amadey | 9317179dc2c7aabc5092f39efeb13614de247aed1a11e9c9530ded9eaf75c6c3

Analysis

max time kernel
84s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

222KB
MD5

74373e8d3a11c2492024db10560a6bca
SHA1

9c0b3771dfae907fb741619b0daab3c3c46c4c27
SHA256

9317179dc2c7aabc5092f39efeb13614de247aed1a11e9c9530ded9eaf75c6c3
SHA512

a77239ba231896fa3c5f36ce6798b27e868fc480d63430fb40e27704a77285d244751e3aff696c9e22c996734919fe574853a5b4b39838550dc8e6e19a3ba293
SSDEEP

3072:c/ce/JtDZ71IvlffRMB/xlPqG5hrNh6WbdbtLBtOAy/D+AUV2Ed7bcdgjaaSpGqp:CceRtDZ7ulYDfjNhjdb7tOvZOo59p7

Score

10^/10

amadey redline smokeloader zgrat logsdiller cloud (tg: @logsdillabot)pub1 backdoor discovery infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

45.15.156.60:12050

Extracted

Family

amadey

Version

4.17

http://185.196.10.34

Attributes

install_dir
eff1401c19
install_file
Dctooux.exe
strings_key
6e23b5eadc27bb0b2eaebdd4fed1beb2
url_paths
/b8sdjsdkS/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 28 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2724-73-0x0000000005280000-0x000000000534A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-75-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-77-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-80-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-82-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-84-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-86-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-88-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-90-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-92-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-94-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-96-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-98-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-100-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-102-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-104-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-106-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-108-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-110-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-112-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-114-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-116-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-118-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-120-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-122-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-124-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/2724-126-0x0000000005280000-0x0000000005343000-memory.dmp	family_zgrat_v1
behavioral2/memory/3288-2094-0x000001EDA4FD0000-0x000001EDA510C000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/32-43-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

pid process

3472
Executes dropped EXE 6 IoCs

Processes:

1E51.exe3A17.exe53BB.exeAB80.exeAB80.exeAB80.exe

pid process

4152 1E51.exe
2392 3A17.exe
440 53BB.exe
2724 AB80.exe
4948 AB80.exe
552 AB80.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

53BB.exeAB80.exe

description pid process target process

PID 440 set thread context of 32 440 53BB.exe RegAsm.exe
PID 2724 set thread context of 552 2724 AB80.exe AB80.exe
Drops file in Windows directory 1 IoCs

Processes:

AB80.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job AB80.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3472

pid	process
4152	1E51.exe
2392	3A17.exe
440	53BB.exe
2724	AB80.exe
4948	AB80.exe
552	AB80.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

description	pid	process	target process
PID 440 set thread context of 32	440	53BB.exe	RegAsm.exe
PID 2724 set thread context of 552	2724	AB80.exe	AB80.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	AB80.exe

Checks SCSI registry key(s) 3 TTPs 42 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exefile.exe1E51.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1E51.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1E51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1E51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Modifies registry class 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3073191680-435865314-2862784915-1000\{3CD7064E-3A19-4322-9256-7B9497181B0C}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
1248	file.exe
1248	file.exe
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

file.exe1E51.exe

pid process

1248 file.exe
4152 1E51.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

RegAsm.exeAB80.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	32	RegAsm.exe
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeDebugPrivilege	2724	AB80.exe
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeCreatePagefilePrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeCreatePagefilePrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeCreatePagefilePrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeCreatePagefilePrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeCreatePagefilePrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeCreatePagefilePrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeCreatePagefilePrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeCreatePagefilePrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeCreatePagefilePrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeCreatePagefilePrivilege	2172	explorer.exe
Token: SeShutdownPrivilege	2172	explorer.exe
Token: SeCreatePagefilePrivilege	2172	explorer.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

explorer.exeAB80.exe

pid	process
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
552	AB80.exe
2172	explorer.exe
2172	explorer.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

explorer.exe

pid	process
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe
2172	explorer.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

