arkei | 4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827

Analysis

max time kernel
150s
max time network
136s
platform
windows10_x64
resource
win10-en-20211208
submitted
09-01-2022 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe
Size

294KB
MD5

5810935d6ff1cbad02fe43c3b1f64593
SHA1

24d4343e20837a57040b9c482b3a40ac51bdc6d1
SHA256

4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827
SHA512

adc276b2cf0d9e14a8668d1af9b1fbc52390d9c0a278e37c3f59089bc10983f2345cf530b6b105674fd21b5aee7c8c72367626121f9f847f0aa109d462eba9ba

Score

10^/10

arkei raccoon smokeloader tofsee 10da56e7e71e97bdc1f36eb76813bbc3231de7e4 backdoor collection discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

tofsee

patmushta.info

parubey.info

Extracted

Family

raccoon

Botnet

10da56e7e71e97bdc1f36eb76813bbc3231de7e4

Attributes

url4cnc
http://194.180.174.53/capibar
http://91.219.236.18/capibar
http://194.180.174.41/capibar
http://91.219.236.148/capibar
https://t.me/capibar

rc4.plain

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3132 created 2172 3132 WerFault.exe 73A7.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

description	pid	process	target process
PID 3132 created 2172	3132	WerFault.exe	73A7.exe

Arkei Stealer Payload 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2808-139-0x0000000000400000-0x0000000002B87000-memory.dmp	family_arkei
behavioral1/memory/2708-207-0x00000000000A0000-0x0000000000200000-memory.dmp	family_arkei
behavioral1/memory/2708-208-0x00000000000A0000-0x0000000000200000-memory.dmp	family_arkei

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

94D9.exe94D9.exeB3DC.exeD2DE.exeE406.exeEDBB.exeszdcdkt.exeEDBB.exeEDBB.exeEDBB.exe5DBC.exe73A7.exeA045.exeBD73.exe

pid	process
3236	94D9.exe
4020	94D9.exe
3008	B3DC.exe
2808	D2DE.exe
1036	E406.exe
1196	EDBB.exe
3356	szdcdkt.exe
2364	EDBB.exe
1496	EDBB.exe
2456	EDBB.exe
2708	5DBC.exe
2172	73A7.exe
1156	A045.exe
720	BD73.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

pid process

2720
Loads dropped DLL 6 IoCs

Processes:

D2DE.exe5DBC.exe

pid process

2808 D2DE.exe
2808 D2DE.exe
2808 D2DE.exe
2708 5DBC.exe
2708 5DBC.exe
2708 5DBC.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2720

pid	process
2808	D2DE.exe
2808	D2DE.exe
2808	D2DE.exe
2708	5DBC.exe
2708	5DBC.exe
2708	5DBC.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

5DBC.exeBD73.exe

pid process

2708 5DBC.exe
720 BD73.exe

pid	process
2708	5DBC.exe
720	BD73.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe94D9.exeszdcdkt.exeEDBB.exe

description	pid	process	target process
PID 3844 set thread context of 3240	3844	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe
PID 3236 set thread context of 4020	3236	94D9.exe	94D9.exe
PID 3356 set thread context of 1004	3356	szdcdkt.exe	svchost.exe
PID 1196 set thread context of 2456	1196	EDBB.exe	EDBB.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3132 2172 WerFault.exe 73A7.exe

pid	pid_target	process	target process
3132	2172	WerFault.exe	73A7.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe94D9.exeB3DC.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	94D9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	94D9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B3DC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B3DC.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B3DC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	94D9.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

