amadey | 2d7fddd25a9bac1ad50e479cded38aebb623ce2a7a77e058b5a735fa4628f089

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hdoqgihvw.exe
Size

557KB
MD5

edf87c3498772bd5a73af0baa1fb637a
SHA1

b7b2c8fdd06cad300c721e3cad2dc69bca3bbcdb
SHA256

90ffbc37f8b47bf0d7c629a33e25828c42791133afc754380f1559f2f01f522a
SHA512

a38857b7905210d862ba08f6de0c8a88e9a8a35a82bd61886d6613835f4204d2c12f26c319d720a7b2f6af9c86a35feac2ba621baeb81eb2fdd3ed402b7640ba
SSDEEP

12288:EB1rZEH5kKHBbjfxhEHrtZHw817hA5MWM1jZIxTXxSYGKuX04lxplu+edBZuwRZq:EBIEHrXw8hhcrM1d+BqXhUZq

Score

10^/10

amadey rhadamanthys sectoprat discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

rhadamanthys

https://185.196.11.237:9697/f002171ab05c7/hip4946p.881o6

https://185.196.11.237:9697/f002171ab05c7/73434jqg.jxviu

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/3612-426-0x0000000000BB0000-0x0000000000C76000-memory.dmp	family_sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 924 created 2924	924	hdoqgihvw.exe	50
PID 628 created 2924	628	explorer.exe	50
PID 3928 created 2924	3928	explorer.exe	50

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	hdoqgihvw.exe

Executes dropped EXE 8 IoCs

pid	Process
4836	vlc.exe
320	vlc.exe
1948	msn.exe
4848	msn.exe
868	msn.exe
224	msn.exe
4072	VBoxTestOGL.exe
3496	VBoxTestOGL.exe

Loads dropped DLL 37 IoCs

pid	Process
4836	vlc.exe
4836	vlc.exe
320	vlc.exe
320	vlc.exe
1948	msn.exe
1948	msn.exe
1948	msn.exe
4848	msn.exe
4848	msn.exe
4848	msn.exe
4848	msn.exe
868	msn.exe
868	msn.exe
868	msn.exe
868	msn.exe
224	msn.exe
224	msn.exe
224	msn.exe
4072	VBoxTestOGL.exe
4072	VBoxTestOGL.exe
4072	VBoxTestOGL.exe
4072	VBoxTestOGL.exe
4072	VBoxTestOGL.exe
4072	VBoxTestOGL.exe
4072	VBoxTestOGL.exe
4072	VBoxTestOGL.exe
4072	VBoxTestOGL.exe
3496	VBoxTestOGL.exe
3496	VBoxTestOGL.exe
3496	VBoxTestOGL.exe
3496	VBoxTestOGL.exe
3496	VBoxTestOGL.exe
3496	VBoxTestOGL.exe
3496	VBoxTestOGL.exe
3496	VBoxTestOGL.exe
3496	VBoxTestOGL.exe
3496	VBoxTestOGL.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 924	1940	hdoqgihvw.exe	93
PID 320 set thread context of 428	320	vlc.exe	110
PID 4848 set thread context of 396	4848	msn.exe	116
PID 224 set thread context of 4224	224	msn.exe	127
PID 3496 set thread context of 3020	3496	VBoxTestOGL.exe	138
PID 4224 set thread context of 3612	4224	cmd.exe	141

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4120	powershell.exe
1680	powershell.exe
2992	powershell.exe
4644	powershell.exe
3640	powershell.exe
4632	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5052	924	WerFault.exe	93
756	924	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hdoqgihvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hdoqgihvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
924	hdoqgihvw.exe
924	hdoqgihvw.exe
5060	openwith.exe
5060	openwith.exe
5060	openwith.exe
5060	openwith.exe
3640	powershell.exe
3640	powershell.exe
4836	vlc.exe
320	vlc.exe
320	vlc.exe
4632	powershell.exe
4632	powershell.exe
1948	msn.exe
4848	msn.exe
428	cmd.exe
428	cmd.exe
4848	msn.exe
4120	powershell.exe
4120	powershell.exe
1680	powershell.exe
1680	powershell.exe
868	msn.exe
224	msn.exe
224	msn.exe
396	cmd.exe
396	cmd.exe
396	cmd.exe
396	cmd.exe
2992	powershell.exe
2992	powershell.exe
2992	powershell.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
4072	VBoxTestOGL.exe
3496	VBoxTestOGL.exe
3496	VBoxTestOGL.exe
3496	VBoxTestOGL.exe
4224	cmd.exe
4224	cmd.exe
4224	cmd.exe
4224	cmd.exe
3020	cmd.exe
3020	cmd.exe
3020	cmd.exe
3020	cmd.exe
628	explorer.exe
628	explorer.exe
4632	openwith.exe
4632	openwith.exe
4632	openwith.exe
4632	openwith.exe
3928	explorer.exe
3928	explorer.exe
392	openwith.exe
392	openwith.exe
392	openwith.exe
392	openwith.exe
3612	MSBuild.exe
3612	MSBuild.exe
4536	explorer.exe
4536	explorer.exe
4536	explorer.exe

