arkei | 02bcb080116ab55475edbcd1293246a0e5d8894793ee9e699db805bff2935408

Analysis

max time kernel
151s
max time network
151s
platform
windows10_x64
resource
win10-en-20211208
submitted
28-12-2021 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31646747fe74d32212a7cbcb97c7d78d.exe
Size

331KB
MD5

31646747fe74d32212a7cbcb97c7d78d
SHA1

62df758f397934053749ee38416a74f81a6d8ed6
SHA256

02bcb080116ab55475edbcd1293246a0e5d8894793ee9e699db805bff2935408
SHA512

d665c5a31de37667636d439483d46bcd1ca7f612256889a9c2b4cdab49faae2e23fe1dbbce09043eee0b17c65cd7cba400a133a5b06720062d81ceca345a1483

Score

10^/10

arkei smokeloader tofsee backdoor discovery evasion persistence spyware stealer trojan vmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Extracted

Family

tofsee

patmushta.info

parubey.info

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Arkei Stealer Payload 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2952-134-0x00000000001C0000-0x00000000001DC000-memory.dmp	family_arkei
behavioral2/memory/2952-135-0x0000000000400000-0x00000000004D5000-memory.dmp	family_arkei
behavioral2/memory/3852-207-0x0000000000220000-0x00000000006F6000-memory.dmp	family_arkei
behavioral2/memory/3852-208-0x0000000000220000-0x00000000006F6000-memory.dmp	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 16 IoCs

Processes:

DCDF.exeDCDF.exeEC22.exeF00B.exeF442.exesdiimdop.exeF442.exe4D12.exe5688.exe5DCD.exe6A22.exe5DCD.exe79A4.exe5DCD.exeUpdate.exeUpdater.exe

pid	process
3372	DCDF.exe
2084	DCDF.exe
2952	EC22.exe
2544	F00B.exe
364	F442.exe
1796	sdiimdop.exe
1448	F442.exe
2372	4D12.exe
3852	5688.exe
3932	5DCD.exe
1180	6A22.exe
3992	5DCD.exe
1488	79A4.exe
1064	5DCD.exe
3936	Update.exe
1424	Updater.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Update.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Update.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Updater.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Updater.exe	vmprotect
behavioral2/memory/3936-299-0x0000000000D60000-0x00000000017F1000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5688.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5688.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5688.exe

Deletes itself 1 IoCs

Processes:

pid process

2760

pid	process
2760

Drops startup file 2 IoCs

Processes:

Updater.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	Updater.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	Updater.exe

Loads dropped DLL 6 IoCs

Processes:

EC22.exe5688.exe

pid process

2952 EC22.exe
2952 EC22.exe
2952 EC22.exe
3852 5688.exe
3852 5688.exe
3852 5688.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

5688.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5688.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

5688.exeUpdate.exe

pid process

3852 5688.exe
3852 5688.exe
3936 Update.exe

pid	process
2952	EC22.exe
2952	EC22.exe
2952	EC22.exe
3852	5688.exe
3852	5688.exe
3852	5688.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5688.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

pid	process
3852	5688.exe
3852	5688.exe
3936	Update.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

31646747fe74d32212a7cbcb97c7d78d.exeDCDF.exesdiimdop.exeF442.exe5DCD.exeUpdate.exe

description	pid	process	target process
PID 3264 set thread context of 2660	3264	31646747fe74d32212a7cbcb97c7d78d.exe	31646747fe74d32212a7cbcb97c7d78d.exe
PID 3372 set thread context of 2084	3372	DCDF.exe	DCDF.exe
PID 1796 set thread context of 3560	1796	sdiimdop.exe	svchost.exe
PID 364 set thread context of 1448	364	F442.exe	F442.exe
PID 3932 set thread context of 1064	3932	5DCD.exe	5DCD.exe
PID 3936 set thread context of 1320	3936	Update.exe	AppLaunch.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2484 1180 WerFault.exe 6A22.exe

pid	pid_target	process	target process
2484	1180	WerFault.exe	6A22.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

31646747fe74d32212a7cbcb97c7d78d.exeDCDF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	31646747fe74d32212a7cbcb97c7d78d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	31646747fe74d32212a7cbcb97c7d78d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	31646747fe74d32212a7cbcb97c7d78d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DCDF.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DCDF.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DCDF.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EC22.exe5688.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EC22.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EC22.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5688.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5688.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1996 timeout.exe
2144 timeout.exe

pid	process
1996	timeout.exe
2144	timeout.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 008ddc3d83efb90724edb47d450dd49d084297dce82e72baa46d34fdc48d541d0655fd3d80cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56815df8d4d733eeda8644490bdb57927ec975901caf3b454758df21d5904fca36412d48c49733de09d084295d9e13f4bb4c06d0cfdadfd5430d69d460a30f5ac6912d8b40e367b8be90d4091bdbc7d21e89c5b00c4f48d387287cc186270a4f93824dc814c7634e4aa5714cdbd	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

