amadey | 2d7fddd25a9bac1ad50e479cded38aebb623ce2a7a77e058b5a735fa4628f089

Analysis

max time kernel
146s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-10-2024 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hdoqgihvw.exe
Size

557KB
MD5

edf87c3498772bd5a73af0baa1fb637a
SHA1

b7b2c8fdd06cad300c721e3cad2dc69bca3bbcdb
SHA256

90ffbc37f8b47bf0d7c629a33e25828c42791133afc754380f1559f2f01f522a
SHA512

a38857b7905210d862ba08f6de0c8a88e9a8a35a82bd61886d6613835f4204d2c12f26c319d720a7b2f6af9c86a35feac2ba621baeb81eb2fdd3ed402b7640ba
SSDEEP

12288:EB1rZEH5kKHBbjfxhEHrtZHw817hA5MWM1jZIxTXxSYGKuX04lxplu+edBZuwRZq:EBIEHrXw8hhcrM1d+BqXhUZq

Score

10^/10

amadey rhadamanthys sectoprat discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

rhadamanthys

https://185.196.11.237:9697/f002171ab05c7/hip4946p.881o6

https://185.196.11.237:9697/f002171ab05c7/73434jqg.jxviu

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1008-401-0x0000000001100000-0x00000000011C6000-memory.dmp	family_sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 1980 created 2936	1980	hdoqgihvw.exe	49
PID 4764 created 2936	4764	explorer.exe	49
PID 4948 created 2936	4948	explorer.exe	49

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
128	vlc.exe
1388	vlc.exe
3132	msn.exe
4892	msn.exe
3348	msn.exe
3580	msn.exe
1672	VBoxTestOGL.exe
1952	VBoxTestOGL.exe

Loads dropped DLL 38 IoCs

pid	Process
128	vlc.exe
128	vlc.exe
1388	vlc.exe
1388	vlc.exe
3132	msn.exe
3132	msn.exe
3132	msn.exe
4892	msn.exe
4892	msn.exe
4892	msn.exe
4892	msn.exe
3348	msn.exe
3348	msn.exe
3348	msn.exe
3348	msn.exe
3580	msn.exe
3580	msn.exe
3580	msn.exe
1672	VBoxTestOGL.exe
1672	VBoxTestOGL.exe
1672	VBoxTestOGL.exe
1672	VBoxTestOGL.exe
1672	VBoxTestOGL.exe
1672	VBoxTestOGL.exe
1672	VBoxTestOGL.exe
1672	VBoxTestOGL.exe
1672	VBoxTestOGL.exe
1672	VBoxTestOGL.exe
1952	VBoxTestOGL.exe
1952	VBoxTestOGL.exe
1952	VBoxTestOGL.exe
1952	VBoxTestOGL.exe
1952	VBoxTestOGL.exe
1952	VBoxTestOGL.exe
1952	VBoxTestOGL.exe
1952	VBoxTestOGL.exe
1952	VBoxTestOGL.exe
1952	VBoxTestOGL.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 5012 set thread context of 1980	5012	hdoqgihvw.exe	77
PID 1388 set thread context of 4596	1388	vlc.exe	88
PID 4892 set thread context of 1628	4892	msn.exe	94
PID 3580 set thread context of 3636	3580	msn.exe	102
PID 1952 set thread context of 3956	1952	VBoxTestOGL.exe	111
PID 3636 set thread context of 1008	3636	cmd.exe	114

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2668	powershell.exe
1012	powershell.exe
392	powershell.exe
4920	powershell.exe
4388	powershell.exe
312	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4176	1980	WerFault.exe	77
4536	1980	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hdoqgihvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hdoqgihvw.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
1980	hdoqgihvw.exe
1980	hdoqgihvw.exe
2000	openwith.exe
2000	openwith.exe
2000	openwith.exe
2000	openwith.exe
312	powershell.exe
312	powershell.exe
128	vlc.exe
1388	vlc.exe
1388	vlc.exe
2668	powershell.exe
2668	powershell.exe
3132	msn.exe
4596	cmd.exe
4596	cmd.exe
4892	msn.exe
4892	msn.exe
1012	powershell.exe
1012	powershell.exe
392	powershell.exe
392	powershell.exe
3348	msn.exe
3580	msn.exe
3580	msn.exe
1628	cmd.exe
1628	cmd.exe
4920	powershell.exe
4920	powershell.exe
4388	powershell.exe
4388	powershell.exe
1672	VBoxTestOGL.exe
1952	VBoxTestOGL.exe
1952	VBoxTestOGL.exe
3636	cmd.exe
3636	cmd.exe
3956	cmd.exe
3956	cmd.exe
4764	explorer.exe
4764	explorer.exe
968	openwith.exe
968	openwith.exe
968	openwith.exe
968	openwith.exe
1008	MSBuild.exe
1008	MSBuild.exe
4948	explorer.exe
4948	explorer.exe
4792	openwith.exe
4792	openwith.exe
4792	openwith.exe
4792	openwith.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
1008	MSBuild.exe

