hawkeye_reborn | 545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9

Analysis

max time kernel
74s
max time network
75s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
Size

696KB
MD5

4ee93de86def5cb761ff63b8be928a50
SHA1

8a49f1244152fc4dd5e3174335cbfb77bb6abfeb
SHA256

545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9
SHA512

fa65530ffd92e1e6665c23762e6b1124e629e27894529c32a4474cdb244328967fa549de94f69f374fd42a12aa949701cbd6357c91cefe2a66bcee0ea8f184af
SSDEEP

12288:sFtUJ5yf/yw6hKomF9Fsra7aZKDNuO+S+Ua6H7KyK4T/+MY:sFnHZ6ht+7nf+S+wK4+MY

Score

10^/10

hawkeye_reborn m00nd3v_logger defense_evasion discovery infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
mail.nokachi.rs
Port:
587
Username:
[email protected]
Password:
Proizvodnja2018

Mutex

c9ac8604-645d-4898-8da0-95fd2ddef895

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:Proizvodnja2018 _EmailPort:587 _EmailSSL:false _EmailServer:mail.nokachi.rs _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:99000 _MeltFile:false _Mutex:c9ac8604-645d-4898-8da0-95fd2ddef895 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
Hawkeye_reborn family
hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger
M00nd3v_logger family
m00nd3v_logger

M00nD3v Logger payload 5 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/2656-18-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2656-15-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2656-13-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2656-12-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2656-20-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Executes dropped EXE 1 IoCs

pid	Process
2656	svhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2968 set thread context of 2656	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	35

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3040	timeout.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000022a0565ac52b04ba5e34810df7cdde20000000002000000000010660000000100002000000049ff23441ffd4baa90573d74cef63259330d60c5cdee808461401043920ea998000000000e8000000002000020000000c06d58657aa6aa11144c25b84532a823b93fc17b58b37373264b50a25883e72590000000ccfdece0d27913aafba175eb609bd31ccebbade25928d0e16b7a8bb5a36342e7258efe12bd5e4bf3b721b3c61dee49e279026c936c61469fc1f83bbde0ac131d0aa1aa684209e0cdce338216be29751bc2f4acd4490800a2f1a6a05b09b86e8973fae0657cfb4bf7935ac13769c3ee2f26e2b521712442ab4d911a3588bc4c3213d77f7003d6f6af80c6b0b6e005c6b84000000005faf9d6941fb104efec75d186cab1af3d37a8da79fcaa6d0c9497f33055caf7b621674908369de476532264112454215fd3e647b828f80c57785de428d05efb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444600501"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000022a0565ac52b04ba5e34810df7cdde2000000000200000000001066000000010000200000009b388cb0f0cdfc21ec9bb3ddd9931ee0fc96d4c171788599f600ef215daf4ec8000000000e80000000020000200000000e9a7c4708f1976da8559b80056292ecea3d0ba0841c4407ae3b6466ce5b792e200000001b3c0507876ee593b76443dfe2922e788484cc98988b9d77e8a0511c8c0dbf264000000062615a84adfa910a5132976b73ffa3141ae3a7a8ebcc9e56ace0b39aaf92fca1073f3d14b1a78f28db475977dbe929838d4c5e84a1e7a61e0f6e0a805b679e40	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20cccac5e074db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EFA482C1-E0D3-11EF-94A5-465533733A50} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
Token: 33	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
Token: SeIncBasePriorityPrivilege	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2612	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2612	iexplore.exe
2612	iexplore.exe
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2576	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	30
PID 2968 wrote to memory of 2576	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	30
PID 2968 wrote to memory of 2576	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	30
PID 2968 wrote to memory of 2576	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	30
PID 2576 wrote to memory of 2824	2576	cmd.exe	32
PID 2576 wrote to memory of 2824	2576	cmd.exe	32
PID 2576 wrote to memory of 2824	2576	cmd.exe	32
PID 2576 wrote to memory of 2824	2576	cmd.exe	32
PID 2968 wrote to memory of 2712	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	33
PID 2968 wrote to memory of 2712	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	33
PID 2968 wrote to memory of 2712	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	33
PID 2968 wrote to memory of 2712	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	33
PID 2968 wrote to memory of 2656	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	35
PID 2968 wrote to memory of 2656	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	35
PID 2968 wrote to memory of 2656	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	35
PID 2968 wrote to memory of 2656	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	35
PID 2968 wrote to memory of 2656	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	35
PID 2968 wrote to memory of 2656	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	35
PID 2968 wrote to memory of 2656	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	35
PID 2968 wrote to memory of 2656	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	35
PID 2968 wrote to memory of 2656	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	35
PID 2968 wrote to memory of 2640	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	36
PID 2968 wrote to memory of 2640	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	36
PID 2968 wrote to memory of 2640	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	36
PID 2968 wrote to memory of 2640	2968	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	36
PID 2640 wrote to memory of 3040	2640	cmd.exe	38
PID 2640 wrote to memory of 3040	2640	cmd.exe	38
PID 2640 wrote to memory of 3040	2640	cmd.exe	38
PID 2640 wrote to memory of 3040	2640	cmd.exe	38
PID 2656 wrote to memory of 2612	2656	svhost.exe	39
PID 2656 wrote to memory of 2612	2656	svhost.exe	39
PID 2656 wrote to memory of 2612	2656	svhost.exe	39
PID 2656 wrote to memory of 2612	2656	svhost.exe	39
PID 2612 wrote to memory of 1636	2612	iexplore.exe	40
PID 2612 wrote to memory of 1636	2612	iexplore.exe	40
PID 2612 wrote to memory of 1636	2612	iexplore.exe	40
PID 2612 wrote to memory of 1636	2612	iexplore.exe	40

