amadey | 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34468074c946943518ab33be24c01ef9.bin.exe
Size

442KB
MD5

34468074c946943518ab33be24c01ef9
SHA1

742cf7ff13dcab6a99b372dc99f362f45be3d69c
SHA256

339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99
SHA512

b13def10893e34d5efcb52d5b11b16c14881c27aca7f263d59a19fdad99e27681cd8cee85ba83762772ecbbf4e32eb373006627b932047eff00cbb725e9f942b
SSDEEP

6144:9qIH8p8GgMyYRhuPTMCGzlmJDZWgECsFjKdJtH3s5ZBjnA:9d8p8GgAWP4CYE4BCsmdJFij0

Score

10^/10

amadey redline logsdiller cloud (telegram: @logsdillabot)discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

Attributes

install_dir
154561dcbf
install_file
Dctooux.exe
strings_key
2cd47fa043c815e1a033c67832f3c6a5
url_paths
/j4Fvskd3/index.php

rc4.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

5.42.65.68:29093

Extracted

Family

amadey

Version

4.18

Attributes

strings_key
2cd47fa043c815e1a033c67832f3c6a5
url_paths
/j4Fvskd3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4136-75-0x0000000002D50000-0x0000000002DA8000-memory.dmp	family_redline
behavioral2/memory/996-82-0x0000000005860000-0x00000000058B6000-memory.dmp	family_redline

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

40 4548 rundll32.exe
53 4324 rundll32.exe
Downloads MZ/PE file

flow	pid	process
40	4548	rundll32.exe
53	4324	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

34468074c946943518ab33be24c01ef9.bin.exeDctooux.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	34468074c946943518ab33be24c01ef9.bin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Dctooux.exe

Executes dropped EXE 5 IoCs

Processes:

Dctooux.exenativecrypt6.exenativecrypt6.exeDctooux.exeDctooux.exe

pid process

1768 Dctooux.exe
4136 nativecrypt6.exe
996 nativecrypt6.exe
1856 Dctooux.exe
2004 Dctooux.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

4552 rundll32.exe
4548 rundll32.exe
4324 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Windows directory 1 IoCs

Processes:

34468074c946943518ab33be24c01ef9.bin.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 34468074c946943518ab33be24c01ef9.bin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1768	Dctooux.exe
4136	nativecrypt6.exe
996	nativecrypt6.exe
1856	Dctooux.exe
2004	Dctooux.exe

pid	process
4552	rundll32.exe
4548	rundll32.exe
4324	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	34468074c946943518ab33be24c01ef9.bin.exe

Program crash 34 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4972	3576	WerFault.exe	34468074c946943518ab33be24c01ef9.bin.exe
3692	3576	WerFault.exe	34468074c946943518ab33be24c01ef9.bin.exe
2392	3576	WerFault.exe	34468074c946943518ab33be24c01ef9.bin.exe
2356	3576	WerFault.exe	34468074c946943518ab33be24c01ef9.bin.exe
3836	3576	WerFault.exe	34468074c946943518ab33be24c01ef9.bin.exe
5020	3576	WerFault.exe	34468074c946943518ab33be24c01ef9.bin.exe
3356	3576	WerFault.exe	34468074c946943518ab33be24c01ef9.bin.exe
4956	3576	WerFault.exe	34468074c946943518ab33be24c01ef9.bin.exe
4948	3576	WerFault.exe	34468074c946943518ab33be24c01ef9.bin.exe
4612	3576	WerFault.exe	34468074c946943518ab33be24c01ef9.bin.exe
4552	1768	WerFault.exe	Dctooux.exe
3276	1768	WerFault.exe	Dctooux.exe
2540	1768	WerFault.exe	Dctooux.exe
2496	1768	WerFault.exe	Dctooux.exe
3088	1768	WerFault.exe	Dctooux.exe
1764	1768	WerFault.exe	Dctooux.exe
2916	1768	WerFault.exe	Dctooux.exe
4128	1768	WerFault.exe	Dctooux.exe
4552	1768	WerFault.exe	Dctooux.exe
4492	1768	WerFault.exe	Dctooux.exe
5112	1768	WerFault.exe	Dctooux.exe
4064	1768	WerFault.exe	Dctooux.exe
4692	1768	WerFault.exe	Dctooux.exe
4248	1768	WerFault.exe	Dctooux.exe
5008	1768	WerFault.exe	Dctooux.exe
4452	1768	WerFault.exe	Dctooux.exe
4320	1768	WerFault.exe	Dctooux.exe
2408	1768	WerFault.exe	Dctooux.exe
1100	1768	WerFault.exe	Dctooux.exe
2488	1856	WerFault.exe	Dctooux.exe
864	1768	WerFault.exe	Dctooux.exe
2156	2004	WerFault.exe	Dctooux.exe
1056	1768	WerFault.exe	Dctooux.exe
2548	1768	WerFault.exe	Dctooux.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