Suspicious behavior: MapViewOfSection 9 IoCs

pid	Process
1388	vlc.exe
4892	msn.exe
3580	msn.exe
4596	cmd.exe
1952	VBoxTestOGL.exe
1628	cmd.exe
3636	cmd.exe
3636	cmd.exe
3956	cmd.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	312	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	1008	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1008	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 1980	5012	hdoqgihvw.exe	77
PID 5012 wrote to memory of 1980	5012	hdoqgihvw.exe	77
PID 5012 wrote to memory of 1980	5012	hdoqgihvw.exe	77
PID 5012 wrote to memory of 1980	5012	hdoqgihvw.exe	77
PID 5012 wrote to memory of 1980	5012	hdoqgihvw.exe	77
PID 5012 wrote to memory of 1980	5012	hdoqgihvw.exe	77
PID 5012 wrote to memory of 1980	5012	hdoqgihvw.exe	77
PID 5012 wrote to memory of 1980	5012	hdoqgihvw.exe	77
PID 5012 wrote to memory of 1980	5012	hdoqgihvw.exe	77
PID 5012 wrote to memory of 1980	5012	hdoqgihvw.exe	77
PID 5012 wrote to memory of 1980	5012	hdoqgihvw.exe	77
PID 1980 wrote to memory of 2000	1980	hdoqgihvw.exe	78
PID 1980 wrote to memory of 2000	1980	hdoqgihvw.exe	78
PID 1980 wrote to memory of 2000	1980	hdoqgihvw.exe	78
PID 1980 wrote to memory of 2000	1980	hdoqgihvw.exe	78
PID 1980 wrote to memory of 2000	1980	hdoqgihvw.exe	78
PID 5012 wrote to memory of 312	5012	hdoqgihvw.exe	84
PID 5012 wrote to memory of 312	5012	hdoqgihvw.exe	84
PID 5012 wrote to memory of 128	5012	hdoqgihvw.exe	86
PID 5012 wrote to memory of 128	5012	hdoqgihvw.exe	86
PID 128 wrote to memory of 1388	128	vlc.exe	87
PID 128 wrote to memory of 1388	128	vlc.exe	87
PID 1388 wrote to memory of 4596	1388	vlc.exe	88
PID 1388 wrote to memory of 4596	1388	vlc.exe	88
PID 1388 wrote to memory of 4596	1388	vlc.exe	88
PID 1388 wrote to memory of 4596	1388	vlc.exe	88
PID 5012 wrote to memory of 2668	5012	hdoqgihvw.exe	90
PID 5012 wrote to memory of 2668	5012	hdoqgihvw.exe	90
PID 5012 wrote to memory of 3132	5012	hdoqgihvw.exe	92
PID 5012 wrote to memory of 3132	5012	hdoqgihvw.exe	92
PID 5012 wrote to memory of 3132	5012	hdoqgihvw.exe	92
PID 3132 wrote to memory of 4892	3132	msn.exe	93
PID 3132 wrote to memory of 4892	3132	msn.exe	93
PID 3132 wrote to memory of 4892	3132	msn.exe	93
PID 4892 wrote to memory of 1628	4892	msn.exe	94
PID 4892 wrote to memory of 1628	4892	msn.exe	94
PID 4892 wrote to memory of 1628	4892	msn.exe	94
PID 5012 wrote to memory of 1012	5012	hdoqgihvw.exe	96
PID 5012 wrote to memory of 1012	5012	hdoqgihvw.exe	96
PID 5012 wrote to memory of 1012	5012	hdoqgihvw.exe	96
PID 4892 wrote to memory of 1628	4892	msn.exe	94
PID 5012 wrote to memory of 392	5012	hdoqgihvw.exe	98
PID 5012 wrote to memory of 392	5012	hdoqgihvw.exe	98
PID 5012 wrote to memory of 3348	5012	hdoqgihvw.exe	100
PID 5012 wrote to memory of 3348	5012	hdoqgihvw.exe	100
PID 5012 wrote to memory of 3348	5012	hdoqgihvw.exe	100
PID 3348 wrote to memory of 3580	3348	msn.exe	101
PID 3348 wrote to memory of 3580	3348	msn.exe	101
PID 3348 wrote to memory of 3580	3348	msn.exe	101
PID 3580 wrote to memory of 3636	3580	msn.exe	102
PID 3580 wrote to memory of 3636	3580	msn.exe	102
PID 3580 wrote to memory of 3636	3580	msn.exe	102
PID 4596 wrote to memory of 4764	4596	cmd.exe	104
PID 4596 wrote to memory of 4764	4596	cmd.exe	104
PID 4596 wrote to memory of 4764	4596	cmd.exe	104
PID 5012 wrote to memory of 4920	5012	hdoqgihvw.exe	105
PID 5012 wrote to memory of 4920	5012	hdoqgihvw.exe	105
PID 5012 wrote to memory of 4920	5012	hdoqgihvw.exe	105
PID 3580 wrote to memory of 3636	3580	msn.exe	102
PID 4596 wrote to memory of 4764	4596	cmd.exe	104
PID 5012 wrote to memory of 4388	5012	hdoqgihvw.exe	107
PID 5012 wrote to memory of 4388	5012	hdoqgihvw.exe	107
PID 5012 wrote to memory of 1672	5012	hdoqgihvw.exe	109
PID 5012 wrote to memory of 1672	5012	hdoqgihvw.exe	109

