arkei | 49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b

Analysis

max time kernel
151s
max time network
150s
platform
windows10_x64
resource
win10-en-20211208
submitted
15-12-2021 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe
Size

172KB
MD5

d1e775c9f97655529c9314d6f46eda74
SHA1

e63aada2053b31af036df7b55fe35c6713422a27
SHA256

49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b
SHA512

e2bf09e6643eeae3cb3d5d17a5ab8ba5f9a9b309f2e25ec2aabb08820217524896b2c33aa8f2dda5fe92971a80987b88462befab1ea6c2620198211cb076b4d8

Score

10^/10

arkei icedid raccoon redline smokeloader warzonerat 871b18794e3cbbc6476a5b391363702168853a50 3372020928 backdoor banker collection discovery infostealer persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

icedid

Campaign

3372020928

jeliskvosh.com

Extracted

Family

redline

185.215.113.57:50723

Extracted

Family

raccoon

Botnet

871b18794e3cbbc6476a5b391363702168853a50

Attributes

url4cnc
http://194.180.174.53/duglassa1
http://91.219.236.18/duglassa1
http://194.180.174.41/duglassa1
http://91.219.236.148/duglassa1
https://t.me/duglassa1

rc4.plain

Extracted

Family

warzonerat

91.229.76.26:5200

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3748-129-0x0000000000AF0000-0x0000000000B59000-memory.dmp	family_redline
behavioral1/memory/1196-186-0x0000000000D80000-0x0000000000E06000-memory.dmp	family_redline
behavioral1/memory/2444-201-0x000000000041BAFE-mapping.dmp	family_redline
behavioral1/memory/2444-202-0x0000000000500000-0x0000000000520000-memory.dmp	family_redline
behavioral1/memory/2432-248-0x0000000000FC0000-0x0000000001066000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1316 created 524 1316 WerFault.exe regsvr32.exe
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata

description	pid	process	target process
PID 1316 created 524	1316	WerFault.exe	regsvr32.exe

Arkei Stealer Payload 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1016-166-0x0000000000400000-0x0000000000825000-memory.dmp	family_arkei

Warzone RAT Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1188-231-0x00000000001E0000-0x00000000001FE000-memory.dmp	warzonerat
behavioral1/memory/1188-232-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2432-253-0x0000000000350000-0x00000000003FE000-memory.dmp	warzonerat
behavioral1/memory/1248-379-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

730.exe1143.exe1972.exe1143.exe2CFC.exe33B3.exe9CFD.exeA348.exeAFAD.exeB50D.exeReader.exeD1FC.exe

pid	process
808	730.exe
3180	1143.exe
3748	1972.exe
812	1143.exe
1016	2CFC.exe
1836	33B3.exe
4808	9CFD.exe
1196	A348.exe
4528	AFAD.exe
1188	B50D.exe
1248	Reader.exe
2432	D1FC.exe

Deletes itself 1 IoCs

Processes:

pid process

1876
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exe2CFC.exe

pid process

524 regsvr32.exe
1016 2CFC.exe
1016 2CFC.exe
1016 2CFC.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1876

pid	process
524	regsvr32.exe
1016	2CFC.exe
1016	2CFC.exe
1016	2CFC.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

B50D.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "C:\\ProgramData\\Reader.exe"	B50D.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

1972.exeA348.exeD1FC.exe

pid process

3748 1972.exe
1196 A348.exe
2432 D1FC.exe

pid	process
3748	1972.exe
1196	A348.exe
2432	D1FC.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe1143.exe9CFD.exe

description	pid	process	target process
PID 1964 set thread context of 4072	1964	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe
PID 3180 set thread context of 812	3180	1143.exe	1143.exe
PID 4808 set thread context of 2444	4808	9CFD.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1316 524 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
1316	524	WerFault.exe	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe730.exe33B3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	730.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	33B3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	33B3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	730.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	730.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	33B3.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe2CFC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2CFC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2CFC.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4260 timeout.exe

pid	process
4260	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe

pid	process
4072	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe
4072	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876
1876

