nullmixer | 79d64ca8a0ebef312050fb2a06a68d246aa0acacb30764da9af8fdbc5f821d0a

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b54032fc01363b6a3dc2378196c4bc4c.exe
Size

4.8MB
MD5

b54032fc01363b6a3dc2378196c4bc4c
SHA1

c8d3b054ace51f4d59d5f774d690b92b672ac593
SHA256

79d64ca8a0ebef312050fb2a06a68d246aa0acacb30764da9af8fdbc5f821d0a
SHA512

b66b08e4323c430e7274c8dbb0ea75b1040d1b42191d92e7466c56900839e4f31301a058f0192ff7fc7287fd918e59c0b6d6ecdefb61d396c0c6176f91926571
SSDEEP

98304:yurQAZvwDAU9lMnvJ7Y1f8kPon/ox2agN1LwZ+x2vc8DHI9MdoB:yMEDflMnvmf8kPIoyN1LwEkPHI2w

Score

10^/10

nullmixer privateloader redline sectoprat smokeloader vidar 706 pub1 pub6 aspackv2 backdoor dropper infostealer loader persistence rat stealer trojan

Malware Config

Extracted

Family

nullmixer

http://sornx.xyz/

Extracted

Family

privateloader

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

redline

Botnet

pub1

viacetequn.site:80

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

vidar

Version

40.1

Botnet

706

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/memory/5080-109-0x0000000004BD0000-0x0000000004BF2000-memory.dmp	family_redline
behavioral2/memory/5080-117-0x0000000004DE0000-0x0000000004E00000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/5080-109-0x0000000004BD0000-0x0000000004BF2000-memory.dmp	family_sectoprat
behavioral2/memory/5080-117-0x0000000004DE0000-0x0000000004E00000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/612-151-0x0000000004110000-0x00000000041AD000-memory.dmp	family_vidar
behavioral2/memory/612-161-0x0000000000400000-0x0000000002402000-memory.dmp	family_vidar

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0008000000023206-53.dat	aspack_v212_v242
behavioral2/files/0x000700000002320f-59.dat	aspack_v212_v242
behavioral2/files/0x000700000002320f-61.dat	aspack_v212_v242
behavioral2/files/0x0008000000023206-57.dat	aspack_v212_v242
behavioral2/files/0x000700000002320d-55.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	b54032fc01363b6a3dc2378196c4bc4c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	Mon17a1622b32c19d79.exe

Executes dropped EXE 14 IoCs

pid	Process
4908	setup_installer.exe
4988	setup_install.exe
1408	Mon17a1622b32c19d79.exe
5008	Mon17adba8184e.exe
4620	Mon1729d1f65d.exe
2312	Mon176198e28ea2.exe
612	Mon1775222792.exe
4604	Mon1739ea489bd.exe
5080	Mon17fc3714aa3427.exe
1000	Mon179660fc887.exe
2604	Mon178e2a4bb3.exe
3756	Mon17a1622b32c19d79.exe
1876	Prendero.exe.com
2468	Prendero.exe.com

Loads dropped DLL 6 IoCs

pid	Process
4988	setup_install.exe
4988	setup_install.exe
4988	setup_install.exe
4988	setup_install.exe
4988	setup_install.exe
4988	setup_install.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Mon179660fc887.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2868	4988	WerFault.exe	92
4516	612	WerFault.exe	109

