arkei | beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953

Analysis

max time kernel
151s
max time network
147s
platform
windows10_x64
resource
win10-en-20211104
submitted
24-11-2021 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe
Size

145KB
MD5

8f76454a9312d8338b2f1c78c4b04c20
SHA1

4d5197b57360430f2b68fb6be11f349a2182be77
SHA256

beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953
SHA512

48169a6de3940074f1815bc27421c2445add35ce17e8aee1b1e6b880b56a10d5f77fed54647b8f22c1fce49031200c1db2cf329df28ec5247d751df249c19b5e

Score

10^/10

arkei redline smokeloader tofsee @123 default backdoor discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://nalirou70.top/

http://xacokuo80.top/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

tofsee

quadoil.ru

lakeflex.ru

Extracted

Family

redline

Botnet

@123

141.95.82.50:63652

Extracted

Family

redline

185.159.80.90:38655

Extracted

Family

arkei

Botnet

Default

http://185.10.68.50/lYWcN6H7B1.php

http://file-file-host4.com/tratata.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2144-160-0x0000000000B70000-0x0000000000B8B000-memory.dmp	family_redline
behavioral1/memory/2224-178-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2224-179-0x0000000000418EEE-mapping.dmp	family_redline
behavioral1/memory/3636-221-0x0000000000400000-0x0000000000816000-memory.dmp	family_redline
behavioral1/memory/3068-281-0x0000000001340000-0x0000000001440000-memory.dmp	family_redline
behavioral1/memory/3068-282-0x0000000001340000-0x0000000001440000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Arkei Stealer Payload 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/3188-200-0x0000000000400000-0x0000000000424000-memory.dmp	family_arkei
behavioral1/memory/3188-201-0x0000000000406690-mapping.dmp	family_arkei
behavioral1/memory/3188-203-0x0000000000400000-0x0000000000424000-memory.dmp	family_arkei
behavioral1/memory/1048-217-0x0000000000400000-0x0000000000437000-memory.dmp	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

EF43.exeEF43.exeF6B6.exeF9F3.exe280.exe55F.exe9A6.exevwuehafq.exeF9F3.exe9A6.exe9A6.exe64A8.exe6AF2.exe6FB6.exe

pid	process
1384	EF43.exe
2792	EF43.exe
652	F6B6.exe
3388	F9F3.exe
2992	280.exe
2144	55F.exe
2176	9A6.exe
3540	vwuehafq.exe
2224	F9F3.exe
1124	9A6.exe
3188	9A6.exe
1048	64A8.exe
3636	6AF2.exe
3068	6FB6.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6AF2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6AF2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6AF2.exe

Deletes itself 1 IoCs

Processes:

pid process

2264
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

6AF2.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6AF2.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe

pid	process
2264

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6AF2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exeEF43.exevwuehafq.exeF9F3.exe9A6.exe

description	pid	process	target process
PID 2576 set thread context of 2656	2576	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe
PID 1384 set thread context of 2792	1384	EF43.exe	EF43.exe
PID 3540 set thread context of 816	3540	vwuehafq.exe	svchost.exe
PID 3388 set thread context of 2224	3388	F9F3.exe	F9F3.exe
PID 2176 set thread context of 3188	2176	9A6.exe	9A6.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

600 3188 WerFault.exe 9A6.exe

pid	pid_target	process	target process
600	3188	WerFault.exe	9A6.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

EF43.exe280.exebeb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EF43.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	280.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EF43.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EF43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	280.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