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1876
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe730.exe33B3.exe

pid process

4072 49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe
808 730.exe
1836 33B3.exe
1876
1876
1876
1876

pid	process
1876

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

WerFault.exeRegAsm.exeA348.exepowershell.exeD1FC.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeDebugPrivilege	1316	WerFault.exe
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeDebugPrivilege	2444	RegAsm.exe
Token: SeDebugPrivilege	1196	A348.exe
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeDebugPrivilege	2432	D1FC.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876
Token: SeShutdownPrivilege	1876
Token: SeCreatePagefilePrivilege	1876

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe1143.exe2CFC.execmd.exe9CFD.exeB50D.exe

description	pid	process	target process
PID 1964 wrote to memory of 4072	1964	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe
PID 1964 wrote to memory of 4072	1964	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe
PID 1964 wrote to memory of 4072	1964	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe
PID 1964 wrote to memory of 4072	1964	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe
PID 1964 wrote to memory of 4072	1964	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe
PID 1964 wrote to memory of 4072	1964	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe	49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe
PID 1876 wrote to memory of 808	1876		730.exe
PID 1876 wrote to memory of 808	1876		730.exe
PID 1876 wrote to memory of 808	1876		730.exe
PID 1876 wrote to memory of 3180	1876		1143.exe
PID 1876 wrote to memory of 3180	1876		1143.exe
PID 1876 wrote to memory of 3180	1876		1143.exe
PID 1876 wrote to memory of 3748	1876		1972.exe
PID 1876 wrote to memory of 3748	1876		1972.exe
PID 1876 wrote to memory of 3748	1876		1972.exe
PID 1876 wrote to memory of 524	1876		regsvr32.exe
PID 1876 wrote to memory of 524	1876		regsvr32.exe
PID 3180 wrote to memory of 812	3180	1143.exe	1143.exe
PID 3180 wrote to memory of 812	3180	1143.exe	1143.exe
PID 3180 wrote to memory of 812	3180	1143.exe	1143.exe
PID 3180 wrote to memory of 812	3180	1143.exe	1143.exe
PID 3180 wrote to memory of 812	3180	1143.exe	1143.exe
PID 3180 wrote to memory of 812	3180	1143.exe	1143.exe
PID 1876 wrote to memory of 1016	1876		2CFC.exe
PID 1876 wrote to memory of 1016	1876		2CFC.exe
PID 1876 wrote to memory of 1016	1876		2CFC.exe
PID 1876 wrote to memory of 1836	1876		33B3.exe
PID 1876 wrote to memory of 1836	1876		33B3.exe
PID 1876 wrote to memory of 1836	1876		33B3.exe
PID 1016 wrote to memory of 2152	1016	2CFC.exe	cmd.exe
PID 1016 wrote to memory of 2152	1016	2CFC.exe	cmd.exe
PID 1016 wrote to memory of 2152	1016	2CFC.exe	cmd.exe
PID 2152 wrote to memory of 4260	2152	cmd.exe	timeout.exe
PID 2152 wrote to memory of 4260	2152	cmd.exe	timeout.exe
PID 2152 wrote to memory of 4260	2152	cmd.exe	timeout.exe
PID 1876 wrote to memory of 4808	1876		9CFD.exe
PID 1876 wrote to memory of 4808	1876		9CFD.exe
PID 1876 wrote to memory of 1196	1876		A348.exe
PID 1876 wrote to memory of 1196	1876		A348.exe
PID 1876 wrote to memory of 1196	1876		A348.exe
PID 4808 wrote to memory of 2444	4808	9CFD.exe	RegAsm.exe
PID 4808 wrote to memory of 2444	4808	9CFD.exe	RegAsm.exe
PID 4808 wrote to memory of 2444	4808	9CFD.exe	RegAsm.exe
PID 4808 wrote to memory of 2444	4808	9CFD.exe	RegAsm.exe
PID 4808 wrote to memory of 2444	4808	9CFD.exe	RegAsm.exe
PID 4808 wrote to memory of 2444	4808	9CFD.exe	RegAsm.exe
PID 4808 wrote to memory of 2444	4808	9CFD.exe	RegAsm.exe
PID 4808 wrote to memory of 2444	4808	9CFD.exe	RegAsm.exe
PID 1876 wrote to memory of 4528	1876		AFAD.exe
PID 1876 wrote to memory of 4528	1876		AFAD.exe
PID 1876 wrote to memory of 4528	1876		AFAD.exe
PID 1876 wrote to memory of 1188	1876		B50D.exe
PID 1876 wrote to memory of 1188	1876		B50D.exe
PID 1876 wrote to memory of 1188	1876		B50D.exe
PID 1188 wrote to memory of 2348	1188	B50D.exe	powershell.exe
PID 1188 wrote to memory of 2348	1188	B50D.exe	powershell.exe
PID 1188 wrote to memory of 2348	1188	B50D.exe	powershell.exe
PID 1188 wrote to memory of 1248	1188	B50D.exe	Reader.exe
PID 1188 wrote to memory of 1248	1188	B50D.exe	Reader.exe
PID 1188 wrote to memory of 1248	1188	B50D.exe	Reader.exe
PID 1876 wrote to memory of 2432	1876		D1FC.exe
PID 1876 wrote to memory of 2432	1876		D1FC.exe
PID 1876 wrote to memory of 2432	1876		D1FC.exe
PID 1876 wrote to memory of 1432	1876		explorer.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe
"C:\Users\Admin\AppData\Local\Temp\49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe
"C:\Users\Admin\AppData\Local\Temp\49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4072

