arkei | 02bcb080116ab55475edbcd1293246a0e5d8894793ee9e699db805bff2935408

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-en-20211208
submitted
28-12-2021 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31646747fe74d32212a7cbcb97c7d78d.exe
Size

331KB
MD5

31646747fe74d32212a7cbcb97c7d78d
SHA1

62df758f397934053749ee38416a74f81a6d8ed6
SHA256

02bcb080116ab55475edbcd1293246a0e5d8894793ee9e699db805bff2935408
SHA512

d665c5a31de37667636d439483d46bcd1ca7f612256889a9c2b4cdab49faae2e23fe1dbbce09043eee0b17c65cd7cba400a133a5b06720062d81ceca345a1483

Score

10^/10

arkei raccoon smokeloader tofsee 10da56e7e71e97bdc1f36eb76813bbc3231de7e4 backdoor discovery evasion persistence spyware stealer trojan vmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Extracted

Family

tofsee

patmushta.info

parubey.info

Extracted

Family

raccoon

Botnet

10da56e7e71e97bdc1f36eb76813bbc3231de7e4

Attributes

url4cnc
http://194.180.174.53/capibar
http://91.219.236.18/capibar
http://194.180.174.41/capibar
http://91.219.236.148/capibar
https://t.me/capibar

rc4.plain

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Arkei Stealer Payload 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/960-134-0x0000000001110000-0x00000000015E6000-memory.dmp	family_arkei
behavioral1/memory/960-136-0x0000000001110000-0x00000000015E6000-memory.dmp	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

822B.exe822B.exe953F.exe9946.exe9946.exe9946.exeF194.exeprzyooif.exe60E.exe26DC.exe3732.exe26DC.exe

pid	process
304	822B.exe
1376	822B.exe
672	953F.exe
1640	9946.exe
2016	9946.exe
2020	9946.exe
952	F194.exe
1384	przyooif.exe
960	60E.exe
900	26DC.exe
612	3732.exe
1480	26DC.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1848-194-0x0000000000D90000-0x0000000001821000-memory.dmp	vmprotect
behavioral1/memory/2044-197-0x0000000000970000-0x0000000000B18000-memory.dmp	vmprotect
behavioral1/memory/2044-198-0x0000000000970000-0x0000000000B18000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	60E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	60E.exe

Deletes itself 1 IoCs

Processes:

pid process

1416

pid	process
1416

Drops startup file 2 IoCs

Processes:

Updater.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	Updater.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	Updater.exe

Loads dropped DLL 9 IoCs

Processes:

822B.exe9946.exe26DC.exe60E.exe

pid process

304 822B.exe
1640 9946.exe
1640 9946.exe
900 26DC.exe
960 60E.exe
960 60E.exe
960 60E.exe
960 60E.exe
960 60E.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

60E.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 60E.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

60E.exeUpdate.exe

pid process

960 60E.exe
960 60E.exe
1848 Update.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	60E.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

pid	process
960	60E.exe
960	60E.exe
1848	Update.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

31646747fe74d32212a7cbcb97c7d78d.exe822B.exe9946.exe26DC.exeprzyooif.exe

description	pid	process	target process
PID 832 set thread context of 1212	832	31646747fe74d32212a7cbcb97c7d78d.exe	31646747fe74d32212a7cbcb97c7d78d.exe
PID 304 set thread context of 1376	304	822B.exe	822B.exe
PID 1640 set thread context of 2020	1640	9946.exe	9946.exe
PID 900 set thread context of 1480	900	26DC.exe	26DC.exe
PID 1384 set thread context of 1748	1384	przyooif.exe	svchost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