64A8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	64A8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	64A8.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3180 timeout.exe

pid	process
3180	timeout.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = d4cd673e45d28c0724edb47d450dd49d084297dce82e72baa46d34fdc48d541d552c7b9e87cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56815dc814e743ee4ad644490bdb57d25ec965507c5fcb554758df21d5904f4a66c12dc834f7339d4f10b4c90d8f6127db9a45a3494b48d792cd39c420830faa36811edc70f3252a0f40948f48bb27821e4905501cdc4e13b7e85c12b496da0f15d15d8854c713ee4ae5418f459a4fe149cbb756efdc48d541ce4ad744a6bbfff02579fc27d440dd49d642df437dd7ea798a46d34fdc741461ee4ad743c35f4a77311db9a4c703bfaaf5019f4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743de4cc945d	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe

pid	process
2656	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe
2656	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2264
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exeEF43.exe280.exe

pid process

2656 beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe
2792 EF43.exe
2992 280.exe

pid	process
2264

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

9A6.exeF9F3.exeWerFault.exe6FB6.exe6AF2.exe

description	pid	process
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeDebugPrivilege	2176	9A6.exe
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeDebugPrivilege	2224	F9F3.exe
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeRestorePrivilege	600	WerFault.exe
Token: SeBackupPrivilege	600	WerFault.exe
Token: SeDebugPrivilege	600	WerFault.exe
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeDebugPrivilege	3068	6FB6.exe
Token: SeDebugPrivilege	3636	6AF2.exe
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exeEF43.exeF6B6.exeF9F3.exevwuehafq.exe9A6.exe

description	pid	process	target process
PID 2576 wrote to memory of 2656	2576	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe
PID 2576 wrote to memory of 2656	2576	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe
PID 2576 wrote to memory of 2656	2576	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe
PID 2576 wrote to memory of 2656	2576	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe
PID 2576 wrote to memory of 2656	2576	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe
PID 2576 wrote to memory of 2656	2576	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe	beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe
PID 2264 wrote to memory of 1384	2264		EF43.exe
PID 2264 wrote to memory of 1384	2264		EF43.exe
PID 2264 wrote to memory of 1384	2264		EF43.exe
PID 1384 wrote to memory of 2792	1384	EF43.exe	EF43.exe
PID 1384 wrote to memory of 2792	1384	EF43.exe	EF43.exe
PID 1384 wrote to memory of 2792	1384	EF43.exe	EF43.exe
PID 1384 wrote to memory of 2792	1384	EF43.exe	EF43.exe
PID 1384 wrote to memory of 2792	1384	EF43.exe	EF43.exe
PID 1384 wrote to memory of 2792	1384	EF43.exe	EF43.exe
PID 2264 wrote to memory of 652	2264		F6B6.exe
PID 2264 wrote to memory of 652	2264		F6B6.exe
PID 2264 wrote to memory of 652	2264		F6B6.exe
PID 2264 wrote to memory of 3388	2264		F9F3.exe
PID 2264 wrote to memory of 3388	2264		F9F3.exe
PID 2264 wrote to memory of 3388	2264		F9F3.exe
PID 652 wrote to memory of 704	652	F6B6.exe	cmd.exe
PID 652 wrote to memory of 704	652	F6B6.exe	cmd.exe
PID 652 wrote to memory of 704	652	F6B6.exe	cmd.exe
PID 652 wrote to memory of 1732	652	F6B6.exe	cmd.exe
PID 652 wrote to memory of 1732	652	F6B6.exe	cmd.exe
PID 652 wrote to memory of 1732	652	F6B6.exe	cmd.exe
PID 2264 wrote to memory of 2992	2264		280.exe
PID 2264 wrote to memory of 2992	2264		280.exe
PID 2264 wrote to memory of 2992	2264		280.exe
PID 652 wrote to memory of 1820	652	F6B6.exe	sc.exe
PID 652 wrote to memory of 1820	652	F6B6.exe	sc.exe
PID 652 wrote to memory of 1820	652	F6B6.exe	sc.exe
PID 3388 wrote to memory of 2224	3388	F9F3.exe	F9F3.exe
PID 3388 wrote to memory of 2224	3388	F9F3.exe	F9F3.exe
PID 3388 wrote to memory of 2224	3388	F9F3.exe	F9F3.exe
PID 2264 wrote to memory of 2144	2264		55F.exe
PID 2264 wrote to memory of 2144	2264		55F.exe
PID 652 wrote to memory of 1600	652	F6B6.exe	sc.exe
PID 652 wrote to memory of 1600	652	F6B6.exe	sc.exe
PID 652 wrote to memory of 1600	652	F6B6.exe	sc.exe
PID 652 wrote to memory of 1788	652	F6B6.exe	sc.exe
PID 652 wrote to memory of 1788	652	F6B6.exe	sc.exe
PID 652 wrote to memory of 1788	652	F6B6.exe	sc.exe
PID 2264 wrote to memory of 2176	2264		9A6.exe
PID 2264 wrote to memory of 2176	2264		9A6.exe
PID 2264 wrote to memory of 2176	2264		9A6.exe
PID 652 wrote to memory of 1908	652	F6B6.exe	netsh.exe
PID 652 wrote to memory of 1908	652	F6B6.exe	netsh.exe
PID 652 wrote to memory of 1908	652	F6B6.exe	netsh.exe
PID 3540 wrote to memory of 816	3540	vwuehafq.exe	svchost.exe
PID 3540 wrote to memory of 816	3540	vwuehafq.exe	svchost.exe
PID 3540 wrote to memory of 816	3540	vwuehafq.exe	svchost.exe
PID 3540 wrote to memory of 816	3540	vwuehafq.exe	svchost.exe
PID 3540 wrote to memory of 816	3540	vwuehafq.exe	svchost.exe
PID 3388 wrote to memory of 2224	3388	F9F3.exe	F9F3.exe
PID 3388 wrote to memory of 2224	3388	F9F3.exe	F9F3.exe
PID 3388 wrote to memory of 2224	3388	F9F3.exe	F9F3.exe
PID 3388 wrote to memory of 2224	3388	F9F3.exe	F9F3.exe
PID 3388 wrote to memory of 2224	3388	F9F3.exe	F9F3.exe
PID 2176 wrote to memory of 1124	2176	9A6.exe	9A6.exe
PID 2176 wrote to memory of 1124	2176	9A6.exe	9A6.exe
PID 2176 wrote to memory of 1124	2176	9A6.exe	9A6.exe
PID 2176 wrote to memory of 3188	2176	9A6.exe	9A6.exe

