ta505 | hxxps://download[.]tuhunaer[.]com/download/whatschapp/index[.]html

Resubmissions

20-04-2024 17:31

240420-v3smjsdf99 10

20-04-2024 17:29

240420-v2p52adf84 10

Analysis

max time kernel
48s
max time network
46s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
20-04-2024 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.tuhunaer.com/download/whatschapp/index.html

Score

10^/10

ta505 upx vmprotect

Malware Config

Signatures

TA505
Cybercrime group active since 2015, responsible for families like Dridex and Locky.
ta505

Executes dropped EXE 3 IoCs

pid	Process
2816	irsetup.exe
4836	upload.exe
3396	upload.exe

Loads dropped DLL 1 IoCs

pid	Process
2816	irsetup.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002aa3b-134.dat	upx
behavioral1/memory/4836-135-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/3396-175-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/4836-253-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/3396-445-0x0000000000400000-0x000000000053F000-memory.dmp	upx

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/4836-162-0x0000000003530000-0x0000000003F76000-memory.dmp	vmprotect
behavioral1/memory/4836-170-0x0000000003530000-0x0000000003F76000-memory.dmp	vmprotect
behavioral1/memory/4836-171-0x0000000003530000-0x0000000003F76000-memory.dmp	vmprotect
behavioral1/memory/3396-198-0x0000000002210000-0x0000000002C56000-memory.dmp	vmprotect
behavioral1/memory/3396-207-0x0000000002210000-0x0000000002C56000-memory.dmp	vmprotect
behavioral1/memory/3396-206-0x0000000002210000-0x0000000002C56000-memory.dmp	vmprotect
behavioral1/memory/4640-219-0x0000000010000000-0x0000000010A46000-memory.dmp	vmprotect
behavioral1/memory/4640-250-0x0000000010000000-0x0000000010A46000-memory.dmp	vmprotect
behavioral1/memory/4836-438-0x0000000003530000-0x0000000003F76000-memory.dmp	vmprotect
behavioral1/memory/3396-639-0x0000000002210000-0x0000000002C56000-memory.dmp	vmprotect

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\NetSarangX\upload.dat	irsetup.exe
File created	C:\Program Files (x86)\NetSarangX\upload.dat	irsetup.exe
File created	C:\Program Files (x86)\NetSarangX\upload.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\NetSarangX\upload.exe	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WhatsApp.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
708	msedge.exe
708	msedge.exe
568	msedge.exe
568	msedge.exe
4724	msedge.exe
4724	msedge.exe
3388	msedge.exe
3388	msedge.exe
1260	identity_helper.exe
1260	identity_helper.exe
4836	upload.exe
4836	upload.exe
4836	upload.exe
4836	upload.exe
4836	upload.exe
4836	upload.exe
3396	upload.exe
3396	upload.exe
3396	upload.exe
3396	upload.exe
4640	msiexec.exe
4640	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3532	whats.exe
2816	irsetup.exe
2816	irsetup.exe
2816	irsetup.exe
2816	irsetup.exe
4836	upload.exe
4836	upload.exe
4836	upload.exe
3396	upload.exe
3396	upload.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 236	568	msedge.exe	80
PID 568 wrote to memory of 236	568	msedge.exe	80
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 4264	568	msedge.exe	81
PID 568 wrote to memory of 708	568	msedge.exe	82
PID 568 wrote to memory of 708	568	msedge.exe	82
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83
PID 568 wrote to memory of 4900	568	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.tuhunaer.com/download/whatschapp/index.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb85753cb8,0x7ffb85753cc8,0x7ffb85753cd8
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,3073133189073916077,17536851796372118084,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,3073133189073916077,17536851796372118084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,3073133189073916077,17536851796372118084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3073133189073916077,17536851796372118084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3073133189073916077,17536851796372118084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3073133189073916077,17536851796372118084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,3073133189073916077,17536851796372118084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3073133189073916077,17536851796372118084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,3073133189073916077,17536851796372118084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,3073133189073916077,17536851796372118084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3073133189073916077,17536851796372118084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3073133189073916077,17536851796372118084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3073133189073916077,17536851796372118084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2232 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3073133189073916077,17536851796372118084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3073133189073916077,17536851796372118084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3073133189073916077,17536851796372118084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:3668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\Temp1_WhatsApp.zip\whats.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_WhatsApp.zip\whats.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3532
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5836146 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Temp1_WhatsApp.zip\whats.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2718508534-2116753757-2794822388-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2816
- - C:\Program Files (x86)\NetSarangX\upload.exe
    "C:\Program Files (x86)\NetSarangX\upload.exe" /NOFOCUS /checkin
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://web.whatsapp.com/
    3⤵
    PID:1332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb85753cb8,0x7ffb85753cc8,0x7ffb85753cd8
      4⤵
      PID:2396