C:\Users\Admin\AppData\Local\Temp\730.exe
C:\Users\Admin\AppData\Local\Temp\730.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:808

C:\Users\Admin\AppData\Local\Temp\1143.exe
C:\Users\Admin\AppData\Local\Temp\1143.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3180

C:\Users\Admin\AppData\Local\Temp\1143.exe
C:\Users\Admin\AppData\Local\Temp\1143.exe
2⤵
- Executes dropped EXE
PID:812

C:\Users\Admin\AppData\Local\Temp\1972.exe
C:\Users\Admin\AppData\Local\Temp\1972.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3748

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\22AA.dll
1⤵
- Loads dropped DLL
PID:524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 524 -s 504
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Users\Admin\AppData\Local\Temp\2CFC.exe
C:\Users\Admin\AppData\Local\Temp\2CFC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2CFC.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:4260

C:\Users\Admin\AppData\Local\Temp\33B3.exe
C:\Users\Admin\AppData\Local\Temp\33B3.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1836

C:\Users\Admin\AppData\Local\Temp\9CFD.exe
C:\Users\Admin\AppData\Local\Temp\9CFD.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Users\Admin\AppData\Local\Temp\A348.exe
C:\Users\Admin\AppData\Local\Temp\A348.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Users\Admin\AppData\Local\Temp\AFAD.exe
C:\Users\Admin\AppData\Local\Temp\AFAD.exe
1⤵
- Executes dropped EXE
PID:4528

C:\Users\Admin\AppData\Local\Temp\B50D.exe
C:\Users\Admin\AppData\Local\Temp\B50D.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\ProgramData\Reader.exe
"C:\ProgramData\Reader.exe"
2⤵
- Executes dropped EXE
PID:1248

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Users\Admin\AppData\Local\Temp\D1FC.exe
C:\Users\Admin\AppData\Local\Temp\D1FC.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1432

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3936

C:\Windows\system32\cmd.exe
cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ceywcwgd.default-release\cookies.sqlite" "C:\Users\Admin\AppData\Local\Temp\\FVIGTSBj.PKU"
1⤵
PID:496

C:\Windows\system32\cmd.exe
cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ceywcwgd.default-release\key4.db" "C:\Users\Admin\AppData\Local\Temp\\ODMHJLxl.jrr"
1⤵
PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Reader.exe
MD5
01b3b77f485c87b65fd3750720403f7f

SHA1
6202a46a8ac5269f43accc5d13a5af96212c6e9f

SHA256
cdebe0580b1643cb346d23defb112b619cbbd6c4feaa7574270a168144e5858e

SHA512
475a52ca7ad70d5ddd9aa1f2f67dc5f98a4ce3f3a57cce025e6636928e702a9587514dfcb35729617b9f3dab139519ba3d223f144268c51bcf74b0f41f7fd485

