ffdroider | 55b8c3a1997416f5c6c04663ef6f6bd2e1712ba24162f330ee31b3ec1c6864e9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

3.3MB
MD5

918769eceacd168684def1b316ff3198
SHA1

044df161143e5e5c255b4edea7199364703776ed
SHA256

6bc9c4e5a88eaa95550d066ff02f0d45b6bd2a93fbcb72b562c6c65ce06bb900
SHA512

b0f4dc956b8aeee77724d0424d6c5f8c5b7c503e184ef54caf9bb47bd509205e843d91784329327010726e73fc28140d63a7e461b61fe86278caa86fc4530a17
SSDEEP

98304:xHCvLUBsg//y/FkpXd/00WuDu8gSX0zIqqr9u/ieKJLDGwtOR:xkLUCgnE600WX8gSXrnrEaeqDi

Score

10^/10

ffdroider nullmixer privateloader aspackv2 discovery dropper evasion loader spyware stealer trojan vmprotect

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Extracted

Family

nullmixer

http://watira.xyz/

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral4/memory/2320-83-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider
behavioral4/memory/2320-604-0x0000000000400000-0x0000000000759000-memory.dmp	family_ffdroider

Ffdroider family
ffdroider
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
Nullmixer family
nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral4/files/0x0007000000023c98-29.dat	aspack_v212_v242
behavioral4/files/0x0007000000023c95-22.dat	aspack_v212_v242
behavioral4/files/0x0007000000023c96-23.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	1a693a205739887.exe

Executes dropped EXE 9 IoCs

pid	Process
3124	setup_install.exe
3352	6eee9f336da6fcf1.exe
4972	c98f61652.exe
4440	626c1e3ded0b288.exe
544	1a693a205739887.exe
2456	9e27a03aab64665.exe
2320	efd22e6e99d7ee86.exe
4000	01a389215e4.exe
3436	1a693a205739887.exe

Loads dropped DLL 6 IoCs

pid	Process
3124	setup_install.exe
3124	setup_install.exe
3124	setup_install.exe
3124	setup_install.exe
3124	setup_install.exe
3124	setup_install.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral4/files/0x0007000000023ca0-75.dat	vmprotect
behavioral4/memory/2320-83-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral4/memory/2320-79-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral4/memory/2320-604-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	efd22e6e99d7ee86.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
13	iplogger.org
15	iplogger.org
25	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipinfo.io
8	ipinfo.io
26	api.db-ip.com
27	api.db-ip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 18 IoCs