53BB.exeAB80.exe

description	pid	process	target process
PID 3472 wrote to memory of 4152	3472		1E51.exe
PID 3472 wrote to memory of 4152	3472		1E51.exe
PID 3472 wrote to memory of 4152	3472		1E51.exe
PID 3472 wrote to memory of 2392	3472		3A17.exe
PID 3472 wrote to memory of 2392	3472		3A17.exe
PID 3472 wrote to memory of 2392	3472		3A17.exe
PID 3472 wrote to memory of 440	3472		53BB.exe
PID 3472 wrote to memory of 440	3472		53BB.exe
PID 3472 wrote to memory of 440	3472		53BB.exe
PID 440 wrote to memory of 32	440	53BB.exe	RegAsm.exe
PID 440 wrote to memory of 32	440	53BB.exe	RegAsm.exe
PID 440 wrote to memory of 32	440	53BB.exe	RegAsm.exe
PID 440 wrote to memory of 32	440	53BB.exe	RegAsm.exe
PID 440 wrote to memory of 32	440	53BB.exe	RegAsm.exe
PID 440 wrote to memory of 32	440	53BB.exe	RegAsm.exe
PID 440 wrote to memory of 32	440	53BB.exe	RegAsm.exe
PID 440 wrote to memory of 32	440	53BB.exe	RegAsm.exe
PID 3472 wrote to memory of 2724	3472		AB80.exe
PID 3472 wrote to memory of 2724	3472		AB80.exe
PID 3472 wrote to memory of 2724	3472		AB80.exe
PID 2724 wrote to memory of 4948	2724	AB80.exe	AB80.exe
PID 2724 wrote to memory of 4948	2724	AB80.exe	AB80.exe
PID 2724 wrote to memory of 4948	2724	AB80.exe	AB80.exe
PID 2724 wrote to memory of 552	2724	AB80.exe	AB80.exe
PID 2724 wrote to memory of 552	2724	AB80.exe	AB80.exe
PID 2724 wrote to memory of 552	2724	AB80.exe	AB80.exe
PID 2724 wrote to memory of 552	2724	AB80.exe	AB80.exe
PID 2724 wrote to memory of 552	2724	AB80.exe	AB80.exe
PID 2724 wrote to memory of 552	2724	AB80.exe	AB80.exe
PID 2724 wrote to memory of 552	2724	AB80.exe	AB80.exe
PID 2724 wrote to memory of 552	2724	AB80.exe	AB80.exe
PID 2724 wrote to memory of 552	2724	AB80.exe	AB80.exe
PID 2724 wrote to memory of 552	2724	AB80.exe	AB80.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1248

C:\Users\Admin\AppData\Local\Temp\1E51.exe
C:\Users\Admin\AppData\Local\Temp\1E51.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4152

C:\Users\Admin\AppData\Local\Temp\3A17.exe
C:\Users\Admin\AppData\Local\Temp\3A17.exe
1⤵
- Executes dropped EXE
PID:2392

C:\Users\Admin\AppData\Local\Temp\53BB.exe
C:\Users\Admin\AppData\Local\Temp\53BB.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Users\Admin\AppData\Local\Temp\AB80.exe
C:\Users\Admin\AppData\Local\Temp\AB80.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\AB80.exe
C:\Users\Admin\AppData\Local\Temp\AB80.exe
2⤵
- Executes dropped EXE
PID:4948

C:\Users\Admin\AppData\Local\Temp\AB80.exe
C:\Users\Admin\AppData\Local\Temp\AB80.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:552

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2172

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4100

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4420

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3592

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4252

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4908

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3616

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2512

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3012

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
1⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
2⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
2⤵
PID:2076

C:\Users\Admin\AppData\Roaming\1000008000\Oscrcelw.exe
"C:\Users\Admin\AppData\Roaming\1000008000\Oscrcelw.exe"
3⤵
PID:3288