Download Submit
C:\ProgramData\Reader.exe
MD5
01b3b77f485c87b65fd3750720403f7f

SHA1
6202a46a8ac5269f43accc5d13a5af96212c6e9f

SHA256
cdebe0580b1643cb346d23defb112b619cbbd6c4feaa7574270a168144e5858e

SHA512
475a52ca7ad70d5ddd9aa1f2f67dc5f98a4ce3f3a57cce025e6636928e702a9587514dfcb35729617b9f3dab139519ba3d223f144268c51bcf74b0f41f7fd485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7a8a4d072bd2b7a8017ce057af7d3ff9

SHA1
7d35890c2efae7c85af6512f154a20607306ca1a

SHA256
0f003030cb1a4c938bdc476b6b43fe04ce1c1ae5b7afe6a287bc60da9807780b

SHA512
05d61c26ffcf32414a7073874cb0d2254f07aae9d5b107f899d45e5f56639e59d0969db87221ad937a749e4648cd4eb7dd054863bda869d3be3298597fedcbe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1143.exe
MD5
d1e775c9f97655529c9314d6f46eda74

SHA1
e63aada2053b31af036df7b55fe35c6713422a27

SHA256
49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b

SHA512
e2bf09e6643eeae3cb3d5d17a5ab8ba5f9a9b309f2e25ec2aabb08820217524896b2c33aa8f2dda5fe92971a80987b88462befab1ea6c2620198211cb076b4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1143.exe
MD5
d1e775c9f97655529c9314d6f46eda74

SHA1
e63aada2053b31af036df7b55fe35c6713422a27

SHA256
49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b

SHA512
e2bf09e6643eeae3cb3d5d17a5ab8ba5f9a9b309f2e25ec2aabb08820217524896b2c33aa8f2dda5fe92971a80987b88462befab1ea6c2620198211cb076b4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1143.exe
MD5
d1e775c9f97655529c9314d6f46eda74

SHA1
e63aada2053b31af036df7b55fe35c6713422a27

SHA256
49a1e15c4004e6e2dab72d23eb9ed3d88539d0e18d71e9222fac37820c8d9c6b

SHA512
e2bf09e6643eeae3cb3d5d17a5ab8ba5f9a9b309f2e25ec2aabb08820217524896b2c33aa8f2dda5fe92971a80987b88462befab1ea6c2620198211cb076b4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1972.exe
MD5
0cefed061e2a2241ecd302d7790a2f80

SHA1
5f119195af2db118c5fbac21634bea00f5d5b8da

SHA256
014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983

SHA512
7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\1972.exe
MD5
0cefed061e2a2241ecd302d7790a2f80

SHA1
5f119195af2db118c5fbac21634bea00f5d5b8da

SHA256
014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983

SHA512
7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\22AA.dll
MD5
d59fa2838f83e31ef0d2bd34bd86ef40

SHA1
d9115b1a962256b6accabfee45c5654f3ee64a47

SHA256
32de1e4b5582279bf16bfcad4c55b5e0f1151afddb2a96013442b3158f4a02d8

SHA512
92a9888556706f4f3bf33e6cdfeddca958780438c73a6749e18b4a59b866b96e67c1736cf557ed470ae095c3385bb0818c4199bc00d2c088a5179029c587a93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CFC.exe
MD5
2f9f909423170ded900e3974b7cb69a3

SHA1
9c4536c9e8ce05a6797cc022d349973a989b9084

SHA256
8b5160d4fb02a7e9fa686ea4261e5bbb3fd0c7223d8aff3963713083df01f5ea

SHA512
456d276867a375232cdd7b90a29526130612fd48a853d9567b18a3143e838696d18d5f95a485c5fe9f6401568bd4f52078c1c809aaf502a2e796c7c64057dd30

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CFC.exe
MD5
2f9f909423170ded900e3974b7cb69a3