C:\Users\Admin\AppData\Local\Temp\beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe
"C:\Users\Admin\AppData\Local\Temp\beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe
"C:\Users\Admin\AppData\Local\Temp\beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2656

C:\Users\Admin\AppData\Local\Temp\EF43.exe
C:\Users\Admin\AppData\Local\Temp\EF43.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\EF43.exe
C:\Users\Admin\AppData\Local\Temp\EF43.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2792

C:\Users\Admin\AppData\Local\Temp\F6B6.exe
C:\Users\Admin\AppData\Local\Temp\F6B6.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tjtjjxzl\
2⤵
PID:704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vwuehafq.exe" C:\Windows\SysWOW64\tjtjjxzl\
2⤵
PID:1732

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create tjtjjxzl binPath= "C:\Windows\SysWOW64\tjtjjxzl\vwuehafq.exe /d\"C:\Users\Admin\AppData\Local\Temp\F6B6.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1820

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description tjtjjxzl "wifi internet conection"
2⤵
PID:1600

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start tjtjjxzl
2⤵
PID:1788

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\F9F3.exe
C:\Users\Admin\AppData\Local\Temp\F9F3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3388

C:\Users\Admin\AppData\Local\Temp\F9F3.exe
C:\Users\Admin\AppData\Local\Temp\F9F3.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Users\Admin\AppData\Local\Temp\280.exe
C:\Users\Admin\AppData\Local\Temp\280.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2992

C:\Users\Admin\AppData\Local\Temp\55F.exe
C:\Users\Admin\AppData\Local\Temp\55F.exe
1⤵
- Executes dropped EXE
PID:2144