C:\Program Files (x86)\NetSarangX\upload.exe
"C:\Program Files (x86)\NetSarangX\upload.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3396
- \??\c:\windows\SysWOW64\msiexec.exe
  "c:\windows\sysWoW64\msiexec.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NetSarangX\upload.dat

Filesize
74KB

MD5
ed5ce3c2d78ace16956117ab67d77c2c

SHA1
d9ba439f9e723c04bd12a33c6455d0eff70fc2ba

SHA256
fffc1d2f822b8ddaba16e86ddd445b70fc5cb4d5a910d24b62f5d9c1ffaa2b22

SHA512
b6f36640320ed463aa5fc1a2e7db727128f6fa235b3d6f0b4afce1ca475ebaa287ad547384560c441b9ee4d95299b37125c27e46b3a7f3e95739859a66be6dc2

Download Submit
C:\Program Files (x86)\NetSarangX\upload.exe

Filesize
474KB

MD5
9050ac019b4c8dddbc5e250bb87cf9f2

SHA1
241f50bf6100bd84a14bd927a28bba5bc7df30f3

SHA256
83d225323c8783c84d70aee1da5b507dde1e717ab3233f784fbb1b749dba11b9

SHA512
2d3a167bb8d5c06b371f1f0c82ffb25e2aabb2c518b062816ae324d4ed1916f7c2271a7bb220bd49079cc4e33162e27757f3d35b062576ee160de4c209aedbc3

Download Submit
C:\ProgramData\templateWatch.dat

Filesize
5.9MB

MD5
61249aa512751e328c913fe40dafbc65

SHA1
3fe1b0401aa41bdfc3499d1088c17523ba6f062d

SHA256
271bebb9b9d3a0418087f80c9aa43c64ef3dacf7cffff34ad2be1bdd78d649a2

SHA512
af1172023939939abfab11997c3f0edc0fc34f380dbe558e184936a29fb2a3144dbe174632f48f0b224a71299c43b663d6acec6b737b4d7d3f95d7eba7c90cb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6e15af8f29dec1e606c7774ef749eaf2

SHA1
15fbec608e4aa6ddd0e7fd8ea64c2e8197345e97

SHA256
de9124e3fddde204df6a6df22b8b87a51823ba227d3e304a6a6aced9da00c74c

SHA512
1c9c9acd158273749e666271a5cdb2a6aebf6e2b43b835ebcc49d5b48490cbbf4deddef08c232417cee33d4809dec9ddac2478765c1f3d7ed8ea7441f5fd1d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e5a2dac1f49835cf442fde4b7f74b88

SHA1
7b2cf4e2820f304adf533d43e6d75b3008941f72

SHA256
30bd1e1bafb4502c91c1fb568372c0fb046d32a4b732e6b88ce59ea23663e4ce

SHA512
933ac835894ce6cb8aac0261153823c96b6abec955173653dd56e534d644efd03aec71acb4f8cb0b9af871962296ec06cd03e570a0ac53098b8cd55657543786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
6c9a497e4b4dabb3f7ff05d42dc04098