SHA1
9c4536c9e8ce05a6797cc022d349973a989b9084

SHA256
8b5160d4fb02a7e9fa686ea4261e5bbb3fd0c7223d8aff3963713083df01f5ea

SHA512
456d276867a375232cdd7b90a29526130612fd48a853d9567b18a3143e838696d18d5f95a485c5fe9f6401568bd4f52078c1c809aaf502a2e796c7c64057dd30

Download Submit
C:\Users\Admin\AppData\Local\Temp\33B3.exe
MD5
265ed6f79387305a37bd4a598403adf1

SHA1
c0647e1d4a77715a54141e4898bebcd322f3d9da

SHA256
1c10d4f9c74cbfb4478aa18e3430ea14c07da31ca819ffb8bea5d6e30218bff5

SHA512
1a7c615cab3ebe9910282b01bec5f5eb9558f40d716c4b0914e15d3d8b59e7d4bc37569575c8d9ba612613e1298f3f390d0bbaa153975f40ec262cea27b58b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\33B3.exe
MD5
265ed6f79387305a37bd4a598403adf1

SHA1
c0647e1d4a77715a54141e4898bebcd322f3d9da

SHA256
1c10d4f9c74cbfb4478aa18e3430ea14c07da31ca819ffb8bea5d6e30218bff5

SHA512
1a7c615cab3ebe9910282b01bec5f5eb9558f40d716c4b0914e15d3d8b59e7d4bc37569575c8d9ba612613e1298f3f390d0bbaa153975f40ec262cea27b58b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\730.exe
MD5
265ed6f79387305a37bd4a598403adf1

SHA1
c0647e1d4a77715a54141e4898bebcd322f3d9da

SHA256
1c10d4f9c74cbfb4478aa18e3430ea14c07da31ca819ffb8bea5d6e30218bff5

SHA512
1a7c615cab3ebe9910282b01bec5f5eb9558f40d716c4b0914e15d3d8b59e7d4bc37569575c8d9ba612613e1298f3f390d0bbaa153975f40ec262cea27b58b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\730.exe
MD5
265ed6f79387305a37bd4a598403adf1

SHA1
c0647e1d4a77715a54141e4898bebcd322f3d9da

SHA256
1c10d4f9c74cbfb4478aa18e3430ea14c07da31ca819ffb8bea5d6e30218bff5

SHA512
1a7c615cab3ebe9910282b01bec5f5eb9558f40d716c4b0914e15d3d8b59e7d4bc37569575c8d9ba612613e1298f3f390d0bbaa153975f40ec262cea27b58b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\9CFD.exe
MD5
c1425d962bd95fe6f4bee3e17a161b49

SHA1
661db9a6760c60ffa5702b3916afff6161c6f26c

SHA256
5abd0df5decffecb5575e5130dc026cfae0b623182a7dcb865fdd6a900f91ec3

SHA512
0a43369319578782f8a74c63ddabe9e02f1a018702cb02863fc55ccf285e88a9b8a3c09299453dffbf6db3c7fa3133f664e5f889ca7ef7c6f7028258aebb960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9CFD.exe
MD5
c1425d962bd95fe6f4bee3e17a161b49

SHA1
661db9a6760c60ffa5702b3916afff6161c6f26c

SHA256
5abd0df5decffecb5575e5130dc026cfae0b623182a7dcb865fdd6a900f91ec3

SHA512
0a43369319578782f8a74c63ddabe9e02f1a018702cb02863fc55ccf285e88a9b8a3c09299453dffbf6db3c7fa3133f664e5f889ca7ef7c6f7028258aebb960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A348.exe
MD5
3b96115b899b776732a45c42f12dcd2e

SHA1
21545b1b7ddef7f9ea27ca9b03e138c5b6419034

SHA256
1486bdb5accb1ddffe9042c595c18a932c7807e903d89f8d71d62ba766a37a0f

SHA512
2948012aebc72a99a61e0a98ba0a6a5246c07eafdf4e44cac14f125d3c042c144b4fb285c4667280a8cc6e90fef26517766be3b756b1d9f692215c7207ceff53

Download Submit
C:\Users\Admin\AppData\Local\Temp\A348.exe
MD5
3b96115b899b776732a45c42f12dcd2e