nativecrypt6.exenativecrypt6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	nativecrypt6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	nativecrypt6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	nativecrypt6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	nativecrypt6.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

rundll32.exepowershell.exenativecrypt6.exenativecrypt6.exe

pid	process
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
1100	powershell.exe
1100	powershell.exe
1100	powershell.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
4136	nativecrypt6.exe
996	nativecrypt6.exe
4136	nativecrypt6.exe
996	nativecrypt6.exe
996	nativecrypt6.exe
996	nativecrypt6.exe
996	nativecrypt6.exe
996	nativecrypt6.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exenativecrypt6.exenativecrypt6.exe

description pid process

Token: SeDebugPrivilege 1100 powershell.exe
Token: SeDebugPrivilege 4136 nativecrypt6.exe
Token: SeDebugPrivilege 996 nativecrypt6.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

34468074c946943518ab33be24c01ef9.bin.exe

pid process

3576 34468074c946943518ab33be24c01ef9.bin.exe

description	pid	process
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	4136	nativecrypt6.exe
Token: SeDebugPrivilege	996	nativecrypt6.exe

pid	process
3576	34468074c946943518ab33be24c01ef9.bin.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

34468074c946943518ab33be24c01ef9.bin.exeDctooux.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3576 wrote to memory of 1768	3576	34468074c946943518ab33be24c01ef9.bin.exe	Dctooux.exe
PID 3576 wrote to memory of 1768	3576	34468074c946943518ab33be24c01ef9.bin.exe	Dctooux.exe
PID 3576 wrote to memory of 1768	3576	34468074c946943518ab33be24c01ef9.bin.exe	Dctooux.exe
PID 1768 wrote to memory of 4788	1768	Dctooux.exe	Dctooux.exe
PID 1768 wrote to memory of 4788	1768	Dctooux.exe	Dctooux.exe
PID 1768 wrote to memory of 4788	1768	Dctooux.exe	Dctooux.exe
PID 1768 wrote to memory of 4136	1768	Dctooux.exe	nativecrypt6.exe
PID 1768 wrote to memory of 4136	1768	Dctooux.exe	nativecrypt6.exe
PID 1768 wrote to memory of 4136	1768	Dctooux.exe	nativecrypt6.exe
PID 1768 wrote to memory of 996	1768	Dctooux.exe	nativecrypt6.exe
PID 1768 wrote to memory of 996	1768	Dctooux.exe	nativecrypt6.exe
PID 1768 wrote to memory of 996	1768	Dctooux.exe	nativecrypt6.exe
PID 1768 wrote to memory of 4552	1768	Dctooux.exe	rundll32.exe
PID 1768 wrote to memory of 4552	1768	Dctooux.exe	rundll32.exe
PID 1768 wrote to memory of 4552	1768	Dctooux.exe	rundll32.exe
PID 4552 wrote to memory of 4548	4552	rundll32.exe	rundll32.exe
PID 4552 wrote to memory of 4548	4552	rundll32.exe	rundll32.exe
PID 4548 wrote to memory of 2928	4548	rundll32.exe	netsh.exe
PID 4548 wrote to memory of 2928	4548	rundll32.exe	netsh.exe
PID 4548 wrote to memory of 1100	4548	rundll32.exe	WerFault.exe
PID 4548 wrote to memory of 1100	4548	rundll32.exe	WerFault.exe
PID 1768 wrote to memory of 4324	1768	Dctooux.exe	rundll32.exe
PID 1768 wrote to memory of 4324	1768	Dctooux.exe	rundll32.exe
PID 1768 wrote to memory of 4324	1768	Dctooux.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe
"C:\Users\Admin\AppData\Local\Temp\34468074c946943518ab33be24c01ef9.bin.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 764
  2⤵
  - Program crash
  PID:4972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 832
  2⤵
  - Program crash
  PID:3692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 872
  2⤵
  - Program crash
  PID:2392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 920
  2⤵
  - Program crash
  PID:2356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 928
  2⤵
  - Program crash
  PID:3836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 960
  2⤵
  - Program crash
  PID:5020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1132
  2⤵
  - Program crash
  PID:3356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1152
  2⤵
  - Program crash
  PID:4956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1240
  2⤵
  - Program crash
  PID:4948
- C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 552
    3⤵
    - Program crash
    PID:4552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 596
    3⤵
    - Program crash
    PID:3276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 616
    3⤵
    - Program crash
    PID:2540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 680
    3⤵
    - Program crash
    PID:2496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 884
    3⤵
    - Program crash
    PID:3088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 888
    3⤵
    - Program crash
    PID:1764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 884
    3⤵
    - Program crash
    PID:2916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 884
    3⤵
    - Program crash
    PID:4128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 952
    3⤵
    - Program crash