C:\Users\Admin\AppData\Local\Temp\9A6.exe
C:\Users\Admin\AppData\Local\Temp\9A6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\9A6.exe
C:\Users\Admin\AppData\Local\Temp\9A6.exe
2⤵
- Executes dropped EXE
PID:1124

C:\Users\Admin\AppData\Local\Temp\9A6.exe
C:\Users\Admin\AppData\Local\Temp\9A6.exe
2⤵
- Executes dropped EXE
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 1232
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\SysWOW64\tjtjjxzl\vwuehafq.exe
C:\Windows\SysWOW64\tjtjjxzl\vwuehafq.exe /d"C:\Users\Admin\AppData\Local\Temp\F6B6.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:816

C:\Users\Admin\AppData\Local\Temp\64A8.exe
C:\Users\Admin\AppData\Local\Temp\64A8.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\64A8.exe" & exit
2⤵
PID:3048

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:3180

C:\Users\Admin\AppData\Local\Temp\6AF2.exe
C:\Users\Admin\AppData\Local\Temp\6AF2.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Users\Admin\AppData\Local\Temp\6FB6.exe
C:\Users\Admin\AppData\Local\Temp\6FB6.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F9F3.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\280.exe
MD5
03651bfa0fa57d86e5a612e0cc81bc09

SHA1
67738024bea02128f0d7a9939e193dc706bcd0d8

SHA256
48183fd297159559ea5ca3f626bf6ade7bdbaeefec816116a30da7969642ce6b

SHA512
b9efdef3230478dc4691034bc7e556c313c536115166e4493f7754755d6ab9515c771f51620a5bf5c21bf19b42eb77d95bd040b0f1d3205c715cb21175cffbd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\280.exe
MD5
03651bfa0fa57d86e5a612e0cc81bc09

SHA1
67738024bea02128f0d7a9939e193dc706bcd0d8

SHA256
48183fd297159559ea5ca3f626bf6ade7bdbaeefec816116a30da7969642ce6b

SHA512
b9efdef3230478dc4691034bc7e556c313c536115166e4493f7754755d6ab9515c771f51620a5bf5c21bf19b42eb77d95bd040b0f1d3205c715cb21175cffbd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\55F.exe
MD5
b25fdabef081394cfc659b7f9574e323

SHA1
84c00d9786f82767814033f70401cb193e0024c0

SHA256
ebc4acabf30b159e1a855e529b5c045fa7af9356e70433fa3ce8ce9599b151e6

SHA512
42dae5ed2501280d02102d9969a60f7415a688af4db9b93949e1e6c4e3928916e374a9e47416aad32e6eb6f30b0e7966bc699bd13fbbd14b3c7059f8540f45a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\55F.exe
MD5
b25fdabef081394cfc659b7f9574e323

SHA1
84c00d9786f82767814033f70401cb193e0024c0

SHA256
ebc4acabf30b159e1a855e529b5c045fa7af9356e70433fa3ce8ce9599b151e6

SHA512
42dae5ed2501280d02102d9969a60f7415a688af4db9b93949e1e6c4e3928916e374a9e47416aad32e6eb6f30b0e7966bc699bd13fbbd14b3c7059f8540f45a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\64A8.exe
MD5
8a5810a5fb4272a6cca29566bd850108

SHA1
4ea345541c7689ad047ea4b9193b7280a83594ea

SHA256
1638adda4dc6bd85deac54db72bc3c3e0011ab1a763c932722837a9970db9872

SHA512
1ca98a6c26a93165f891f907fea89269388dd5e112ffb5ece561efa98802a154112fe1154c4281d9e1404cc8daf2c2b61d23c014146d517576eab54763a2e47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\64A8.exe
MD5
8a5810a5fb4272a6cca29566bd850108