D2DE.exe5DBC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	D2DE.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5DBC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5DBC.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	D2DE.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2544 timeout.exe
2508 timeout.exe

pid	process
2544	timeout.exe
2508	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe

pid	process
3240	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe
3240	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2720
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe94D9.exeB3DC.exe

pid process

3240 4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe
4020 94D9.exe
3008 B3DC.exe
2720
2720
2720
2720

pid	process
2720

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

EDBB.exeEDBB.exeA045.exeBD73.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeDebugPrivilege	1196	EDBB.exe
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeDebugPrivilege	2456	EDBB.exe
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeDebugPrivilege	1156	A045.exe
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeDebugPrivilege	720	BD73.exe
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeRestorePrivilege	3132	WerFault.exe
Token: SeBackupPrivilege	3132	WerFault.exe
Token: SeDebugPrivilege	3132	WerFault.exe
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe94D9.exeE406.exeEDBB.exeszdcdkt.exe

description	pid	process	target process
PID 3844 wrote to memory of 3240	3844	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe
PID 3844 wrote to memory of 3240	3844	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe
PID 3844 wrote to memory of 3240	3844	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe
PID 3844 wrote to memory of 3240	3844	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe
PID 3844 wrote to memory of 3240	3844	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe
PID 3844 wrote to memory of 3240	3844	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe	4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe
PID 2720 wrote to memory of 3236	2720		94D9.exe
PID 2720 wrote to memory of 3236	2720		94D9.exe
PID 2720 wrote to memory of 3236	2720		94D9.exe
PID 3236 wrote to memory of 4020	3236	94D9.exe	94D9.exe
PID 3236 wrote to memory of 4020	3236	94D9.exe	94D9.exe
PID 3236 wrote to memory of 4020	3236	94D9.exe	94D9.exe
PID 3236 wrote to memory of 4020	3236	94D9.exe	94D9.exe
PID 3236 wrote to memory of 4020	3236	94D9.exe	94D9.exe
PID 3236 wrote to memory of 4020	3236	94D9.exe	94D9.exe
PID 2720 wrote to memory of 3008	2720		B3DC.exe
PID 2720 wrote to memory of 3008	2720		B3DC.exe
PID 2720 wrote to memory of 3008	2720		B3DC.exe
PID 2720 wrote to memory of 2808	2720		D2DE.exe
PID 2720 wrote to memory of 2808	2720		D2DE.exe
PID 2720 wrote to memory of 2808	2720		D2DE.exe
PID 2720 wrote to memory of 1036	2720		E406.exe
PID 2720 wrote to memory of 1036	2720		E406.exe
PID 2720 wrote to memory of 1036	2720		E406.exe
PID 2720 wrote to memory of 1196	2720		EDBB.exe
PID 2720 wrote to memory of 1196	2720		EDBB.exe
PID 2720 wrote to memory of 1196	2720		EDBB.exe
PID 1036 wrote to memory of 3432	1036	E406.exe	cmd.exe
PID 1036 wrote to memory of 3432	1036	E406.exe	cmd.exe
PID 1036 wrote to memory of 3432	1036	E406.exe	cmd.exe
PID 1036 wrote to memory of 3180	1036	E406.exe	cmd.exe
PID 1036 wrote to memory of 3180	1036	E406.exe	cmd.exe
PID 1036 wrote to memory of 3180	1036	E406.exe	cmd.exe
PID 1036 wrote to memory of 1268	1036	E406.exe	sc.exe
PID 1036 wrote to memory of 1268	1036	E406.exe	sc.exe
PID 1036 wrote to memory of 1268	1036	E406.exe	sc.exe
PID 1036 wrote to memory of 2296	1036	E406.exe	sc.exe
PID 1036 wrote to memory of 2296	1036	E406.exe	sc.exe
PID 1036 wrote to memory of 2296	1036	E406.exe	sc.exe
PID 1036 wrote to memory of 1936	1036	E406.exe	sc.exe
PID 1036 wrote to memory of 1936	1036	E406.exe	sc.exe
PID 1036 wrote to memory of 1936	1036	E406.exe	sc.exe
PID 1196 wrote to memory of 2364	1196	EDBB.exe	EDBB.exe
PID 1196 wrote to memory of 2364	1196	EDBB.exe	EDBB.exe
PID 1196 wrote to memory of 2364	1196	EDBB.exe	EDBB.exe
PID 1036 wrote to memory of 3328	1036	E406.exe	netsh.exe
PID 1036 wrote to memory of 3328	1036	E406.exe	netsh.exe
PID 1036 wrote to memory of 3328	1036	E406.exe	netsh.exe
PID 3356 wrote to memory of 1004	3356	szdcdkt.exe	svchost.exe
PID 3356 wrote to memory of 1004	3356	szdcdkt.exe	svchost.exe
PID 3356 wrote to memory of 1004	3356	szdcdkt.exe	svchost.exe
PID 3356 wrote to memory of 1004	3356	szdcdkt.exe	svchost.exe
PID 3356 wrote to memory of 1004	3356	szdcdkt.exe	svchost.exe
PID 1196 wrote to memory of 1496	1196	EDBB.exe	EDBB.exe
PID 1196 wrote to memory of 1496	1196	EDBB.exe	EDBB.exe
PID 1196 wrote to memory of 1496	1196	EDBB.exe	EDBB.exe
PID 1196 wrote to memory of 2456	1196	EDBB.exe	EDBB.exe
PID 1196 wrote to memory of 2456	1196	EDBB.exe	EDBB.exe
PID 1196 wrote to memory of 2456	1196	EDBB.exe	EDBB.exe
PID 1196 wrote to memory of 2456	1196	EDBB.exe	EDBB.exe
PID 1196 wrote to memory of 2456	1196	EDBB.exe	EDBB.exe
PID 1196 wrote to memory of 2456	1196	EDBB.exe	EDBB.exe
PID 1196 wrote to memory of 2456	1196	EDBB.exe	EDBB.exe
PID 1196 wrote to memory of 2456	1196	EDBB.exe	EDBB.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe
"C:\Users\Admin\AppData\Local\Temp\4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3844