31646747fe74d32212a7cbcb97c7d78d.exe

pid	process
2660	31646747fe74d32212a7cbcb97c7d78d.exe
2660	31646747fe74d32212a7cbcb97c7d78d.exe
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760
2760

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2760
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

31646747fe74d32212a7cbcb97c7d78d.exeDCDF.exe

pid process

2660 31646747fe74d32212a7cbcb97c7d78d.exe
2084 DCDF.exe

pid	process
2760

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

F442.exeF442.exe5DCD.exeWerFault.exe79A4.exe5DCD.exe

description	pid	process
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeDebugPrivilege	364	F442.exe
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeDebugPrivilege	1448	F442.exe
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeDebugPrivilege	3932	5DCD.exe
Token: SeRestorePrivilege	2484	WerFault.exe
Token: SeBackupPrivilege	2484	WerFault.exe
Token: SeDebugPrivilege	2484	WerFault.exe
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeDebugPrivilege	1488	79A4.exe
Token: SeDebugPrivilege	1064	5DCD.exe
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760
Token: SeShutdownPrivilege	2760
Token: SeCreatePagefilePrivilege	2760

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

31646747fe74d32212a7cbcb97c7d78d.exeDCDF.exeF00B.exeF442.exesdiimdop.exeEC22.execmd.exe

description	pid	process	target process
PID 3264 wrote to memory of 2660	3264	31646747fe74d32212a7cbcb97c7d78d.exe	31646747fe74d32212a7cbcb97c7d78d.exe
PID 3264 wrote to memory of 2660	3264	31646747fe74d32212a7cbcb97c7d78d.exe	31646747fe74d32212a7cbcb97c7d78d.exe
PID 3264 wrote to memory of 2660	3264	31646747fe74d32212a7cbcb97c7d78d.exe	31646747fe74d32212a7cbcb97c7d78d.exe
PID 3264 wrote to memory of 2660	3264	31646747fe74d32212a7cbcb97c7d78d.exe	31646747fe74d32212a7cbcb97c7d78d.exe
PID 3264 wrote to memory of 2660	3264	31646747fe74d32212a7cbcb97c7d78d.exe	31646747fe74d32212a7cbcb97c7d78d.exe
PID 3264 wrote to memory of 2660	3264	31646747fe74d32212a7cbcb97c7d78d.exe	31646747fe74d32212a7cbcb97c7d78d.exe
PID 2760 wrote to memory of 3372	2760		DCDF.exe
PID 2760 wrote to memory of 3372	2760		DCDF.exe
PID 2760 wrote to memory of 3372	2760		DCDF.exe
PID 3372 wrote to memory of 2084	3372	DCDF.exe	DCDF.exe
PID 3372 wrote to memory of 2084	3372	DCDF.exe	DCDF.exe
PID 3372 wrote to memory of 2084	3372	DCDF.exe	DCDF.exe
PID 3372 wrote to memory of 2084	3372	DCDF.exe	DCDF.exe
PID 3372 wrote to memory of 2084	3372	DCDF.exe	DCDF.exe
PID 3372 wrote to memory of 2084	3372	DCDF.exe	DCDF.exe
PID 2760 wrote to memory of 2952	2760		EC22.exe
PID 2760 wrote to memory of 2952	2760		EC22.exe
PID 2760 wrote to memory of 2952	2760		EC22.exe
PID 2760 wrote to memory of 2544	2760		F00B.exe
PID 2760 wrote to memory of 2544	2760		F00B.exe
PID 2760 wrote to memory of 2544	2760		F00B.exe
PID 2760 wrote to memory of 364	2760		F442.exe
PID 2760 wrote to memory of 364	2760		F442.exe
PID 2760 wrote to memory of 364	2760		F442.exe
PID 2544 wrote to memory of 1156	2544	F00B.exe	cmd.exe
PID 2544 wrote to memory of 1156	2544	F00B.exe	cmd.exe
PID 2544 wrote to memory of 1156	2544	F00B.exe	cmd.exe
PID 2544 wrote to memory of 3976	2544	F00B.exe	cmd.exe
PID 2544 wrote to memory of 3976	2544	F00B.exe	cmd.exe
PID 2544 wrote to memory of 3976	2544	F00B.exe	cmd.exe
PID 2544 wrote to memory of 952	2544	F00B.exe	sc.exe
PID 2544 wrote to memory of 952	2544	F00B.exe	sc.exe
PID 2544 wrote to memory of 952	2544	F00B.exe	sc.exe
PID 2544 wrote to memory of 1388	2544	F00B.exe	sc.exe
PID 2544 wrote to memory of 1388	2544	F00B.exe	sc.exe
PID 2544 wrote to memory of 1388	2544	F00B.exe	sc.exe
PID 364 wrote to memory of 1448	364	F442.exe	F442.exe
PID 364 wrote to memory of 1448	364	F442.exe	F442.exe
PID 364 wrote to memory of 1448	364	F442.exe	F442.exe
PID 2544 wrote to memory of 2824	2544	F00B.exe	sc.exe
PID 2544 wrote to memory of 2824	2544	F00B.exe	sc.exe
PID 2544 wrote to memory of 2824	2544	F00B.exe	sc.exe
PID 2544 wrote to memory of 1884	2544	F00B.exe	netsh.exe
PID 2544 wrote to memory of 1884	2544	F00B.exe	netsh.exe
PID 2544 wrote to memory of 1884	2544	F00B.exe	netsh.exe
PID 1796 wrote to memory of 3560	1796	sdiimdop.exe	svchost.exe
PID 1796 wrote to memory of 3560	1796	sdiimdop.exe	svchost.exe
PID 1796 wrote to memory of 3560	1796	sdiimdop.exe	svchost.exe
PID 1796 wrote to memory of 3560	1796	sdiimdop.exe	svchost.exe
PID 1796 wrote to memory of 3560	1796	sdiimdop.exe	svchost.exe
PID 364 wrote to memory of 1448	364	F442.exe	F442.exe
PID 364 wrote to memory of 1448	364	F442.exe	F442.exe
PID 364 wrote to memory of 1448	364	F442.exe	F442.exe
PID 364 wrote to memory of 1448	364	F442.exe	F442.exe
PID 364 wrote to memory of 1448	364	F442.exe	F442.exe
PID 2952 wrote to memory of 1520	2952	EC22.exe	cmd.exe
PID 2952 wrote to memory of 1520	2952	EC22.exe	cmd.exe
PID 2952 wrote to memory of 1520	2952	EC22.exe	cmd.exe
PID 1520 wrote to memory of 1996	1520	cmd.exe	timeout.exe
PID 1520 wrote to memory of 1996	1520	cmd.exe	timeout.exe
PID 1520 wrote to memory of 1996	1520	cmd.exe	timeout.exe
PID 2760 wrote to memory of 2372	2760		4D12.exe
PID 2760 wrote to memory of 2372	2760		4D12.exe
PID 2760 wrote to memory of 2372	2760		4D12.exe