pid	pid_target	Process	procid_target
3360	3124	WerFault.exe	83
224	4972	WerFault.exe	95
1288	2456	WerFault.exe	98
4192	2456	WerFault.exe	98
4516	2456	WerFault.exe	98
444	2456	WerFault.exe	98
4004	2456	WerFault.exe	98
4288	2456	WerFault.exe	98
2156	2456	WerFault.exe	98
1544	2456	WerFault.exe	98
3684	2456	WerFault.exe	98
704	2456	WerFault.exe	98
3444	2456	WerFault.exe	98
3948	2456	WerFault.exe	98
3108	2456	WerFault.exe	98
3852	2456	WerFault.exe	98
3604	2456	WerFault.exe	98
4564	2456	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e27a03aab64665.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a693a205739887.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efd22e6e99d7ee86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a693a205739887.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c98f61652.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01a389215e4.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c98f61652.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c98f61652.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c98f61652.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4000	01a389215e4.exe
4000	01a389215e4.exe
4000	01a389215e4.exe
4000	01a389215e4.exe
4000	01a389215e4.exe
4000	01a389215e4.exe
4000	01a389215e4.exe
4000	01a389215e4.exe
4000	01a389215e4.exe
4000	01a389215e4.exe
4000	01a389215e4.exe
4000	01a389215e4.exe
4000	01a389215e4.exe
4000	01a389215e4.exe
4000	01a389215e4.exe
4000	01a389215e4.exe
4000	01a389215e4.exe
4000	01a389215e4.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3352	6eee9f336da6fcf1.exe
Token: SeDebugPrivilege	4440	626c1e3ded0b288.exe
Token: SeManageVolumePrivilege	2320	efd22e6e99d7ee86.exe
Token: SeManageVolumePrivilege	2320	efd22e6e99d7ee86.exe
Token: SeManageVolumePrivilege	2320	efd22e6e99d7ee86.exe
Token: SeManageVolumePrivilege	2320	efd22e6e99d7ee86.exe
Token: SeManageVolumePrivilege	2320	efd22e6e99d7ee86.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 3124	3356	setup_installer.exe	83
PID 3356 wrote to memory of 3124	3356	setup_installer.exe	83
PID 3356 wrote to memory of 3124	3356	setup_installer.exe	83
PID 3124 wrote to memory of 1920	3124	setup_install.exe	86
PID 3124 wrote to memory of 1920	3124	setup_install.exe	86
PID 3124 wrote to memory of 1920	3124	setup_install.exe	86
PID 3124 wrote to memory of 4264	3124	setup_install.exe	87
PID 3124 wrote to memory of 4264	3124	setup_install.exe	87
PID 3124 wrote to memory of 4264	3124	setup_install.exe	87
PID 3124 wrote to memory of 3208	3124	setup_install.exe	88
PID 3124 wrote to memory of 3208	3124	setup_install.exe	88
PID 3124 wrote to memory of 3208	3124	setup_install.exe	88
PID 3124 wrote to memory of 1784	3124	setup_install.exe	89
PID 3124 wrote to memory of 1784	3124	setup_install.exe	89
PID 3124 wrote to memory of 1784	3124	setup_install.exe	89
PID 3124 wrote to memory of 2008	3124	setup_install.exe	90
PID 3124 wrote to memory of 2008	3124	setup_install.exe	90
PID 3124 wrote to memory of 2008	3124	setup_install.exe	90
PID 3124 wrote to memory of 2664	3124	setup_install.exe	91
PID 3124 wrote to memory of 2664	3124	setup_install.exe	91
PID 3124 wrote to memory of 2664	3124	setup_install.exe	91
PID 3124 wrote to memory of 2852	3124	setup_install.exe	92
PID 3124 wrote to memory of 2852	3124	setup_install.exe	92
PID 3124 wrote to memory of 2852	3124	setup_install.exe	92
PID 3124 wrote to memory of 1576	3124	setup_install.exe	93
PID 3124 wrote to memory of 1576	3124	setup_install.exe	93
PID 3124 wrote to memory of 1576	3124	setup_install.exe	93
PID 1920 wrote to memory of 3352	1920	cmd.exe	94
PID 1920 wrote to memory of 3352	1920	cmd.exe	94
PID 4264 wrote to memory of 4972	4264	cmd.exe	95
PID 4264 wrote to memory of 4972	4264	cmd.exe	95
PID 4264 wrote to memory of 4972	4264	cmd.exe	95
PID 1576 wrote to memory of 4440	1576	cmd.exe	96
PID 1576 wrote to memory of 4440	1576	cmd.exe	96
PID 2664 wrote to memory of 544	2664	cmd.exe	97
PID 2664 wrote to memory of 544	2664	cmd.exe	97
PID 2664 wrote to memory of 544	2664	cmd.exe	97
PID 2008 wrote to memory of 2456	2008	cmd.exe	98
PID 2008 wrote to memory of 2456	2008	cmd.exe	98
PID 2008 wrote to memory of 2456	2008	cmd.exe	98
PID 2852 wrote to memory of 2320	2852	cmd.exe	99
PID 2852 wrote to memory of 2320	2852	cmd.exe	99
PID 2852 wrote to memory of 2320	2852	cmd.exe	99
PID 3208 wrote to memory of 4000	3208	cmd.exe	100
PID 3208 wrote to memory of 4000	3208	cmd.exe	100
PID 3208 wrote to memory of 4000	3208	cmd.exe	100
PID 544 wrote to memory of 3436	544	1a693a205739887.exe	106
PID 544 wrote to memory of 3436	544	1a693a205739887.exe	106
PID 544 wrote to memory of 3436	544	1a693a205739887.exe	106

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 6eee9f336da6fcf1.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\6eee9f336da6fcf1.exe
      6eee9f336da6fcf1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c98f61652.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\c98f61652.exe
      c98f61652.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      PID:4972
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 356
        5⤵
        Program crash
        
        PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 01a389215e4.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\01a389215e4.exe
      01a389215e4.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c APPNAME33.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 9e27a03aab64665.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\9e27a03aab64665.exe
      9e27a03aab64665.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2456
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 824
        5⤵
        Program crash
        
        PID:1288
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 832
        5⤵
        Program crash
        