C:\Users\Admin\AppData\Local\Temp\4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe
"C:\Users\Admin\AppData\Local\Temp\4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3240

C:\Users\Admin\AppData\Local\Temp\94D9.exe
C:\Users\Admin\AppData\Local\Temp\94D9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3236

C:\Users\Admin\AppData\Local\Temp\94D9.exe
C:\Users\Admin\AppData\Local\Temp\94D9.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4020

C:\Users\Admin\AppData\Local\Temp\B3DC.exe
C:\Users\Admin\AppData\Local\Temp\B3DC.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3008

C:\Users\Admin\AppData\Local\Temp\D2DE.exe
C:\Users\Admin\AppData\Local\Temp\D2DE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\D2DE.exe" & exit
2⤵
PID:1476

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:2544

C:\Users\Admin\AppData\Local\Temp\E406.exe
C:\Users\Admin\AppData\Local\Temp\E406.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ypjqvzlt\
2⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\szdcdkt.exe" C:\Windows\SysWOW64\ypjqvzlt\
2⤵
PID:3180

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ypjqvzlt binPath= "C:\Windows\SysWOW64\ypjqvzlt\szdcdkt.exe /d\"C:\Users\Admin\AppData\Local\Temp\E406.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1268

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ypjqvzlt "wifi internet conection"
2⤵
PID:2296

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ypjqvzlt
2⤵
PID:1936

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\EDBB.exe
C:\Users\Admin\AppData\Local\Temp\EDBB.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\EDBB.exe
C:\Users\Admin\AppData\Local\Temp\EDBB.exe
2⤵
- Executes dropped EXE
PID:2364

C:\Users\Admin\AppData\Local\Temp\EDBB.exe
C:\Users\Admin\AppData\Local\Temp\EDBB.exe
2⤵
- Executes dropped EXE
PID:1496