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon1729d1f65d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon1729d1f65d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon1729d1f65d.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2184	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3520	powershell.exe
3520	powershell.exe
4620	Mon1729d1f65d.exe
4620	Mon1729d1f65d.exe
3520	powershell.exe
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4620	Mon1729d1f65d.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	Mon17adba8184e.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	4604	Mon1739ea489bd.exe
Token: SeDebugPrivilege	5080	Mon17fc3714aa3427.exe
Token: SeShutdownPrivilege	3392	Process not Found
Token: SeCreatePagefilePrivilege	3392	Process not Found
Token: SeShutdownPrivilege	3392	Process not Found
Token: SeCreatePagefilePrivilege	3392	Process not Found
Token: SeShutdownPrivilege	3392	Process not Found
Token: SeCreatePagefilePrivilege	3392	Process not Found
Token: SeShutdownPrivilege	3392	Process not Found
Token: SeCreatePagefilePrivilege	3392	Process not Found
Token: SeShutdownPrivilege	3392	Process not Found
Token: SeCreatePagefilePrivilege	3392	Process not Found
Token: SeShutdownPrivilege	3392	Process not Found
Token: SeCreatePagefilePrivilege	3392	Process not Found
Token: SeShutdownPrivilege	3392	Process not Found
Token: SeCreatePagefilePrivilege	3392	Process not Found
Token: SeShutdownPrivilege	3392	Process not Found
Token: SeCreatePagefilePrivilege	3392	Process not Found
Token: SeShutdownPrivilege	3392	Process not Found
Token: SeCreatePagefilePrivilege	3392	Process not Found
Token: SeShutdownPrivilege	3392	Process not Found
Token: SeCreatePagefilePrivilege	3392	Process not Found
Token: SeShutdownPrivilege	3392	Process not Found
Token: SeCreatePagefilePrivilege	3392	Process not Found
Token: SeShutdownPrivilege	3392	Process not Found
Token: SeCreatePagefilePrivilege	3392	Process not Found

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1876	Prendero.exe.com
1876	Prendero.exe.com
1876	Prendero.exe.com
2468	Prendero.exe.com
2468	Prendero.exe.com
2468	Prendero.exe.com
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found
3392	Process not Found