Suspicious behavior: MapViewOfSection 9 IoCs

pid	Process
320	vlc.exe
4848	msn.exe
224	msn.exe
428	cmd.exe
3496	VBoxTestOGL.exe
396	cmd.exe
4224	cmd.exe
4224	cmd.exe
3020	cmd.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	3612	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3612	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 924	1940	hdoqgihvw.exe	93
PID 1940 wrote to memory of 924	1940	hdoqgihvw.exe	93
PID 1940 wrote to memory of 924	1940	hdoqgihvw.exe	93
PID 1940 wrote to memory of 924	1940	hdoqgihvw.exe	93
PID 1940 wrote to memory of 924	1940	hdoqgihvw.exe	93
PID 1940 wrote to memory of 924	1940	hdoqgihvw.exe	93
PID 1940 wrote to memory of 924	1940	hdoqgihvw.exe	93
PID 1940 wrote to memory of 924	1940	hdoqgihvw.exe	93
PID 1940 wrote to memory of 924	1940	hdoqgihvw.exe	93
PID 1940 wrote to memory of 924	1940	hdoqgihvw.exe	93
PID 1940 wrote to memory of 924	1940	hdoqgihvw.exe	93
PID 924 wrote to memory of 5060	924	hdoqgihvw.exe	97
PID 924 wrote to memory of 5060	924	hdoqgihvw.exe	97
PID 924 wrote to memory of 5060	924	hdoqgihvw.exe	97
PID 924 wrote to memory of 5060	924	hdoqgihvw.exe	97
PID 924 wrote to memory of 5060	924	hdoqgihvw.exe	97
PID 1940 wrote to memory of 3640	1940	hdoqgihvw.exe	104
PID 1940 wrote to memory of 3640	1940	hdoqgihvw.exe	104
PID 1940 wrote to memory of 4836	1940	hdoqgihvw.exe	108
PID 1940 wrote to memory of 4836	1940	hdoqgihvw.exe	108
PID 4836 wrote to memory of 320	4836	vlc.exe	109
PID 4836 wrote to memory of 320	4836	vlc.exe	109
PID 320 wrote to memory of 428	320	vlc.exe	110
PID 320 wrote to memory of 428	320	vlc.exe	110
PID 320 wrote to memory of 428	320	vlc.exe	110
PID 320 wrote to memory of 428	320	vlc.exe	110
PID 1940 wrote to memory of 4632	1940	hdoqgihvw.exe	112
PID 1940 wrote to memory of 4632	1940	hdoqgihvw.exe	112
PID 1940 wrote to memory of 1948	1940	hdoqgihvw.exe	114
PID 1940 wrote to memory of 1948	1940	hdoqgihvw.exe	114
PID 1940 wrote to memory of 1948	1940	hdoqgihvw.exe	114
PID 1948 wrote to memory of 4848	1948	msn.exe	115
PID 1948 wrote to memory of 4848	1948	msn.exe	115
PID 1948 wrote to memory of 4848	1948	msn.exe	115
PID 4848 wrote to memory of 396	4848	msn.exe	116
PID 4848 wrote to memory of 396	4848	msn.exe	116
PID 4848 wrote to memory of 396	4848	msn.exe	116
PID 1940 wrote to memory of 4120	1940	hdoqgihvw.exe	118
PID 1940 wrote to memory of 4120	1940	hdoqgihvw.exe	118
PID 1940 wrote to memory of 4120	1940	hdoqgihvw.exe	118
PID 4848 wrote to memory of 396	4848	msn.exe	116
PID 1940 wrote to memory of 1680	1940	hdoqgihvw.exe	123
PID 1940 wrote to memory of 1680	1940	hdoqgihvw.exe	123
PID 1940 wrote to memory of 868	1940	hdoqgihvw.exe	125
PID 1940 wrote to memory of 868	1940	hdoqgihvw.exe	125
PID 1940 wrote to memory of 868	1940	hdoqgihvw.exe	125
PID 868 wrote to memory of 224	868	msn.exe	126
PID 868 wrote to memory of 224	868	msn.exe	126
PID 868 wrote to memory of 224	868	msn.exe	126
PID 224 wrote to memory of 4224	224	msn.exe	127
PID 224 wrote to memory of 4224	224	msn.exe	127
PID 224 wrote to memory of 4224	224	msn.exe	127
PID 1940 wrote to memory of 2992	1940	hdoqgihvw.exe	131
PID 1940 wrote to memory of 2992	1940	hdoqgihvw.exe	131
PID 1940 wrote to memory of 2992	1940	hdoqgihvw.exe	131
PID 428 wrote to memory of 628	428	cmd.exe	133
PID 428 wrote to memory of 628	428	cmd.exe	133
PID 428 wrote to memory of 628	428	cmd.exe	133
PID 224 wrote to memory of 4224	224	msn.exe	127
PID 1940 wrote to memory of 4644	1940	hdoqgihvw.exe	134
PID 1940 wrote to memory of 4644	1940	hdoqgihvw.exe	134
PID 1940 wrote to memory of 4072	1940	hdoqgihvw.exe	136
PID 1940 wrote to memory of 4072	1940	hdoqgihvw.exe	136
PID 428 wrote to memory of 628	428	cmd.exe	133