C:\Users\Admin\AppData\Roaming\fiirtdc
C:\Users\Admin\AppData\Roaming\fiirtdc
1⤵
PID:4128

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4552

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3292

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:824

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4296

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:412

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5040

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
13257e40f392766b28ca260a1a7e304a

SHA1
e1965dd778bf9ab13f58b32952b0a28b12109370

SHA256
3382cb26f535244e0fc99b96966948b9aaa9081662960038527dbfb64fcc5644

SHA512
fd2e4809cd2eb83bc83d4c18edd64ae2cb4c3324541220c15fb5a2cd96ad90771f82e2efbebd5452372830d610f2abd2cdf77f49c62c545cb31b52d67e768551

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
ac2de6c6adb2a5dd5307dc244544b6ba

SHA1
758264f273173d5c05c66af8a4df34d1c2827299

SHA256
b9b30a4acc52dfba442d403854b4604430bc043a814ccd161f008ede76a46959

SHA512
b922a31afd7479e03ea5c6a8a2c21b7d46371a54dcc16dfae4b5ec935068a2b357273189f04eb173ef1a8a3225be027fa5fb26b0f903d7544ffb21c0df8b202c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\0A55C1OB\microsoft.windows[1].xml
Filesize
97B

MD5
291a3f3ebf21195c8af7c2f120ca4dfc

SHA1
1cade2dac000db3bca92e2daee371beffd2c0bee

SHA256
fbe32bda6ca669397ca6d02b329f235aee87a8f36b09a589548e969c19cb78de

SHA512
ed2dea282f97d25171e0e95fe718103e04e37f13a1edf79373af204ac344cdb9a0fca34d82e45d3475a9845ee92644a99a1c2733f8858fe384e3b6958331f287

Download Submit
C:\Users\Admin\AppData\Local\Temp\073191680435
Filesize
75KB

MD5
56eabce50757388e90b4eedb1b28f4ae

SHA1
0b0e7ee20aa999144ff039e2546e54e5026736ba

SHA256
8a421e25011bf7643cce59ffbddd5bb209acd86971e6ae4db26e19eae55c7046

SHA512
d5ef3e6378c45b22d0da2b29f626e6fd6f30b9ae93d0720150efdf6c41e50954ef1cc35e060f915c66eba35fdc2c928407a8c3281b1a1fddd6b8804c62d5b4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E51.exe
Filesize
222KB

MD5
74373e8d3a11c2492024db10560a6bca

SHA1
9c0b3771dfae907fb741619b0daab3c3c46c4c27

SHA256
9317179dc2c7aabc5092f39efeb13614de247aed1a11e9c9530ded9eaf75c6c3

SHA512
a77239ba231896fa3c5f36ce6798b27e868fc480d63430fb40e27704a77285d244751e3aff696c9e22c996734919fe574853a5b4b39838550dc8e6e19a3ba293

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A17.exe
Filesize
5.3MB

MD5
2b82eb950c4b07624724358abaee1e17

SHA1
35b7e43f3e60c7c9423773458715f65d010c854e

SHA256
883e014f638041cc942d1125a65846156b6a0af20f3a27883817ecc2ab0d6727

SHA512
2099a58cfd73290572793c6a9f36b5f3fdb20117eb601dfd7f62246465901cc56449c6a5e6a852a383d7a44534221aca91405ef2a6f96c76ad30ad82f16f24af

Download Submit
C:\Users\Admin\AppData\Local\Temp\53BB.exe
Filesize
380KB

MD5
d9ec192c82b59ae4dfae55218b19530f

SHA1
d7170975baf5f27ea0591a33f45cddb63574ac94

SHA256
52c5799b3c93ca11e9953e8a5712a82dd08b6cb0c17ff90cb1d2cb104411e7d4

SHA512
7ed6906f71ac045b2a4732935995abdfde68d88fe6041b19f114dfb95fb943450d5cbfbf1d185d3a2febb29c7d3493b9c1247a84925a5e7af41e1c710cc77838