822B.exe31646747fe74d32212a7cbcb97c7d78d.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	822B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	31646747fe74d32212a7cbcb97c7d78d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	31646747fe74d32212a7cbcb97c7d78d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	31646747fe74d32212a7cbcb97c7d78d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	822B.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	822B.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60E.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	60E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	60E.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1724 timeout.exe

pid	process
1724	timeout.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 1c392c3db5bdd00724edb47d450dd49d084297dce82e72baa48220fd2c7d401d3b07aaa981cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56815d9804e703ae7ae644490bdb57b26ec955a04c4f4be54758df21d5904f4ac6a11d881447734d4f10b4c90d8f6127db9a4553494b48d792fd49f43093cf5a06b11edc70f3252a0f40948f490b67d2de5965c07c9f1ba54718bce15515bb9fd3041ed85487539e0ae501ac78a84a934d0a4df44b99e8d541de4ac743d04bafb2f4fb2c70f320dd49d642df4bd84f265c1e72834fdc48d57d1f6ae743d04cca56417c3814b6a3ce0ab4a1cc08b844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743d04cd735c24ed	svchost.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

26DC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	26DC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	26DC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	26DC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

31646747fe74d32212a7cbcb97c7d78d.exe

pid	process
1212	31646747fe74d32212a7cbcb97c7d78d.exe
1212	31646747fe74d32212a7cbcb97c7d78d.exe
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1416
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

31646747fe74d32212a7cbcb97c7d78d.exe822B.exe

pid process

1212 31646747fe74d32212a7cbcb97c7d78d.exe
1376 822B.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

9946.exe9946.exe26DC.exe

description pid process

Token: SeDebugPrivilege 1640 9946.exe
Token: SeDebugPrivilege 2020 9946.exe
Token: SeDebugPrivilege 900 26DC.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1416
1416
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1416
1416
1416
1416

pid	process
1416

description	pid	process
Token: SeDebugPrivilege	1640	9946.exe
Token: SeDebugPrivilege	2020	9946.exe
Token: SeDebugPrivilege	900	26DC.exe