SHA1
312fc5a47a5051fe2f85c535dcb86d7c86653f28

SHA256
fb0dd900d407961008b074fd14ee8dae529cb6ffcf7551e3aecd7b7a9cfdd9bf

SHA512
71b55cfd2471fceb1bb40c4c4e541442a499f0457d600132e2b5c0c715cb7fd382d34d4acda730388dc36d760e71e4af89ee0bf4b61280cf4e6881462b0cadea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
6cbad28e5f9b07916c5a8872e7e28561

SHA1
579e11ef2ab9fa22d2983798bb7e0048b2fb4732

SHA256
52e257f89bbf81541c6f2140ed8f15719b7a09e941fa78a634dbf53a9b455527

SHA512
6b4df1c1f2539544279c25367f81ca33c5eebef22fc5cb7bdb8c5792008ec1e39e764fef6fe464ab8a986095aa7b9d43b36afc14ddccacd5e4bb4735ac33c977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3d2374a0e266029dc13d2957ec061895

SHA1
e21d302a0fbd77024c73e5a8b08120c7773ed674

SHA256
49c9248acd49b8798dfc53468ab2922b330bda68868a70eadec566a1ff84dc47

SHA512
c4b4a4eebd127ec7b820721aca2990822ede4a29f3153cf08bff70cc27cb3a5e4fa7d7c1b299731ff532bdeb5214d4fab133c076318fe4a661684c8f943f45e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
727c1748ac861d5b2e7246992a328f33

SHA1
ac59a4264f0892bac83418c4ebfef5849309bf21

SHA256
3bc2a25d71b86d2509835e236e755375792c505f2712881cd88930594197a69e

SHA512
e64c94ca4eac2d6e9a5283c10823ddf7f90065804b00ba6e35cb39a0ce8d5925746aaef987f92e7c2500e7ddff6101cff6a66f563955a412ee5069c6aca3b164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7b560feb26203b306cfa95581df9c61c

SHA1
80c6e5b9289874daf6b55fbca09420e132c8154e

SHA256
96b7187bd20f96f0910c63c850694dbc506062ece0528176417a9b9deff81e92

SHA512
7bffeaad21e42c1a5c84aa342de111bb4d23d242cc502d89efd56cb08358e77c82563c3d6a33cb55cff891141608ed930fd8f51a8e905798d84fc661694eaf65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ee41aaf38dbb4be410ae4b43cfd00d6f

SHA1
d9ab78a4ab196f52940a58ba63c42d23494091d5

SHA256
25d28dd63301bb174960a61ddc9f76fbdca0e608645e291ab173d0426fb5bb0a

SHA512
e333aacdcd92c8db2906a9adda2eaf60756f3efc721ab70bced8be33230a4fa2b763429111e13f10576345dc5a34c0daa86a91e0ea226470a31f6376093555f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\0bf6ab7f94a21cdc9c1649f884333ec20f40a544\49c79a61-9493-4c17-bcd7-d29aeb8d3ee0\index-dir\the-real-index

Filesize
72B

MD5
8e016e84b68168b20be2cc6d22bf66c5

SHA1
0b02f7bc770eeb97b93be95f4fecc888acbf3c81

SHA256
75936b341458567fa5c546c0fce3536cafdafea7c004454f864bd4af8cf7765c

SHA512
206ff9b1d8aa33260493fbfbf4eb0f4ee59787a7eaa4efda789fdf6c6e73c3734600a44ba3e1c20a7c39442b43ea8b8fa945c2c005e6359daf3e3f8f84638d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\0bf6ab7f94a21cdc9c1649f884333ec20f40a544\49c79a61-9493-4c17-bcd7-d29aeb8d3ee0\index-dir\the-real-index~RFe5805f6.TMP