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB80.exe
Filesize
763KB

MD5
14f7c4b98e2c837e555d030bfbe740c4

SHA1
695e50ac70754d449445343764d8a0c339323a04

SHA256
585892aac1dd2104c9dc5badf75efbc0d5f363456c084741af5e251402473de0

SHA512
c72065546378ea95362d370b6e5fe6aa75e197c2a156193057f6ffe0f4c010ad3a2d7b6d024b02f7aee91b97dd6740833911107bcdb8a7fae2316e0ef8228cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
Filesize
704KB

MD5
36e62b3ceb6564b3ed7454613c0964a4

SHA1
76c5ce2c4fea02cc18d936f23c121cb16163b4ce

SHA256
9dd5e5b8a8e391b6949332815e9114a74e7a9afa821d1c6ca396689501c1dcce

SHA512
f209b92441d1428c2ecbc18857435320b05cfc96da539f960f2029ba6cd3cb61e0fbe4abc234c6de5051906127e4a65de8bb28fb3471f9396229047d445523bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
Filesize
192KB

MD5
4c09c666667d3b6568822fe4d5ad15df

SHA1
0b73a897045a24cc2c4fba6cefc9f97b89ae9388

SHA256
911557804a5c5f89edac74863861c628a136caa5ee053ec9be66cee419e800fe

SHA512
6baf17d1d1b38254f7d2e1bf9dc391ebebc62b5c9f1660c7817a095cdf26fdc35cc7de2c6d5cb39c1f741592f8a2a52518f608d7e2c4b304f90c3ee5da25c688

Download Submit
C:\Users\Admin\AppData\Roaming\1000008000\Oscrcelw.exe
Filesize
1.2MB

MD5
302ac1d64dabebfeb1ecb1ddbd1f46b0

SHA1
3b44fc274eeb6b20282586f478ead732cfc74ddf

SHA256
003552c7c95845ab8bd7638e9c3365607701aff4d82220154debf9f8559171ee

SHA512
d6a6d54f66603aea20d8af271f406ca164a441d43baff316fb0f986fbb95416238484a79ffe740de5689e829716dac078fad4225bc74bb433c1d2e61e6d4cb2f

Download Submit
C:\Users\Admin\AppData\Roaming\1000008000\Oscrcelw.exe
Filesize
832KB

MD5
08f7f5c1671630595e2300d1c6e0fef7

SHA1
9753ca554af27152adf7b30e81ac5a95471c6b77

SHA256
548cd0a48745fb1521b4df18738fde2ab5a075856cc9e8043fe8fc7f0e81ba39

SHA512
2e457c684d7aebb974aaf82c027bc342aba84b38c5246142d13cb35819b3b128cea09346dd1eb8c86d6453b8ccbd438d3e03e7cd86aee97aa93e9d9d7d895b6a

Download Submit
C:\Users\Admin\AppData\Roaming\1000008000\Oscrcelw.exe
Filesize
640KB

MD5
2192f87de737892f51609c60a13aecfb

SHA1
374399186e3e1349aa437d8f3e90cfe35872f9f2

SHA256
a23129e935fd968f22e00f214aa826d5f28356911a5e281e47f15f42e9dfee20

SHA512
eea7226e51517295312375b0831c50a86ceb86916b0ebe78d550af61c09f355e53ece9244560c83b7aa2df059dfbd54237d851011db7b554ddfb058e30360646

Download Submit
memory/32-52-0x0000000005550000-0x000000000555A000-memory.dmp

Filesize
40KB

Download
memory/32-50-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/32-63-0x00000000085E0000-0x0000000008B0C000-memory.dmp

Filesize
5.2MB

Download
memory/32-62-0x0000000007EE0000-0x00000000080A2000-memory.dmp

Filesize
1.8MB

Download
memory/32-74-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/32-60-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/32-43-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/32-57-0x00000000059A0000-0x00000000059EC000-memory.dmp