C:\Users\Admin\AppData\Local\Temp\31646747fe74d32212a7cbcb97c7d78d.exe
"C:\Users\Admin\AppData\Local\Temp\31646747fe74d32212a7cbcb97c7d78d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3264

C:\Users\Admin\AppData\Local\Temp\31646747fe74d32212a7cbcb97c7d78d.exe
"C:\Users\Admin\AppData\Local\Temp\31646747fe74d32212a7cbcb97c7d78d.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2660

C:\Users\Admin\AppData\Local\Temp\DCDF.exe
C:\Users\Admin\AppData\Local\Temp\DCDF.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3372

C:\Users\Admin\AppData\Local\Temp\DCDF.exe
C:\Users\Admin\AppData\Local\Temp\DCDF.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2084

C:\Users\Admin\AppData\Local\Temp\EC22.exe
C:\Users\Admin\AppData\Local\Temp\EC22.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\EC22.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:1996

C:\Users\Admin\AppData\Local\Temp\F00B.exe
C:\Users\Admin\AppData\Local\Temp\F00B.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pdbqbvbo\
2⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\sdiimdop.exe" C:\Windows\SysWOW64\pdbqbvbo\
2⤵
PID:3976

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create pdbqbvbo binPath= "C:\Windows\SysWOW64\pdbqbvbo\sdiimdop.exe /d\"C:\Users\Admin\AppData\Local\Temp\F00B.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:952

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description pdbqbvbo "wifi internet conection"
2⤵
PID:1388

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start pdbqbvbo
2⤵
PID:2824

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\F442.exe
C:\Users\Admin\AppData\Local\Temp\F442.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364

C:\Users\Admin\AppData\Local\Temp\F442.exe
C:\Users\Admin\AppData\Local\Temp\F442.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\SysWOW64\pdbqbvbo\sdiimdop.exe
C:\Windows\SysWOW64\pdbqbvbo\sdiimdop.exe /d"C:\Users\Admin\AppData\Local\Temp\F00B.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3560

C:\Users\Admin\AppData\Local\Temp\4D12.exe
C:\Users\Admin\AppData\Local\Temp\4D12.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Users\Admin\AppData\Local\Temp\5688.exe
C:\Users\Admin\AppData\Local\Temp\5688.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:3852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5688.exe" & exit
2⤵
PID:2776

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:2144

C:\Users\Admin\AppData\Local\Temp\5DCD.exe
C:\Users\Admin\AppData\Local\Temp\5DCD.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Users\Admin\AppData\Local\Temp\5DCD.exe
C:\Users\Admin\AppData\Local\Temp\5DCD.exe
2⤵
- Executes dropped EXE
PID:3992