pid	process
1416
1416

pid	process
1416
1416
1416
1416

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

31646747fe74d32212a7cbcb97c7d78d.exe822B.exe9946.exe953F.exe

description	pid	process	target process
PID 832 wrote to memory of 1212	832	31646747fe74d32212a7cbcb97c7d78d.exe	31646747fe74d32212a7cbcb97c7d78d.exe
PID 832 wrote to memory of 1212	832	31646747fe74d32212a7cbcb97c7d78d.exe	31646747fe74d32212a7cbcb97c7d78d.exe
PID 832 wrote to memory of 1212	832	31646747fe74d32212a7cbcb97c7d78d.exe	31646747fe74d32212a7cbcb97c7d78d.exe
PID 832 wrote to memory of 1212	832	31646747fe74d32212a7cbcb97c7d78d.exe	31646747fe74d32212a7cbcb97c7d78d.exe
PID 832 wrote to memory of 1212	832	31646747fe74d32212a7cbcb97c7d78d.exe	31646747fe74d32212a7cbcb97c7d78d.exe
PID 832 wrote to memory of 1212	832	31646747fe74d32212a7cbcb97c7d78d.exe	31646747fe74d32212a7cbcb97c7d78d.exe
PID 832 wrote to memory of 1212	832	31646747fe74d32212a7cbcb97c7d78d.exe	31646747fe74d32212a7cbcb97c7d78d.exe
PID 1416 wrote to memory of 304	1416		822B.exe
PID 1416 wrote to memory of 304	1416		822B.exe
PID 1416 wrote to memory of 304	1416		822B.exe
PID 1416 wrote to memory of 304	1416		822B.exe
PID 304 wrote to memory of 1376	304	822B.exe	822B.exe
PID 304 wrote to memory of 1376	304	822B.exe	822B.exe
PID 304 wrote to memory of 1376	304	822B.exe	822B.exe
PID 304 wrote to memory of 1376	304	822B.exe	822B.exe
PID 304 wrote to memory of 1376	304	822B.exe	822B.exe
PID 304 wrote to memory of 1376	304	822B.exe	822B.exe
PID 304 wrote to memory of 1376	304	822B.exe	822B.exe
PID 1416 wrote to memory of 672	1416		953F.exe
PID 1416 wrote to memory of 672	1416		953F.exe
PID 1416 wrote to memory of 672	1416		953F.exe
PID 1416 wrote to memory of 672	1416		953F.exe
PID 1416 wrote to memory of 1640	1416		9946.exe
PID 1416 wrote to memory of 1640	1416		9946.exe
PID 1416 wrote to memory of 1640	1416		9946.exe
PID 1416 wrote to memory of 1640	1416		9946.exe
PID 1640 wrote to memory of 2016	1640	9946.exe	9946.exe
PID 1640 wrote to memory of 2016	1640	9946.exe	9946.exe
PID 1640 wrote to memory of 2016	1640	9946.exe	9946.exe
PID 1640 wrote to memory of 2016	1640	9946.exe	9946.exe
PID 1640 wrote to memory of 2020	1640	9946.exe	9946.exe
PID 1640 wrote to memory of 2020	1640	9946.exe	9946.exe
PID 1640 wrote to memory of 2020	1640	9946.exe	9946.exe
PID 1640 wrote to memory of 2020	1640	9946.exe	9946.exe
PID 1640 wrote to memory of 2020	1640	9946.exe	9946.exe
PID 1640 wrote to memory of 2020	1640	9946.exe	9946.exe
PID 1640 wrote to memory of 2020	1640	9946.exe	9946.exe
PID 1640 wrote to memory of 2020	1640	9946.exe	9946.exe
PID 1640 wrote to memory of 2020	1640	9946.exe	9946.exe
PID 1416 wrote to memory of 952	1416		F194.exe
PID 1416 wrote to memory of 952	1416		F194.exe
PID 1416 wrote to memory of 952	1416		F194.exe
PID 1416 wrote to memory of 952	1416		F194.exe
PID 672 wrote to memory of 1536	672	953F.exe	cmd.exe
PID 672 wrote to memory of 1536	672	953F.exe	cmd.exe
PID 672 wrote to memory of 1536	672	953F.exe	cmd.exe
PID 672 wrote to memory of 1536	672	953F.exe	cmd.exe
PID 672 wrote to memory of 832	672	953F.exe	cmd.exe
PID 672 wrote to memory of 832	672	953F.exe	cmd.exe
PID 672 wrote to memory of 832	672	953F.exe	cmd.exe
PID 672 wrote to memory of 832	672	953F.exe	cmd.exe
PID 672 wrote to memory of 1584	672	953F.exe	sc.exe
PID 672 wrote to memory of 1584	672	953F.exe	sc.exe
PID 672 wrote to memory of 1584	672	953F.exe	sc.exe
PID 672 wrote to memory of 1584	672	953F.exe	sc.exe
PID 672 wrote to memory of 1244	672	953F.exe	sc.exe
PID 672 wrote to memory of 1244	672	953F.exe	sc.exe
PID 672 wrote to memory of 1244	672	953F.exe	sc.exe
PID 672 wrote to memory of 1244	672	953F.exe	sc.exe
PID 672 wrote to memory of 1048	672	953F.exe	sc.exe
PID 672 wrote to memory of 1048	672	953F.exe	sc.exe
PID 672 wrote to memory of 1048	672	953F.exe	sc.exe
PID 672 wrote to memory of 1048	672	953F.exe	sc.exe
PID 672 wrote to memory of 1088	672	953F.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\31646747fe74d32212a7cbcb97c7d78d.exe
"C:\Users\Admin\AppData\Local\Temp\31646747fe74d32212a7cbcb97c7d78d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Local\Temp\31646747fe74d32212a7cbcb97c7d78d.exe
"C:\Users\Admin\AppData\Local\Temp\31646747fe74d32212a7cbcb97c7d78d.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1212

C:\Users\Admin\AppData\Local\Temp\822B.exe
C:\Users\Admin\AppData\Local\Temp\822B.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:304

C:\Users\Admin\AppData\Local\Temp\822B.exe
C:\Users\Admin\AppData\Local\Temp\822B.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1376

C:\Users\Admin\AppData\Local\Temp\953F.exe
C:\Users\Admin\AppData\Local\Temp\953F.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rkuylexm\
2⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\przyooif.exe" C:\Windows\SysWOW64\rkuylexm\
2⤵
PID:832