C:\Users\Admin\AppData\Local\Temp\545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
"C:\Users\Admin\AppData\Local\Temp\545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
06c8f142859004db16ca0e3f82388c9c

SHA1
23acf3d4a2f8c7e1d45c34d4cd534ed853b2db36

SHA256
bb1e955d30b877d21cee3baed7249b9c620abda8bb2718dc5ed51583868ecea1

SHA512
86701d206a9d28fb5b8b32137d82284c28d87c7bf60ba1f6529a3fc0b1297854976bd92284e183c866a4655a1bbecd14c4f693fee97e1b29f459c639ed0d42ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4dc7884d9cb5aeb19e95cfef1bb3632

SHA1
44bcccadbaf7e2fee9c306438dd7d57cd4fed7c1

SHA256
d8305824e1b582fa76862ffb09346dbcb28d4f1eab8e7513e0cba7b02141253c

SHA512
608c5042f9d70adf48d08d4eb1b4bc07371170ee5d660bca0ff815e941aecb562f326b48c10a2a1bc826d482664562ae802312b808ae89be3db666930a2d152f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ea5b1f18e0d401ce65aa9cbfbbc57b1

SHA1
5b57b77b98aff2de44b8e29bcb5723898e426ccf

SHA256
0afee901cb8b6d8d75614ea04c374fbe9049e7a2db5e07474230a91ea3e8ba3f

SHA512
81667ccac5e719fd2495adf9142b7dde85d5b4a3f69828b5930f1260bf94aa7ea78cc9af1a1dbc945b2683e2f4bb65ec773428d7772636545f097dc992f59b6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e86912c3f51840b862185f8ac418fa5d

SHA1
17f16bb471780d3b57a5c5ec46fe6a4cf462b989

SHA256
9ddf6c4ca4496a1e2d492163aa5b27e066afa7e3c4e0c6db2d793d575442ae50

SHA512
14d95df5373ee225ace72e0d01f8dac9be0f87117e9b764d0b4c6b6f91f44d9cab5c967331400fb1afa7cafb00112af4802a060a3d560be5f7f2db840cff20f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27ff13710fad9ebd68fa6c397f8970a0

SHA1
8e7aba91212933c0a251b8abc0de56b6e25a3992

SHA256
01ac1adabfe3062d3ff7bea9c1469770849dba42d2c4ac82e9d1c7b46ba0b810

SHA512
198bec673a588168ad5ad7a7c5c669ebd0a64500b76fbdac4643622a11b2f129ebf5654ef0f0e2fb3488b0624fc8b027d46bdab8be021679b048e6d9d94d210a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea0993041d296b3035e58f6ba9b2144d