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
1876	Prendero.exe.com
1876	Prendero.exe.com
1876	Prendero.exe.com
2468	Prendero.exe.com
2468	Prendero.exe.com
2468	Prendero.exe.com
3392	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3392	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 4908	4536	b54032fc01363b6a3dc2378196c4bc4c.exe	91
PID 4536 wrote to memory of 4908	4536	b54032fc01363b6a3dc2378196c4bc4c.exe	91
PID 4536 wrote to memory of 4908	4536	b54032fc01363b6a3dc2378196c4bc4c.exe	91
PID 4908 wrote to memory of 4988	4908	setup_installer.exe	92
PID 4908 wrote to memory of 4988	4908	setup_installer.exe	92
PID 4908 wrote to memory of 4988	4908	setup_installer.exe	92
PID 4988 wrote to memory of 4384	4988	setup_install.exe	95
PID 4988 wrote to memory of 4384	4988	setup_install.exe	95
PID 4988 wrote to memory of 4384	4988	setup_install.exe	95
PID 4988 wrote to memory of 3988	4988	setup_install.exe	96
PID 4988 wrote to memory of 3988	4988	setup_install.exe	96
PID 4988 wrote to memory of 3988	4988	setup_install.exe	96
PID 4988 wrote to memory of 3848	4988	setup_install.exe	97
PID 4988 wrote to memory of 3848	4988	setup_install.exe	97
PID 4988 wrote to memory of 3848	4988	setup_install.exe	97
PID 4988 wrote to memory of 1624	4988	setup_install.exe	98
PID 4988 wrote to memory of 1624	4988	setup_install.exe	98
PID 4988 wrote to memory of 1624	4988	setup_install.exe	98
PID 4988 wrote to memory of 1400	4988	setup_install.exe	99
PID 4988 wrote to memory of 1400	4988	setup_install.exe	99
PID 4988 wrote to memory of 1400	4988	setup_install.exe	99
PID 4988 wrote to memory of 3260	4988	setup_install.exe	100
PID 4988 wrote to memory of 3260	4988	setup_install.exe	100
PID 4988 wrote to memory of 3260	4988	setup_install.exe	100
PID 4988 wrote to memory of 3712	4988	setup_install.exe	101
PID 4988 wrote to memory of 3712	4988	setup_install.exe	101
PID 4988 wrote to memory of 3712	4988	setup_install.exe	101
PID 4988 wrote to memory of 316	4988	setup_install.exe	102
PID 4988 wrote to memory of 316	4988	setup_install.exe	102
PID 4988 wrote to memory of 316	4988	setup_install.exe	102
PID 4988 wrote to memory of 4968	4988	setup_install.exe	103
PID 4988 wrote to memory of 4968	4988	setup_install.exe	103
PID 4988 wrote to memory of 4968	4988	setup_install.exe	103
PID 4988 wrote to memory of 4836	4988	setup_install.exe	104
PID 4988 wrote to memory of 4836	4988	setup_install.exe	104
PID 4988 wrote to memory of 4836	4988	setup_install.exe	104
PID 3988 wrote to memory of 1408	3988	cmd.exe	106
PID 3988 wrote to memory of 1408	3988	cmd.exe	106
PID 3988 wrote to memory of 1408	3988	cmd.exe	106
PID 4836 wrote to memory of 5008	4836	cmd.exe	107
PID 4836 wrote to memory of 5008	4836	cmd.exe	107
PID 3848 wrote to memory of 4620	3848	cmd.exe	108
PID 3848 wrote to memory of 4620	3848	cmd.exe	108
PID 3848 wrote to memory of 4620	3848	cmd.exe	108
PID 4384 wrote to memory of 3520	4384	cmd.exe	105
PID 4384 wrote to memory of 3520	4384	cmd.exe	105
PID 4384 wrote to memory of 3520	4384	cmd.exe	105
PID 3260 wrote to memory of 5080	3260	cmd.exe	113
PID 3260 wrote to memory of 5080	3260	cmd.exe	113
PID 3260 wrote to memory of 5080	3260	cmd.exe	113
PID 3712 wrote to memory of 2312	3712	cmd.exe	114
PID 3712 wrote to memory of 2312	3712	cmd.exe	114
PID 3712 wrote to memory of 2312	3712	cmd.exe	114
PID 1400 wrote to memory of 612	1400	cmd.exe	109
PID 1400 wrote to memory of 612	1400	cmd.exe	109
PID 1400 wrote to memory of 612	1400	cmd.exe	109
PID 1624 wrote to memory of 2604	1624	cmd.exe	110
PID 1624 wrote to memory of 2604	1624	cmd.exe	110
PID 316 wrote to memory of 4604	316	cmd.exe	111
PID 316 wrote to memory of 4604	316	cmd.exe	111
PID 4968 wrote to memory of 1000	4968	cmd.exe	112
PID 4968 wrote to memory of 1000	4968	cmd.exe	112
PID 4968 wrote to memory of 1000	4968	cmd.exe	112
PID 1000 wrote to memory of 2984	1000	Mon179660fc887.exe	117

C:\Users\Admin\AppData\Local\Temp\b54032fc01363b6a3dc2378196c4bc4c.exe
"C:\Users\Admin\AppData\Local\Temp\b54032fc01363b6a3dc2378196c4bc4c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\7zSC2330977\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC2330977\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4384
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon17a1622b32c19d79.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3988
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon17a1622b32c19d79.exe
        
        Mon17a1622b32c19d79.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1408
      - C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon17a1622b32c19d79.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon17a1622b32c19d79.exe" -a
        6⤵
        Executes dropped EXE
        
        PID:3756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon1729d1f65d.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3848
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon1729d1f65d.exe
        
        Mon1729d1f65d.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon178e2a4bb3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon178e2a4bb3.exe
        
        Mon178e2a4bb3.exe
        5⤵
        Executes dropped EXE
        
        PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon1775222792.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon1775222792.exe
        
        Mon1775222792.exe
        5⤵
        Executes dropped EXE
        
        PID:612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 1060
        6⤵
        Program crash
        
        PID:4516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon17fc3714aa3427.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3260
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon17fc3714aa3427.exe
        