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create rkuylexm binPath= "C:\Windows\SysWOW64\rkuylexm\przyooif.exe /d\"C:\Users\Admin\AppData\Local\Temp\953F.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1584

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description rkuylexm "wifi internet conection"
2⤵
PID:1244

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start rkuylexm
2⤵
PID:1048

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\9946.exe
C:\Users\Admin\AppData\Local\Temp\9946.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\9946.exe
C:\Users\Admin\AppData\Local\Temp\9946.exe
2⤵
- Executes dropped EXE
PID:2016

C:\Users\Admin\AppData\Local\Temp\9946.exe
C:\Users\Admin\AppData\Local\Temp\9946.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Users\Admin\AppData\Local\Temp\F194.exe
C:\Users\Admin\AppData\Local\Temp\F194.exe
1⤵
- Executes dropped EXE
PID:952

C:\Windows\SysWOW64\rkuylexm\przyooif.exe
C:\Windows\SysWOW64\rkuylexm\przyooif.exe /d"C:\Users\Admin\AppData\Local\Temp\953F.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1384

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1748

C:\Users\Admin\AppData\Local\Temp\60E.exe
C:\Users\Admin\AppData\Local\Temp\60E.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\60E.exe" & exit
2⤵
PID:1976

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:1724

C:\Users\Admin\AppData\Local\Temp\26DC.exe
C:\Users\Admin\AppData\Local\Temp\26DC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Users\Admin\AppData\Local\Temp\26DC.exe
C:\Users\Admin\AppData\Local\Temp\26DC.exe
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1480

C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1848

C:\Users\Admin\AppData\Local\Temp\Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Updater.exe"
3⤵
- Drops startup file
PID:2044

C:\Users\Admin\AppData\Local\Temp\3732.exe
C:\Users\Admin\AppData\Local\Temp\3732.exe
1⤵
- Executes dropped EXE
PID:612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26DC.exe
MD5
cf844515328ae2e2f1b4e9879401c7ca

SHA1
c2328d6ec4dd72f8d298db5ab4145e7fb2d43575

SHA256
3fe128fa6b1779c21d6283f566940788dde7345e4e91063f5b60d0dcd38c3da6

SHA512
73684ccd9712a7632cdefaae000d666b9214701455b4b0211df2cf07481e0a10bfda6d45429b39d2ba42bdc79d4f88dfaf9d22ccbded3bc6c9d9e59b37c20264

Download Submit
C:\Users\Admin\AppData\Local\Temp\26DC.exe
MD5
cf844515328ae2e2f1b4e9879401c7ca

SHA1
c2328d6ec4dd72f8d298db5ab4145e7fb2d43575

SHA256
3fe128fa6b1779c21d6283f566940788dde7345e4e91063f5b60d0dcd38c3da6

SHA512
73684ccd9712a7632cdefaae000d666b9214701455b4b0211df2cf07481e0a10bfda6d45429b39d2ba42bdc79d4f88dfaf9d22ccbded3bc6c9d9e59b37c20264

Download Submit
C:\Users\Admin\AppData\Local\Temp\26DC.exe
MD5
cf844515328ae2e2f1b4e9879401c7ca

SHA1
c2328d6ec4dd72f8d298db5ab4145e7fb2d43575

SHA256
3fe128fa6b1779c21d6283f566940788dde7345e4e91063f5b60d0dcd38c3da6

SHA512
73684ccd9712a7632cdefaae000d666b9214701455b4b0211df2cf07481e0a10bfda6d45429b39d2ba42bdc79d4f88dfaf9d22ccbded3bc6c9d9e59b37c20264

Download Submit
C:\Users\Admin\AppData\Local\Temp\3732.exe
MD5
e5bd8a53623522c49ccc35bc492b5a11

SHA1
e36258fc96f90432c79be82520ef0b27fdbe9c89

SHA256
7ce91a1e9b7df0d018835ee8483c9e97c9718f9865b53728f958f01c740035af

SHA512
93367fc15f8f24d6ef73a62c37e5ca99aa284c609617ff24ef6ebac7d4b2ac922d9b1aff986a7b70d9304d2d637213c14b0f218d67db79e563adfb5a130ca358