SHA1
21545b1b7ddef7f9ea27ca9b03e138c5b6419034

SHA256
1486bdb5accb1ddffe9042c595c18a932c7807e903d89f8d71d62ba766a37a0f

SHA512
2948012aebc72a99a61e0a98ba0a6a5246c07eafdf4e44cac14f125d3c042c144b4fb285c4667280a8cc6e90fef26517766be3b756b1d9f692215c7207ceff53

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFAD.exe
MD5
090603642836ca845c553dacf2cab043

SHA1
9602dfb90a4ef750924f5682f142a39562acca76

SHA256
e7505ad7948ad3b964c2aab6b2d8226e72364c2afb3ad5ac220b92646f963992

SHA512
c0e3ba5c8c7211a5e48473bd608d90c86177af1d06c6f330cd4b6e501d467caf68d2e155112a9b77c4c515acdc5e990032d0bd1750e989e1c1c0c954a98cfa42

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFAD.exe
MD5
090603642836ca845c553dacf2cab043

SHA1
9602dfb90a4ef750924f5682f142a39562acca76

SHA256
e7505ad7948ad3b964c2aab6b2d8226e72364c2afb3ad5ac220b92646f963992

SHA512
c0e3ba5c8c7211a5e48473bd608d90c86177af1d06c6f330cd4b6e501d467caf68d2e155112a9b77c4c515acdc5e990032d0bd1750e989e1c1c0c954a98cfa42

Download Submit
C:\Users\Admin\AppData\Local\Temp\B50D.exe
MD5
01b3b77f485c87b65fd3750720403f7f

SHA1
6202a46a8ac5269f43accc5d13a5af96212c6e9f

SHA256
cdebe0580b1643cb346d23defb112b619cbbd6c4feaa7574270a168144e5858e

SHA512
475a52ca7ad70d5ddd9aa1f2f67dc5f98a4ce3f3a57cce025e6636928e702a9587514dfcb35729617b9f3dab139519ba3d223f144268c51bcf74b0f41f7fd485

Download Submit
C:\Users\Admin\AppData\Local\Temp\B50D.exe
MD5
01b3b77f485c87b65fd3750720403f7f

SHA1
6202a46a8ac5269f43accc5d13a5af96212c6e9f

SHA256
cdebe0580b1643cb346d23defb112b619cbbd6c4feaa7574270a168144e5858e

SHA512
475a52ca7ad70d5ddd9aa1f2f67dc5f98a4ce3f3a57cce025e6636928e702a9587514dfcb35729617b9f3dab139519ba3d223f144268c51bcf74b0f41f7fd485

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1FC.exe
MD5
a73c4054b630f348c4ffb1f5939c8c02

SHA1
8fc966305d9810ffd1aa4c79344a06892be5c9d4

SHA256
db8c5ef558a72c5075366149d86e43f8b22c7af51ae71d0456d2c44116a80835

SHA512
a53605fe5de2730089db38b58f4b007a081438015119f8742adf99534cff5e7e64c6c5d85bf1f289a4be1a677c7481f5d5d9a2c18d0259ada78c1d7343e8e0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1FC.exe
MD5
a73c4054b630f348c4ffb1f5939c8c02

SHA1
8fc966305d9810ffd1aa4c79344a06892be5c9d4

SHA256
db8c5ef558a72c5075366149d86e43f8b22c7af51ae71d0456d2c44116a80835

SHA512
a53605fe5de2730089db38b58f4b007a081438015119f8742adf99534cff5e7e64c6c5d85bf1f289a4be1a677c7481f5d5d9a2c18d0259ada78c1d7343e8e0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FVIGTSBj.PKU
MD5
89d4b62651fa5c864b12f3ea6b1521cb

SHA1
570d48367b6b66ade9900a9f22d67d67a8fb2081

SHA256
22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70

SHA512
e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\Local\Temp\22AA.dll
MD5
d59fa2838f83e31ef0d2bd34bd86ef40