        Mon17fc3714aa3427.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon176198e28ea2.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3712
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon176198e28ea2.exe
        
        Mon176198e28ea2.exe
        5⤵
        Executes dropped EXE
        
        PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon1739ea489bd.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon1739ea489bd.exe
        
        Mon1739ea489bd.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon179660fc887.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon179660fc887.exe
        
        Mon179660fc887.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1000
      - C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        6⤵
        
        PID:2984
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Mummia.wmz
        6⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        7⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^utIhAQXzKFfZwKOfdWFWGYOHgvUbutPplngusOenUcoCKjfoSNGytadifqZtVmhGQyOCcHYBTuwlPjXeuMFabKtSouQdPYDxoCLEbNMlPtkXdusrrWXoUUouqWxgRHLUDGwhAaEzZcDzniBeO$" Pensavo.wmz
        8⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
        
        Prendero.exe.com z
        8⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com z
        9⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2468
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping DBXSZVGV -n 30
        8⤵
        Runs ping.exe
        
        PID:2184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon17adba8184e.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon17adba8184e.exe
        
        Mon17adba8184e.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 568
      4⤵
      Program crash
      PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4988 -ip 4988
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 612 -ip 612
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon1729d1f65d.exe

Filesize
273KB

MD5
3ef04768f662e3c02e9e8c8192d5afa1

SHA1
58371bb09f637e7d42c94f6365a434ca88b3874d

SHA256
b3fb54d410655eba5e22d8aec4876060a668377e0cdb10e66265ee09ff72e132

SHA512
07c0208061b2d03cecae2e0414bda700da07139bad62a078f9c873f0396c0ee005cf6f5eab4f299ecd48d2c90380f73a6565e419f42d95f4d968508858253ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon1739ea489bd.exe

Filesize
192KB

MD5
ea5d2a70de26a3f2ce92d1b02b2f3052

SHA1
66045b40d6aebc6a2930c76c6d492fb5fc81426f

SHA256
7abf7953b1532eec5dd50fb9098269a8cd7b65e9afc9d84031039ff9da63f909

SHA512
1437877ea36bf59eb74eef0415f820507fa55bb07b17b59679454e02a99bf48884bfdd0706175a168a005ce9a672b0fbdc904da7a35242402567f06bf22d322b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon176198e28ea2.exe

Filesize
1.5MB

MD5
df80b76857b74ae1b2ada8efb2a730ee

SHA1
5653be57533c6eb058fed4963a25a676488ef832

SHA256
5545c43eb14b0519ab997673efa379343f98d2b6b1578d9fdeb369234789f9dd

SHA512
060b04536003ce4a91e5847d487701eed7e093408e427198be552f0af37aee498929586f3a0110c78173873a28d95c6c0a4cdd01c7218274f5849a4730f9efdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon1775222792.exe

Filesize
608KB

MD5
42b6c78fd88e0ce139615ca4a975bfc7

SHA1
5ec215ade32285be9a6b3e73031a9e351a5e4fdb

SHA256
73da47aba40b72752b6562114348f823e70e33ef2a2eb5cb16c914e6feffe0d0

SHA512
a7368df6e22f42c1ab60599ab4ecf2eba1fac8def2a8c411491173c881bbfafd014eb11a97067da6fbd3ded2c0daa3ae0574d259d8e13f210ecf40f16e06e6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon178e2a4bb3.exe

Filesize
900KB

MD5
0a0d22f1c9179a67d04166de0db02dbb

SHA1
106e55bd898b5574f9bd33dac9f3c0b95cecd90d

SHA256
a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac

SHA512
8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon178e2a4bb3.exe

Filesize
576KB

MD5
8fe72a4f1f87915be1a1850323cc90ad

SHA1
6e1082b9922a547f9724f99403636214d84ea3c0

SHA256
07f66ef1ac859b1b730757e33682d081b3e0a99af2de5fce7f7a9d88da8956a6

SHA512
d23db20752f5eef9fdf953523527e72e5dc46d7a5f696aeaad73a7820dce16728a68b6a79c9caca85153f2ec382da4ab459168f6ec2c991b4d98d47de2b16d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon179660fc887.exe