Filesize
48B

MD5
9390e1414b006075c5b6989bd01441d8

SHA1
dd903663e8890964cad2b2ddec3e3ce74e7f8a8d

SHA256
b2373692f63c385afb12bc71fa061aa0ea8ceaedbe3bdc17c4c662a5ce4caac0

SHA512
1fa6dfb9a2b00d9a7a49e8ad267ea489b314f1ca7e83452bf8c8b73571e9ec782085a7cca7a0dbe35c64e311400b9216923d18fb2657f616a6a329cbcde98c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\0bf6ab7f94a21cdc9c1649f884333ec20f40a544\9521cd86-775c-437f-a715-48db5815464a\index-dir\the-real-index

Filesize
144B

MD5
9f537c75405f7996ba28ab540c0205bf

SHA1
e5d34ad14e0b75b6fd358e4746aada795eac244e

SHA256
cdea9f6993c5699d85e50daed17b64b4b9669ae2ce33ce6abb3f58793cb7a002

SHA512
11fd027712e70ba0e41402aad8ec7ddbc33d6479707b7193b14f9d6d980e6c50da0ddbb6ae530744374c09e6e18f455a47caa61a3a8bd304585921041f0130ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\0bf6ab7f94a21cdc9c1649f884333ec20f40a544\9521cd86-775c-437f-a715-48db5815464a\index-dir\the-real-index~RFe5805d7.TMP

Filesize
48B

MD5
aee196b4f62ed51ef7aab7123180d902

SHA1
fb75e78ea5a56519c1bd466492349853e8e42f3f

SHA256
9065ea7d176cab760a19888dcf7460920b2f3eeac9fc3e72522352cb1092d1fc

SHA512
272eb210ac5e2c175edf6f453ea9198bb70b8e06b1823c99afcf358d20a78962b9a2cbd38bdae195700814e7f800d8269ede03b07c9f598d5076986ccae4ec9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\0bf6ab7f94a21cdc9c1649f884333ec20f40a544\index.txt

Filesize
171B

MD5
6bc398eca79d215bba291ce3db055b33

SHA1
5d4dde728324ba60a987ceee7f083f9e669a8ee1

SHA256
5e300776dacc857c8a8dcc833f075676c7cea2033d9f751ba141be47c447883a

SHA512
c9209a852110a09b68e618127b701cdf7db0d9f7744331c05bef9570649e74c4ee47162efa333c95df431f624b9ef469da54e634728ec246545135db70505f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\0bf6ab7f94a21cdc9c1649f884333ec20f40a544\index.txt

Filesize
226B

MD5
f571df203e3bee0d81e40d50b3ca7d63

SHA1
3dc2d6d2cf7fb0e9fc2d3ecbcd3f75f1a3b3d62c

SHA256
c80b6861f283012530a02e660c0e2494316fa0f51e798c8aa40478f52aeda19f

SHA512
7a682b459266064aee19ad201b01c064fb1c3fc1ac282a97f0d20f705d3bfea61ceac37adb57ce26b91d66ddaff4b48bfc08c7bde18f2c4925fdac809ad3bd92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\0bf6ab7f94a21cdc9c1649f884333ec20f40a544\index.txt

Filesize
220B

MD5
0ce338a33f838f374c71e3e06ba8b61d

SHA1
c8d2444ba13194d5d7f3cfbccbeda5654f0aedd2

SHA256
2aebe707ae3cd5391c6b9e6ee6b2eaafe2b2258d39c649a18c86f71b116ab491

SHA512
c0741b3330d7ce634fac39f24ff48da02e47900a3666fe16d21bdf04571afede7ccdcf525a3915cc8d5dd85b20572b832836b8cf43deee45e04bf05d5fc6489e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\0bf6ab7f94a21cdc9c1649f884333ec20f40a544\index.txt~RFe57e918.TMP

Filesize
111B

MD5
b02589bb12b068ec85e9bb122c474b8b

SHA1
f6281adb037cf21d15bc13072bda03b3233f8376

SHA256
d6f41c7c1c23b2145493a25c4980d3fee09444bb834fe93a4ba1bf96b3d890d9

SHA512
b9fbcab41d828bcbf079b30d4959bddcd577a94ddb16c5c2725690d7c4b1264fbfcce2cf8bfaf5ccd96c4771f0880ba31d28c98eea425a3f590697ece109e9bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
0541d62b02b8049c82030c133a3b31fc