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2936
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2000
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:968
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4792

C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe
"C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe
  "C:\Users\Admin\AppData\Local\Temp\hdoqgihvw.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 456
    3⤵
    - Program crash
    PID:4176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 452
    3⤵
    - Program crash
    PID:4536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:312
- C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe
  "C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:128
- - C:\Users\Admin\AppData\Local\UpdateWatcher_Fv_beta_v4\vlc.exe
    C:\Users\Admin\AppData\Local\UpdateWatcher_Fv_beta_v4\vlc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msn.exe
  "C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\ProgramData\downloaddemo_test\msn.exe
    C:\ProgramData\downloaddemo_test\msn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1628
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4948
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10000631141\AddUsers.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:392
- C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\msn.exe
  "C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\msn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\ProgramData\Svclocalv4\msn.exe
    C:\ProgramData\Svclocalv4\msn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:3636
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10000741141\Prg.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe
  "C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- - C:\Users\Admin\AppData\Local\ggu_Notepad\VBoxTestOGL.exe
    C:\Users\Admin\AppData\Local\ggu_Notepad\VBoxTestOGL.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:3956
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1980 -ip 1980
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1980 -ip 1980
1⤵
PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b58e6de9cf9aa1c43c15c4e5bacebd1

SHA1
706600fc3b8d7551ff18452f1025e8a0480b3e6d

SHA256
e04e22e7bcc9ddb67fb534f1eb10e4af31d9f07d0c6f2b54d133dd5996ba0be9

SHA512
dbef32d4a09bb46e999a7bee2aec0e54431dec644f54aa9a1e9833a1b0ee340589ee76cd32e2b5fddb6fc64e641777c96e43cc93d2e805f8443d58ef5a4095fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e40b61b377cb484afda94f3877f7a82

SHA1
6b0bc316c54fe7ab0d3c2de016742718bcb7571a

SHA256
e7cb313e0fe42ca5221e36c3baa8f3ee5d4fa0b35a2e712a0c804abcc911ca00

SHA512
a476333712e64550a694615411dd7f990fd81ab415dba5466b7d83535789d5e4563daaad2d1262ee8603526bf20346b10c1d56b86b6ce498031fcdc5ac1599f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
799cc63b5c9cdca789882b66eb748766

SHA1
82a7e0f7c83af37a685125972922d5152af0d674

SHA256
e97e3d2412a9624bd30f1478cd35b7d3829e9d410a1c8ff70c8c2333b2cfc54c

SHA512
83f744282ccd3694d58b5f668ced067931b44505c1e309ff5d5bd7125d5805ee623833ee5656ee0f2ca585d7dead2c8d7cdc7195a7ffedf206e82f1f30b11f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip

Filesize
2.8MB

MD5
f169e93956f90c9b4fee4800e4fb655f

SHA1
fb0005f2d2213f1e486c3d1c2992cf35b8450591

SHA256
61205f3d3b64a36565e557eb3f16f1a0cd031852ce7c1dd13e879cca611d2da1

SHA512
ee86a4447bf986ebaeebdf47b332973b25071b5f4e16067e44064d82ad5827b38c89faf4eda12a92ad7cfabee78f1ae01b3acfff9650c37b34f63e651ab28c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\dqhq

Filesize
57KB

MD5
b23152452b6c798ee1b57352cc5ebce1

SHA1
219a30751cda0df049fecc8247daf34fe57d1f4a

SHA256
c513a651c736cdb3acbc7fad1612c544bf14b658dd4db62ea7eb434d8393f83a

SHA512
c951a6e46c4f7d86553dfb2d796e68fd6cb197114155c61e8898e6d792ec87cc18a326097cf140874473e6e33cced35d6a87aea93894a59e3da35f27862e177d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\hcsjm

Filesize
896KB

MD5
d272096a4ad0ba0c3001c21804b11835

SHA1
3b3933a81cf97301e1e1a4f3c37df2dbb32d3679

SHA256
975412a4da13058af093ad1c18dc985428bebd0f2fc730e6195948e69154d65f

SHA512
6c837d5638fdeed4ce2e579019c8ee85a2f751393530a286396dce30cfc7db4c336515f4fd94fd1b7cf0ee93a1366bcfa7acc6e62e459382f3553bf2d55c2c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\libvlc.dll

Filesize
186KB

MD5
4b262612db64f26ea1168ca569811110

SHA1
8e59964d1302a3109513cd4fd22c1f313e79654c

SHA256
a9340c99206f3388153d85df4ca94d33b28c60879406cc10ff1fd10eae16523f

SHA512
9902e64eb1e5ed4c67f4b7e523b41bde4535148c6be20db5f386a1da74533ca575383f1b3154f5985e379df9e1e164b6bda25a66504edcfaa57d40b04fc658c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\libvlccore.dll

Filesize
2.7MB

MD5
c39b26fd913f74e1b80df54a3c58cfb7

SHA1
d81a62a78fbe5294c9298721e588ed9b38aafd9e

SHA256
eafae6c93e6e49310d13f80b76de3286ad6027624416543fbd65f8f0b0541e68

SHA512
4fbd067c88405b5541da6ddb1fa6c7d09a327d008c5494674124bf8fe3641d328e6ac0ee95b84b6368be796e249d633842a4ef5f0db71ce5cbb449089175fd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe

Filesize
966KB

MD5
e634616d3b445fc1cd55ee79cf5326ea

SHA1
ca27a368d87bc776884322ca996f3b24e20645f4

SHA256
1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937

SHA512
7d491c0a97ce60e22238a1a3530f45fbb3c82377b400d7986db09eccad05c9c22fb5daa2b4781882f870ab088326e5f6156613124caa67b54601cbad8f66aa90

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe.zip

Filesize
4.4MB

MD5
03138e3ecc2df5643bfb9dc41722d6cf

SHA1
d8d52a348adb94ef66a285e976876396dcde0634

SHA256
48ede0e3a4e2b696205f639bb5f826825d83f587c5b86d5b6fea31ef5ae4e1dc

SHA512
c53f09588fe9fd7bd5328140f0b235686b36be30fa09a430015fa319c1e3dbb20ab58e84ec4ed7515c39c1168e316d808a744875ac3f375c443786a9b584f6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\MSNCore.dll

Filesize
991KB

MD5
deaa38a71c85d2f9d4ba71343d1603da

SHA1
bdbb492512cee480794e761d1bea718db14013ec

SHA256
1dc120f34b294e964eee949c4d1ebd9c271715d46b38ae082fec2f1d505e8d65

SHA512
87b152b642a020e07ad46e9ed5b4a462c12cf0918f82025c230f662eddb3bf4b2d3aa15ca770970beae5988dd5d5d9b7bcaf7a77c6d2f3acf6d12826f3a9ead7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\bqbr