    PID:4552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 944
    3⤵
    - Program crash
    PID:4492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1028
    3⤵
    - Program crash
    PID:5112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1148
    3⤵
    - Program crash
    PID:4064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1016
    3⤵
    - Program crash
    PID:4692
- - C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
    "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1116
    3⤵
    - Program crash
    PID:4248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1624
    3⤵
    - Program crash
    PID:5008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1688
    3⤵
    - Program crash
    PID:4452
- - C:\Users\Admin\1000071002\nativecrypt6.exe
    "C:\Users\Admin\1000071002\nativecrypt6.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4136
- - C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe
    "C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1668
    3⤵
    - Program crash
    PID:4320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1688
    3⤵
    - Program crash
    PID:2408
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:4324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1412
    3⤵
    - Program crash
    PID:1100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1744
    3⤵
    - Program crash
    PID:864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1200
    3⤵
    - Program crash
    PID:1056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1028
    3⤵
    - Program crash
    PID:2548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1308
  2⤵
  - Program crash
  PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3576 -ip 3576
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3576 -ip 3576
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3576 -ip 3576
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3576 -ip 3576
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3576 -ip 3576
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3576 -ip 3576
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3576 -ip 3576
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3576 -ip 3576
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3576 -ip 3576
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3576 -ip 3576
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1768 -ip 1768
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1768 -ip 1768
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1768 -ip 1768
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1768 -ip 1768
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1768 -ip 1768
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1768 -ip 1768
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1768 -ip 1768
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1768 -ip 1768
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1768 -ip 1768
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1768 -ip 1768
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1768 -ip 1768
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1768 -ip 1768
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1768 -ip 1768
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1768 -ip 1768
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1768 -ip 1768
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1768 -ip 1768
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1768 -ip 1768
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1768 -ip 1768
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1768 -ip 1768
1⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 444
  2⤵
  - Program crash
  PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1856 -ip 1856
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1768 -ip 1768
1⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 440
  2⤵
  - Program crash
  PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2004 -ip 2004
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1768 -ip 1768
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1768 -ip 1768
1⤵
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000071002\nativecrypt6.exe

Filesize
447KB

MD5
ef4b0d33ed0eb8ec64c7073ea8409cad

SHA1
b3c1b0b7e282a26bcc4ddb84cfac0437e3cff209

SHA256
37c593afa2791249363f27cb2818fe560338c9abdfb2b270b26a88696a87c3e9

SHA512
21076c222c0ee27ad88b682639bc82d8be50a0d369a5eec7a66023b0a8ced6cc9348b5b6cc7794c22269adc9b9faa38503276ba4b2d7e922beb1ce0e575a6228

Download Submit
C:\Users\Admin\1000071002\nativecrypt6.exe

Filesize
235KB

MD5
d6ec14d4006c215ddf5f25e757b6a0d2

SHA1
d18387a6a2ab4513708d2460c2f889af2181d959

SHA256
52eb5cc828a0a8e6df0578bdec79ae42cb44409b6386caad0f3a1c59025374b4

SHA512
30a9305d1530c0b38b570339b4db2dacc1760de0eb05ed6b09706479a71c4292e19825fbe5123ed0267a4bb3c45ef3dc4ab9fe8abe129f033e220f0e4de32b9e

