ffdroider | 6bc9c4e5a88eaa95550d066ff02f0d45b6bd2a93fbcb72b562c6c65ce06bb900

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

918769eceacd168684def1b316ff3198_JaffaCakes118.exe
Size

3.3MB
MD5

918769eceacd168684def1b316ff3198
SHA1

044df161143e5e5c255b4edea7199364703776ed
SHA256

6bc9c4e5a88eaa95550d066ff02f0d45b6bd2a93fbcb72b562c6c65ce06bb900
SHA512

b0f4dc956b8aeee77724d0424d6c5f8c5b7c503e184ef54caf9bb47bd509205e843d91784329327010726e73fc28140d63a7e461b61fe86278caa86fc4530a17
SSDEEP

98304:xHCvLUBsg//y/FkpXd/00WuDu8gSX0zIqqr9u/ieKJLDGwtOR:xkLUCgnE600WX8gSXrnrEaeqDi

Score

10^/10

ffdroider nullmixer privateloader aspackv2 discovery dropper evasion loader spyware stealer trojan vmprotect

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Extracted

Family

nullmixer

http://watira.xyz/

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral2/memory/4832-83-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider
behavioral2/memory/4832-606-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider

Ffdroider family
ffdroider
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
Nullmixer family
nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000a000000023b7c-20.dat	aspack_v212_v242
behavioral2/files/0x000a000000023b7e-28.dat	aspack_v212_v242
behavioral2/files/0x000b000000023b78-25.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	918769eceacd168684def1b316ff3198_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	1a693a205739887.exe

Executes dropped EXE 9 IoCs

pid	Process
2036	setup_install.exe
4028	6eee9f336da6fcf1.exe
1556	01a389215e4.exe
4988	9e27a03aab64665.exe
4436	1a693a205739887.exe
4832	efd22e6e99d7ee86.exe
60	c98f61652.exe
4328	626c1e3ded0b288.exe
652	1a693a205739887.exe

Loads dropped DLL 7 IoCs

pid	Process
2036	setup_install.exe
2036	setup_install.exe
2036	setup_install.exe
2036	setup_install.exe
2036	setup_install.exe
2036	setup_install.exe
2036	setup_install.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000a000000023b87-75.dat	vmprotect
behavioral2/memory/4832-79-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral2/memory/4832-83-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral2/memory/4832-606-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	efd22e6e99d7ee86.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
36	iplogger.org
32	iplogger.org
34	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ipinfo.io
12	ipinfo.io
20	api.db-ip.com
21	api.db-ip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 18 IoCs