Filesize
896KB

MD5
0180c5a2f5b002e8755c60a3786c4975

SHA1
64bcbe91e3dd1dcd21709cbf189c032bb47501a2

SHA256
6eff0ca0c63ce6c712dc5f1f892b68d43894d13b681f75ab585b6c611dc16476

SHA512
8dbdfef7906be474ecadb7848042f3736483ef9b4ea05f4f60a3ae049a99bf1a8bcd57507b334e229c972784b6355b9dcf647c5992e56518a35d9ff0d639e1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\contactsUX.dll

Filesize
331KB

MD5
54ee6a204238313dc6aca21c7e036c17

SHA1
531fd1c18e2e4984c72334eb56af78a1048da6c7

SHA256
0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd

SHA512
19a2e371712aab54b75059d39a9aea6e7de2eb69b3ffc0332e60df617ebb9de61571b2ca722cddb75c9cbc79f8200d03f73539f21f69366eae3c7641731c7820

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\gld

Filesize
88KB

MD5
06a62106f0d01ed3a971415b57366a8b

SHA1
9d905a38a4f53961a3828b2f759062b428dd25a9

SHA256
6c5fb0f5e586cac39cf4e06e918dad243053cb103a82afeed32d92732834cc93

SHA512
4565dfe2e72a4a08d2a66722cb3ab736a2fa45f0c0ad368805d778f57f3bade2c82b2f8eab3006e4258cf5be84e96a46233e68be4d14fec50382cd94c13a4d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msidcrl40.dll

Filesize
784KB

MD5
f1f8d156bbdd5945a4f933ac7fa7cc41

SHA1
e581235e9f1a3a8a63b8a470eaed882bc93b9085

SHA256
344ac8e5debb1a496c3648f941801cdc6ffdfcc7eef8ed38e62270a2e20b1c3a

SHA512
86d799af3be251edecf6a552f473b94a0ba2d738b7b5f4a84c31bb34db4ea458f5e50090370bdf82f945e684dd5d66b88ebe3c902305bb0a435aca1331cb4ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msn.exe

Filesize
5.5MB

MD5
537915708fe4e81e18e99d5104b353ed

SHA1
128ddb7096e5b748c72dc13f55b593d8d20aa3fb

SHA256
6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74

SHA512
9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000550261\taskexec323Ewe\msvcr80.dll

Filesize
612KB

MD5
43143abb001d4211fab627c136124a44

SHA1
edb99760ae04bfe68aaacf34eb0287a3c10ec885

SHA256
cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03

SHA512
ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000631141\AddUsers.ps1

Filesize
42B

MD5
a60bfbb12614cbc931e3b427054b1e0c

SHA1
a44ca11bf0cf1eb0ed7c1fb25db7be381772188a

SHA256
e67c9b0a7133b40d4119b02b79366e9e526651682d28d80f66a2ffaffe0985cc

SHA512
c2f273b49a77c2c2582ed9cf8a080ce503af585dfc616d92ba9ce24b6f038c859809866601d91c8231e04977aa81bdc0e53f0fc9b7faee8fd8e2d615a99c9fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg.zip

Filesize
4.7MB

MD5
2b304594003a38de9d5bbdafcd5428bd

SHA1
8d65aa7dd39c6d180f4211d9633bc8d0f42ece0f

SHA256
dc083a97abcc87f3d153b21cf4b0ff19ca7cadc3f698b9ecfd1402b93884ac58

SHA512
f8f2ded019926010b264daa2887b591a7118c9c059e631c565d131bc3ea3727374f989c9bda92cab2427666193f796de6417a1a90333acd48db11009758be6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg\bqbr

Filesize
1.2MB

MD5
3a05d26d5f082069d4c556b9858c5fdc

SHA1
37c11326ee5279ce552261f145fe49e1fc49d05c

SHA256
a4da5697b73c5d24e98dfeeaae89ae41c18d5105d0b130562c48b75f7e3a0b39

SHA512
1bdc73e784894d9934834b1c9416313b25eab515f010c48df08efe5b7b570cd10766cceb672268daf7fdf916672f086dcb581f7a9ad237d2dc18e4f3a895beba

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000741141\Prg.ps1

Filesize
48B

MD5
1576644cd260cd1d79d00d014d3cc23b

SHA1
bc944bfe0ac7c4e1c87c8917b9c902f47aaed571

SHA256
dd6a49c132fceccf999c30a7f6d7ee9d0ce2dc8a14d9155200741373a0a7101a

SHA512
f6a78ccb2ba72476387988308d64478ddce4861b979f0755c289b5ceb125a76191f817c68b6dfb33de95a0b9e82d81d05426bca6e2d20acf1f4e06250c1af540