SHA1
4ea345541c7689ad047ea4b9193b7280a83594ea

SHA256
1638adda4dc6bd85deac54db72bc3c3e0011ab1a763c932722837a9970db9872

SHA512
1ca98a6c26a93165f891f907fea89269388dd5e112ffb5ece561efa98802a154112fe1154c4281d9e1404cc8daf2c2b61d23c014146d517576eab54763a2e47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AF2.exe
MD5
5bb9ac32655956f1924110c7c9c7adc3

SHA1
922d06d96ab2138b8ff8b6c8f7605e2c0c1fb72b

SHA256
6b126592ce7ac410aa0c3e68ef95226ae15b02c36f416d74f8e3fc1ea3df7f9d

SHA512
86e529e7cc1b4ec583228a098dcd811deafb26be737a07b1fca0c4a8ba91f7dbef29569db5457f94c38a88e65e0e27406e3371da7118a220b78fb3c0f90de4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AF2.exe
MD5
5bb9ac32655956f1924110c7c9c7adc3

SHA1
922d06d96ab2138b8ff8b6c8f7605e2c0c1fb72b

SHA256
6b126592ce7ac410aa0c3e68ef95226ae15b02c36f416d74f8e3fc1ea3df7f9d

SHA512
86e529e7cc1b4ec583228a098dcd811deafb26be737a07b1fca0c4a8ba91f7dbef29569db5457f94c38a88e65e0e27406e3371da7118a220b78fb3c0f90de4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FB6.exe
MD5
83dddcc26632bc370f7880cc8d5471cd

SHA1
ec6382212350259caef118c5f8903fb3fce8dae4

SHA256
e3ae7d435271c21acc43898d86fc3e36a76c0af50f466ea9fd239b2ebd0cca7a

SHA512
aa77b5963047837c25e4496dd8081760106c9240d9e0c5191e5cf2a2ea6b29f4d611693690a1422318fc6bf98fd6996e5edadabe1b630da7959e336100fbcd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FB6.exe
MD5
83dddcc26632bc370f7880cc8d5471cd

SHA1
ec6382212350259caef118c5f8903fb3fce8dae4

SHA256
e3ae7d435271c21acc43898d86fc3e36a76c0af50f466ea9fd239b2ebd0cca7a

SHA512
aa77b5963047837c25e4496dd8081760106c9240d9e0c5191e5cf2a2ea6b29f4d611693690a1422318fc6bf98fd6996e5edadabe1b630da7959e336100fbcd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A6.exe
MD5
4527f0425aeb58b028e40f8c46c7c49b

SHA1
de1354058c4f5bd4b1bbb63c6ef53c8e0cb6b517

SHA256
6a3bc5c90443b05ada5fae8086cb8929c8ac5a991eb9b21367ddbb4eb5ed0ba7

SHA512
0beaf98f95b1771d2833fe5967bfcca48a7673964755d2998fc9d0b4f624eab535af89f6175af1eded6a6730df9d99abcd28fcec302203d11fbd4218aaba4608

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A6.exe
MD5
4527f0425aeb58b028e40f8c46c7c49b

SHA1
de1354058c4f5bd4b1bbb63c6ef53c8e0cb6b517

SHA256
6a3bc5c90443b05ada5fae8086cb8929c8ac5a991eb9b21367ddbb4eb5ed0ba7

SHA512
0beaf98f95b1771d2833fe5967bfcca48a7673964755d2998fc9d0b4f624eab535af89f6175af1eded6a6730df9d99abcd28fcec302203d11fbd4218aaba4608

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A6.exe
MD5
4527f0425aeb58b028e40f8c46c7c49b

SHA1
de1354058c4f5bd4b1bbb63c6ef53c8e0cb6b517

SHA256
6a3bc5c90443b05ada5fae8086cb8929c8ac5a991eb9b21367ddbb4eb5ed0ba7

SHA512
0beaf98f95b1771d2833fe5967bfcca48a7673964755d2998fc9d0b4f624eab535af89f6175af1eded6a6730df9d99abcd28fcec302203d11fbd4218aaba4608

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A6.exe
MD5
4527f0425aeb58b028e40f8c46c7c49b