SHA1
b669c0e6d907099e9a8d796ec23ae28bd9cc1005

SHA256
bae53e115aca4a09d9b0d452b8b72c2aef90e6638afd54ddbed789f1d05bf3c5

SHA512
2275cdee47a5d0d8901e074dfa40af7b2bc7f5685f5a2e55c464f9118437d58bc4704171a10e7b2f2a15e7179e3e49444165602ee36dfa944d3de34b77878e60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abc0ca5f54175315c2c3070f7a1ff707

SHA1
ec8bb352535a4b8418a2b6c75f1dc2fe863574f3

SHA256
a29c74b15bf15a878737dd5f8831ba2972f3d98b235d6dbc70794e704b0e2175

SHA512
a7281f067703d16bc44de4635f12883b70cee0235fa345a04f6d82a461584eca924fa34a9f628382982fcba3469973ed4c57c28c498b8663470fd8ab75304261

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd4d682ab1265da1c1a4e56b614cb500

SHA1
c7623c987122ef6cfd3813e4549bf532e8050b1c

SHA256
71c43bfc5953bdc28e89ff30a6d95e51db363ce45c9adf970a6ee5a47e115ad3

SHA512
5b2f572b98594f7f9e175d4b036810cbc11cd7c94df143ea7fd7d684305ff755c00351fd5df8eccd38bf721ea7484f071bc71c5eb2e73cce9e3c9fab57d500f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f95f4c700fdc61a66881e8f4471cb0cb

SHA1
ee53254d5f44dafeaf76873c4b88fc6381668310

SHA256
5777a6daf71064e4c3c32ee4f68fac8ffa40b3360c2951cf51b33091ead6d842

SHA512
0b5e2ea1b11fdeafe964cb34ac96baaa8e6ee73c14eb5055c2df6e9cd012a368c5e8894629a25f839c633498348d94ca32b27d15ab0dddc6e8575a2938ed3cbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
232f674e15624bc5ba874ac8a4d38c28

SHA1
8a86dc11d2e2d7b0d96caf1dcc337b53948cd330

SHA256
5d97db851759ac386d854bc65019f956b8041e23331cd12912494c36943b4c7f

SHA512
bb57a36bd8fe9a98bd9c3fcc8d3ac8136ef5ebe7167b17a51b1df8f39e88168da1c76539ffe9244431db76d4e1f4126c6af7024e058374052eaf7cd68a3b70db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68ea152fb56f3d1ee14136bf1d1a45cc

SHA1
c932a6376d654b4125df9f52778347c8887433cb

SHA256
9287a6337875f3c48ef1a2a91d50d8d1e77d1a1fb8af9d5c3b73a4eb3a1c92dd

SHA512
6b4ac5c383bd63274d96eebffe00cc075af809de8c6b14ceb903be1f1e5c5db819dc79e09e18d05dc882519743f0090990dd39775da00387ad9fbf90214a5dda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da3364d9e8e1e31394758495981db8a2

SHA1
43fe477c20119147f033b27c95fcf7dc20fe0b82

SHA256
31fed7848f08d8783e1b409c01ef6e150b7f0998f38cee10660408df2d18f301

SHA512
9a12c7e8ef9645e58357d7a6ef41fb12786ff55bc2195c2ac63b177e98184575f6b9a048af4c7c172932ab8ae4c85b4f7a6859f124730dc95de2f01fde410e3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
415983f104a9569024a48d1ee12e53af

SHA1
4d7417b8a2476a2470ed694cfeb19c2cc9d5aadd

SHA256
e8d458edef59c9a4d39234ba3a2e3925c5612f5736b1196aa5f22a36ddba196e

SHA512
1a915b7b1636784a1cf9d165e46970d2a47250f4e62401ea7d1f18aa43403f231ee123f202e89a197d59ac6329cac65cf9cfd065114fa4c7152fcd373edcc084

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52f2591f4b893f8f497145440ba94c79

SHA1
aa3105585f9d5f83c0a66f9cd51874865a373755

SHA256
56fd1aaa0709595fabbc524172908b63801322bf14af24122a2054e365afd096

SHA512
3d060393d51a84baa50435192b47dabcb4fa8a7c0a26b115aa32718600596c6a932952f671a43718393a37fb1eb2dec72d94c35436a7c0cbc44b2ef9606b373f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d698445f73fd72d816fa0668de1f9bd8