        PID:4192
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 884
        5⤵
        Program crash
        
        PID:4516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 892
        5⤵
        Program crash
        
        PID:444
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1040
        5⤵
        Program crash
        
        PID:4004
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1076
        5⤵
        Program crash
        
        PID:4288
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1536
        5⤵
        Program crash
        
        PID:2156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1544
        5⤵
        Program crash
        
        PID:1544
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1784
        5⤵
        Program crash
        
        PID:3684
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1548
        5⤵
        Program crash
        
        PID:704
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1640
        5⤵
        Program crash
        
        PID:3444
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1620
        5⤵
        Program crash
        
        PID:3948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1780
        5⤵
        Program crash
        
        PID:3108
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1628
        5⤵
        Program crash
        
        PID:3852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1636
        5⤵
        Program crash
        
        PID:3604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1028
        5⤵
        Program crash
        
        PID:4564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 1a693a205739887.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe
      1a693a205739887.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe" -a
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c efd22e6e99d7ee86.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe
      efd22e6e99d7ee86.exe
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 626c1e3ded0b288.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\626c1e3ded0b288.exe
      626c1e3ded0b288.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 548
    3⤵
    - Program crash
    PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3124 -ip 3124
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4972 -ip 4972
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2456 -ip 2456
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2456 -ip 2456
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2456 -ip 2456
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2456 -ip 2456
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2456 -ip 2456
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2456 -ip 2456
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2456 -ip 2456
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2456 -ip 2456
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2456 -ip 2456
1⤵
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2456 -ip 2456
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2456 -ip 2456
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2456 -ip 2456
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2456 -ip 2456
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2456 -ip 2456
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2456 -ip 2456
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2456 -ip 2456
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\01a389215e4.exe

Filesize
1.6MB

MD5
0965da18bfbf19bafb1c414882e19081

SHA1
e4556bac206f74d3a3d3f637e594507c30707240

SHA256
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff

SHA512
fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe

Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\626c1e3ded0b288.exe

Filesize
179KB

MD5
c5437a135b1a8803c24cae117c5c46a4

SHA1
eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf

SHA256
7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1

SHA512
07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\6eee9f336da6fcf1.exe

Filesize
8KB

MD5
5b8639f453da7c204942d918b40181de

SHA1
2daed225238a9b1fe2359133e6d8e7e85e7d6995

SHA256
d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6

SHA512
cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\9e27a03aab64665.exe

Filesize
582KB

MD5
80a85c4bf6c8500431c195eecb769363

SHA1
72245724f8e7ceafb4ca53c41818f2c1e6a9d4cb

SHA256
ec2f50a7156383b9d3ea50429c2f2c15e2857045b3b3ac0c7e2947c6489eceb6

SHA512
f0fb6e7869578f8a43d98d01b928def1661512c51878a1ab186f600e147ff78a04ba8975fdc0f94c8f1d2678c0e679e288a1684da48b78258c1a1d718ea0ceb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\c98f61652.exe

Filesize
215KB

MD5
3d82323e7a84a2692208024901cd2857

SHA1
9b38ba7bac414ef48ef506f4270ddec9fcdf3a3c

SHA256
38783231ccacb73543d658b3acd6d834b5c9bf8ff2b4fdc6c16c73b7707433d4

SHA512
8bd7aa8af7806e97a0b5bc6d2bd5c4f3e5f1732d43ff81f5e51f576ad3baa8753f9e736a406fad04295ad049db0378c7fc10946e2dd2f4f25e67ee4d74aa11c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d

Filesize
14.0MB

MD5
97f23c52803d34ed6fc9e061af66a150

SHA1
66c0c341ed9b5408a8589f7e507759c8e0f2f743

SHA256
2a5fb26eb0a5b81f3a63123f970a55523fa5de1fe479b210abfa94ab80975d5e

SHA512
01ca527ff5521a0326f13d94030ec7c445e130499adbb2f93e0ff2b89d51e8c3066819fd6eca63de5b108d29e4c6f9b8935abffb612da00ad117e04ad477a886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.INTEG.RAW

Filesize
49KB

MD5
4cc67c140cfd5a5a86294429ca2ab33a

SHA1
b037acfeb90788679cb3bccef90fc4d0882c6e8b

SHA256
177d14b5605bb27a635736a11b82063fe07f6f0e667c24e8c51773f9674adf6b

SHA512
7bf18d97b275a8ab6522a7576bec6f1f9acc450e913b9d97b2bb447cde36243519ca1ab1cd6b46189ba3ecce230d146909425909bf267a3c26880edecd65f66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
f58dff1cffc5ddb7119ffb5e0b86ebca

