-41-0x0000000005D10000-0x0000000006328000-memory.dmp

Filesize
6.1MB

Download