SHA1
971ea8fedf32dcaa4419c1668c11759f9202b2a8

SHA256
a257963cfcd077364be239be0f437ce751686a94bdff788b73e324dd5d6f29d7

SHA512
b865991c5d8df1f7c37fbedbd558bad59d86c7aff9fda71c9f5caddca53bcd5ffeffa96a7bcacc6fdc6e04ead7c8080db66fd7c867fe9e03a8eb726bbf198445

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08bc3514a3a6a2a45163b52e4183303a

SHA1
ce1d4fe2912b22a9759fda36165426665311edd2

SHA256
bd9c19076ecbf7a231b431aadb0ed9cc74629bec1b305f90eb4b57087438cfa8

SHA512
c714e3770f1763769fa2eec8c4804bb9bcc7f75d7bb42555a9c1bf7701ead05725a8884271358c2db39acce9e479b9d965a415df6954244b900982c441c1dc6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af36b7c72f899dcb7a96e09abf01ee56

SHA1
dfc9fdf915e4e1d7e59c1e3473ca02ffe85a83cd

SHA256
86afa72de537e93bed58e402d4a71cf2cc5f7ba287809be5bced32bd4e57d88b

SHA512
ecfdf398037beb41989ecc11645ad31c7773866b732076c38fd630bb5cbaa971f1175278ddfc2cfb1779b72c43895449c3b4430aee55c2a5543fb90fd24e645c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73801a57230d2fca3593a8edc47e8e5d

SHA1
70495560918e5a0db9741c354e042190ad1a5990

SHA256
70aba902e9545ea8ec9719ba9df0e47a7c2a31f199febdafe8e42cb79668f6aa

SHA512
96db97f414d82d924e6f9213ffec98f60c5ce18136f86968e6547aa5c31bc6c122befa0e9e66c703dfc008acb6c1c08d05c98b7e6dab9ebc52ed5595233c9903

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4df4c2c6c8dd7cdbd5789857bb74d367

SHA1
fb9e3ad8858fc83b328582c8d79afa266bdf1030

SHA256
7064053d09400f208a8690db19fe1ca210d7c5365e0f8bd510c0ad329381be19

SHA512
8717c2dda2d25fced5491e3042615d1812c99454ab528490e8e59baf5cad35f389915de2981c6f4df65e70314603caeb307defd9f0f88057b1fe99ed122a08b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab8c3c7f639c3074bf37162a162a610a

SHA1
441b325050442b575728f22c5da86d0185d50b79

SHA256
b9b84dd12399dc483c5e42a295f8355a330475fa846d6fd2162fb60cacb1d5d8

SHA512
e4c1837ff11e0594e926fc0ce29663c902cf5cd5128fe6340807b2c9979634a6bec9e2988b86a8d6e033627e26437ede68ad2f4f84acf8dd1e0489487b2d0812

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3408b806690843a86a9fcd07d02aaab

SHA1
383baa2bdec85baf103c10259de30c8e7aa21879

SHA256
cb3b996a0a054e73f81ae7ceef6e6150f3dcfacb21098da6ee3e002ca6062309

SHA512
72b925275f242daeaa6ff1a3c44e37d133d012d0c6dea70d1159d611ad313e37a02b11b8cf14c0605640878163f5992c9dc67c7ea6127fc762bfd478a2f90bf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99dcd4dd4bbeeb9cde972481b5f4258a

SHA1
abc21121f7d817a06650687283ee0abe842cfbf0

SHA256
7df24a6a515732c3f7947cc038182678502b09aa431f0c5f9779f5513204745f

SHA512
3152039366ddf5b5523258961dc5718fbc8ceffa8fafc8fe4e514e93fea32c03540f209dd51e876e1e84c52642c076a2a2dbb481612a776abcbe1981b8cbf4ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b19ad081d4c4cf41f97e247685ee5099

SHA1
5818b489b7609ff0dc64324d4b214be2e1649170

SHA256
3f1b83bafa406b980dc3942c971117325940076334281fb5f525e0ad64d7612a

SHA512
a8ec42098d9ae4010af1c807fa67c20c5ee3bf1c4426c60183f2f0f6de0ac884143ab2c4c5688819da0ac0ad8769d049a05f5059c6dffe777025b71e8aa87871