SHA1
63ab9b9ceada265790785cca8539ec6e126d27d6

SHA256
3311d562b80fb3b9d63868968f28b07efc54137ca485597c073f928004f5041a

SHA512
9387de324e299c921d2cf0f53117e45f6345458cb847488278821c72989695692f4e675c58950198660c2a18fa895d5609c70272c06de5403938360afa30abbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5805d7.TMP

Filesize
48B

MD5
3e63e0067d89a1dae9110e5661014d6c

SHA1
a81621bcbeb298146e19db40286f04ed9c4a22bc

SHA256
5ec9c07e3056e13f32107c8822809bfb63b52dbf9d0a8708d31c79e9110d2893

SHA512
bb618b603bcae7bd1232eb7f9cd98667b01c9934df54716b669fae4e6f31cb1696b1c36dde35b9bbc134a505741df2e7f323c37236e96f2a579b606ccd2cebff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0c04203e487e3edef1a6cdf0cdd9de91

SHA1
b7f5050d646e94937979d3f2178b8879e43b2772

SHA256
0d58a8055b1f8dcac2a6a111e845862da04c9bdbb3adb6beaad0d56bdbe55d2a

SHA512
af152aa4205f9a0706d3a9b873ed64da05bdf7d8d2f18373241858decf87c11575b38ace03d0760dace4224d7317fb98a2e43dc2c364906f8ce9fc8e78030449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
619318c63dc6fe42eb31fdca0f030714

SHA1
9b870625c073bb8cb03284f4da1377181b7e1337

SHA256
b935e8cadfeefff50f5b373f85c67372e9cd56614bf53db8d47be8fd63072041

SHA512
c0adc39a434afcc30e2ffeff748ff5bf38766b6dc87ae83c70eb4b89c8a353085ddd2a8531acd7c8b08a6387f15baf20363bd2d47b59482d2627fc4268674c8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
424779b2ea7729ceb11af1de2cecd1db

SHA1
de489cf70836b906dfe0ca3abc6afb0b9e4add8e

SHA256
3a5e2e737eff0225eeab2561a30a8e9a29518989c01d3409151cd1978ca2e5f7

SHA512
73b17f907336b18d361d0b930f60aa2e5844fcb862fc6be87640bb7b18d841660a1434025834ff179b8e602f1157e6b4e871726a2998aeb97f340f5f0eae119f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

Filesize
14KB

MD5
d37ee584bac42fed63e7ebb5fd064a08

SHA1
cc121af87b76ac886a537a43be06931330cbb505

SHA256
94f2415371bad33c51df3010f5733ddb0fd4874714f154a9db79bbf5a5d6c77f

SHA512
709a9b9d485dd14adc80a7ed10a509ae1a2e63bfb3109da55106a42a0074e5c045a22f8590adc878d57b3e5fa6ca8fa80b4d905524a9732f6560116197a36162

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
4.9MB

MD5
d33dd57c830b9b52ec844d713ea1a1da

SHA1
51fc3d3316bb308e164a981d364181ae6cadbd1b

SHA256
b4255a661c37f4bffcb74baf33d1860cf54f0bdaf68a7b172d4beef3e22729d3

SHA512
9b28c9968f0fd1e908d696e363725c6278771c51ac11e52fc6e89081197b88e5f1153293d6e61ae706278b3a98ee70be5ea2765443492461bc5d2330e5c8a260

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
329KB

MD5
52a0b3c36a01a89187342803bc11709d

SHA1
8f17c48ecfb5f798cfe565b8f370a86cf8efb091

SHA256
af97caa9ff7fba485bdbc688ac1f9de451d38efd102b2bf18deeeed7bd1a30c0

SHA512
830259b06dc26197eb5bff1d12cc490a2813bf15ce99b2eb8fa3a61586d0cf613f5ba81fe120be8350ac7f27841633c74a97add2c33591952a0060404249c89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG2.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 639074.crdownload