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2924
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5060
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:392

C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe
"C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe
  "C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 436
    3⤵
    - Program crash
    PID:5052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 432
    3⤵
    - Program crash
    PID:756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3640
- C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe
  "C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Users\Admin\AppData\Local\UpdateWatcher_Fv_beta_v4\vlc.exe
    C:\Users\Admin\AppData\Local\UpdateWatcher_Fv_beta_v4\vlc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:428
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msn.exe
  "C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\ProgramData\downloaddemo_test\msn.exe
    C:\ProgramData\downloaddemo_test\msn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:396
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3928
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10000631141\AddUsers.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\msn.exe
  "C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\msn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\ProgramData\Svclocalv4\msn.exe
    C:\ProgramData\Svclocalv4\msn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:4224
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10000741141\Prg.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4644
- C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe
  "C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4072
- - C:\Users\Admin\AppData\Local\ggu_Notepad\VBoxTestOGL.exe
    C:\Users\Admin\AppData\Local\ggu_Notepad\VBoxTestOGL.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:3496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:3020
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 924 -ip 924
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 924 -ip 924
1⤵
PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fe3aab3ae544a134b68e881b82b70169

SHA1
926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

SHA256
bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

SHA512
3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0912bdcdbfa8d76ed3ab2ff4d8aa479d

SHA1
5a4debb7128aff994c0f1024f62e7aa5714352c8

SHA256
00e4b652fa67392304e72b044806f909ac2ede9efed271f304e060b13ee1da1e

SHA512
f276b688c1661fcebec6750637329256ef166b57527066c5bdc70bdb9fa4959d446e240d1b0ee80ef4491c796c1afe23e18833f29f37e335083c62ccb91d90ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
445026770286e20a8cf920fad9f581a6

SHA1
bbf4f9542dbc62c0026828cb71a829a8ba2c70ea

SHA256
dbded32cb499b65562b29acea1cab7840ec0f2ecf7462bd9845914c925352c76

SHA512
ec2a16a24ead7807172d356b2e0bdb6d6acfbd54d2c38b38679ae346a144d249b79fe3ecf2abb934e1d98714ad5a5bd8a95f9a916fac85d08b412e45fab8fbba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ed0ce6cdf157b8d7b3bc3f0e75e74eb6

SHA1
49a011809331fc7bcb7c8c544405b1cd50c68500

SHA256
6a7e1bfdfaade4f94b22759197953d1d5fcbbe3a30bea0eabb73e062e10dfc45

SHA512
006affc28af326b1f6e72759f2ef754745d7ae214dba0fd288fbd4df4b52ae96baf7ac696cae0694850f6ea3ef8bc0d74f35773ab5d2c18fa8d644f5c8196e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip

Filesize
2.8MB

MD5
f169e93956f90c9b4fee4800e4fb655f

SHA1
fb0005f2d2213f1e486c3d1c2992cf35b8450591

SHA256
61205f3d3b64a36565e557eb3f16f1a0cd031852ce7c1dd13e879cca611d2da1

SHA512
ee86a4447bf986ebaeebdf47b332973b25071b5f4e16067e44064d82ad5827b38c89faf4eda12a92ad7cfabee78f1ae01b3acfff9650c37b34f63e651ab28c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\dqhq