pid	pid_target	Process	procid_target
4548	2036	WerFault.exe	83
4108	60	WerFault.exe	96
4572	4988	WerFault.exe	95
3640	4988	WerFault.exe	95
2680	4988	WerFault.exe	95
3648	4988	WerFault.exe	95
1948	4988	WerFault.exe	95
1184	4988	WerFault.exe	95
1656	4988	WerFault.exe	95
3560	4988	WerFault.exe	95
4408	4988	WerFault.exe	95
2532	4988	WerFault.exe	95
1728	4988	WerFault.exe	95
3516	4988	WerFault.exe	95
1976	4988	WerFault.exe	95
4244	4988	WerFault.exe	95
4076	4988	WerFault.exe	95
2776	4988	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c98f61652.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01a389215e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a693a205739887.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efd22e6e99d7ee86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a693a205739887.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e27a03aab64665.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	918769eceacd168684def1b316ff3198_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c98f61652.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c98f61652.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c98f61652.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1556	01a389215e4.exe
1556	01a389215e4.exe
1556	01a389215e4.exe
1556	01a389215e4.exe
1556	01a389215e4.exe
1556	01a389215e4.exe
1556	01a389215e4.exe
1556	01a389215e4.exe
1556	01a389215e4.exe
1556	01a389215e4.exe
1556	01a389215e4.exe
1556	01a389215e4.exe
1556	01a389215e4.exe
1556	01a389215e4.exe
1556	01a389215e4.exe
1556	01a389215e4.exe
1556	01a389215e4.exe
1556	01a389215e4.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4028	6eee9f336da6fcf1.exe
Token: SeDebugPrivilege	4328	626c1e3ded0b288.exe
Token: SeManageVolumePrivilege	4832	efd22e6e99d7ee86.exe
Token: SeManageVolumePrivilege	4832	efd22e6e99d7ee86.exe
Token: SeManageVolumePrivilege	4832	efd22e6e99d7ee86.exe
Token: SeManageVolumePrivilege	4832	efd22e6e99d7ee86.exe
Token: SeManageVolumePrivilege	4832	efd22e6e99d7ee86.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 2036	5112	918769eceacd168684def1b316ff3198_JaffaCakes118.exe	83
PID 5112 wrote to memory of 2036	5112	918769eceacd168684def1b316ff3198_JaffaCakes118.exe	83
PID 5112 wrote to memory of 2036	5112	918769eceacd168684def1b316ff3198_JaffaCakes118.exe	83
PID 2036 wrote to memory of 776	2036	setup_install.exe	86
PID 2036 wrote to memory of 776	2036	setup_install.exe	86
PID 2036 wrote to memory of 776	2036	setup_install.exe	86
PID 2036 wrote to memory of 1352	2036	setup_install.exe	87
PID 2036 wrote to memory of 1352	2036	setup_install.exe	87
PID 2036 wrote to memory of 1352	2036	setup_install.exe	87
PID 2036 wrote to memory of 100	2036	setup_install.exe	88
PID 2036 wrote to memory of 100	2036	setup_install.exe	88
PID 2036 wrote to memory of 100	2036	setup_install.exe	88
PID 2036 wrote to memory of 436	2036	setup_install.exe	89
PID 2036 wrote to memory of 436	2036	setup_install.exe	89
PID 2036 wrote to memory of 436	2036	setup_install.exe	89
PID 2036 wrote to memory of 448	2036	setup_install.exe	90
PID 2036 wrote to memory of 448	2036	setup_install.exe	90
PID 2036 wrote to memory of 448	2036	setup_install.exe	90
PID 2036 wrote to memory of 1140	2036	setup_install.exe	91
PID 2036 wrote to memory of 1140	2036	setup_install.exe	91
PID 2036 wrote to memory of 1140	2036	setup_install.exe	91
PID 2036 wrote to memory of 4932	2036	setup_install.exe	92
PID 2036 wrote to memory of 4932	2036	setup_install.exe	92
PID 2036 wrote to memory of 4932	2036	setup_install.exe	92
PID 2036 wrote to memory of 5000	2036	setup_install.exe	93
PID 2036 wrote to memory of 5000	2036	setup_install.exe	93
PID 2036 wrote to memory of 5000	2036	setup_install.exe	93
PID 776 wrote to memory of 4028	776	cmd.exe	94
PID 776 wrote to memory of 4028	776	cmd.exe	94
PID 100 wrote to memory of 1556	100	cmd.exe	98
PID 100 wrote to memory of 1556	100	cmd.exe	98
PID 100 wrote to memory of 1556	100	cmd.exe	98
PID 448 wrote to memory of 4988	448	cmd.exe	95
PID 448 wrote to memory of 4988	448	cmd.exe	95
PID 448 wrote to memory of 4988	448	cmd.exe	95
PID 1140 wrote to memory of 4436	1140	cmd.exe	97
PID 1140 wrote to memory of 4436	1140	cmd.exe	97
PID 1140 wrote to memory of 4436	1140	cmd.exe	97
PID 4932 wrote to memory of 4832	4932	cmd.exe	99
PID 4932 wrote to memory of 4832	4932	cmd.exe	99
PID 4932 wrote to memory of 4832	4932	cmd.exe	99
PID 5000 wrote to memory of 4328	5000	cmd.exe	128
PID 5000 wrote to memory of 4328	5000	cmd.exe	128
PID 1352 wrote to memory of 60	1352	cmd.exe	96
PID 1352 wrote to memory of 60	1352	cmd.exe	96
PID 1352 wrote to memory of 60	1352	cmd.exe	96
PID 4436 wrote to memory of 652	4436	1a693a205739887.exe	106
PID 4436 wrote to memory of 652	4436	1a693a205739887.exe	106
PID 4436 wrote to memory of 652	4436	1a693a205739887.exe	106

C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6eee9f336da6fcf1.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Users\Admin\AppData\Local\Temp\7zS8F352697\6eee9f336da6fcf1.exe
      6eee9f336da6fcf1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c98f61652.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe
      c98f61652.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      PID:60
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 356
        5⤵
        Program crash
        
        PID:4108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 01a389215e4.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:100
  - - C:\Users\Admin\AppData\Local\Temp\7zS8F352697\01a389215e4.exe
      01a389215e4.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c APPNAME33.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 9e27a03aab64665.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
      9e27a03aab64665.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4988
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 824
        5⤵
        Program crash
        