SHA1
d9115b1a962256b6accabfee45c5654f3ee64a47

SHA256
32de1e4b5582279bf16bfcad4c55b5e0f1151afddb2a96013442b3158f4a02d8

SHA512
92a9888556706f4f3bf33e6cdfeddca958780438c73a6749e18b4a59b866b96e67c1736cf557ed470ae095c3385bb0818c4199bc00d2c088a5179029c587a93f

Download Submit
memory/496-789-0x0000000000000000-mapping.dmp

Download
memory/524-147-0x0000000000000000-mapping.dmp

Download
memory/524-159-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/808-143-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/808-142-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/808-120-0x0000000000000000-mapping.dmp

Download
memory/808-137-0x00000000007C6000-0x00000000007D7000-memory.dmp

Filesize
68KB

Download
memory/812-154-0x0000000000402F47-mapping.dmp

Download
memory/1016-156-0x0000000000000000-mapping.dmp

Download
memory/1016-164-0x0000000000950000-0x0000000000A9A000-memory.dmp

Filesize
1.3MB

Download
memory/1016-166-0x0000000000400000-0x0000000000825000-memory.dmp

Filesize
4.1MB

Download
memory/1016-165-0x0000000000950000-0x0000000000A9A000-memory.dmp

Filesize
1.3MB

Download
memory/1188-231-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download
memory/1188-217-0x0000000000000000-mapping.dmp

Download
memory/1188-228-0x0000000000706000-0x0000000000718000-memory.dmp

Filesize
72KB

Download
memory/1188-232-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1196-187-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1196-210-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/1196-192-0x0000000072630000-0x00000000726B0000-memory.dmp

Filesize
512KB

Download
memory/1196-189-0x00000000748A0000-0x0000000074991000-memory.dmp

Filesize
964KB

Download
memory/1196-222-0x0000000005DF0000-0x0000000005DF1000-memory.dmp

Filesize
4KB

Download
memory/1196-221-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/1196-220-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/1196-190-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1196-244-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/1196-186-0x0000000000D80000-0x0000000000E06000-memory.dmp

Filesize
536KB

Download
memory/1196-206-0x00000000707C0000-0x000000007080B000-memory.dmp

Filesize
300KB

Download
memory/1196-223-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/1196-188-0x00000000766D0000-0x0000000076892000-memory.dmp

Filesize
1.8MB

Download
memory/1196-195-0x0000000000CF0000-0x0000000000D35000-memory.dmp

Filesize
276KB

Download
memory/1196-200-0x00000000752A0000-0x00000000765E8000-memory.dmp

Filesize
19.3MB

Download
memory/1196-249-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/1196-198-0x00000000772A0000-0x0000000077824000-memory.dmp

Filesize
5.5MB

Download
memory/1196-183-0x0000000000000000-mapping.dmp

Download
memory/1248-378-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/1248-379-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1248-236-0x0000000000000000-mapping.dmp

Download
memory/1432-275-0x0000000000000000-mapping.dmp

Download
memory/1432-280-0x0000000002EB0000-0x0000000002F24000-memory.dmp

Filesize
464KB

Download
memory/1432-281-0x0000000002E40000-0x0000000002EAB000-memory.dmp

Filesize
428KB

Download
memory/1836-168-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1836-160-0x0000000000000000-mapping.dmp

Download
memory/1876-380-0x000000000B6C0000-0x000000000BBD0000-memory.dmp

Filesize
5.1MB

Download
memory/1876-788-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1876-163-0x0000000004E50000-0x0000000004E66000-memory.dmp

Filesize
88KB

Download
memory/1876-169-0x0000000004E80000-0x0000000004E96000-memory.dmp

Filesize
88KB

Download
memory/1876-119-0x0000000001540000-0x0000000001556000-memory.dmp

Filesize
88KB

Download
memory/1964-118-0x0000000000820000-0x00000000008CE000-memory.dmp

Filesize
696KB

Download
memory/1964-117-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/2152-173-0x0000000000000000-mapping.dmp

Download
memory/2224-791-0x0000000000000000-mapping.dmp

Download
memory/2348-240-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/2348-241-0x0000000006770000-0x0000000006771000-memory.dmp