Filesize
1.3MB

MD5
12b8842dded9134ad0cae031c4f06530

SHA1
c0ecd0ac8cf3e4851661f62fe283ecec0e6ca25e

SHA256
abd87ec324df8d74245e1671f21e832b563eb8dc3c13b1688a9e85a2f809fe17

SHA512
967d70105549641beaa3283c42143aac22e016c911f99ab1c7ef5b4eff2577790fc679a74af6d2df14e87c278762e2c39c96bbdeabeaa1b62fb9072f0baa1825

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon179660fc887.exe

Filesize
64KB

MD5
eaf7643a7a622513f6635d1b9132f958

SHA1
75c51ccc5d982b9019925665d53d82d93a218baa

SHA256
59ac7d5cc595f295f5b734075785a5dbfb17ff97b7935fde7b47cfd8d4449e10

SHA512
3d8f46cca6fcf69e8ba3e187736fc730ac533fbb4fbb81d18d34de5c6102bf28f582b370972ce850bdd076075b3266765c677c07df7e72b9b7b6ef85d7830e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon17a1622b32c19d79.exe

Filesize
56KB

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon17adba8184e.exe

Filesize
8KB

MD5
4ffcfe89a6f218943793ff6ea9bb5e79

SHA1
8ff66c6fe276857ba0ce6f533d383813e5ce6943

SHA256
710c8df4e791a0f4ac8a7351c0c718a6ddb685a3d57abfd2c064c398617bb9b1

SHA512
8c62a4e43657a7477acc630708205db74ecad794569408b7b0a57ee1ff111f798917b48c929133e8c199312ad797929a61fc69505a636347307edcd2eef2a5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\Mon17fc3714aa3427.exe

Filesize
248KB

MD5
d23c06e25b4bd295e821274472263572

SHA1
9ad295ec3853dc465ae77f9479f8c4f76e2748b8

SHA256
f02c1351a8b3dc296cf815bb4cd2bcc2d25b3b9a258ab2ad95e8be3d9602322c

SHA512
122b0ef44682f83651d81df622bbff5ad9fa0f5bbd6b925e35add9568825c0316c0f9921dac21cf92cb44658fc854f7829c01ae3b84aa0745929f8ef5e6ae1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\libcurl.dll

Filesize
128KB

MD5
7948863bf814852070e724e4185d5f6f

SHA1
aa934395e2cdd6b0b3a628da3f449c91fbdf095c

SHA256
ddb24f791c2c92cd143b7ad03bca41f3271e5490cc6993ebbae0654daff50dc0

SHA512
277899d72035d21dd68fcd30eea47101c1154b82b0a5d9f0c856f3156dc4b35643db14bf99a833a7f32af6a1ece48d9e2769e162e8b473885e72df6cd0c2be55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\libgcc_s_dw2-1.dll

Filesize
64KB

MD5
4cbe6faf53b6ad9c5784e794080c948e

SHA1
8fe51b03c7deb52add43ec9afd0d7615bf39516f

SHA256
a822846684a82cbee25039136b09d46452c8dd20faa16507ff37a1960e9ee415

SHA512
5d8b5bd6e83c0ecf1d27ca221d9e4752e7a33c468ea0abd72a6ca789e9d3a0b0545fc2ec901c1ce66c696a151a46fe96fe9f16bb6e404e59b2951b774c37531e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\libstdc++-6.dll

Filesize
64KB

MD5
ad1c548ca77cecc49364855223401511

SHA1
523a06384633aadeae0b25ad1a44aab62342c69a

SHA256
7d9113e74a2adf1c93adbe5c7936f2426d1bdacd21d8b724e83c23f6219d0064

SHA512
f8570fb383b7e045af093163feb6682ece6ecc8b5bc4c0441c25bd9d91ee9e34b99a685464d698d9e536293ec4525a5e1e6e729380e8364a300ad0cc2e9ddc77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\setup_install.exe