Filesize
57KB

MD5
b23152452b6c798ee1b57352cc5ebce1

SHA1
219a30751cda0df049fecc8247daf34fe57d1f4a

SHA256
c513a651c736cdb3acbc7fad1612c544bf14b658dd4db62ea7eb434d8393f83a

SHA512
c951a6e46c4f7d86553dfb2d796e68fd6cb197114155c61e8898e6d792ec87cc18a326097cf140874473e6e33cced35d6a87aea93894a59e3da35f27862e177d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\hcsjm

Filesize
896KB

MD5
d272096a4ad0ba0c3001c21804b11835

SHA1
3b3933a81cf97301e1e1a4f3c37df2dbb32d3679

SHA256
975412a4da13058af093ad1c18dc985428bebd0f2fc730e6195948e69154d65f

SHA512
6c837d5638fdeed4ce2e579019c8ee85a2f751393530a286396dce30cfc7db4c336515f4fd94fd1b7cf0ee93a1366bcfa7acc6e62e459382f3553bf2d55c2c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\libvlc.dll

Filesize
186KB

MD5
4b262612db64f26ea1168ca569811110

SHA1
8e59964d1302a3109513cd4fd22c1f313e79654c

SHA256
a9340c99206f3388153d85df4ca94d33b28c60879406cc10ff1fd10eae16523f

SHA512
9902e64eb1e5ed4c67f4b7e523b41bde4535148c6be20db5f386a1da74533ca575383f1b3154f5985e379df9e1e164b6bda25a66504edcfaa57d40b04fc658c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\libvlccore.dll

Filesize
2.7MB

MD5
c39b26fd913f74e1b80df54a3c58cfb7

SHA1
d81a62a78fbe5294c9298721e588ed9b38aafd9e

SHA256
eafae6c93e6e49310d13f80b76de3286ad6027624416543fbd65f8f0b0541e68

SHA512
4fbd067c88405b5541da6ddb1fa6c7d09a327d008c5494674124bf8fe3641d328e6ac0ee95b84b6368be796e249d633842a4ef5f0db71ce5cbb449089175fd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe

Filesize
966KB

MD5
e634616d3b445fc1cd55ee79cf5326ea

SHA1
ca27a368d87bc776884322ca996f3b24e20645f4

SHA256
1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937

SHA512
7d491c0a97ce60e22238a1a3530f45fbb3c82377b400d7986db09eccad05c9c22fb5daa2b4781882f870ab088326e5f6156613124caa67b54601cbad8f66aa90

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe.zip

Filesize
4.4MB

MD5
03138e3ecc2df5643bfb9dc41722d6cf

SHA1
d8d52a348adb94ef66a285e976876396dcde0634

SHA256
48ede0e3a4e2b696205f639bb5f826825d83f587c5b86d5b6fea31ef5ae4e1dc

SHA512
c53f09588fe9fd7bd5328140f0b235686b36be30fa09a430015fa319c1e3dbb20ab58e84ec4ed7515c39c1168e316d808a744875ac3f375c443786a9b584f6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\MSNCore.dll

Filesize
991KB

MD5
deaa38a71c85d2f9d4ba71343d1603da

SHA1
bdbb492512cee480794e761d1bea718db14013ec

SHA256
1dc120f34b294e964eee949c4d1ebd9c271715d46b38ae082fec2f1d505e8d65

SHA512
87b152b642a020e07ad46e9ed5b4a462c12cf0918f82025c230f662eddb3bf4b2d3aa15ca770970beae5988dd5d5d9b7bcaf7a77c6d2f3acf6d12826f3a9ead7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\bqbr

Filesize
896KB

MD5
0180c5a2f5b002e8755c60a3786c4975

SHA1
64bcbe91e3dd1dcd21709cbf189c032bb47501a2

SHA256
6eff0ca0c63ce6c712dc5f1f892b68d43894d13b681f75ab585b6c611dc16476

SHA512
8dbdfef7906be474ecadb7848042f3736483ef9b4ea05f4f60a3ae049a99bf1a8bcd57507b334e229c972784b6355b9dcf647c5992e56518a35d9ff0d639e1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\contactsUX.dll