SHA1
de1354058c4f5bd4b1bbb63c6ef53c8e0cb6b517

SHA256
6a3bc5c90443b05ada5fae8086cb8929c8ac5a991eb9b21367ddbb4eb5ed0ba7

SHA512
0beaf98f95b1771d2833fe5967bfcca48a7673964755d2998fc9d0b4f624eab535af89f6175af1eded6a6730df9d99abcd28fcec302203d11fbd4218aaba4608

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF43.exe
MD5
8f76454a9312d8338b2f1c78c4b04c20

SHA1
4d5197b57360430f2b68fb6be11f349a2182be77

SHA256
beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953

SHA512
48169a6de3940074f1815bc27421c2445add35ce17e8aee1b1e6b880b56a10d5f77fed54647b8f22c1fce49031200c1db2cf329df28ec5247d751df249c19b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF43.exe
MD5
8f76454a9312d8338b2f1c78c4b04c20

SHA1
4d5197b57360430f2b68fb6be11f349a2182be77

SHA256
beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953

SHA512
48169a6de3940074f1815bc27421c2445add35ce17e8aee1b1e6b880b56a10d5f77fed54647b8f22c1fce49031200c1db2cf329df28ec5247d751df249c19b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF43.exe
MD5
8f76454a9312d8338b2f1c78c4b04c20

SHA1
4d5197b57360430f2b68fb6be11f349a2182be77

SHA256
beb329b3ee524ea9d00e08d06c5e882ac9ab046fcf8ec163ea6226a90cd04953

SHA512
48169a6de3940074f1815bc27421c2445add35ce17e8aee1b1e6b880b56a10d5f77fed54647b8f22c1fce49031200c1db2cf329df28ec5247d751df249c19b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6B6.exe
MD5
c0dbba4f5dca0e18d7efe5f19796f8e0

SHA1
d6509ad7b491bb09a7c294a9d5de906bfa5a96d9

SHA256
a5e4738176af815f5e05d2fb3d23bbf2fa94cee02b8f400624549af80a3cc89a

SHA512
661ecd1a37da9d6d032ff421a9448ed5328bca695d0b63ba5ed3c9d2fc573841ac662698b6ea8d6f84226d794c708e30b03b7774e22738e061fa202d268e771a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6B6.exe
MD5
c0dbba4f5dca0e18d7efe5f19796f8e0

SHA1
d6509ad7b491bb09a7c294a9d5de906bfa5a96d9

SHA256
a5e4738176af815f5e05d2fb3d23bbf2fa94cee02b8f400624549af80a3cc89a

SHA512
661ecd1a37da9d6d032ff421a9448ed5328bca695d0b63ba5ed3c9d2fc573841ac662698b6ea8d6f84226d794c708e30b03b7774e22738e061fa202d268e771a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9F3.exe
MD5
e850bf7dbab0575d6bcde28710be9192

SHA1
9d8c748670b02c2e01c6ad894cacd1dd27ba0814

SHA256
c5f10feca7a51c7e54414820d37ca533175a78465578b4b03c531c8422a16db0

SHA512
4f181a6e43fc116ad9b5c92b762d7609e620b57e3c19009fe88fbbc3a248495a042d4e92644e333c10cb5c774e5237a9e312690a8c98975a9af029ba85087352

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9F3.exe
MD5
e850bf7dbab0575d6bcde28710be9192

SHA1
9d8c748670b02c2e01c6ad894cacd1dd27ba0814

SHA256
c5f10feca7a51c7e54414820d37ca533175a78465578b4b03c531c8422a16db0

SHA512
4f181a6e43fc116ad9b5c92b762d7609e620b57e3c19009fe88fbbc3a248495a042d4e92644e333c10cb5c774e5237a9e312690a8c98975a9af029ba85087352

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9F3.exe
MD5
e850bf7dbab0575d6bcde28710be9192