Download Submit
C:\Users\Admin\AppData\Local\Temp\60E.exe
MD5
765885e4a5bf2b58911c445e2ba0f7df

SHA1
65edc531c1313df4adbff520b31a998becbd6760

SHA256
654574c360fcb5a7eb4f693d99d5f0c4e32f96b219a7327d41b39d7d5acde953

SHA512
8ac155da0b4c4999eb00905dcb3f6e8626438aeb80c000f174030dd9ce2922d922a40dc7e6066f99f371991710e9d911adbfa20013669767cd793b780bcc0616

Download Submit
C:\Users\Admin\AppData\Local\Temp\60E.exe
MD5
765885e4a5bf2b58911c445e2ba0f7df

SHA1
65edc531c1313df4adbff520b31a998becbd6760

SHA256
654574c360fcb5a7eb4f693d99d5f0c4e32f96b219a7327d41b39d7d5acde953

SHA512
8ac155da0b4c4999eb00905dcb3f6e8626438aeb80c000f174030dd9ce2922d922a40dc7e6066f99f371991710e9d911adbfa20013669767cd793b780bcc0616

Download Submit
C:\Users\Admin\AppData\Local\Temp\822B.exe
MD5
5e0ed8966761e70ee0b8dcd141aafb4c

SHA1
933e68212d0f6d029e920bd93e5dca7ca5bdcb7a

SHA256
8bbdda1786e15a568a573a2f38762e95de138af969e0a13b96d7086aaa98bfc2

SHA512
d692905ddd5b1ea92abed7fd38379947a9b453f5aedee91c5be217e1799cc2b03c898fd99828efa15a58c7811781db8cbc90f5330640bf9361f60422df22eb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\822B.exe
MD5
5e0ed8966761e70ee0b8dcd141aafb4c

SHA1
933e68212d0f6d029e920bd93e5dca7ca5bdcb7a

SHA256
8bbdda1786e15a568a573a2f38762e95de138af969e0a13b96d7086aaa98bfc2

SHA512
d692905ddd5b1ea92abed7fd38379947a9b453f5aedee91c5be217e1799cc2b03c898fd99828efa15a58c7811781db8cbc90f5330640bf9361f60422df22eb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\822B.exe
MD5
5e0ed8966761e70ee0b8dcd141aafb4c

SHA1
933e68212d0f6d029e920bd93e5dca7ca5bdcb7a

SHA256
8bbdda1786e15a568a573a2f38762e95de138af969e0a13b96d7086aaa98bfc2

SHA512
d692905ddd5b1ea92abed7fd38379947a9b453f5aedee91c5be217e1799cc2b03c898fd99828efa15a58c7811781db8cbc90f5330640bf9361f60422df22eb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\953F.exe
MD5
435da4e2bcd79eb21615d0089433d3a8

SHA1
ec9eb615c37e31fef99119de7f51b7e943cf6503

SHA256
c4dbb1a23eaa059b7b7a036f55c41ea8a558e0120b9ae4ff90aae53be628d42b

SHA512
d2ab3f39d9d310fe4938dc9750050fb762881331ef2e74b28c2c6e1907cfc0204dcf72d339f05c9e868f2999f10cabc1537a74267af2b37d37c172a5c3f5dd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\953F.exe
MD5
435da4e2bcd79eb21615d0089433d3a8

SHA1
ec9eb615c37e31fef99119de7f51b7e943cf6503

SHA256
c4dbb1a23eaa059b7b7a036f55c41ea8a558e0120b9ae4ff90aae53be628d42b

SHA512
d2ab3f39d9d310fe4938dc9750050fb762881331ef2e74b28c2c6e1907cfc0204dcf72d339f05c9e868f2999f10cabc1537a74267af2b37d37c172a5c3f5dd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\9946.exe
MD5
ccbcf301b4a4c51fc6ac6108e1a0a702