Filesize
331KB

MD5
54ee6a204238313dc6aca21c7e036c17

SHA1
531fd1c18e2e4984c72334eb56af78a1048da6c7

SHA256
0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd

SHA512
19a2e371712aab54b75059d39a9aea6e7de2eb69b3ffc0332e60df617ebb9de61571b2ca722cddb75c9cbc79f8200d03f73539f21f69366eae3c7641731c7820

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\gld

Filesize
88KB

MD5
06a62106f0d01ed3a971415b57366a8b

SHA1
9d905a38a4f53961a3828b2f759062b428dd25a9

SHA256
6c5fb0f5e586cac39cf4e06e918dad243053cb103a82afeed32d92732834cc93

SHA512
4565dfe2e72a4a08d2a66722cb3ab736a2fa45f0c0ad368805d778f57f3bade2c82b2f8eab3006e4258cf5be84e96a46233e68be4d14fec50382cd94c13a4d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msidcrl40.dll

Filesize
784KB

MD5
f1f8d156bbdd5945a4f933ac7fa7cc41

SHA1
e581235e9f1a3a8a63b8a470eaed882bc93b9085

SHA256
344ac8e5debb1a496c3648f941801cdc6ffdfcc7eef8ed38e62270a2e20b1c3a

SHA512
86d799af3be251edecf6a552f473b94a0ba2d738b7b5f4a84c31bb34db4ea458f5e50090370bdf82f945e684dd5d66b88ebe3c902305bb0a435aca1331cb4ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msn.exe

Filesize
5.5MB

MD5
537915708fe4e81e18e99d5104b353ed

SHA1
128ddb7096e5b748c72dc13f55b593d8d20aa3fb

SHA256
6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74

SHA512
9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msvcr80.dll

Filesize
612KB

MD5
43143abb001d4211fab627c136124a44

SHA1
edb99760ae04bfe68aaacf34eb0287a3c10ec885

SHA256
cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03

SHA512
ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000631141\AddUsers.ps1

Filesize
42B

MD5
a60bfbb12614cbc931e3b427054b1e0c

SHA1
a44ca11bf0cf1eb0ed7c1fb25db7be381772188a

SHA256
e67c9b0a7133b40d4119b02b79366e9e526651682d28d80f66a2ffaffe0985cc

SHA512
c2f273b49a77c2c2582ed9cf8a080ce503af585dfc616d92ba9ce24b6f038c859809866601d91c8231e04977aa81bdc0e53f0fc9b7faee8fd8e2d615a99c9fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg.zip

Filesize
4.7MB

MD5
2b304594003a38de9d5bbdafcd5428bd

SHA1
8d65aa7dd39c6d180f4211d9633bc8d0f42ece0f

SHA256
dc083a97abcc87f3d153b21cf4b0ff19ca7cadc3f698b9ecfd1402b93884ac58

SHA512
f8f2ded019926010b264daa2887b591a7118c9c059e631c565d131bc3ea3727374f989c9bda92cab2427666193f796de6417a1a90333acd48db11009758be6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\bqbr

Filesize
1.2MB

MD5
3a05d26d5f082069d4c556b9858c5fdc

SHA1
37c11326ee5279ce552261f145fe49e1fc49d05c

SHA256
a4da5697b73c5d24e98dfeeaae89ae41c18d5105d0b130562c48b75f7e3a0b39

SHA512
1bdc73e784894d9934834b1c9416313b25eab515f010c48df08efe5b7b570cd10766cceb672268daf7fdf916672f086dcb581f7a9ad237d2dc18e4f3a895beba

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000741141\Prg.ps1

Filesize
48B

MD5
1576644cd260cd1d79d00d014d3cc23b

SHA1
bc944bfe0ac7c4e1c87c8917b9c902f47aaed571

SHA256
dd6a49c132fceccf999c30a7f6d7ee9d0ce2dc8a14d9155200741373a0a7101a

SHA512
f6a78ccb2ba72476387988308d64478ddce4861b979f0755c289b5ceb125a76191f817c68b6dfb33de95a0b9e82d81d05426bca6e2d20acf1f4e06250c1af540

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip

Filesize
8.5MB

MD5
e0a6c369447034f1b7f2749620c420cc

SHA1
15b88a23dca33d84bdb2c256e67aee6705a4f122

SHA256
3e13e72c418b133c27a1c5aa85cf76f803ab2642b22b473d27de4a1449890603

SHA512
374e851b931cee58aa31b6ab215dc94d85a9251e1e60d43e6c21edbf657983bb37148681b20d2d518c4001624caebbd588d3bfa59506900e11a8003765cb379a