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip

Filesize
8.5MB

MD5
e0a6c369447034f1b7f2749620c420cc

SHA1
15b88a23dca33d84bdb2c256e67aee6705a4f122

SHA256
3e13e72c418b133c27a1c5aa85cf76f803ab2642b22b473d27de4a1449890603

SHA512
374e851b931cee58aa31b6ab215dc94d85a9251e1e60d43e6c21edbf657983bb37148681b20d2d518c4001624caebbd588d3bfa59506900e11a8003765cb379a

Download Submit
C:\Users\Admin\AppData\Local\Temp\780bba76

Filesize
1.1MB

MD5
cd85d1730b041a0787347414b970582c

SHA1
41732caed5e98b4249eb43e73071192d7ca9a53f

SHA256
294d49577a4511b81b6216c60ab07d2a95bf3574f315ac55d9e921b51ee644b5

SHA512
16723d71da421709f7b2461162ee72fb47fe5b8377e281b7efc5948b16cd1e233da26857582dbe576c05d17cb5f6c655238fe97b4412371c48419c1168592560

Download Submit
C:\Users\Admin\AppData\Local\Temp\973800497271

Filesize
81KB

MD5
ac3587c579ee7bd49b6ddd5f8f1e7474

SHA1
92e383cd666d0add99dfdf232382a1b38114604a

SHA256
025c4e229034e369972d2cf524354810a670507752c82f8e16eb1ead7fedf210

SHA512
f27ad4bb1c27988e3ca5f4eb8db1f32f4f899ad0c040b0df9bcc6e734cbbbeece5e708fbb59ab4b109190291a86d0612de65a2a3f2122faefcadc1afe0a09fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_otquwfzz.cdd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\afd74d97

Filesize
1.1MB

MD5
5f57c8cd46cce093754b43558dff7cc1

SHA1
d706b86e5cd0136abc06cabae06dc8f27f4595af

SHA256
fe66d9ec713cf89eb1d73577c01ec48e5765c22427392bc237252ebcefa34ca4

SHA512
ad185de7d9d739490cb11d9f593d2d5c9df74863039c95e18e18e93ff31cf8a90b8ce5b35e2b11adf1544ade670139fb69ee26c8ffbd1ef5f93dacebc37fb1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA41E.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
memory/128-72-0x00007FFB56580000-0x00007FFB566FA000-memory.dmp

Filesize
1.5MB

Download
memory/128-82-0x00007FFB59CE0000-0x00007FFB59D14000-memory.dmp

Filesize
208KB

Download
memory/128-81-0x00007FF7DBD50000-0x00007FF7DBE48000-memory.dmp

Filesize
992KB

Download
memory/128-83-0x00007FFB51710000-0x00007FFB519C5000-memory.dmp

Filesize
2.7MB

Download
memory/312-49-0x000001A4E7200000-0x000001A4E7212000-memory.dmp

Filesize
72KB

Download
memory/312-50-0x000001A4E70D0000-0x000001A4E70DA000-memory.dmp

Filesize
40KB

Download
memory/312-45-0x000001A4CEB50000-0x000001A4CEB72000-memory.dmp

Filesize
136KB

Download
memory/968-396-0x0000000077660000-0x00000000778B2000-memory.dmp

Filesize
2.3MB

Download
memory/968-394-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp

Filesize
2.0MB

Download
memory/968-393-0x0000000002950000-0x0000000002D50000-memory.dmp

Filesize
4.0MB

Download
memory/1008-406-0x00000000058F0000-0x0000000005940000-memory.dmp

Filesize
320KB

Download
memory/1008-403-0x0000000005E20000-0x00000000063C6000-memory.dmp

Filesize
5.6MB

Download
memory/1008-404-0x0000000005A40000-0x0000000005C02000-memory.dmp

Filesize
1.8MB

Download
memory/1008-405-0x0000000005870000-0x00000000058E6000-memory.dmp

Filesize
472KB

Download
memory/1008-402-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/1008-407-0x00000000056F0000-0x00000000056FA000-memory.dmp