        PID:4572
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 832
        5⤵
        Program crash
        
        PID:3640
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 856
        5⤵
        Program crash
        
        PID:2680
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 864
        5⤵
        Program crash
        
        PID:3648
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1028
        5⤵
        Program crash
        
        PID:1948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1080
        5⤵
        Program crash
        
        PID:1184
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1504
        5⤵
        Program crash
        
        PID:1656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1580
        5⤵
        Program crash
        
        PID:3560
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1792
        5⤵
        Program crash
        
        PID:4408
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1604
        5⤵
        Program crash
        
        PID:2532
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1656
        5⤵
        Program crash
        
        PID:1728
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1592
        5⤵
        Program crash
        
        PID:3516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1584
        5⤵
        Program crash
        
        PID:1976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1612
        5⤵
        Program crash
        
        PID:4244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1584
        5⤵
        Program crash
        
        PID:4076
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1048
        5⤵
        Program crash
        
        PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 1a693a205739887.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe
      1a693a205739887.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe" -a
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c efd22e6e99d7ee86.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe
      efd22e6e99d7ee86.exe
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 626c1e3ded0b288.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\7zS8F352697\626c1e3ded0b288.exe
      626c1e3ded0b288.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 548
    3⤵
    - Program crash
    PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2036 -ip 2036
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 60 -ip 60
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4988 -ip 4988
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4988 -ip 4988
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4988 -ip 4988
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4988 -ip 4988
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4988 -ip 4988
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4988 -ip 4988
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4988 -ip 4988
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4988 -ip 4988
1⤵
PID:4844

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4988 -ip 4988
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4988 -ip 4988
1⤵
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4988 -ip 4988
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4988 -ip 4988
1⤵
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4988 -ip 4988
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4988 -ip 4988
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4988 -ip 4988
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4988 -ip 4988
1⤵
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\01a389215e4.exe

Filesize
1.6MB

MD5
0965da18bfbf19bafb1c414882e19081

SHA1
e4556bac206f74d3a3d3f637e594507c30707240

SHA256
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff

SHA512
fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe

Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\626c1e3ded0b288.exe

Filesize
179KB

MD5
c5437a135b1a8803c24cae117c5c46a4

SHA1
eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf

SHA256
7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1

SHA512
07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\6eee9f336da6fcf1.exe

Filesize
8KB

MD5
5b8639f453da7c204942d918b40181de

SHA1
2daed225238a9b1fe2359133e6d8e7e85e7d6995

SHA256
d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6

SHA512
cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe

Filesize
582KB

MD5
80a85c4bf6c8500431c195eecb769363

SHA1
72245724f8e7ceafb4ca53c41818f2c1e6a9d4cb

SHA256
ec2f50a7156383b9d3ea50429c2f2c15e2857045b3b3ac0c7e2947c6489eceb6

SHA512
f0fb6e7869578f8a43d98d01b928def1661512c51878a1ab186f600e147ff78a04ba8975fdc0f94c8f1d2678c0e679e288a1684da48b78258c1a1d718ea0ceb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe

Filesize
215KB

MD5
3d82323e7a84a2692208024901cd2857

SHA1
9b38ba7bac414ef48ef506f4270ddec9fcdf3a3c

SHA256
38783231ccacb73543d658b3acd6d834b5c9bf8ff2b4fdc6c16c73b7707433d4

SHA512
8bd7aa8af7806e97a0b5bc6d2bd5c4f3e5f1732d43ff81f5e51f576ad3baa8753f9e736a406fad04295ad049db0378c7fc10946e2dd2f4f25e67ee4d74aa11c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d

Filesize
14.0MB

MD5
b44ce00d46602c4d2a015dd5db458c88

SHA1
0cbb5607a0482bbc6cd1ab998114fe9a43e5d50f

SHA256
e3c8755f757a6bea206d2c280fedfca400fa05a92c3d07b0e1a6c13d98a23935

SHA512
56bb6df65836bfd3233ec7d330f061fdec371b18a77acca5c610315991103a116b7f1e34f7b78daa51401909892c5e3c2e3388063cc8e7e37bf97e2857b70c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d