SHA1
cabe178acb2a8b8cb3b45ef5fb17062026198fbf

SHA256
fac1d7532de42495bd900c711f77a2ce384734f54a9345e9fa06d19fedd6bfcc

SHA512
a84bfff406ab9e35b2ea68ad7bac7a53091303995260b1b5a8e0c0e39a92cdd8324d58895efdaee99523ee3774d49cbc97b7d412f795351ed3a910e5aee97c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
79b24d35a3e4957969a3a35c1e8ad84e

SHA1
e0059553c072c306b09acb43404b10e2b7319d0f

SHA256
40cf719dfa4fe48f4e69454227a0fc4db943f4b28a562c4d0ac4365327fd2c46

SHA512
5d1db758b49a8aae63fa1c1bb25f291c7e3e3b427c6d7ecdf3fbd8591e5e5fb35f85826224a40e99b9b9fda0c675bae1c4ef6cae8f032723488fe4c09d96a171

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
fd07cc98b76ae7b5e2c747d1e2354455

SHA1
8791246c72139e112f5a32b751bdea766c0b4fb3

SHA256
52f737b5b240fc4660c23bc0d0e913b6d95fb77f6639ccf9d40f2a604d437dde

SHA512
86347138ad5d4c010e183273a30e8c0fa97ef660e4c68c8619457b003d70585e5d9dae4608ff92b7ee3009a186a86bf89a316a717c9b3be2b9e3817ad1c1f64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
3f6a20ae7f4cfe03e8c29e28cc74e2d0

SHA1
860d22b6cea942cb360c3036bae3d820772a81ba

SHA256
a74430b32e07e2ee4c9eee659713fe287287484ffc697ede01634a3e59bad80d

SHA512
cfc971120656b47685c79a8eadcb6107ba3954b67169f9908e274b129e84fa174a680cfeeebc5c148facea51987150b4e833e3c14f3fccd8d2a8c96978f3db30

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
c32877f026ef64846ab9ddd95636b38b

SHA1
6a0431169552f7da20eaed436625432eb32ce704

SHA256
247417a478cdd08a035629b132bbcb81b794b9fa7beb223c0e3aac20e0c59dcb

SHA512
f8e46215e466b3b3059a2b80bcc072a42fbfa4f6dbe17da3d1a37df701b7706b54cff064bc057ac3a7e40d2aa5064f1acf70a2700a7a4d9e3d4a11ffd77d4696

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
20c1d6f7c91e152b9912628e077c6311

SHA1
0dfb504a6edbd524916d684ec0915b470dcb7ecf

SHA256
0931f56a37b78c9909c00d1236e409e6c1956ffe8f6a96d77952b9897cb7e759

SHA512
f03da7c09c0e4407d45b03e3696eff01b389284638074602d7932cbd40dd2446ec00401fff313375079c0414380166b649d82551e0f78ec93eb88b9b1d48ee03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
3444dddc5444da0ad818d500e7e026c6

SHA1
3bc462c3e5bba2c9a85a82b7dc7e29f0a3d8d96c

SHA256
b24c132bc996f7dcb0580ea4a5a63eabcae1743a8627f7adb50e3b0e97098309

SHA512
cf88b072eb7f5c7382e2fe6e4c907bba62e989f6089e9ab6c4e4668a409c33ad2513adcef5857532bf50b8b9dad05fb62fb7732f4aa007757f6c08b86977ba7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
b4b5acd7e20099092a15fccb2b33d3c0

SHA1
af76179b10bc82da565b0d32ff552aadea04612e

SHA256
0952e941176134cb60c4d1069b1852706af041d70e3fb5aad01996ccec242a57

SHA512
b8e0248c80077e85d6bfb2f8fa3b1c70db7bacd1394433c96801d8ef3427d3c01b008b5bca670370b897766baaef0b975e05a13cdb4bd73f7b5ff72c96fb35fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
08093eef352c2b58a5384bdf8c8a7521