C:\Users\Admin\AppData\Local\Temp\5DCD.exe
C:\Users\Admin\AppData\Local\Temp\5DCD.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:3936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Updater.exe"
3⤵
- Executes dropped EXE
- Drops startup file
PID:1424

C:\Users\Admin\AppData\Local\Temp\6A22.exe
C:\Users\Admin\AppData\Local\Temp\6A22.exe
1⤵
- Executes dropped EXE
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 408
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Users\Admin\AppData\Local\Temp\79A4.exe
C:\Users\Admin\AppData\Local\Temp\79A4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5DCD.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F442.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D12.exe
MD5
dbfaec97a910463b8767b8ceb053cf3c

SHA1
b9470684eb254871a989d41da389aab0159a0ded

SHA256
f6cb90f76c5ba8a4482c8405f744103f898b7d1920c569b74fb22dd9bea7d2a4

SHA512
12556cb478acb96394e06ce462db008669e62ffa2197a91b7c1c3df46bd5833177c91c30df3506285a62e08ac184ab1663004429e19f5ce85df7c88c88810161

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D12.exe
MD5
dbfaec97a910463b8767b8ceb053cf3c

SHA1
b9470684eb254871a989d41da389aab0159a0ded

SHA256
f6cb90f76c5ba8a4482c8405f744103f898b7d1920c569b74fb22dd9bea7d2a4

SHA512
12556cb478acb96394e06ce462db008669e62ffa2197a91b7c1c3df46bd5833177c91c30df3506285a62e08ac184ab1663004429e19f5ce85df7c88c88810161

Download Submit
C:\Users\Admin\AppData\Local\Temp\5688.exe
MD5
765885e4a5bf2b58911c445e2ba0f7df

SHA1
65edc531c1313df4adbff520b31a998becbd6760

SHA256
654574c360fcb5a7eb4f693d99d5f0c4e32f96b219a7327d41b39d7d5acde953

SHA512
8ac155da0b4c4999eb00905dcb3f6e8626438aeb80c000f174030dd9ce2922d922a40dc7e6066f99f371991710e9d911adbfa20013669767cd793b780bcc0616

Download Submit
C:\Users\Admin\AppData\Local\Temp\5688.exe
MD5
765885e4a5bf2b58911c445e2ba0f7df

SHA1
65edc531c1313df4adbff520b31a998becbd6760

SHA256
654574c360fcb5a7eb4f693d99d5f0c4e32f96b219a7327d41b39d7d5acde953

SHA512
8ac155da0b4c4999eb00905dcb3f6e8626438aeb80c000f174030dd9ce2922d922a40dc7e6066f99f371991710e9d911adbfa20013669767cd793b780bcc0616

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DCD.exe
MD5
cf844515328ae2e2f1b4e9879401c7ca

SHA1
c2328d6ec4dd72f8d298db5ab4145e7fb2d43575

SHA256
3fe128fa6b1779c21d6283f566940788dde7345e4e91063f5b60d0dcd38c3da6

SHA512
73684ccd9712a7632cdefaae000d666b9214701455b4b0211df2cf07481e0a10bfda6d45429b39d2ba42bdc79d4f88dfaf9d22ccbded3bc6c9d9e59b37c20264

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DCD.exe
MD5
cf844515328ae2e2f1b4e9879401c7ca

SHA1
c2328d6ec4dd72f8d298db5ab4145e7fb2d43575

SHA256
3fe128fa6b1779c21d6283f566940788dde7345e4e91063f5b60d0dcd38c3da6

SHA512
73684ccd9712a7632cdefaae000d666b9214701455b4b0211df2cf07481e0a10bfda6d45429b39d2ba42bdc79d4f88dfaf9d22ccbded3bc6c9d9e59b37c20264

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DCD.exe
MD5
cf844515328ae2e2f1b4e9879401c7ca

SHA1
c2328d6ec4dd72f8d298db5ab4145e7fb2d43575

SHA256
3fe128fa6b1779c21d6283f566940788dde7345e4e91063f5b60d0dcd38c3da6

SHA512
73684ccd9712a7632cdefaae000d666b9214701455b4b0211df2cf07481e0a10bfda6d45429b39d2ba42bdc79d4f88dfaf9d22ccbded3bc6c9d9e59b37c20264

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DCD.exe
MD5
cf844515328ae2e2f1b4e9879401c7ca

SHA1
c2328d6ec4dd72f8d298db5ab4145e7fb2d43575

SHA256
3fe128fa6b1779c21d6283f566940788dde7345e4e91063f5b60d0dcd38c3da6

SHA512
73684ccd9712a7632cdefaae000d666b9214701455b4b0211df2cf07481e0a10bfda6d45429b39d2ba42bdc79d4f88dfaf9d22ccbded3bc6c9d9e59b37c20264

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A22.exe
MD5
e5bd8a53623522c49ccc35bc492b5a11