SHA1
c2fa44ae73649ef3fe9b3e11ac6deef05d967d6a

SHA256
c956eaf697229c8388bcad6757441f826ad947f619eb684dc62f769f87cb8d3c

SHA512
f30a6606858401734c50f152d0c766f38de7aa226db99613bcde989cd47f015ef7916b168945984d95c81fab45d975c384194fd44fa28a44b60400f6817042da

Download Submit
C:\Users\Admin\AppData\Local\Temp\9946.exe
MD5
ccbcf301b4a4c51fc6ac6108e1a0a702

SHA1
c2fa44ae73649ef3fe9b3e11ac6deef05d967d6a

SHA256
c956eaf697229c8388bcad6757441f826ad947f619eb684dc62f769f87cb8d3c

SHA512
f30a6606858401734c50f152d0c766f38de7aa226db99613bcde989cd47f015ef7916b168945984d95c81fab45d975c384194fd44fa28a44b60400f6817042da

Download Submit
C:\Users\Admin\AppData\Local\Temp\9946.exe
MD5
ccbcf301b4a4c51fc6ac6108e1a0a702

SHA1
c2fa44ae73649ef3fe9b3e11ac6deef05d967d6a

SHA256
c956eaf697229c8388bcad6757441f826ad947f619eb684dc62f769f87cb8d3c

SHA512
f30a6606858401734c50f152d0c766f38de7aa226db99613bcde989cd47f015ef7916b168945984d95c81fab45d975c384194fd44fa28a44b60400f6817042da

Download Submit
C:\Users\Admin\AppData\Local\Temp\9946.exe
MD5
ccbcf301b4a4c51fc6ac6108e1a0a702

SHA1
c2fa44ae73649ef3fe9b3e11ac6deef05d967d6a

SHA256
c956eaf697229c8388bcad6757441f826ad947f619eb684dc62f769f87cb8d3c

SHA512
f30a6606858401734c50f152d0c766f38de7aa226db99613bcde989cd47f015ef7916b168945984d95c81fab45d975c384194fd44fa28a44b60400f6817042da

Download Submit
C:\Users\Admin\AppData\Local\Temp\F194.exe
MD5
dbfaec97a910463b8767b8ceb053cf3c

SHA1
b9470684eb254871a989d41da389aab0159a0ded

SHA256
f6cb90f76c5ba8a4482c8405f744103f898b7d1920c569b74fb22dd9bea7d2a4

SHA512
12556cb478acb96394e06ce462db008669e62ffa2197a91b7c1c3df46bd5833177c91c30df3506285a62e08ac184ab1663004429e19f5ce85df7c88c88810161

Download Submit
C:\Users\Admin\AppData\Local\Temp\przyooif.exe
MD5
a8c284ebe2d83f849e04270a8f9ca8c9

SHA1
7b2343f6265c8e355c17989cd7e0ec57861e511c

SHA256
d0571de5611178c9e9c2049ff18350414de84f2ca1e3f80140db06deea84f15b

SHA512
da9aa9301196f56a8437b31961dd01ff007ed4ffe4540927a9ecbed8c601d7c860c493ceb75f4d65dcad21e40782c890fff06c340ef034d671dabe9bde49aa44

Download Submit
C:\Windows\SysWOW64\rkuylexm\przyooif.exe
MD5
a8c284ebe2d83f849e04270a8f9ca8c9

SHA1
7b2343f6265c8e355c17989cd7e0ec57861e511c

SHA256
d0571de5611178c9e9c2049ff18350414de84f2ca1e3f80140db06deea84f15b

SHA512
da9aa9301196f56a8437b31961dd01ff007ed4ffe4540927a9ecbed8c601d7c860c493ceb75f4d65dcad21e40782c890fff06c340ef034d671dabe9bde49aa44

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\26DC.exe
MD5
cf844515328ae2e2f1b4e9879401c7ca

SHA1
c2328d6ec4dd72f8d298db5ab4145e7fb2d43575

SHA256
3fe128fa6b1779c21d6283f566940788dde7345e4e91063f5b60d0dcd38c3da6

SHA512
73684ccd9712a7632cdefaae000d666b9214701455b4b0211df2cf07481e0a10bfda6d45429b39d2ba42bdc79d4f88dfaf9d22ccbded3bc6c9d9e59b37c20264