Filesize
40KB

Download
memory/1008-408-0x0000000006A00000-0x0000000006F2C000-memory.dmp

Filesize
5.2MB

Download
memory/1008-409-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

Filesize
120KB

Download
memory/1008-398-0x0000000071A30000-0x0000000072D47000-memory.dmp

Filesize
19.1MB

Download
memory/1008-428-0x0000000008280000-0x000000000828A000-memory.dmp

Filesize
40KB

Download
memory/1008-401-0x0000000001100000-0x00000000011C6000-memory.dmp

Filesize
792KB

Download
memory/1008-449-0x0000000005960000-0x0000000005972000-memory.dmp

Filesize
72KB

Download
memory/1008-450-0x0000000005CD0000-0x0000000005D0C000-memory.dmp

Filesize
240KB

Download
memory/1012-189-0x0000000006BF0000-0x0000000006C24000-memory.dmp

Filesize
208KB

Download
memory/1012-203-0x0000000006DB0000-0x0000000006DBA000-memory.dmp

Filesize
40KB

Download
memory/1012-210-0x0000000006F90000-0x0000000006FA5000-memory.dmp

Filesize
84KB

Download
memory/1012-209-0x0000000006F80000-0x0000000006F8E000-memory.dmp

Filesize
56KB

Download
memory/1012-171-0x00000000021F0000-0x0000000002226000-memory.dmp

Filesize
216KB

Download
memory/1012-172-0x0000000004C70000-0x000000000529A000-memory.dmp

Filesize
6.2MB

Download
memory/1012-173-0x0000000004B70000-0x0000000004B92000-memory.dmp

Filesize
136KB

Download
memory/1012-174-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/1012-175-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/1012-184-0x00000000054B0000-0x0000000005807000-memory.dmp