Filesize
304KB

Download
memory/32-56-0x0000000005820000-0x000000000585C000-memory.dmp

Filesize
240KB

Download
memory/32-48-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/32-49-0x0000000005A90000-0x0000000006034000-memory.dmp

Filesize
5.6MB

Download
memory/32-64-0x00000000083B0000-0x0000000008400000-memory.dmp

Filesize
320KB

Download
memory/32-51-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/32-55-0x00000000057C0000-0x00000000057D2000-memory.dmp

Filesize
72KB

Download
memory/32-53-0x0000000006660000-0x0000000006C78000-memory.dmp

Filesize
6.1MB

Download
memory/32-54-0x0000000005890000-0x000000000599A000-memory.dmp

Filesize
1.0MB

Download
memory/440-46-0x0000000002540000-0x0000000004540000-memory.dmp

Filesize
32.0MB

Download
memory/440-47-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/440-76-0x0000000002540000-0x0000000004540000-memory.dmp

Filesize
32.0MB

Download
memory/440-40-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/440-39-0x0000000000030000-0x0000000000094000-memory.dmp

Filesize
400KB

Download
memory/440-38-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/552-1019-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/552-1032-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1228-1083-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/1228-2052-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/1228-1082-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/1228-2045-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1248-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1248-8-0x00000000005A0000-0x00000000005AB000-memory.dmp

Filesize
44KB

Download
memory/1248-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1248-2-0x00000000005A0000-0x00000000005AB000-memory.dmp

Filesize
44KB

Download
memory/1248-1-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/2076-2054-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2392-61-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2392-32-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2392-29-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2392-58-0x0000000000EA0000-0x0000000001754000-memory.dmp

Filesize
8.7MB

Download
memory/2392-27-0x0000000000EA0000-0x0000000001754000-memory.dmp

Filesize
8.7MB

Download
memory/2392-30-0x0000000000EA0000-0x0000000001754000-memory.dmp

Filesize
8.7MB

Download
memory/2392-33-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2724-84-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-90-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-96-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-98-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-100-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-102-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-104-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-106-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-108-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-110-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-112-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-114-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-116-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-118-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-120-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-122-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-124-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-126-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-1009-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/2724-1010-0x0000000005400000-0x0000000005460000-memory.dmp

Filesize
384KB

Download
memory/2724-1011-0x0000000005460000-0x00000000054AC000-memory.dmp

Filesize
304KB

Download
memory/2724-1018-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/2724-92-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-94-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-88-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-86-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-82-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-80-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-78-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/2724-77-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-75-0x0000000005280000-0x0000000005343000-memory.dmp

Filesize
780KB

Download
memory/2724-73-0x0000000005280000-0x000000000534A000-memory.dmp

Filesize
808KB

Download
memory/2724-72-0x0000000005190000-0x0000000005258000-memory.dmp

Filesize
800KB

Download
memory/2724-71-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/2724-69-0x00000000008A0000-0x0000000000966000-memory.dmp

Filesize
792KB

Download
memory/3288-2094-0x000001EDA4FD0000-0x000001EDA510C000-memory.dmp

Filesize
1.2MB

Download
memory/3288-2090-0x000001ED8A810000-0x000001ED8A946000-memory.dmp

Filesize
1.2MB

Download
memory/3288-2091-0x00007FFA765F0000-0x00007FFA770B1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-2093-0x000001EDA4E80000-0x000001EDA4E90000-memory.dmp

Filesize
64KB

Download
memory/3288-2092-0x000001EDA4E90000-0x000001EDA4FCA000-memory.dmp

Filesize
1.2MB

Download
memory/3472-19-0x0000000007E10000-0x0000000007E26000-memory.dmp

Filesize
88KB

Download
memory/3472-4-0x0000000006C20000-0x0000000006C36000-memory.dmp

Filesize
88KB

Download
memory/4128-2056-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/4128-2057-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4128-2479-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4152-17-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/4152-18-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4152-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download