Filesize
4KB

Download
memory/2348-324-0x00000000068A3000-0x00000000068A4000-memory.dmp

Filesize
4KB

Download
memory/2348-239-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/2348-251-0x00000000068A2000-0x00000000068A3000-memory.dmp

Filesize
4KB

Download
memory/2348-235-0x0000000000000000-mapping.dmp

Download
memory/2348-242-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

Filesize
4KB

Download
memory/2348-247-0x00000000068A0000-0x00000000068A1000-memory.dmp

Filesize
4KB

Download
memory/2348-295-0x000000007EB90000-0x000000007EB91000-memory.dmp

Filesize
4KB

Download
memory/2432-248-0x0000000000FC0000-0x0000000001066000-memory.dmp

Filesize
664KB

Download
memory/2432-243-0x0000000000000000-mapping.dmp

Download
memory/2432-268-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/2432-253-0x0000000000350000-0x00000000003FE000-memory.dmp

Filesize
696KB

Download
memory/2432-250-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2444-201-0x000000000041BAFE-mapping.dmp

Download
memory/2444-202-0x0000000000500000-0x0000000000520000-memory.dmp

Filesize
128KB

Download
memory/2444-209-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/2444-211-0x0000000004900000-0x0000000004F06000-memory.dmp

Filesize
6.0MB

Download
memory/3180-153-0x0000000000820000-0x00000000008CE000-memory.dmp

Filesize
696KB

Download
memory/3180-123-0x0000000000000000-mapping.dmp

Download
memory/3748-130-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/3748-133-0x00000000748A0000-0x0000000074991000-memory.dmp

Filesize
964KB

Download
memory/3748-140-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/3748-149-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/3748-138-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/3748-129-0x0000000000AF0000-0x0000000000B59000-memory.dmp

Filesize
420KB

Download
memory/3748-126-0x0000000000000000-mapping.dmp

Download
memory/3748-146-0x00000000752A0000-0x00000000765E8000-memory.dmp

Filesize
19.3MB

Download
memory/3748-136-0x0000000072630000-0x00000000726B0000-memory.dmp

Filesize
512KB

Download
memory/3748-134-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/3748-131-0x00000000766D0000-0x0000000076892000-memory.dmp

Filesize
1.8MB

Download
memory/3748-132-0x0000000002D20000-0x0000000002D65000-memory.dmp

Filesize
276KB

Download
memory/3748-145-0x00000000772A0000-0x0000000077824000-memory.dmp

Filesize
5.5MB

Download
memory/3748-139-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/3748-151-0x00000000707C0000-0x000000007080B000-memory.dmp

Filesize
300KB

Download
memory/3748-141-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/3748-144-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/3936-282-0x0000000000000000-mapping.dmp

Download
memory/3936-291-0x0000000000A00000-0x0000000000A07000-memory.dmp

Filesize
28KB

Download
memory/3936-293-0x00000000007F0000-0x00000000007FC000-memory.dmp

Filesize
48KB

Download
memory/3996-558-0x000000007EC30000-0x000000007EC31000-memory.dmp

Filesize
4KB

Download
memory/3996-521-0x00000000042D2000-0x00000000042D3000-memory.dmp

Filesize
4KB

Download
memory/3996-518-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/3996-440-0x0000000000000000-mapping.dmp

Download
memory/3996-640-0x00000000042D3000-0x00000000042D4000-memory.dmp

Filesize
4KB

Download
memory/4072-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4072-116-0x0000000000402F47-mapping.dmp

Download
memory/4260-174-0x0000000000000000-mapping.dmp

Download
memory/4528-225-0x0000000000586000-0x00000000005D7000-memory.dmp

Filesize
324KB

Download
memory/4528-212-0x0000000000000000-mapping.dmp

Download
memory/4528-227-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/4528-226-0x00000000021B0000-0x0000000002242000-memory.dmp

Filesize
584KB

Download
memory/4808-178-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/4808-180-0x000000001BFC0000-0x000000001BFC2000-memory.dmp

Filesize
8KB

Download
memory/4808-181-0x000000001BF00000-0x000000001BF01000-memory.dmp

Filesize
4KB

Download
memory/4808-182-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/4808-175-0x0000000000000000-mapping.dmp

Download