Filesize
8.8MB

MD5
58f89a681e7912bc405890e5dd036ea5

SHA1
656fc59a30678dc36834ede459a0d305ff25f42c

SHA256
4e27d60ba9265e00cb7fa0f46efba0439caac4f1021ccdfca0ecfe3b064d214d

SHA512
02fa8270ef500c6d8e40903261bf92121a301c0b4dbd4fa8801c969e16d35c95a79f9c5dc4d78780e4b00285506771aef267b4492698151ca7379a927c21195d

Download Submit
C:\Users\Admin\Downloads\WhatsApp.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
13KB

MD5
29b994bbbfa6110402d25849acd61baa

SHA1
e3dae0632750d70cb38a1a7a741fc1a91f28580d

SHA256
165c99b55b3dcc4844d5066e4f3beea3181320d7e6c647439c0fe3035a4695fe

SHA512
98cc2abfb6904cffa82681b4f799a19f3bc9605cc2e17f1778cecc0b67d78c49ad7e08c9f2b606ffe8a572e0224a355cf9bb3b8d97dcc15e7d3a0841e423b889

Download Submit
C:\Windows\Temp\_ir_tu2_temp_0\_TUProjDT.dat

Filesize
4B

MD5
67bf1f80834081fc794c6ed1f7c2fed5

SHA1
4d73fbec18037110be3248e97a555b7f9e458777

SHA256
54fd2361602e82db016d6ea62fbadc3984b566399dfaac7e0a1181e4c70b90c2

SHA512
fd08c52f7f712dc477ce548476cc2f2582b19f05dc03a814e93ea8464b9a4510375b26f2a39ec50057bd0b0bfc3bdd94eda1e814254a259f0b209da2358d3bae

Download Submit
memory/3396-206-0x0000000002210000-0x0000000002C56000-memory.dmp

Filesize
10.3MB

Download
memory/3396-194-0x0000000010000000-0x0000000010004000-memory.dmp

Filesize
16KB

Download
memory/3396-639-0x0000000002210000-0x0000000002C56000-memory.dmp

Filesize
10.3MB

Download
memory/3396-207-0x0000000002210000-0x0000000002C56000-memory.dmp

Filesize
10.3MB

Download
memory/3396-175-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3396-205-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download
memory/3396-445-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3396-198-0x0000000002210000-0x0000000002C56000-memory.dmp

Filesize
10.3MB

Download
memory/4640-249-0x00000000015A0000-0x00000000015A1000-memory.dmp

Filesize
4KB

Download
memory/4640-250-0x0000000010000000-0x0000000010A46000-memory.dmp

Filesize
10.3MB

Download
memory/4640-218-0x0000000000E00000-0x00000000013E6000-memory.dmp

Filesize
5.9MB

Download
memory/4640-219-0x0000000010000000-0x0000000010A46000-memory.dmp

Filesize
10.3MB

Download
memory/4836-135-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4836-156-0x0000000002CB0000-0x0000000002CB2000-memory.dmp

Filesize
8KB

Download
memory/4836-170-0x0000000003530000-0x0000000003F76000-memory.dmp

Filesize
10.3MB

Download
memory/4836-169-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/4836-171-0x0000000003530000-0x0000000003F76000-memory.dmp

Filesize
10.3MB

Download
memory/4836-438-0x0000000003530000-0x0000000003F76000-memory.dmp

Filesize
10.3MB

Download
memory/4836-253-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4836-157-0x0000000010000000-0x0000000010004000-memory.dmp

Filesize
16KB

Download
memory/4836-161-0x0000000002E00000-0x00000000033E6000-memory.dmp

Filesize
5.9MB

Download
memory/4836-162-0x0000000003530000-0x0000000003F76000-memory.dmp

Filesize
10.3MB

Download