Download Submit
C:\Users\Admin\AppData\Local\Temp\386e1c43

Filesize
1.1MB

MD5
7764f11da1384e4966b23481b9ba9774

SHA1
be799fe9e79fe7d9cb1efbfb2a564fe83a7c05d3

SHA256
bf0fe6f0d0a7302dacf28cbcaff75c404b4ea5d2bf4e3aa84c4e8a613c031d63

SHA512
405e245e740c27bb5126c5cf55cb50726bc54c4d09c3a3cc958005f944e62ad30543393bf59139aef769fd2b119535e3ac0c2f3ee0f313a7d5903d6befa0d800

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f6c8ae7

Filesize
1.1MB

MD5
400f8a50a5e576877a41ccc485be3297

SHA1
6a564a70e756d967183fb83025c2822a10daa4cc

SHA256
b4f48e40e10385dc325ce80421315cf87d978c1d613892a1bd7b1cca766085e3

SHA512
7c2745d0d6214b87aceef2fcc6cba7e4c754b77fae8fbef61879ee6ee00843828daf1943ab1d0ba3f5267b52b90ed4c9a24439d2b8b78bef7eb831cdc7c37e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\932230532004

Filesize
77KB

MD5
2b15f54ac3c94aeb176c382cd56c7c36

SHA1
5a576bbb81baf5d4ee3b2f239a7274efa346dd7b

SHA256
416f6b1f61e6da40ea5564958571d5d850002a60602ca5786fe1d1e669cd6c4b

SHA512
44494c68c1bb904d0add190134511f140e8a1db4d07e886bdddd803f1a6b44b9f6346ef74cafc5a3dfbeabbc86d4e71c63b3b16cf4776261527f6fd131cf1ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0zrjiv3f.p5a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA6AE.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
memory/224-288-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp

Filesize
2.0MB

Download
memory/224-324-0x0000000073390000-0x000000007350B000-memory.dmp

Filesize
1.5MB

Download
memory/224-287-0x0000000073390000-0x000000007350B000-memory.dmp

Filesize
1.5MB

Download
memory/320-94-0x00007FFC2F7D0000-0x00007FFC2F942000-memory.dmp

Filesize
1.4MB

Download
memory/320-97-0x00007FF7F2500000-0x00007FF7F25F8000-memory.dmp

Filesize
992KB

Download
memory/320-95-0x00007FFC2F7D0000-0x00007FFC2F942000-memory.dmp

Filesize
1.4MB

Download
memory/320-98-0x00007FFC310B0000-0x00007FFC310E4000-memory.dmp

Filesize
208KB

Download
memory/320-99-0x00007FFC2F950000-0x00007FFC2FC05000-memory.dmp

Filesize
2.7MB

Download
memory/396-289-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp

Filesize
2.0MB

Download
memory/396-290-0x0000000073390000-0x000000007350B000-memory.dmp

Filesize
1.5MB

Download
memory/396-381-0x0000000073390000-0x000000007350B000-memory.dmp

Filesize
1.5MB

Download
memory/428-169-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp

Filesize
2.0MB

Download
memory/428-309-0x0000000073390000-0x000000007350B000-memory.dmp

Filesize
1.5MB

Download
memory/628-384-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp

Filesize
2.0MB

Download
memory/628-385-0x0000000000F30000-0x0000000000FB0000-memory.dmp

Filesize
512KB

Download
memory/628-365-0x0000000000F30000-0x0000000000FB0000-memory.dmp

Filesize
512KB

Download
memory/628-393-0x0000000000F30000-0x0000000000FB0000-memory.dmp

Filesize
512KB

Download
memory/628-395-0x00000000041E0000-0x00000000045E0000-memory.dmp

Filesize
4.0MB

Download
memory/628-398-0x0000000075DA0000-0x0000000075FB5000-memory.dmp

Filesize
2.1MB

Download
memory/628-402-0x0000000000F30000-0x0000000000FB0000-memory.dmp

Filesize
512KB

Download
memory/868-273-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp

Filesize
2.0MB

Download
memory/868-272-0x0000000073390000-0x000000007350B000-memory.dmp

Filesize
1.5MB

Download
memory/924-15-0x00000000037A0000-0x0000000003BA0000-memory.dmp

Filesize
4.0MB

Download
memory/924-13-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/924-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/924-21-0x0000000075DA0000-0x0000000075FB5000-memory.dmp