Download Submit
C:\Users\Admin\1000071002\nativecrypt6.exe

Filesize
176KB

MD5
d861509fb4c8a898ec17fe11f46f891b

SHA1
ca985d8833e78683a3252d7374eed1f985fa6668

SHA256
8ecb93da4817ca5e198151ef894492d76c984ee6f4cc024bdcb9b45f7338ce83

SHA512
10d5accc5d404e39f0cf7590bc970b6e8771c16e2afd49721bc0103c6e724b28b65c0f5f32b79fabe674592e8d0412124ba08cc1a097b31c7f72d01879d359ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nativecrypt6.exe.log

Filesize
2KB

MD5
e34b053c93dcb4160094249280888117

SHA1
bd7cd93042c200c5fb012bccf3cd9f72d7e79cef

SHA256
2bc71ddd63acfb9d101892e29033c75b4023727e1cadc489ecb2421c1960eaa8

SHA512
f8753ec3f9f413e1fac84caa1905509a978dfc63211dcd0a889a4283840ae2e6e9101e1f7ee7d582acc5e0ae722fdab8f6047aa02cee28869a094b4f494897f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

Filesize
442KB

MD5
34468074c946943518ab33be24c01ef9

SHA1
742cf7ff13dcab6a99b372dc99f362f45be3d69c

SHA256
339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99

SHA512
b13def10893e34d5efcb52d5b11b16c14881c27aca7f263d59a19fdad99e27681cd8cee85ba83762772ecbbf4e32eb373006627b932047eff00cbb725e9f942b

Download Submit
C:\Users\Admin\AppData\Local\Temp\808065738166

Filesize
81KB

MD5
4a31957fcc6a12c7f3712f94c819972a

SHA1
cf6d343b57f93351c28ee8fa52b66cc93576e40a

SHA256
4744156cf8d830a386449b871e48a577e6fe3673526f2663ab34030124f374b4

SHA512
a0453268d32a9038337ea30d62c51ef421910c0e1b6c6697a3c61c2bbad1e252680538d14b7abb991200499480d87c0b98fc76a9de61f516c18a99ab67e13ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp5FAF.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5f55scjh.z4n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe

Filesize
250KB

MD5
1ba155e110194b1bd5c3a0fafb22efb1

SHA1
f0ca22993de08e42aca63d2ba61fb508887d9063

SHA256
a33b4d15c3704e9ae986a88192cc569290d9e7533c790ba7736840c8a5d93782

SHA512
583c34880322b943e484a50cc76269888ef2a9207cf8252cf1df5ab7f4fedaf277e668819a32585a482975f01304ce5aea0a0fe370fa5e626b2d20a7e51f0ee5

Download Submit
C:\Users\Admin\AppData\Roaming\1000072000\nativecrypt6.exe

Filesize
224KB

MD5
ed56868f8ebed80e3b21042f95dc7e8a

SHA1
246a89723f0a891a38e13f50c54fddbd58202cb9

SHA256
9da26dd076198e05ce2927db85cd3072b6a174c2b07ab85efcd7e3f766982753

SHA512
008ac4ccc314b2f5e12a468a65a9e119750ba08122af0e797f84d6d2813bc69894a0b489e7732b0ff07bb869916c1856f7127a696a9287e5d07aa16e4ae8c242

Download Submit
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll

Filesize
109KB

MD5
ca684dc5ebed4381701a39f1cc3a0fb2

SHA1
8c4a375aa583bd1c705597a7f45fd18934276770

SHA256
b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2

SHA512
8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510

Download Submit
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

Filesize
758KB

MD5
d7c1ce5b7af6d9aa0d802381fe9a0662

SHA1
95b8176ad64ae9f0e3a59cb8305e9c36b397c8dc

SHA256
757253bcca7fd7b8af775e895354ec005722e335fd9cd43ace4e7ec59a34fec7

SHA512
de80de49a76f72d93d71573310d23d95cd7130c679e1afcac08f7acb3f71e1d3aee2d203beb0593a2ab5d33c1a8bf7b7163e8d9956857a6fec9dddbefc4f29e1