Filesize
14.0MB

MD5
de57255cc2f6aea876fb73d25dbfe565

SHA1
c4d754ca8a042bd01a4294055525f7f2588e775a

SHA256
fa65fc683351b29411035ea458fc57d2d2d3c9e810fd36ee4a83fb4da59ed7c0

SHA512
dff3fc63e703a5a60c1beb3fb66019812e0756658966d37fba11f8e04cf0387fc4a1130d5eb162ecd6c0214b103d1b86d8f487038d35b7a2e3986b02ff2ad3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.INTEG.RAW

Filesize
52KB

MD5
ba611121b1f64f3cbed9adefd7915d9a

SHA1
051add3ba1dc370f293c269a3416063f7eeb1acb

SHA256
9aea3e4b365c9d2dc2595e9935b792d2420ecf18f0ba4be6b3c598f196fd833d

SHA512
9871aacfa856114632686fcf21403db1938d75b81a9e30d5d6b962363dcdd1544b90f9978bc776a626a3c013419dd39773f3c4791960c8980191dc6555dc8064

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
e1a020d805e396cdcd5d688ae7d1dcd2

SHA1
78eac9c73d63732de800999b86fd9a436b717dd6

SHA256
3791abda1ea3b4e818b5df133bb9c161df20bad4f03b8537dda5613dab66a1c8

SHA512
0ae32193e73e4fa6dbaad925c7f1aebee322a92d15a627807bfda8144412ebbb602724531df9e17b74b01253afe47e83a2abd92e76d950b78f859377f25e86c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
540b7a94377e6c635858e55a70290526

SHA1
650b7c8d39d1f40d49f4599185f6cf83fbc73002

SHA256
95015276c49fabdf7c372aaaa81badfc9f0e332e0dadc03646ce503af2688fa1

SHA512
0234b23a0911b30ca6d59d5e03d2a8dc702ea857d2493733720236e26b72433347895c71a2e586c81bf8978f51dd013d8a47732bfc13d531c6b2393575904cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
e7feb0864adddb6f063bd8f5ad493118

SHA1
9b278c19af975109c9c1af58164f1ade098dd070

SHA256
6fc485d9a16022c11e0967aa7f89a72ebd967cf47d5488a035f85b83c0888631

SHA512
ec4a7cac49d46f77e11fa2d313b61ee9e959d8195da72841c756a4724b1813f17bcc295cf950dce2a7f110c6330afdea1ea8af4db104f26fb6692058596c1361

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
914ac88c754f43b6df62c852f9706ea4

SHA1
1315f1533616e4cf1e26303dac3986a673cdcc67

SHA256
8cfb9dc8f45c35fac4a121a2a2bac1aefe0714c1ddf991abe6dca2791f407ff6

SHA512
5078d045a96aa095449cdfd2545ec5290d53f39bb26f450bc2560263c3b0260e114990be15dd06095f93a83d4e46eb5733776aeb187b33885663e85124a85ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
63ad6b12caa5c53abd19c015a99ce434

SHA1
2219238a307a10cd81712ee64759d660756a0640

SHA256
ea2798504619078ea80cfd2dde5451dc1c98fde1ae519ab85bfc06d23eff6d5b

SHA512
c3ac14514122b1faaa3e0b3caca794d78b0491ab47a9b4c9476b7d05bfa99b5528d7535cad5b0e10b2a5354167fe5c102f2ecac9fc4fcd404e6b1f600d4e56d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
9c7fd5d4bbb8d020479d3002a02029d1

SHA1
8e1407c96e99d2285676157d4251d617c7ac31b9

SHA256
8b1f647b5a1fcfc88c81b5b934236d171db250847082083a5b2945b19589e6de

SHA512
34ff613d65d0d8f4f613a0319e1ff65e23b08fa9192bd5ae7665598dc02fd3eb77179a4caa29b76d9e06f68f27f19bdb8d02221ee250c58889c3694c519e53b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
9bd49fef87049784c80fa7022ae8ed51

SHA1
4c9815cda904f1b40649fc728513ad2aa87ae03e

SHA256
a3be433770b0ecae77b4bcb1c3ce7ba4169836e1dd635f7fd982b1c7096e934e

SHA512
86715971c74cf15997fbf7d8633eee8368b22c828c2e6d8fe3e4422284f142be085479ea9b09ed9827aaf447c7271382a9d8eda5278062f704636052585f4dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
200cc0f808c204ad427b58c5ff02adc4

SHA1
8756711a142c998d1df849ff51d6fb725c4f8af8

SHA256
dc968e3915768897e421965420bd5944251c31c9820a7f925dcf227fecaaec48

SHA512
ee8d9a77796f6088801f795224cc8b46f8c419702730fe43f870e6966a6b0c302e1e5e433e1a12d997296ba582af1b2aaea2df7005d8b6cebe925e4dcb148d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
2d9ddd69aef0a7311cb7ca7f154835ff