SHA1
e36258fc96f90432c79be82520ef0b27fdbe9c89

SHA256
7ce91a1e9b7df0d018835ee8483c9e97c9718f9865b53728f958f01c740035af

SHA512
93367fc15f8f24d6ef73a62c37e5ca99aa284c609617ff24ef6ebac7d4b2ac922d9b1aff986a7b70d9304d2d637213c14b0f218d67db79e563adfb5a130ca358

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A22.exe
MD5
e5bd8a53623522c49ccc35bc492b5a11

SHA1
e36258fc96f90432c79be82520ef0b27fdbe9c89

SHA256
7ce91a1e9b7df0d018835ee8483c9e97c9718f9865b53728f958f01c740035af

SHA512
93367fc15f8f24d6ef73a62c37e5ca99aa284c609617ff24ef6ebac7d4b2ac922d9b1aff986a7b70d9304d2d637213c14b0f218d67db79e563adfb5a130ca358

Download Submit
C:\Users\Admin\AppData\Local\Temp\79A4.exe
MD5
1a8620af98d68f9cadb5916341ad1e71

SHA1
1a39e1f41e89d552bd1228f7dd79e553a8dbb22e

SHA256
f593cd3e0a4ad34d16b48b9cdd344e486b42fbfc5bca0c25abb75b6cc03ac2d0

SHA512
0824ade76adc9c5f6120775ce89d6e3b64d5814683dffa39adeab2a90131a7cf1d3be0a72546c0afeeb2fd72a510639a64fc37ef23dea8baeb9dbbc9c3b38de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\79A4.exe
MD5
1a8620af98d68f9cadb5916341ad1e71

SHA1
1a39e1f41e89d552bd1228f7dd79e553a8dbb22e

SHA256
f593cd3e0a4ad34d16b48b9cdd344e486b42fbfc5bca0c25abb75b6cc03ac2d0

SHA512
0824ade76adc9c5f6120775ce89d6e3b64d5814683dffa39adeab2a90131a7cf1d3be0a72546c0afeeb2fd72a510639a64fc37ef23dea8baeb9dbbc9c3b38de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCDF.exe
MD5
5e0ed8966761e70ee0b8dcd141aafb4c

SHA1
933e68212d0f6d029e920bd93e5dca7ca5bdcb7a

SHA256
8bbdda1786e15a568a573a2f38762e95de138af969e0a13b96d7086aaa98bfc2

SHA512
d692905ddd5b1ea92abed7fd38379947a9b453f5aedee91c5be217e1799cc2b03c898fd99828efa15a58c7811781db8cbc90f5330640bf9361f60422df22eb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCDF.exe
MD5
5e0ed8966761e70ee0b8dcd141aafb4c

SHA1
933e68212d0f6d029e920bd93e5dca7ca5bdcb7a

SHA256
8bbdda1786e15a568a573a2f38762e95de138af969e0a13b96d7086aaa98bfc2

SHA512
d692905ddd5b1ea92abed7fd38379947a9b453f5aedee91c5be217e1799cc2b03c898fd99828efa15a58c7811781db8cbc90f5330640bf9361f60422df22eb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCDF.exe
MD5
5e0ed8966761e70ee0b8dcd141aafb4c

SHA1
933e68212d0f6d029e920bd93e5dca7ca5bdcb7a

SHA256
8bbdda1786e15a568a573a2f38762e95de138af969e0a13b96d7086aaa98bfc2

SHA512
d692905ddd5b1ea92abed7fd38379947a9b453f5aedee91c5be217e1799cc2b03c898fd99828efa15a58c7811781db8cbc90f5330640bf9361f60422df22eb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC22.exe
MD5
babd835d0fe9e63300b037a5aaaa4284

SHA1
b23d69da082314a88e5f0ef188f92b60557d056a

SHA256
82ac68b07479792aaf1f4aa1bd78154257349ba4057f29752be2ce05ce3cc1b2

SHA512
f9f1f59c656efefe7fc3ea4bbc8dcf6d18e7c4ac94ef4749325117f0a1a517fd7d4fceacc6db285ae7248b438c805437b5a5a77c240b8e78c83b2bb27fcbb9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC22.exe
MD5
babd835d0fe9e63300b037a5aaaa4284

SHA1
b23d69da082314a88e5f0ef188f92b60557d056a

SHA256
82ac68b07479792aaf1f4aa1bd78154257349ba4057f29752be2ce05ce3cc1b2

SHA512
f9f1f59c656efefe7fc3ea4bbc8dcf6d18e7c4ac94ef4749325117f0a1a517fd7d4fceacc6db285ae7248b438c805437b5a5a77c240b8e78c83b2bb27fcbb9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\F00B.exe
MD5
435da4e2bcd79eb21615d0089433d3a8