Download Submit
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

Filesize
483KB

MD5
389b16e8c79f728ae26d054305e9e9fe

SHA1
5a849b5a890368b64de0c8617919489413c9ef1b

SHA256
b11c0973de4a1292a5ea8dfebf749c20ccbb09b76ae05dfc11597b16363ed66f

SHA512
9266e0e85f993d21ad3cfa6e14fd88d6190d2890edbdd87b0937933daa71e0288378c476a4e597bf68f49e3cfa0995683ffa4fd195aadd26fc4645434be54fe6

Download Submit
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

Filesize
741KB

MD5
264996a9e67e97b9d84517aaffe7db7f

SHA1
8167c6752d065b3ec57118fc2705b38e4d61fe06

SHA256
babee9cf7cd304c182da1e854602469d577abe5da37ea2e0b9f29dc90f31b7b3

SHA512
7a87ffd7ad36f35c566f682413281ff73613de6a88596f066c1ff4ea3523b6c02c896b5f1ee99078f68d5d3265882368799db0930a9fa07e09b1bbc580067244

Download Submit
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

Filesize
757KB

MD5
5ece0da4e5b348dace429b4c35f688e5

SHA1
7c2e0fb80cb99100353139081b1e564e22d82bb0

SHA256
5261ffc545d7047d36768251d0edcb67502c06e3214dbb225ba2bf815525b598

SHA512
55f38e6aacfb6bbadfd558dc91a3ac490ea3372488842b227bc9f838524a63b3f574c6524a1b210f83063c0552a1568c2ec68bb155e7fe21cbce0137697c9b97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353

Filesize
2KB

MD5
0158fe9cead91d1b027b795984737614

SHA1
b41a11f909a7bdf1115088790a5680ac4e23031b

SHA256
513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a

SHA512
c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676

Download Submit
memory/996-82-0x0000000005860000-0x00000000058B6000-memory.dmp

Filesize
344KB

Download
memory/996-148-0x0000000006A00000-0x0000000007018000-memory.dmp

Filesize
6.1MB

Download
memory/996-68-0x0000000000DE0000-0x0000000000EE0000-memory.dmp

Filesize
1024KB

Download
memory/996-187-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/996-70-0x0000000000400000-0x0000000000B19000-memory.dmp

Filesize
7.1MB

Download
memory/996-162-0x0000000000DE0000-0x0000000000EE0000-memory.dmp

Filesize
1024KB

Download
memory/996-72-0x0000000072B60000-0x0000000073310000-memory.dmp

Filesize
7.7MB

Download
memory/996-151-0x0000000007200000-0x000000000723C000-memory.dmp

Filesize
240KB

Download
memory/996-149-0x00000000070A0000-0x00000000071AA000-memory.dmp

Filesize
1.0MB

Download
memory/996-73-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/996-145-0x00000000069E0000-0x00000000069FE000-memory.dmp

Filesize
120KB

Download
memory/996-77-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/996-191-0x0000000000400000-0x0000000000B19000-memory.dmp

Filesize
7.1MB

Download
memory/996-78-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/996-131-0x0000000005FF0000-0x0000000006066000-memory.dmp

Filesize
472KB

Download
memory/996-80-0x00000000052B0000-0x0000000005854000-memory.dmp

Filesize
5.6MB

Download
memory/996-179-0x0000000072B60000-0x0000000073310000-memory.dmp

Filesize
7.7MB

Download
memory/996-83-0x00000000058C0000-0x0000000005952000-memory.dmp

Filesize
584KB

Download
memory/996-97-0x0000000005AE0000-0x0000000005AEA000-memory.dmp

Filesize
40KB

Download
memory/996-92-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/996-192-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/1100-132-0x0000022BFBEF0000-0x0000022BFBF12000-memory.dmp