Filesize
2.1MB

MD5
e063ed1ff826d9211d72dcd9b57c6db6

SHA1
73edb0e50951df71df4eee9bdf9ecc6b0101994a

SHA256
7e594b7d01a8cbc819f8527f7d1459b02cff4bf97f1a8bc69daea608f4274108

SHA512
a8e9d84d88254f2ba4f1e99cf624d4aff1738fb52044cce69500c32f45fbffd42d2d4578bb504dad9147845bf98f5080193eaeead9e84888e35dd9fa187139ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2330977\setup_install.exe

Filesize
576KB

MD5
66230c967947625069a4841a95fd08ac

SHA1
bb33f8e64c6dacf9ddeffe6c2488704940948abd

SHA256
57407efd2e03c330c2954c7fd6eab784088a55b2a90bd317166d58f794a0daa3

SHA512
f135192398a4ba84da3474ef2e2fe91a529ef1b0d98d10622014013b14f34edab14c1bb02c980e15f452a81c8687e19707e6072773fc105c5a3d6ec6fa2532c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Copia.wmz

Filesize
529KB

MD5
b6c1a6534ced58ea7dd51efa6b0679e2

SHA1
58e29d76831c62982f4d4a6e073fda10ff3d9c61

SHA256
96ca4a1552f3768f189e322adf2c0ba5923af46e0b673f8a32606b4120f5da99

SHA512
b9e43cc82a7e42534f24c875ecf338bb2d9b90a5b237407248da144a2a280b2022659a17a78bec0094597de84ad4ca83a2f76036f7dc2a9aa3979d64fcce73dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mummia.wmz

Filesize
576B

MD5
6f6fe96279c933c2170e75f49cf43718

SHA1
bbe211eaebbeb120b9ca3cd204aacbbeef20cb7e

SHA256
e6919da4e2658c82ebbcca670053d77e1231a5a600bf5aeaba71e5852e09022f

SHA512
76160b79d3cbe2fca6d95b096043641a96b13007f287f8e55b94eab16cbb98691a8e8fa8d035da434e84f689bb8d36478f632976481b56c7170889553a629748

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pensavo.wmz

Filesize
532KB

MD5
23ff21305e1cf68b22a05c424d7c26c8

SHA1
7022792df05b9057da17b8d050b77b704954af82

SHA256
5719f8a932f63e71a258edfe52177336542b039860a13dfc55b15b530bc79cd2

SHA512
88c58a0ec2f81a77dd5ccc0f84f753be9b66aa313e9bf1d670b2ab89269d35beac2fdcacc9d0e421776ab554fac856d2a47e84f74eb49d7fea3a9d028b15d05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com

Filesize
597KB

MD5
424febfa5e2a0f0535bd05213e9eba62

SHA1
292aa39998860fbe7d0704be0a210b822cb0bf3a

SHA256
07f71d677901f7354082558db01f5b134147f031bfe6ad01e393e890176cc064

SHA512
64e8c3a16614bd9ce47a2eeca4bd4fc9c299d99b3ca7ce857fca24ef5d563e13eb98f40118bc3d44cc4ebeea9c8dc899417567abecc947a902a0670fc0658cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com

Filesize
298KB

MD5
46b9b0623e5ecb4b2f2fb3c2c1976229

SHA1
4b8d9c3c8320b812cd685b6347360b210df1e7de

SHA256
b25f7bbe9950059982cea7897486ceac5999479fcb231d1a83c9bf4d772b165a

SHA512
dc88bb370f4794e6562d1958a20b97c80c9c1e55b22c63759f75b40509b42060ab315e804ad5c61cdb3026a0427e1cb9e15f23da09e079ce67d75f0eff5aa089