SHA1
1a0bf29d5c022964ebf94d402114fe613f3d49ba

SHA256
d101bc3f5be2350412b3a29de0ea8525b9de8bc140de591753c5369d814789b6

SHA512
13c3d394cf01d6b1dd5df31646bec8290211a781353dc4b38a606eb59b94de20195f65e3da857f6d03e5fd92b36488171ba6ad25f3066979a6c35b8bdcfa50f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
7f939d83e1baaab795950968ac99961b

SHA1
91b089176bf7c9f7deb5947b8860b5f79f251a28

SHA256
50e60bd9e282121403ea4cbedc07341189a245e07346e6f57fa6228a842d563c

SHA512
dc66d80d4cc3f0710773ff024b4cfafd53ff11f799e79af3b2d66a50d5bd3dadd7f2e3408913bb9e6b6ea49cbe5a73d321ffb1fa5800f69d00d4180e5351c07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
6b5e9c03e0808b6aabbfdc5557a05ffe

SHA1
7a8eb59fdfcd42c17ae03dccdb557b26d71b4e72

SHA256
7bd5325cda74f256641130cfc55c42b3efffbf62fc835a6f86b42aac9e80f774

SHA512
0c81d2216b96418c3cbef9141510b51ea213d5035ac1444c44ee5c43d1681fcd23c7f8fb50bd0b78dfc9f166495b2c5937a2217ea933aa4342f8e38f513c83a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
e8f8033f24eb8eb0837936c19ceffa7c

SHA1
68d550e66cb359132865449b2243380fdd57b3cf

SHA256
8a84287468d8f77721271b98a8332a683d68261cde620ee47dd9a82f0a7b59df

SHA512
5abce8d0954a59dd62916612b4e7536c4e93ca77506c2fb21293a9a7a009f3737371d908d723e1149dd46c3169537bd086c2fa2f7639c27504a7d189e2ac3306

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
e412378d59c1515095a56de068a4345c

SHA1
d8a3888c3d2733f2da3aaf3a87cca966b8572a00

SHA256
d707d4c4753535e09381e54b2e9651d919d2c1211e38b4404ecede4bf41c9b96

SHA512
332fdb29a4efc6634669a86476fd43b22d50f10a7e5d669a52b52ded0d7c22758f7e17c8f7c67691536dc2421d781d8c3b3737074758ccb1bf18c3dd24133236

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
366b0ea80c0f6bd5fac7fe0ff5de9268

SHA1
4fd52d267ed28e25eb7e59098694dbfe4827fa44

SHA256
a33f9ca5a3f472f071a0fa81886a0c876d052bf31c220b48db0c7122689c802d

SHA512
9a905b5e3bae5108c43f49b50c7d13d182c8507cacfbff5f234dd8dfff1265a252184600585ef8f2313dc63bd8089bda70513fd2dd6444c0bf8186f05ede8129

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
7f189d1fb28381e38e18a9329aa0b060

SHA1
4329521e229f7a6ca7d745083b8443f80eb4d15c

SHA256
fff2231dd37e6ddf16180d4a72d3ec421001644e19cf4d12915a55fed5bc8e8a

SHA512
041329df87ea0f9df99363552cf25a3c6c7b31e86f54d44826c4e3134fec7aaf6f0ecd24c814830d3ef7aa3b7a86f22e499a7626419fcddd765a44b8e68cd4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
d79ace3f2754ade448fe379334c286db

SHA1
ed1cd284d3b5925e57570842bec58e799451956b

SHA256
f6e9cc794f849dc73e8125690d6cd8cf5b5ad04f1fa4a393dd5c1b35b6a267b4

SHA512
3c26e5def23e73e76e95ccc391ceb779045ea45172ffd052f6b61078125ea79eb4b3e3de795a3c739961f914cfa9fdfa67d86cf2900bc4ed915c3edd17de726d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
0d4045d80274a0246c9dbdf55d95684a

SHA1
65258668f5db561f9dfeb3867827cd7e07f72409

SHA256
3d92f7e3c54d34e3c15ea614d3f08b6049a6a76a8a70ac254630f2b289922c53

SHA512
ea801c7affc9b178cf0a1325824c22038a9bf199ec0eab0f36d9592968ceb472a6f77fb387a7f20294a88c263fbce119903101b04f2d150eabd5da103e0ce4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