SHA1
9d8c748670b02c2e01c6ad894cacd1dd27ba0814

SHA256
c5f10feca7a51c7e54414820d37ca533175a78465578b4b03c531c8422a16db0

SHA512
4f181a6e43fc116ad9b5c92b762d7609e620b57e3c19009fe88fbbc3a248495a042d4e92644e333c10cb5c774e5237a9e312690a8c98975a9af029ba85087352

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwuehafq.exe
MD5
35ad8c695255c24ca703f9a3270ee192

SHA1
effb69fc995d07af2a7af0fc4ecb77c3b2750bee

SHA256
d2ff766c51a3a2611ab5dd2f57d6901e4e0d2fb86f5f7e1fd792a746a4acd95d

SHA512
8b919a9646391dbe5fdeaae2d67d4f1ea52046493a74b4e256a753532a5c54d98cd4df6feb16c693202f0cc0f325c16fc7e25335359ef8a178c9827b45bfc37b

Download Submit
C:\Windows\SysWOW64\tjtjjxzl\vwuehafq.exe
MD5
35ad8c695255c24ca703f9a3270ee192

SHA1
effb69fc995d07af2a7af0fc4ecb77c3b2750bee

SHA256
d2ff766c51a3a2611ab5dd2f57d6901e4e0d2fb86f5f7e1fd792a746a4acd95d

SHA512
8b919a9646391dbe5fdeaae2d67d4f1ea52046493a74b4e256a753532a5c54d98cd4df6feb16c693202f0cc0f325c16fc7e25335359ef8a178c9827b45bfc37b

Download Submit
memory/652-139-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/652-134-0x00000000001E0000-0x00000000001ED000-memory.dmp

Filesize
52KB

Download
memory/652-135-0x0000000000590000-0x00000000005A3000-memory.dmp

Filesize
76KB

Download
memory/652-131-0x0000000000000000-mapping.dmp

Download
memory/704-144-0x0000000000000000-mapping.dmp

Download
memory/816-177-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/816-173-0x0000000000B20000-0x0000000000B35000-memory.dmp

Filesize
84KB

Download
memory/816-176-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/816-187-0x0000000000B20000-0x0000000000B35000-memory.dmp

Filesize
84KB

Download
memory/816-175-0x0000000000B29A6B-mapping.dmp

Download
memory/1048-212-0x0000000000000000-mapping.dmp

Download
memory/1048-215-0x0000000000490000-0x00000000004A4000-memory.dmp

Filesize
80KB

Download
memory/1048-217-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1048-216-0x00000000004D0000-0x000000000061A000-memory.dmp

Filesize
1.3MB

Download
memory/1384-123-0x0000000000000000-mapping.dmp

Download
memory/1384-130-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/1384-129-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/1600-159-0x0000000000000000-mapping.dmp

Download
memory/1732-147-0x0000000000000000-mapping.dmp

Download
memory/1788-164-0x0000000000000000-mapping.dmp

Download
memory/1820-152-0x0000000000000000-mapping.dmp

Download
memory/1908-172-0x0000000000000000-mapping.dmp

Download
memory/2144-167-0x000000001B190000-0x000000001B192000-memory.dmp

Filesize
8KB

Download
memory/2144-153-0x0000000000000000-mapping.dmp

Download
memory/2144-163-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2144-162-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2144-161-0x000000001CB50000-0x000000001CB51000-memory.dmp

Filesize
4KB

Download
memory/2144-160-0x0000000000B70000-0x0000000000B8B000-memory.dmp

Filesize
108KB

Download
memory/2144-157-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2176-198-0x00000000061F0000-0x000000000620F000-memory.dmp

Filesize
124KB

Download
memory/2176-189-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/2176-196-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/2176-193-0x0000000005FE0000-0x0000000006056000-memory.dmp

Filesize
472KB

Download
memory/2176-169-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/2176-165-0x0000000000000000-mapping.dmp