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z

Filesize
628KB

MD5
4f0a8b113e7e642b5f06fee921fc45d9

SHA1
be8b9b73344bfcfd54b1c91530bbccba5c404c24

SHA256
83f5aba861cff7d04864ccf2815514cebd00c85a59c9dcf95ee2fc2de8a0915f

SHA512
d6301adf467457d42b983cf5eff1a70d202510b7e88554742d2ebd397aa581bf9f54c02fc33a6e9175bb668ee435653d4f601989d28a001000c7a6968ca35eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ipplp3zd.wax.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
2.6MB

MD5
7ea7d7a1fd8696e318c6f91996255d55

SHA1
f10bd4315c5fb79b74245def5d8bc5a375079c5c

SHA256
2a36f69580d720beb24dbd4cb3edff9c88a398ac486eacd1fb81dd24ec6d6b3a

SHA512
34a527e455be02b0a8bcafcfa9595944188bbd0f4829c44a354a6394a8963f3f87a3d522eeef156a49394782aaadbf0a4ee1d32d17235e17e4bec40f06e182fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
4.8MB

MD5
8e88e9762c2c7020225ef6c369f2ef0e

SHA1
15eb5c3f205e19471d3e60322efbddc2e8b2792e

SHA256
e847b7593382c56f6443caea1929e4657e8706a0e55deda227ab98231bde7667

SHA512
3bdeebd9e7f0e1895eebd6d749e9195903fa5e9dfab620e2e50fa719878680106c1f03925cf3fdb4bebbe98b72b6350ccedba6405c03f367591a8741bf8e53da

Download Submit
memory/612-158-0x00000000026F0000-0x00000000027F0000-memory.dmp

Filesize
1024KB

Download
memory/612-151-0x0000000004110000-0x00000000041AD000-memory.dmp

Filesize
628KB

Download
memory/612-161-0x0000000000400000-0x0000000002402000-memory.dmp

Filesize
32.0MB

Download
memory/3392-196-0x0000000002C10000-0x0000000002C26000-memory.dmp

Filesize
88KB

Download
memory/3520-118-0x0000000005040000-0x0000000005062000-memory.dmp

Filesize
136KB

Download
memory/3520-209-0x0000000007650000-0x0000000007658000-memory.dmp

Filesize
32KB

Download
memory/3520-207-0x0000000007570000-0x0000000007584000-memory.dmp

Filesize
80KB

Download
memory/3520-206-0x0000000007560000-0x000000000756E000-memory.dmp

Filesize
56KB

Download
memory/3520-113-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/3520-204-0x0000000007530000-0x0000000007541000-memory.dmp

Filesize
68KB

Download
memory/3520-203-0x00000000075A0000-0x0000000007636000-memory.dmp

Filesize
600KB

Download
memory/3520-110-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/3520-202-0x00000000073B0000-0x00000000073BA000-memory.dmp

Filesize
40KB

Download
memory/3520-201-0x0000000007070000-0x000000000708A000-memory.dmp

Filesize
104KB

Download
memory/3520-200-0x00000000079E0000-0x000000000805A000-memory.dmp

Filesize
6.5MB

Download
memory/3520-97-0x0000000002A80000-0x0000000002AB6000-memory.dmp

Filesize
216KB

Download
memory/3520-182-0x0000000006FF0000-0x0000000007022000-memory.dmp

Filesize
200KB

Download
memory/3520-208-0x0000000007660000-0x000000000767A000-memory.dmp

Filesize
104KB

Download
memory/3520-195-0x00000000070B0000-0x0000000007153000-memory.dmp

Filesize
652KB

Download
memory/3520-194-0x00000000065E0000-0x00000000065FE000-memory.dmp

Filesize
120KB

Download
memory/3520-100-0x00000000052A0000-0x00000000058C8000-memory.dmp

Filesize
6.2MB

Download
memory/3520-130-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/3520-184-0x000000006F020000-0x000000006F06C000-memory.dmp