SHA1
ec9eb615c37e31fef99119de7f51b7e943cf6503

SHA256
c4dbb1a23eaa059b7b7a036f55c41ea8a558e0120b9ae4ff90aae53be628d42b

SHA512
d2ab3f39d9d310fe4938dc9750050fb762881331ef2e74b28c2c6e1907cfc0204dcf72d339f05c9e868f2999f10cabc1537a74267af2b37d37c172a5c3f5dd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\F00B.exe
MD5
435da4e2bcd79eb21615d0089433d3a8

SHA1
ec9eb615c37e31fef99119de7f51b7e943cf6503

SHA256
c4dbb1a23eaa059b7b7a036f55c41ea8a558e0120b9ae4ff90aae53be628d42b

SHA512
d2ab3f39d9d310fe4938dc9750050fb762881331ef2e74b28c2c6e1907cfc0204dcf72d339f05c9e868f2999f10cabc1537a74267af2b37d37c172a5c3f5dd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\F442.exe
MD5
ccbcf301b4a4c51fc6ac6108e1a0a702

SHA1
c2fa44ae73649ef3fe9b3e11ac6deef05d967d6a

SHA256
c956eaf697229c8388bcad6757441f826ad947f619eb684dc62f769f87cb8d3c

SHA512
f30a6606858401734c50f152d0c766f38de7aa226db99613bcde989cd47f015ef7916b168945984d95c81fab45d975c384194fd44fa28a44b60400f6817042da

Download Submit
C:\Users\Admin\AppData\Local\Temp\F442.exe
MD5
ccbcf301b4a4c51fc6ac6108e1a0a702

SHA1
c2fa44ae73649ef3fe9b3e11ac6deef05d967d6a

SHA256
c956eaf697229c8388bcad6757441f826ad947f619eb684dc62f769f87cb8d3c

SHA512
f30a6606858401734c50f152d0c766f38de7aa226db99613bcde989cd47f015ef7916b168945984d95c81fab45d975c384194fd44fa28a44b60400f6817042da

Download Submit
C:\Users\Admin\AppData\Local\Temp\F442.exe
MD5
ccbcf301b4a4c51fc6ac6108e1a0a702

SHA1
c2fa44ae73649ef3fe9b3e11ac6deef05d967d6a

SHA256
c956eaf697229c8388bcad6757441f826ad947f619eb684dc62f769f87cb8d3c

SHA512
f30a6606858401734c50f152d0c766f38de7aa226db99613bcde989cd47f015ef7916b168945984d95c81fab45d975c384194fd44fa28a44b60400f6817042da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe
MD5
3abd077426b7b116cc3d1aecac4b757a

SHA1
5fa04943fb98f8cdedd0cf611be3e49beb2a373d

SHA256
7322227e60086a497e66c0a6c5568dc138e81efc34e0d3a0ab5a2015b73afdaa

SHA512
eb83a64ebc05b9a1f769495dda9e99c2d029f8491933b196c82ca6d588d8dc96882bcee424f7ca71e6a0a4bbc098d21d9025a1cba504b41688241299963bc92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe
MD5
3abd077426b7b116cc3d1aecac4b757a

SHA1
5fa04943fb98f8cdedd0cf611be3e49beb2a373d

SHA256
7322227e60086a497e66c0a6c5568dc138e81efc34e0d3a0ab5a2015b73afdaa

SHA512
eb83a64ebc05b9a1f769495dda9e99c2d029f8491933b196c82ca6d588d8dc96882bcee424f7ca71e6a0a4bbc098d21d9025a1cba504b41688241299963bc92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.exe
MD5
f50ddee232b8941986950dc42d8f5251

SHA1
f27a87a24492c9c537666654f22482e733c202c6

SHA256
789ad793931e1bf08389629880c026c8a57cf84dcf1f33072afa4025ae29293a

SHA512
f3065a88ff2cffff65ddebf6f7dae887c6532acee7132d47a42d950cd67a0e0e34792ae439702d69342e1b90045817635a759fd84ad108549d88060b19e4759b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.exe
MD5
f50ddee232b8941986950dc42d8f5251

SHA1
f27a87a24492c9c537666654f22482e733c202c6

SHA256
789ad793931e1bf08389629880c026c8a57cf84dcf1f33072afa4025ae29293a

SHA512
f3065a88ff2cffff65ddebf6f7dae887c6532acee7132d47a42d950cd67a0e0e34792ae439702d69342e1b90045817635a759fd84ad108549d88060b19e4759b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdiimdop.exe
MD5
9f7d356a78c3d54eaab35df6b8affe7e

SHA1
b3da71eec2547f2250d4cea7626ee36e53e717d7

SHA256
df60ef281b38384d797baf7e28c783fbab4494ce7dc5787c3bf8191e51ddfe43

SHA512
4bf6bced83dc894fa384ed5be09c9078f29a4948fa879a1a6f8198070f19fc1fde834a161dddf43e5578662e427e0c8fa1821edb79aec468aa89a44388c4c8b3

Download Submit
C:\Windows\SysWOW64\pdbqbvbo\sdiimdop.exe
MD5
9f7d356a78c3d54eaab35df6b8affe7e