Download Submit
\Users\Admin\AppData\Local\Temp\822B.exe
MD5
5e0ed8966761e70ee0b8dcd141aafb4c

SHA1
933e68212d0f6d029e920bd93e5dca7ca5bdcb7a

SHA256
8bbdda1786e15a568a573a2f38762e95de138af969e0a13b96d7086aaa98bfc2

SHA512
d692905ddd5b1ea92abed7fd38379947a9b453f5aedee91c5be217e1799cc2b03c898fd99828efa15a58c7811781db8cbc90f5330640bf9361f60422df22eb33

Download Submit
\Users\Admin\AppData\Local\Temp\9946.exe
MD5
ccbcf301b4a4c51fc6ac6108e1a0a702

SHA1
c2fa44ae73649ef3fe9b3e11ac6deef05d967d6a

SHA256
c956eaf697229c8388bcad6757441f826ad947f619eb684dc62f769f87cb8d3c

SHA512
f30a6606858401734c50f152d0c766f38de7aa226db99613bcde989cd47f015ef7916b168945984d95c81fab45d975c384194fd44fa28a44b60400f6817042da

Download Submit
\Users\Admin\AppData\Local\Temp\9946.exe
MD5
ccbcf301b4a4c51fc6ac6108e1a0a702

SHA1
c2fa44ae73649ef3fe9b3e11ac6deef05d967d6a

SHA256
c956eaf697229c8388bcad6757441f826ad947f619eb684dc62f769f87cb8d3c

SHA512
f30a6606858401734c50f152d0c766f38de7aa226db99613bcde989cd47f015ef7916b168945984d95c81fab45d975c384194fd44fa28a44b60400f6817042da

Download Submit
memory/304-60-0x0000000000000000-mapping.dmp

Download
memory/304-62-0x0000000000568000-0x0000000000579000-memory.dmp

Filesize
68KB

Download
memory/612-155-0x00000000002C0000-0x0000000000320000-memory.dmp

Filesize
384KB

Download
memory/612-149-0x0000000000000000-mapping.dmp

Download
memory/672-97-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/672-69-0x0000000000000000-mapping.dmp

Download
memory/672-99-0x0000000000400000-0x0000000000836000-memory.dmp

Filesize
4.2MB

Download
memory/672-98-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/832-101-0x0000000000000000-mapping.dmp

Download
memory/832-58-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/832-54-0x0000000000638000-0x0000000000649000-memory.dmp

Filesize
68KB

Download
memory/900-145-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/900-138-0x0000000000000000-mapping.dmp

Download
memory/900-144-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/900-141-0x0000000000D20000-0x0000000000DAA000-memory.dmp

Filesize
552KB

Download
memory/900-142-0x0000000000D20000-0x0000000000DAA000-memory.dmp

Filesize
552KB

Download
memory/952-103-0x00000000002B0000-0x000000000035C000-memory.dmp

Filesize
688KB

Download
memory/952-107-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/952-204-0x0000000000B40000-0x0000000000B90000-memory.dmp

Filesize
320KB

Download
memory/952-92-0x0000000000000000-mapping.dmp

Download
memory/952-104-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/952-135-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/952-106-0x0000000000A58000-0x0000000000ACC000-memory.dmp

Filesize
464KB

Download
memory/952-100-0x0000000000220000-0x00000000002AB000-memory.dmp

Filesize
556KB

Download
memory/952-130-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/952-110-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/952-109-0x0000000000890000-0x0000000000927000-memory.dmp

Filesize
604KB

Download
memory/952-128-0x0000000000ACE000-0x0000000000B2B000-memory.dmp

Filesize
372KB

Download
memory/952-133-0x0000000000930000-0x00000000009C5000-memory.dmp

Filesize
596KB

Download
memory/952-205-0x0000000002420000-0x00000000024B2000-memory.dmp

Filesize
584KB

Download
memory/952-206-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/960-123-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/960-122-0x0000000001110000-0x00000000015E6000-memory.dmp