Filesize
304KB

Download
memory/3520-183-0x000000007FCC0000-0x000000007FCD0000-memory.dmp

Filesize
64KB

Download
memory/3520-136-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/3520-173-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/3520-212-0x0000000073260000-0x0000000073A10000-memory.dmp

Filesize
7.7MB

Download
memory/3520-154-0x0000000073260000-0x0000000073A10000-memory.dmp

Filesize
7.7MB

Download
memory/3520-152-0x0000000006010000-0x000000000602E000-memory.dmp

Filesize
120KB

Download
memory/3520-140-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/4604-123-0x000000001B860000-0x000000001B870000-memory.dmp

Filesize
64KB

Download
memory/4604-153-0x00007FF837F30000-0x00007FF8389F1000-memory.dmp

Filesize
10.8MB

Download
memory/4604-101-0x0000000002E10000-0x0000000002E16000-memory.dmp

Filesize
24KB

Download
memory/4604-108-0x00007FF837F30000-0x00007FF8389F1000-memory.dmp

Filesize
10.8MB

Download
memory/4604-112-0x000000001B820000-0x000000001B844000-memory.dmp

Filesize
144KB

Download
memory/4604-115-0x0000000002E20000-0x0000000002E26000-memory.dmp

Filesize
24KB

Download
memory/4604-98-0x0000000000E70000-0x0000000000EA6000-memory.dmp

Filesize
216KB

Download
memory/4620-144-0x0000000000400000-0x00000000023AE000-memory.dmp

Filesize
31.7MB

Download
memory/4620-198-0x0000000000400000-0x00000000023AE000-memory.dmp

Filesize
31.7MB

Download
memory/4620-157-0x00000000025C0000-0x00000000026C0000-memory.dmp

Filesize
1024KB

Download
memory/4620-139-0x00000000024C0000-0x00000000024C9000-memory.dmp

Filesize
36KB

Download
memory/4988-66-0x00000000007B0000-0x000000000083F000-memory.dmp

Filesize
572KB

Download
memory/4988-147-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4988-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4988-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4988-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4988-148-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/4988-145-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4988-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4988-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4988-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4988-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4988-146-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4988-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4988-70-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4988-143-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4988-65-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4988-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4988-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/5008-111-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

Filesize
64KB

Download
memory/5008-87-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5008-99-0x00007FF837F30000-0x00007FF8389F1000-memory.dmp

Filesize
10.8MB

Download
memory/5080-137-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/5080-121-0x0000000007F70000-0x0000000008588000-memory.dmp

Filesize
6.1MB

Download
memory/5080-124-0x0000000005000000-0x000000000503C000-memory.dmp

Filesize
240KB

Download
memory/5080-117-0x0000000004DE0000-0x0000000004E00000-memory.dmp

Filesize
128KB

Download
memory/5080-162-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/5080-116-0x00000000073A0000-0x0000000007944000-memory.dmp

Filesize
5.6MB

Download
memory/5080-135-0x0000000073260000-0x0000000073A10000-memory.dmp

Filesize
7.7MB

Download
memory/5080-156-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/5080-114-0x0000000004810000-0x000000000483F000-memory.dmp

Filesize
188KB

Download
memory/5080-120-0x0000000000400000-0x0000000002CCD000-memory.dmp

Filesize
40.8MB

Download
memory/5080-109-0x0000000004BD0000-0x0000000004BF2000-memory.dmp

Filesize
136KB

Download
memory/5080-155-0x0000000002D60000-0x0000000002E60000-memory.dmp

Filesize
1024KB

Download
memory/5080-122-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/5080-142-0x0000000007AB0000-0x0000000007BBA000-memory.dmp

Filesize
1.0MB

Download
memory/5080-215-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/5080-214-0x0000000073260000-0x0000000073A10000-memory.dmp

Filesize
7.7MB

Download
memory/5080-216-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/5080-138-0x0000000007950000-0x000000000799C000-memory.dmp

Filesize
304KB

Download