SHA1
b3da71eec2547f2250d4cea7626ee36e53e717d7

SHA256
df60ef281b38384d797baf7e28c783fbab4494ce7dc5787c3bf8191e51ddfe43

SHA512
4bf6bced83dc894fa384ed5be09c9078f29a4948fa879a1a6f8198070f19fc1fde834a161dddf43e5578662e427e0c8fa1821edb79aec468aa89a44388c4c8b3

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/364-136-0x0000000000000000-mapping.dmp

Download
memory/364-148-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/364-154-0x0000000005390000-0x000000000588E000-memory.dmp

Filesize
5.0MB

Download
memory/364-139-0x0000000000270000-0x00000000002FA000-memory.dmp

Filesize
552KB

Download
memory/364-140-0x0000000000270000-0x00000000002FA000-memory.dmp

Filesize
552KB

Download
memory/364-146-0x0000000004AE0000-0x0000000004B56000-memory.dmp

Filesize
472KB

Download
memory/364-149-0x0000000004AC0000-0x0000000004ADE000-memory.dmp

Filesize
120KB

Download
memory/364-147-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/952-152-0x0000000000000000-mapping.dmp

Download
memory/1064-248-0x0000000005840000-0x000000000587E000-memory.dmp

Filesize
248KB

Download
memory/1064-243-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1064-250-0x0000000005730000-0x0000000005D36000-memory.dmp

Filesize
6.0MB

Download
memory/1064-240-0x000000000041919E-mapping.dmp

Download
memory/1064-245-0x0000000005D40000-0x0000000006346000-memory.dmp

Filesize
6.0MB

Download
memory/1064-246-0x00000000057A0000-0x00000000057B2000-memory.dmp

Filesize
72KB

Download
memory/1064-247-0x00000000058D0000-0x00000000059DA000-memory.dmp

Filesize
1.0MB

Download
memory/1064-239-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1064-244-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1064-249-0x0000000005880000-0x00000000058CB000-memory.dmp

Filesize
300KB

Download
memory/1156-145-0x0000000000000000-mapping.dmp

Download
memory/1180-223-0x0000000000000000-mapping.dmp

Download
memory/1180-227-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1320-309-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1320-303-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1320-307-0x00000000004012A5-mapping.dmp

Download
memory/1320-308-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1320-310-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1388-153-0x0000000000000000-mapping.dmp

Download
memory/1424-283-0x0000000000000000-mapping.dmp

Download
memory/1448-182-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/1448-169-0x0000000005290000-0x0000000005896000-memory.dmp

Filesize
6.0MB

Download
memory/1448-183-0x0000000006720000-0x00000000068E2000-memory.dmp

Filesize
1.8MB

Download
memory/1448-181-0x0000000005260000-0x000000000527E000-memory.dmp

Filesize
120KB

Download
memory/1448-180-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/1448-179-0x00000000050E0000-0x0000000005156000-memory.dmp

Filesize
472KB

Download
memory/1448-178-0x0000000005DA0000-0x000000000629E000-memory.dmp

Filesize
5.0MB

Download
memory/1448-174-0x0000000004D60000-0x0000000004DAB000-memory.dmp

Filesize
300KB

Download
memory/1448-184-0x0000000006E20000-0x000000000734C000-memory.dmp

Filesize
5.2MB

Download
memory/1448-163-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1448-172-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/1448-171-0x0000000004DF0000-0x0000000004EFA000-memory.dmp

Filesize
1.0MB

Download
memory/1448-164-0x0000000000419196-mapping.dmp

Download
memory/1448-167-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1448-168-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1448-173-0x0000000004C80000-0x0000000005286000-memory.dmp

Filesize
6.0MB

Download
memory/1448-170-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/1488-233-0x0000000005930000-0x0000000005F36000-memory.dmp

Filesize
6.0MB

Download
memory/1488-232-0x0000000000B90000-0x0000000000BB2000-memory.dmp

Filesize
136KB

Download
memory/1488-234-0x00000000053A0000-0x00000000053B2000-memory.dmp

Filesize
72KB

Download
memory/1488-231-0x0000000000B90000-0x0000000000BB2000-memory.dmp

Filesize
136KB

Download
memory/1488-228-0x0000000000000000-mapping.dmp

Download
memory/1488-235-0x00000000054D0000-0x00000000055DA000-memory.dmp

Filesize
1.0MB

Download
memory/1488-236-0x0000000005410000-0x000000000544E000-memory.dmp

Filesize
248KB

Download
memory/1488-237-0x0000000005450000-0x000000000549B000-memory.dmp

Filesize
300KB

Download
memory/1488-238-0x0000000005320000-0x0000000005926000-memory.dmp

Filesize
6.0MB

Download
memory/1520-185-0x0000000000000000-mapping.dmp

Download
memory/1796-162-0x0000000000400000-0x0000000000836000-memory.dmp

Filesize
4.2MB

Download
memory/1884-157-0x0000000000000000-mapping.dmp

Download
memory/1996-186-0x0000000000000000-mapping.dmp

Download
memory/2084-125-0x0000000000402F47-mapping.dmp

Download
memory/2144-268-0x0000000000000000-mapping.dmp

Download
memory/2372-205-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2372-252-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2372-191-0x0000000000960000-0x0000000000AAA000-memory.dmp