SHA1
3ccae7d884af0850a69a4cc802151bc395fa2c05

SHA256
e3b32cfc68e9c2dedb30e28b5bc91db8ab024908d5547df0c14d3178df565e0b

SHA512
3b018d6010d01a315851dfaa936b4ac6e14530fd569aea3028de16235ff39d83fbe169585b312a9f5eaafdad1012bbc80d930a2d1c906dcdc723df04259796d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
77e874ff0a4d917b597c62778929522a

SHA1
1522ceb9498d5ef5bc141cd5fa6af85890c3a813

SHA256
53316053e66158f9e571d61a35ec98cc300fca6c90f665fcb6c410bd37aba93f

SHA512
7575ebacd079d56c93a8ea727af6718c589e14cd23eade11bb93a24e4dd6749f40418327778c131e2ec1feb1bd70208d175217d4f1750fa30683e718bc320b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
dd8cb5c03eedd0d2a166b3a0b5494557

SHA1
eb9eaa081c3bd2edab34b6a1fd0972ab1e29b852

SHA256
6ad7b793b547f16ea4e8f2ddbd3c47cd0759f0e8178dcb4f90996aaf4c9af03d

SHA512
2d6d539bded366a402bda9734ab4f513a49be065bd45ee894aee0c75805a528ca39936fa1ed99ac479826478abb8e8415caff0fda20ebee1219f7bc3838f0c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
7b29fc44b9f9730ba528c27395e0a684

SHA1
2b06ee28e9961a98e5b5f77742672a29104e91fa

SHA256
f1864086aa500a7bc2cae87b740e0833adfa3a64577fc351609affa0b11cbe3d

SHA512
ff0b047aba5b2b15f8f3060182b3249c4d7fa93afb49c0d786f5ab862f43e75cea0e3d90a1fa1207783b9be1b136c680f265e07d7224e983b0e777b2dfb601cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
4b0e152e7614656c119399a0759eba98

SHA1
fcc298500c697b149756519a5e14292e85e066ec

SHA256
da5f6f2e6374deb5fd58eceef157f4b9fec65d5bb8d4866e3b09290a3a4384a4

SHA512
3157ba501e9396b3b03fd2066ca51ad0185c75a9a8d369119c2d886334dcd59c08940ad81e42f73ba64127e36de277a9c726d6379cef6af1c382da3941e52399

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
70f0d4d099e81e0aa84d0e7c338da7e4

SHA1
5f1f002de16e033ab5237b4879b18e4ad4dc1d50

SHA256
acdc2415ad0ea4cca6cbfd89e2c710af593eb21f77a544e38a221eafa3bf8b72

SHA512
77d68abb715b60e61a18588f69fa3457651a118b48cc40b778918ce33a77e85892dd956000d904e9082a3251df71008f70666eeaa5f7f3a10a468e0a27cc9910

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
9fc77d27c0a902df61733e54e597ec1e

SHA1
4117ebfdf25ab0ee883435b331d4b8c8b07a478c

SHA256
83efdf2521e60c891941a4ceadefe1049fa39e5a55836989687335ef3f8ebafe

SHA512
b684c02c13da9e392f59509132384a93422353acd3e75899a6b19853f0123352dc67ec6e057d49577d3e0abef6b2849b0651bd9ec05902c1a41ec0ad68397271

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
fae00bd40debd396059a1c657298bda6

SHA1
814283d431075b1b0be9ab8da278e7de82cb36ba

SHA256
3a51ba535fbf45af5b8a8d7394fa2ce47063fd92c81a6d700c8c745402f11c82

SHA512
9e778faef2ea59c9499569ba45ee3a28244086094c48b757c823d4543bc3a997f305dd8916befc52fbbcd74a0fa3fe79c4e28cd0e155e28e08fe927bb864e888

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
a40d7b9940da5a61dfd434a6d9513fc6

SHA1
4dc229114c71e8f92304da91d1f934b51c3e2838

SHA256
ce00b10e59430568684de82576bec8ccd4fcb1d894b94c6db5cb4550dc9d4233

SHA512
f60da8aa50e2797221f051830f215a8e80917cd141738f6953b299c3d16d92bf6afc249e77ee238b1b5ffce265e44ecea3f3ec995643d0ae47981820a13f7ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
c51f247207d653ca6afdf8c8d9c1a86d

SHA1
3a6d4fdd7e296a53bc440af91a33fa7dbdf697d7

SHA256
82689ddf956c32332158db84dfcd613c422291f44bcc2be67cf3bab448ca04ac

SHA512
2071f7d23ef00ee9400e8fb2a6106b91bab031d6963f53199c6be549b5762c98d4dd0baf2b09de379ff21976beeff392d485c280fa87acf49c378a45bdc4546c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