Filesize
16KB

MD5
7cceef6a4be2e8d9ffe6cf8c7ecb0cc4

SHA1
44e0e05d6d551700f419a347bd078d7912c56c17

SHA256
185a1077bb91b787e78c5ef41313908c1c18b361bfbb73c1cce350a3027156df

SHA512
02eb84660d822d2faa67b6eabd579eb6e7af55440c65dd483b03a497e0fb6c11a96f79a5de278f94f119ba94195940534a37969684db72ed7d0f7816c6c99157

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe

Filesize
1.2MB

MD5
9b55bffb97ebd2c51834c415982957b4

SHA1
728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16

SHA256
a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11

SHA512
4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe

Filesize
5.9MB

MD5
b11a656f94670d490972f233b5f73cc0

SHA1
5b84f9bac9a1fe59b2e27eae58912f8364654025

SHA256
5c80f27dbdc4d89f9c7356c6107eb106aebb556df1818ac94b72ff7b94a3c82a

SHA512
1cce0b001ebb86047eef77ac4479e8a18d3df9e8c88cfa1f9c6749eeaa1803695f829d8edd8d626d58151e210462bcfec2ff45bfb38e64dcb35c35c5796ddbed

Download Submit
memory/60-93-0x0000000000400000-0x0000000002C6C000-memory.dmp

Filesize
40.4MB

Download
memory/2036-102-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2036-40-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2036-99-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2036-94-0x0000000000400000-0x00000000008E1000-memory.dmp

Filesize
4.9MB

Download
memory/2036-101-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2036-103-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2036-32-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2036-39-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2036-38-0x000000006494A000-0x000000006494F000-memory.dmp

Filesize
20KB

Download
memory/2036-37-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2036-36-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2036-45-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2036-100-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2036-33-0x0000000001060000-0x00000000010EF000-memory.dmp

Filesize
572KB

Download
memory/2036-44-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2036-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2036-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2036-34-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2036-41-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2036-29-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2036-35-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4028-66-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/4328-89-0x0000000000D30000-0x0000000000D36000-memory.dmp

Filesize
24KB

Download
memory/4328-88-0x0000000000450000-0x0000000000482000-memory.dmp

Filesize
200KB

Download
memory/4328-90-0x0000000000D40000-0x0000000000D62000-memory.dmp

Filesize
136KB

Download
memory/4328-91-0x0000000000D60000-0x0000000000D66000-memory.dmp

Filesize
24KB

Download
memory/4832-127-0x0000000004820000-0x0000000004828000-memory.dmp

Filesize
32KB

Download
memory/4832-177-0x0000000004860000-0x0000000004868000-memory.dmp

Filesize
32KB

Download
memory/4832-167-0x0000000004640000-0x0000000004648000-memory.dmp

Filesize
32KB

Download
memory/4832-175-0x0000000004990000-0x0000000004998000-memory.dmp

Filesize
32KB

Download
memory/4832-154-0x0000000004990000-0x0000000004998000-memory.dmp

Filesize
32KB

Download
memory/4832-152-0x0000000004860000-0x0000000004868000-memory.dmp

Filesize
32KB

Download
memory/4832-144-0x0000000004640000-0x0000000004648000-memory.dmp

Filesize
32KB

Download
memory/4832-131-0x0000000004860000-0x0000000004868000-memory.dmp

Filesize
32KB

Download
memory/4832-130-0x00000000049F0000-0x00000000049F8000-memory.dmp

Filesize
32KB

Download
memory/4832-129-0x0000000004AF0000-0x0000000004AF8000-memory.dmp

Filesize
32KB

Download
memory/4832-128-0x0000000004840000-0x0000000004848000-memory.dmp

Filesize
32KB

Download
memory/4832-83-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/4832-79-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/4832-124-0x00000000046E0000-0x00000000046E8000-memory.dmp

Filesize
32KB

Download
memory/4832-122-0x0000000004640000-0x0000000004648000-memory.dmp

Filesize
32KB

Download
memory/4832-121-0x0000000004620000-0x0000000004628000-memory.dmp

Filesize
32KB

Download
memory/4832-114-0x0000000003B70000-0x0000000003B80000-memory.dmp

Filesize
64KB

Download
memory/4832-108-0x0000000003120000-0x0000000003130000-memory.dmp

Filesize
64KB

Download
memory/4832-606-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download