Download
memory/2224-188-0x0000000005670000-0x0000000005C76000-memory.dmp

Filesize
6.0MB

Download
memory/2224-191-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/2224-186-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/2224-207-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/2224-184-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/2224-210-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/2224-190-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/2224-185-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/2224-211-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/2224-179-0x0000000000418EEE-mapping.dmp

Download
memory/2224-178-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2264-122-0x0000000001260000-0x0000000001276000-memory.dmp

Filesize
88KB

Download
memory/2264-206-0x0000000004CD0000-0x0000000004CE6000-memory.dmp

Filesize
88KB

Download
memory/2264-156-0x0000000004CB0000-0x0000000004CC6000-memory.dmp

Filesize
88KB

Download
memory/2576-120-0x0000000002140000-0x0000000002148000-memory.dmp

Filesize
32KB

Download
memory/2576-121-0x0000000002150000-0x0000000002159000-memory.dmp

Filesize
36KB

Download
memory/2656-119-0x0000000000402DC6-mapping.dmp

Download
memory/2656-118-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-127-0x0000000000402DC6-mapping.dmp

Download
memory/2992-192-0x0000000001306000-0x0000000001317000-memory.dmp

Filesize
68KB

Download
memory/2992-194-0x00000000010E0000-0x00000000010E9000-memory.dmp

Filesize
36KB

Download
memory/2992-148-0x0000000000000000-mapping.dmp

Download
memory/2992-195-0x0000000000400000-0x0000000001085000-memory.dmp

Filesize
12.5MB

Download
memory/3048-309-0x0000000000000000-mapping.dmp

Download
memory/3068-300-0x00000000706D0000-0x000000007071B000-memory.dmp

Filesize
300KB

Download
memory/3068-288-0x0000000070AE0000-0x0000000070B60000-memory.dmp

Filesize
512KB

Download
memory/3068-294-0x0000000074690000-0x00000000759D8000-memory.dmp

Filesize
19.3MB

Download
memory/3068-293-0x0000000076F80000-0x0000000077504000-memory.dmp

Filesize
5.5MB

Download
memory/3068-283-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/3068-278-0x0000000000000000-mapping.dmp

Download
memory/3068-286-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/3068-282-0x0000000001340000-0x0000000001440000-memory.dmp

Filesize
1024KB

Download
memory/3068-281-0x0000000001340000-0x0000000001440000-memory.dmp

Filesize
1024KB

Download
memory/3068-285-0x0000000074280000-0x0000000074371000-memory.dmp

Filesize
964KB

Download
memory/3068-284-0x00000000764B0000-0x0000000076672000-memory.dmp

Filesize
1.8MB

Download
memory/3180-310-0x0000000000000000-mapping.dmp

Download
memory/3188-200-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3188-203-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3188-201-0x0000000000406690-mapping.dmp

Download
memory/3388-146-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/3388-145-0x0000000002B50000-0x0000000002BC6000-memory.dmp

Filesize
472KB

Download
memory/3388-136-0x0000000000000000-mapping.dmp

Download
memory/3388-140-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3388-142-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3388-143-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/3540-174-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3636-252-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/3636-258-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3636-234-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/3636-238-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/3636-239-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3636-241-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3636-242-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3636-243-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3636-244-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/3636-246-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3636-247-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/3636-245-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/3636-248-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3636-249-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3636-250-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3636-240-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3636-251-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/3636-236-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/3636-254-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3636-253-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/3636-255-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/3636-256-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/3636-257-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/3636-237-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/3636-259-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3636-260-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3636-261-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3636-262-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3636-263-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/3636-264-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3636-265-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/3636-266-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/3636-267-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/3636-268-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/3636-269-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/3636-270-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/3636-231-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/3636-235-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/3636-233-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3636-232-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/3636-229-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/3636-230-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/3636-228-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/3636-222-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3636-221-0x0000000000400000-0x0000000000816000-memory.dmp

Filesize
4.1MB

Download
memory/3636-218-0x0000000000000000-mapping.dmp

Download