Filesize
136KB

Download
memory/1100-160-0x00007FFA03E70000-0x00007FFA04931000-memory.dmp

Filesize
10.8MB

Download
memory/1100-154-0x0000022BFBF20000-0x0000022BFBF2A000-memory.dmp

Filesize
40KB

Download
memory/1100-153-0x0000022BFC410000-0x0000022BFC422000-memory.dmp

Filesize
72KB

Download
memory/1100-143-0x0000022BFBF30000-0x0000022BFBF40000-memory.dmp

Filesize
64KB

Download
memory/1100-142-0x00007FFA03E70000-0x00007FFA04931000-memory.dmp

Filesize
10.8MB

Download
memory/1768-81-0x0000000000400000-0x0000000000B17000-memory.dmp

Filesize
7.1MB

Download
memory/1768-17-0x0000000000CF0000-0x0000000000DF0000-memory.dmp

Filesize
1024KB

Download
memory/1768-161-0x0000000000400000-0x0000000000B17000-memory.dmp

Filesize
7.1MB

Download
memory/1768-19-0x0000000000400000-0x0000000000B17000-memory.dmp

Filesize
7.1MB

Download
memory/1768-76-0x0000000000CF0000-0x0000000000DF0000-memory.dmp

Filesize
1024KB

Download
memory/1768-41-0x0000000000400000-0x0000000000B17000-memory.dmp

Filesize
7.1MB

Download
memory/1768-186-0x0000000000400000-0x0000000000B17000-memory.dmp

Filesize
7.1MB

Download
memory/1856-198-0x0000000000400000-0x0000000000B17000-memory.dmp

Filesize
7.1MB

Download
memory/1856-196-0x0000000000CE0000-0x0000000000DE0000-memory.dmp

Filesize
1024KB

Download
memory/1856-197-0x0000000000400000-0x0000000000B17000-memory.dmp

Filesize
7.1MB

Download
memory/2004-221-0x0000000000400000-0x0000000000B17000-memory.dmp

Filesize
7.1MB

Download
memory/2004-220-0x0000000000400000-0x0000000000B17000-memory.dmp

Filesize
7.1MB

Download
memory/2004-219-0x0000000000BC0000-0x0000000000CC0000-memory.dmp

Filesize
1024KB

Download
memory/3576-5-0x0000000000400000-0x0000000000B17000-memory.dmp

Filesize
7.1MB

Download
memory/3576-20-0x0000000000400000-0x0000000000B17000-memory.dmp

Filesize
7.1MB

Download
memory/3576-21-0x0000000002890000-0x00000000028FF000-memory.dmp

Filesize
444KB

Download
memory/3576-18-0x0000000000DF0000-0x0000000000EF0000-memory.dmp

Filesize
1024KB

Download
memory/3576-1-0x0000000000DF0000-0x0000000000EF0000-memory.dmp

Filesize
1024KB

Download
memory/3576-3-0x0000000000400000-0x0000000000B17000-memory.dmp

Filesize
7.1MB

Download
memory/3576-2-0x0000000002890000-0x00000000028FF000-memory.dmp

Filesize
444KB

Download
memory/4136-69-0x0000000000400000-0x0000000000B19000-memory.dmp

Filesize
7.1MB

Download
memory/4136-178-0x00000000076D0000-0x0000000007720000-memory.dmp

Filesize
320KB

Download
memory/4136-177-0x00000000073B0000-0x0000000007416000-memory.dmp

Filesize
408KB

Download
memory/4136-180-0x0000000007A60000-0x0000000007C22000-memory.dmp

Filesize
1.8MB

Download
memory/4136-181-0x0000000007C40000-0x000000000816C000-memory.dmp

Filesize
5.2MB

Download
memory/4136-166-0x0000000072B60000-0x0000000073310000-memory.dmp

Filesize
7.7MB

Download
memory/4136-185-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/4136-163-0x0000000000400000-0x0000000000B19000-memory.dmp

Filesize
7.1MB

Download
memory/4136-152-0x0000000007260000-0x00000000072AC000-memory.dmp

Filesize
304KB

Download
memory/4136-150-0x00000000071E0000-0x00000000071F2000-memory.dmp

Filesize
72KB

Download
memory/4136-190-0x0000000000400000-0x0000000000B19000-memory.dmp

Filesize
7.1MB

Download
memory/4136-144-0x0000000000D40000-0x0000000000E40000-memory.dmp

Filesize
1024KB

Download
memory/4136-93-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/4136-79-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/4136-195-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/4136-75-0x0000000002D50000-0x0000000002DA8000-memory.dmp

Filesize
352KB

Download
memory/4136-74-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/4136-71-0x0000000072B60000-0x0000000073310000-memory.dmp

Filesize
7.7MB

Download
memory/4136-67-0x0000000000CA0000-0x0000000000CFF000-memory.dmp

Filesize
380KB

Download
memory/4136-66-0x0000000000D40000-0x0000000000E40000-memory.dmp

Filesize
1024KB

Download