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97bcf26f7a6f3c2d921769a58afbb0ee

SHA1
60e4da4eaa255ac6ae948cd45e0dcb29e04f66ec

SHA256
b621feb2cb5e46750ea1a50fdeb0f6bf0318e185e86814f9f8e1716aafbc7e32

SHA512
841c6e440dd94b917014aac6e7bb9551e4397ee5cc96e9cb3922dceb6ae55c74cca984b3f891564b1327eb6d9b1e292459ebeda933277caab5fe19139fe52db7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f20cc28495f5700b8123a01942d9788

SHA1
92e57bb7178dabf89fd6f391dbb956956c6f18b8

SHA256
a098da42238b87c6b6a3daa14212019f532705316b7c6886118277833394bb33

SHA512
5a94547c3632ace6826bdb482c24f04bfd6f76682c6816efc39f0ad2d81b79ccd27a60bdaeb45b7c098a06bc714140e43e6d92ab81f2f3804dc878c160c9e8d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a07a0ef8ac44de223ddfc67990b9f2f4

SHA1
6b7e533028197a04ef10216dba810503f6bf2209

SHA256
5727ee0c124855cd271f4a241f48dbc5552a5ae9e4bcb8ce429580c476860f7c

SHA512
565282bcac230ff8d6b25ea0302a803a93cb4bf350d9e9d66308040033d0f7ce8f9e89d43039b48123da0782315c4817432086e2ff6aaf8f5039c151ddc94924

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aec0b0ea716c820746958af703baaa31

SHA1
a27aaa36d3ecaa7e547c88b5ac2034e17d21f8da

SHA256
487089866f3e943447b1f407cc669b001efc0e31073a0c9bf6cb5afa96c0c068

SHA512
a483e1c833395ea54c9a4d0eaede87c10fc873bd9e85160c2c881576f757c95530ed07b15e3ccc73fa72b4aea9004e549b715ac9da89cc527e98c2744d6a9619

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f6f8970d796bd6d1e8699b2ffc4dac3

SHA1
480caaf4bd78c3402dd270f56ad1cb38d2b970aa

SHA256
fa298aa44ee05f681792f3d3af4eb37bc68c0b6975706a30f542bf81daa624fa

SHA512
0bebf6bc66a3eff61eb5917bb13cdbdfc86ceb9b362818f1be099d563f3146400c1e1078e06eab78c3ba6c6b4f04205b7d8c691fa87b91a8d5e8ea43a8f4b4c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10ebc38ea956ef0433086805193025b7

SHA1
a7afd2827697ceddeed41f92e7bf594eb2fa7198

SHA256
2ee9e31cb72fd66e28d285c5dc613464fabf5cec9f9ae5aa940969ce72466e1e

SHA512
607dd26764aa39a0bfdad442ebbbcf1ad718ae72497ed82cc7d51f373ef1451fee1280617f8608b62f02173cb888f9bbe45206c06bc797b0d2b97ab43c490ad1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
382f5c0679dac730e6000c9fc54ca8ff

SHA1
8dbc105be9e363873654dd7acc6a006f26bf1ec5

SHA256
b4ef8373081aa848d0b613faf93503af7964ea22f90bc92f24350ab91ff46aae

SHA512
bb129a8cc6325ef7b38271d45dcc34a7762f82921ce810068babeb981aeca17b95eac19c5325be0b75857fcce826f7a12cb76e30713bbbb40bcd9800a0d9569b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1ED8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat

Filesize
204B

MD5
bfcbf382f036462e63f307ca4ae280c7

SHA1
ffe98d15fa5ea205220d6bc105e317253a6ea003

SHA256
2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727

SHA512
1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1F97.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
2.6MB

MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
memory/2656-18-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2656-14-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2656-10-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2656-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2656-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2656-20-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2656-11-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2656-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2968-501-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-353-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/2968-485-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/2968-3-0x0000000000CB0000-0x0000000000D42000-memory.dmp

Filesize
584KB

Download
memory/2968-2-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-1-0x0000000001220000-0x00000000012D4000-memory.dmp

Filesize
720KB

Download