Filesize
2.1MB

Download
memory/924-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/924-16-0x00000000037A0000-0x0000000003BA0000-memory.dmp

Filesize
4.0MB

Download
memory/924-18-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp

Filesize
2.0MB

Download
memory/924-31-0x00000000037A0000-0x0000000003BA0000-memory.dmp

Filesize
4.0MB

Download
memory/924-19-0x00000000037A0000-0x0000000003BA0000-memory.dmp

Filesize
4.0MB

Download
memory/924-17-0x00000000037A0000-0x0000000003BA0000-memory.dmp

Filesize
4.0MB

Download
memory/924-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1948-146-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp

Filesize
2.0MB

Download
memory/1948-145-0x0000000073390000-0x000000007350B000-memory.dmp

Filesize
1.5MB

Download
memory/2992-320-0x0000000007010000-0x00000000070B3000-memory.dmp

Filesize
652KB

Download
memory/2992-299-0x0000000005810000-0x0000000005B64000-memory.dmp

Filesize
3.3MB

Download
memory/2992-321-0x0000000007340000-0x0000000007351000-memory.dmp

Filesize
68KB

Download
memory/2992-322-0x0000000007390000-0x00000000073A4000-memory.dmp

Filesize
80KB

Download
memory/2992-308-0x0000000005EB0000-0x0000000005EFC000-memory.dmp

Filesize
304KB

Download
memory/2992-310-0x000000006E890000-0x000000006E8DC000-memory.dmp

Filesize
304KB

Download
memory/3020-389-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp

Filesize
2.0MB

Download
memory/3496-382-0x00007FFC2EA10000-0x00007FFC2EB82000-memory.dmp

Filesize
1.4MB

Download
memory/3496-377-0x00007FFC2EA10000-0x00007FFC2EB82000-memory.dmp

Filesize
1.4MB

Download
memory/3612-426-0x0000000000BB0000-0x0000000000C76000-memory.dmp

Filesize
792KB

Download
memory/3612-432-0x0000000005140000-0x000000000514A000-memory.dmp

Filesize
40KB

Download
memory/3612-429-0x00000000054D0000-0x0000000005692000-memory.dmp

Filesize
1.8MB

Download
memory/3612-430-0x0000000005250000-0x00000000052C6000-memory.dmp

Filesize
472KB

Download
memory/3612-431-0x0000000005300000-0x0000000005350000-memory.dmp

Filesize
320KB

Download
memory/3612-459-0x00000000053B0000-0x00000000053C2000-memory.dmp

Filesize
72KB

Download
memory/3612-435-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

Filesize
120KB

Download
memory/3612-460-0x0000000005410000-0x000000000544C000-memory.dmp

Filesize
240KB

Download
memory/3612-433-0x00000000063E0000-0x000000000690C000-memory.dmp

Filesize
5.2MB

Download
memory/3612-427-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/3612-428-0x0000000005800000-0x0000000005DA4000-memory.dmp

Filesize
5.6MB

Download
memory/3612-452-0x0000000007B90000-0x0000000007B9A000-memory.dmp

Filesize
40KB

Download
memory/3640-39-0x00007FFC2F093000-0x00007FFC2F095000-memory.dmp

Filesize
8KB

Download
memory/3640-40-0x0000027333350000-0x0000027333372000-memory.dmp

Filesize
136KB

Download
memory/3640-46-0x00007FFC2F090000-0x00007FFC2FB51000-memory.dmp

Filesize
10.8MB

Download
memory/3640-51-0x00007FFC2F090000-0x00007FFC2FB51000-memory.dmp

Filesize
10.8MB

Download
memory/3640-52-0x0000027333830000-0x0000027333842000-memory.dmp

Filesize
72KB

Download
memory/3640-53-0x0000027319150000-0x000002731915A000-memory.dmp

Filesize
40KB

Download
memory/3640-67-0x00007FFC2F090000-0x00007FFC2FB51000-memory.dmp

Filesize
10.8MB

Download
memory/3928-420-0x0000000000E00000-0x0000000000E80000-memory.dmp

Filesize
512KB

Download
memory/3928-390-0x0000000000E00000-0x0000000000E80000-memory.dmp

Filesize
512KB

Download
memory/3928-388-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp

Filesize
2.0MB

Download
memory/3928-387-0x0000000000E00000-0x0000000000E80000-memory.dmp

Filesize
512KB

Download
memory/4072-363-0x00007FFC2EA10000-0x00007FFC2EB82000-memory.dmp

Filesize
1.4MB

Download
memory/4120-192-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/4120-180-0x0000000005520000-0x0000000005586000-memory.dmp