Filesize
16KB

MD5
4ac3b45828982f0c2ce1a0caddeca0e2

SHA1
eee2aa918917d334d7fe12e6245901011086b829

SHA256
50366547d11a371029b8ed8f30ed0156e8c7e3b87be29ce3bad07f42fdc4999c

SHA512
98e35b128de049c0aab8b1a02f889dd1765d0ea53abc792571db4e32771cb10a534bb17c7e9b11bfd82c036d57441f9ed7ce24d32eb78f8151d0d185ed69fe55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe

Filesize
1.2MB

MD5
9b55bffb97ebd2c51834c415982957b4

SHA1
728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16

SHA256
a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11

SHA512
4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe

Filesize
5.9MB

MD5
b11a656f94670d490972f233b5f73cc0

SHA1
5b84f9bac9a1fe59b2e27eae58912f8364654025

SHA256
5c80f27dbdc4d89f9c7356c6107eb106aebb556df1818ac94b72ff7b94a3c82a

SHA512
1cce0b001ebb86047eef77ac4479e8a18d3df9e8c88cfa1f9c6749eeaa1803695f829d8edd8d626d58151e210462bcfec2ff45bfb38e64dcb35c35c5796ddbed

Download Submit
memory/2320-173-0x0000000004990000-0x0000000004998000-memory.dmp

Filesize
32KB

Download
memory/2320-119-0x0000000004620000-0x0000000004628000-memory.dmp

Filesize
32KB

Download
memory/2320-175-0x0000000004860000-0x0000000004868000-memory.dmp

Filesize
32KB

Download
memory/2320-83-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/2320-165-0x0000000004640000-0x0000000004648000-memory.dmp

Filesize
32KB

Download
memory/2320-79-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/2320-152-0x0000000004990000-0x0000000004998000-memory.dmp

Filesize
32KB

Download
memory/2320-106-0x0000000003A10000-0x0000000003A20000-memory.dmp

Filesize
64KB

Download
memory/2320-112-0x0000000003B70000-0x0000000003B80000-memory.dmp

Filesize
64KB

Download
memory/2320-604-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/2320-120-0x0000000004640000-0x0000000004648000-memory.dmp

Filesize
32KB

Download
memory/2320-122-0x00000000046E0000-0x00000000046E8000-memory.dmp

Filesize
32KB

Download
memory/2320-125-0x0000000004830000-0x0000000004838000-memory.dmp

Filesize
32KB

Download
memory/2320-126-0x0000000004850000-0x0000000004858000-memory.dmp

Filesize
32KB

Download
memory/2320-127-0x0000000004AF0000-0x0000000004AF8000-memory.dmp

Filesize
32KB

Download
memory/2320-128-0x00000000049F0000-0x00000000049F8000-memory.dmp

Filesize
32KB

Download
memory/2320-129-0x0000000004860000-0x0000000004868000-memory.dmp

Filesize
32KB

Download
memory/2320-150-0x0000000004860000-0x0000000004868000-memory.dmp

Filesize
32KB

Download
memory/2320-142-0x0000000004640000-0x0000000004648000-memory.dmp

Filesize
32KB

Download
memory/3124-38-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3124-30-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3124-96-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/3124-98-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3124-99-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3124-100-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3124-92-0x0000000000400000-0x00000000008E1000-memory.dmp

Filesize
4.9MB

Download
memory/3124-101-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3124-43-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3124-40-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3124-42-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3124-34-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3124-41-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3124-39-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3124-31-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3124-32-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/3124-33-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3124-35-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3124-36-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3124-37-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3352-71-0x0000000000850000-0x0000000000858000-memory.dmp

Filesize
32KB

Download
memory/4440-87-0x00000000022A0000-0x00000000022A6000-memory.dmp

Filesize
24KB

Download
memory/4440-85-0x0000000000310000-0x0000000000342000-memory.dmp

Filesize
200KB

Download
memory/4440-88-0x00000000023D0000-0x00000000023F2000-memory.dmp

Filesize
136KB

Download
memory/4440-89-0x00000000022B0000-0x00000000022B6000-memory.dmp

Filesize
24KB

Download
memory/4972-91-0x0000000000400000-0x0000000002C6C000-memory.dmp

Filesize
40.4MB

Download