Filesize
3.3MB

Download
memory/1012-208-0x0000000006F50000-0x0000000006F61000-memory.dmp

Filesize
68KB

Download
memory/1012-186-0x00000000059F0000-0x0000000005A0E000-memory.dmp

Filesize
120KB

Download
memory/1012-187-0x0000000005A10000-0x0000000005A5C000-memory.dmp

Filesize
304KB

Download
memory/1012-206-0x0000000006FF0000-0x0000000007086000-memory.dmp

Filesize
600KB

Download
memory/1012-190-0x000000006F260000-0x000000006F2AC000-memory.dmp

Filesize
304KB

Download
memory/1012-199-0x0000000006BB0000-0x0000000006BCE000-memory.dmp

Filesize
120KB

Download
memory/1012-200-0x0000000006C30000-0x0000000006CD4000-memory.dmp

Filesize
656KB

Download
memory/1012-201-0x00000000073F0000-0x0000000007A6A000-memory.dmp

Filesize
6.5MB

Download
memory/1012-202-0x0000000006D40000-0x0000000006D5A000-memory.dmp

Filesize
104KB

Download
memory/1012-211-0x0000000007090000-0x00000000070AA000-memory.dmp

Filesize
104KB

Download
memory/1012-212-0x0000000006FD0000-0x0000000006FD8000-memory.dmp

Filesize
32KB

Download
memory/1388-95-0x00007FFB44DE0000-0x00007FFB45095000-memory.dmp

Filesize
2.7MB

Download
memory/1388-94-0x00007FFB56BE0000-0x00007FFB56C14000-memory.dmp

Filesize
208KB

Download
memory/1388-93-0x00007FF727C50000-0x00007FF727D48000-memory.dmp

Filesize
992KB

Download
memory/1388-91-0x00007FFB56580000-0x00007FFB566FA000-memory.dmp

Filesize
1.5MB

Download
memory/1388-90-0x00007FFB56580000-0x00007FFB566FA000-memory.dmp

Filesize
1.5MB

Download
memory/1628-284-0x0000000073940000-0x0000000073ABD000-memory.dmp

Filesize
1.5MB

Download
memory/1628-283-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp

Filesize
2.0MB

Download
memory/1628-373-0x0000000073940000-0x0000000073ABD000-memory.dmp

Filesize
1.5MB

Download
memory/1672-356-0x00007FFB560F0000-0x00007FFB5626A000-memory.dmp

Filesize
1.5MB

Download
memory/1952-375-0x00007FFB560F0000-0x00007FFB5626A000-memory.dmp

Filesize
1.5MB

Download
memory/1952-368-0x00007FFB560F0000-0x00007FFB5626A000-memory.dmp

Filesize
1.5MB

Download
memory/1980-17-0x0000000003C70000-0x0000000004070000-memory.dmp

Filesize
4.0MB

Download
memory/1980-32-0x0000000003C70000-0x0000000004070000-memory.dmp

Filesize
4.0MB

Download
memory/1980-22-0x0000000077660000-0x00000000778B2000-memory.dmp

Filesize
2.3MB

Download
memory/1980-16-0x0000000003C70000-0x0000000004070000-memory.dmp

Filesize
4.0MB

Download
memory/1980-18-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp

Filesize
2.0MB

Download
memory/1980-19-0x0000000003C70000-0x0000000004070000-memory.dmp

Filesize
4.0MB

Download
memory/1980-15-0x0000000003C70000-0x0000000004070000-memory.dmp

Filesize
4.0MB

Download
memory/1980-20-0x00007FFB654C1000-0x00007FFB655EA000-memory.dmp

Filesize
1.2MB

Download
memory/1980-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1980-13-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1980-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1980-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2000-30-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp

Filesize
2.0MB

Download
memory/2000-29-0x0000000077660000-0x00000000778B2000-memory.dmp

Filesize
2.3MB

Download
memory/2000-31-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp

Filesize
2.0MB

Download
memory/2000-25-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp

Filesize
2.0MB

Download
memory/2000-26-0x00000000020D0000-0x00000000024D0000-memory.dmp

Filesize
4.0MB

Download
memory/2000-23-0x0000000000470000-0x0000000000479000-memory.dmp

Filesize
36KB

Download
memory/3132-141-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp

Filesize
2.0MB

Download
memory/3132-140-0x0000000073940000-0x0000000073ABD000-memory.dmp

Filesize
1.5MB

Download
memory/3348-266-0x0000000073940000-0x0000000073ABD000-memory.dmp

Filesize
1.5MB

Download
memory/3348-267-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp

Filesize
2.0MB

Download
memory/3580-281-0x0000000073940000-0x0000000073ABD000-memory.dmp

Filesize
1.5MB

Download
memory/3580-282-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp

Filesize
2.0MB

Download
memory/3580-315-0x0000000073940000-0x0000000073ABD000-memory.dmp

Filesize
1.5MB

Download
memory/3636-369-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp

Filesize
2.0MB

Download
memory/3956-379-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-160-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-286-0x0000000073940000-0x0000000073ABD000-memory.dmp

Filesize
1.5MB

Download
memory/4764-372-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp

Filesize
2.0MB

Download
memory/4764-391-0x0000000000FD0000-0x0000000001050000-memory.dmp

Filesize
512KB

Download
memory/4764-388-0x0000000077660000-0x00000000778B2000-memory.dmp

Filesize
2.3MB

Download
memory/4764-385-0x00000000043A0000-0x00000000047A0000-memory.dmp

Filesize
4.0MB

Download
memory/4764-374-0x0000000000FD0000-0x0000000001050000-memory.dmp

Filesize
512KB

Download
memory/4764-319-0x0000000000FD0000-0x0000000001050000-memory.dmp

Filesize
512KB

Download
memory/4892-204-0x0000000073940000-0x0000000073ABD000-memory.dmp

Filesize
1.5MB

Download
memory/4892-163-0x0000000073940000-0x0000000073ABD000-memory.dmp

Filesize
1.5MB

Download
memory/4892-164-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp

Filesize
2.0MB

Download
memory/4920-301-0x0000000005990000-0x0000000005CE7000-memory.dmp

Filesize
3.3MB

Download
memory/4920-314-0x00000000073D0000-0x00000000073E5000-memory.dmp

Filesize
84KB

Download
memory/4920-313-0x0000000007380000-0x0000000007391000-memory.dmp

Filesize
68KB

Download
memory/4920-312-0x0000000006E50000-0x0000000006EF4000-memory.dmp

Filesize
656KB

Download
memory/4920-303-0x000000006EE30000-0x000000006EE7C000-memory.dmp

Filesize
304KB

Download
memory/4920-302-0x0000000005ED0000-0x0000000005F1C000-memory.dmp

Filesize
304KB

Download
memory/4948-383-0x0000000000710000-0x0000000000790000-memory.dmp

Filesize
512KB

Download
memory/4948-381-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp

Filesize
2.0MB

Download
memory/4948-378-0x0000000000710000-0x0000000000790000-memory.dmp

Filesize
512KB

Download
memory/4948-438-0x0000000000710000-0x0000000000790000-memory.dmp

Filesize
512KB

Download