Filesize
1.3MB

Download
memory/2372-187-0x0000000000000000-mapping.dmp

Download
memory/2372-217-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2372-251-0x0000000000B8A000-0x0000000000BE7000-memory.dmp

Filesize
372KB

Download
memory/2372-204-0x0000000000B11000-0x0000000000B85000-memory.dmp

Filesize
464KB

Download
memory/2372-258-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2372-192-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2372-215-0x0000000000D10000-0x0000000000DA7000-memory.dmp

Filesize
604KB

Download
memory/2544-142-0x0000000000030000-0x000000000003D000-memory.dmp

Filesize
52KB

Download
memory/2544-143-0x0000000000A10000-0x0000000000A23000-memory.dmp

Filesize
76KB

Download
memory/2544-144-0x0000000000400000-0x0000000000836000-memory.dmp

Filesize
4.2MB

Download
memory/2544-130-0x0000000000000000-mapping.dmp

Download
memory/2660-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2660-118-0x0000000000402F47-mapping.dmp

Download
memory/2760-141-0x0000000003370000-0x0000000003386000-memory.dmp

Filesize
88KB

Download
memory/2760-119-0x0000000001490000-0x00000000014A6000-memory.dmp

Filesize
88KB

Download
memory/2776-264-0x0000000000000000-mapping.dmp

Download
memory/2824-155-0x0000000000000000-mapping.dmp

Download
memory/2952-135-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2952-127-0x0000000000000000-mapping.dmp

Download
memory/2952-134-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/3264-116-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3264-115-0x00000000007E1000-0x00000000007F2000-memory.dmp

Filesize
68KB

Download
memory/3372-120-0x0000000000000000-mapping.dmp

Download
memory/3560-158-0x0000000000A70000-0x0000000000A85000-memory.dmp

Filesize
84KB

Download
memory/3560-161-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3560-160-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3560-159-0x0000000000A79A6B-mapping.dmp

Download
memory/3852-198-0x0000000000F20000-0x0000000000F64000-memory.dmp

Filesize
272KB

Download
memory/3852-207-0x0000000000220000-0x00000000006F6000-memory.dmp

Filesize
4.8MB

Download
memory/3852-203-0x0000000076A50000-0x0000000076C12000-memory.dmp

Filesize
1.8MB

Download
memory/3852-199-0x0000000000220000-0x00000000006F6000-memory.dmp

Filesize
4.8MB

Download
memory/3852-202-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/3852-201-0x0000000000220000-0x00000000006F6000-memory.dmp

Filesize
4.8MB

Download
memory/3852-206-0x0000000000220000-0x00000000006F6000-memory.dmp

Filesize
4.8MB

Download
memory/3852-200-0x0000000000220000-0x00000000006F6000-memory.dmp

Filesize
4.8MB

Download
memory/3852-208-0x0000000000220000-0x00000000006F6000-memory.dmp

Filesize
4.8MB

Download
memory/3852-196-0x0000000000220000-0x00000000006F6000-memory.dmp

Filesize
4.8MB

Download
memory/3852-211-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3852-197-0x0000000000220000-0x00000000006F6000-memory.dmp

Filesize
4.8MB

Download
memory/3852-210-0x0000000000220000-0x00000000006F6000-memory.dmp

Filesize
4.8MB

Download
memory/3852-193-0x0000000000000000-mapping.dmp

Download
memory/3932-222-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/3932-209-0x0000000000000000-mapping.dmp

Download
memory/3932-220-0x0000000005860000-0x0000000005D5E000-memory.dmp

Filesize
5.0MB

Download
memory/3932-214-0x00000000009E0000-0x0000000000A6A000-memory.dmp

Filesize
552KB

Download
memory/3932-221-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/3932-216-0x00000000009E0000-0x0000000000A6A000-memory.dmp

Filesize
552KB

Download
memory/3932-218-0x00000000052C0000-0x0000000005336000-memory.dmp

Filesize
472KB

Download
memory/3932-219-0x0000000005240000-0x000000000525E000-memory.dmp

Filesize
120KB

Download
memory/3936-291-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/3936-295-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/3936-296-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/3936-298-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/3936-299-0x0000000000D60000-0x00000000017F1000-memory.dmp

Filesize
10.6MB

Download
memory/3936-294-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3936-293-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3936-292-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/3936-280-0x0000000000000000-mapping.dmp

Download
memory/3976-150-0x0000000000000000-mapping.dmp

Download