Filesize
4.8MB

Download
memory/960-117-0x0000000001110000-0x00000000015E6000-memory.dmp

Filesize
4.8MB

Download
memory/960-118-0x0000000001110000-0x00000000015E6000-memory.dmp

Filesize
4.8MB

Download
memory/960-119-0x0000000000160000-0x00000000001A4000-memory.dmp

Filesize
272KB

Download
memory/960-120-0x0000000001110000-0x00000000015E6000-memory.dmp

Filesize
4.8MB

Download
memory/960-121-0x0000000001110000-0x00000000015E6000-memory.dmp

Filesize
4.8MB

Download
memory/960-136-0x0000000001110000-0x00000000015E6000-memory.dmp

Filesize
4.8MB

Download
memory/960-134-0x0000000001110000-0x00000000015E6000-memory.dmp

Filesize
4.8MB

Download
memory/960-124-0x0000000076910000-0x0000000076957000-memory.dmp

Filesize
284KB

Download
memory/960-125-0x0000000077270000-0x000000007731C000-memory.dmp

Filesize
688KB

Download
memory/960-132-0x0000000001110000-0x00000000015E6000-memory.dmp

Filesize
4.8MB

Download
memory/960-114-0x0000000000000000-mapping.dmp

Download
memory/960-131-0x0000000001110000-0x00000000015E6000-memory.dmp

Filesize
4.8MB

Download
memory/1048-111-0x0000000000000000-mapping.dmp

Download
memory/1088-112-0x0000000000000000-mapping.dmp

Download
memory/1212-56-0x0000000000402F47-mapping.dmp

Download
memory/1212-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1212-57-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/1244-108-0x0000000000000000-mapping.dmp

Download
memory/1376-66-0x0000000000402F47-mapping.dmp

Download
memory/1384-157-0x0000000000400000-0x0000000000836000-memory.dmp

Filesize
4.2MB

Download
memory/1416-59-0x00000000026C0000-0x00000000026D6000-memory.dmp

Filesize
88KB

Download
memory/1416-76-0x0000000004340000-0x0000000004356000-memory.dmp

Filesize
88KB

Download
memory/1480-147-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1480-153-0x000000000041919E-mapping.dmp

Download
memory/1480-152-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1480-150-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1480-148-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1536-96-0x0000000000000000-mapping.dmp

Download
memory/1584-105-0x0000000000000000-mapping.dmp

Download
memory/1640-74-0x0000000000C00000-0x0000000000C8A000-memory.dmp

Filesize
552KB

Download
memory/1640-78-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1640-71-0x0000000000000000-mapping.dmp

Download
memory/1640-77-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/1640-75-0x0000000000C00000-0x0000000000C8A000-memory.dmp

Filesize
552KB

Download
memory/1724-168-0x0000000000000000-mapping.dmp

Download
memory/1748-159-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/1748-158-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/1748-160-0x00000000000C9A6B-mapping.dmp

Download
memory/1848-179-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1848-182-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1848-194-0x0000000000D90000-0x0000000001821000-memory.dmp

Filesize
10.6MB

Download
memory/1848-192-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1848-193-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1848-191-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1848-190-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1848-169-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1848-170-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1848-171-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1848-173-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1848-174-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1848-172-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1848-176-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1848-177-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1848-188-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1848-180-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1848-187-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1848-183-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1848-185-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1848-186-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1976-167-0x0000000000000000-mapping.dmp

Download
memory/2020-83-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-86-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-87-0x0000000000419196-mapping.dmp

Download
memory/2020-85-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-84-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-82-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-89-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-90-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-91-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/2044-197-0x0000000000970000-0x0000000000B18000-memory.dmp

Filesize
1.7MB

Download
memory/2044-198-0x0000000000970000-0x0000000000B18000-memory.dmp

Filesize
1.7MB

Download
memory/2044-202-0x000000001B7A0000-0x000000001B7A2000-memory.dmp

Filesize
8KB

Download
memory/2044-203-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download