Filesize
408KB

Download
memory/4120-218-0x00000000071F0000-0x000000000720A000-memory.dmp

Filesize
104KB

Download
memory/4120-217-0x0000000007100000-0x0000000007114000-memory.dmp

Filesize
80KB

Download
memory/4120-216-0x00000000070F0000-0x00000000070FE000-memory.dmp

Filesize
56KB

Download
memory/4120-176-0x0000000004620000-0x0000000004656000-memory.dmp

Filesize
216KB

Download
memory/4120-212-0x00000000070B0000-0x00000000070C1000-memory.dmp

Filesize
68KB

Download
memory/4120-211-0x0000000007150000-0x00000000071E6000-memory.dmp

Filesize
600KB

Download
memory/4120-210-0x0000000006F20000-0x0000000006F2A000-memory.dmp

Filesize
40KB

Download
memory/4120-177-0x0000000004C90000-0x00000000052B8000-memory.dmp

Filesize
6.2MB

Download
memory/4120-209-0x0000000006EE0000-0x0000000006EFA000-memory.dmp

Filesize
104KB

Download
memory/4120-208-0x0000000007500000-0x0000000007B7A000-memory.dmp

Filesize
6.5MB

Download
memory/4120-207-0x0000000006DA0000-0x0000000006E43000-memory.dmp

Filesize
652KB

Download
memory/4120-206-0x0000000006D80000-0x0000000006D9E000-memory.dmp

Filesize
120KB

Download
memory/4120-196-0x000000006EC00000-0x000000006EC4C000-memory.dmp

Filesize
304KB

Download
memory/4120-195-0x0000000006D40000-0x0000000006D72000-memory.dmp

Filesize
200KB

Download
memory/4120-193-0x0000000005BC0000-0x0000000005C0C000-memory.dmp

Filesize
304KB

Download
memory/4120-190-0x0000000005590000-0x00000000058E4000-memory.dmp

Filesize
3.3MB

Download
memory/4120-179-0x00000000053B0000-0x0000000005416000-memory.dmp

Filesize
408KB

Download
memory/4120-219-0x0000000007130000-0x0000000007138000-memory.dmp

Filesize
32KB

Download
memory/4120-178-0x0000000004BE0000-0x0000000004C02000-memory.dmp

Filesize
136KB

Download
memory/4224-378-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp

Filesize
2.0MB

Download
memory/4632-403-0x00000000025D0000-0x00000000029D0000-memory.dmp

Filesize
4.0MB

Download
memory/4632-404-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp

Filesize
2.0MB

Download
memory/4632-406-0x0000000075DA0000-0x0000000075FB5000-memory.dmp

Filesize
2.1MB

Download
memory/4836-85-0x00007FFC36320000-0x00007FFC36354000-memory.dmp

Filesize
208KB

Download
memory/4836-76-0x00007FFC2F7D0000-0x00007FFC2F942000-memory.dmp

Filesize
1.4MB

Download
memory/4836-86-0x00007FFC2F950000-0x00007FFC2FC05000-memory.dmp

Filesize
2.7MB

Download
memory/4836-84-0x00007FF62EDE0000-0x00007FF62EED8000-memory.dmp

Filesize
992KB

Download
memory/4848-213-0x0000000073390000-0x000000007350B000-memory.dmp

Filesize
1.5MB

Download
memory/4848-167-0x0000000073390000-0x000000007350B000-memory.dmp

Filesize
1.5MB

Download
memory/4848-168-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp

Filesize
2.0MB

Download
memory/5060-30-0x00000000024E0000-0x00000000028E0000-memory.dmp

Filesize
4.0MB

Download
memory/5060-25-0x00000000024E0000-0x00000000028E0000-memory.dmp

Filesize
4.0MB

Download
memory/5060-29-0x00000000024E0000-0x00000000028E0000-memory.dmp

Filesize
4.0MB

Download
memory/5060-26-0x00007FFC4E310000-0x00007FFC4E505000-memory.dmp

Filesize
2.0MB

Download
memory/5060-28-0x0000000075DA0000-0x0000000075FB5000-memory.dmp

Filesize
2.1MB

Download
memory/5060-24-0x00000000024E0000-0x00000000028E0000-memory.dmp

Filesize
4.0MB

Download
memory/5060-22-0x0000000000850000-0x0000000000859000-memory.dmp

Filesize
36KB

Download