C:\Users\Admin\AppData\Local\Temp\EDBB.exe
C:\Users\Admin\AppData\Local\Temp\EDBB.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\SysWOW64\ypjqvzlt\szdcdkt.exe
C:\Windows\SysWOW64\ypjqvzlt\szdcdkt.exe /d"C:\Users\Admin\AppData\Local\Temp\E406.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:1004

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3976

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\5DBC.exe
C:\Users\Admin\AppData\Local\Temp\5DBC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:2708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5DBC.exe" & exit
2⤵
PID:2204

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:2508

C:\Users\Admin\AppData\Local\Temp\73A7.exe
C:\Users\Admin\AppData\Local\Temp\73A7.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 1204
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Users\Admin\AppData\Local\Temp\A045.exe
C:\Users\Admin\AppData\Local\Temp\A045.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Users\Admin\AppData\Local\Temp\BD73.exe
C:\Users\Admin\AppData\Local\Temp\BD73.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EDBB.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DBC.exe
MD5
aec70ded586cfe6f9bae06560b0fe7a6

SHA1
8da695d69d3e3c3df85767b57c24f46576d1aeef

SHA256
a1d583650ec7dc99e6c0c4009908358518a0be5fbe7cb6e2b3a50889bb5da3a1

SHA512
14a2f13cb24652d0e3d230d5c05a90d9312ea26a7dacd81de9482fa87d7dab9b718c6af6be28ca7e747da156f136193b328cff662cd50d5f7fb8e684ead0edec

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DBC.exe
MD5
aec70ded586cfe6f9bae06560b0fe7a6

SHA1
8da695d69d3e3c3df85767b57c24f46576d1aeef

SHA256
a1d583650ec7dc99e6c0c4009908358518a0be5fbe7cb6e2b3a50889bb5da3a1

SHA512
14a2f13cb24652d0e3d230d5c05a90d9312ea26a7dacd81de9482fa87d7dab9b718c6af6be28ca7e747da156f136193b328cff662cd50d5f7fb8e684ead0edec

Download Submit
C:\Users\Admin\AppData\Local\Temp\73A7.exe
MD5
c085684db882063c21f18d251679b0cc

SHA1
2b5e71123abdb276913e4438ad89f4ed1616950a

SHA256
cda92bb8e0734752dc6366275020ce48d75f95d78af9793b40512895ecd2d470

SHA512
8158aa6d5a6d2130b711671d3dac1a335b01d08118fb8ac91dc491ed17ee04cca8559b634edd4c03decbd8278709ad70db7fb0615df73f25d42242ea4b2555b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\73A7.exe
MD5
c085684db882063c21f18d251679b0cc

SHA1
2b5e71123abdb276913e4438ad89f4ed1616950a

SHA256
cda92bb8e0734752dc6366275020ce48d75f95d78af9793b40512895ecd2d470

SHA512
8158aa6d5a6d2130b711671d3dac1a335b01d08118fb8ac91dc491ed17ee04cca8559b634edd4c03decbd8278709ad70db7fb0615df73f25d42242ea4b2555b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\94D9.exe
MD5
5810935d6ff1cbad02fe43c3b1f64593

SHA1
24d4343e20837a57040b9c482b3a40ac51bdc6d1

SHA256
4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827

SHA512
adc276b2cf0d9e14a8668d1af9b1fbc52390d9c0a278e37c3f59089bc10983f2345cf530b6b105674fd21b5aee7c8c72367626121f9f847f0aa109d462eba9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\94D9.exe
MD5
5810935d6ff1cbad02fe43c3b1f64593

SHA1
24d4343e20837a57040b9c482b3a40ac51bdc6d1

SHA256
4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827

SHA512
adc276b2cf0d9e14a8668d1af9b1fbc52390d9c0a278e37c3f59089bc10983f2345cf530b6b105674fd21b5aee7c8c72367626121f9f847f0aa109d462eba9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\94D9.exe
MD5
5810935d6ff1cbad02fe43c3b1f64593

SHA1
24d4343e20837a57040b9c482b3a40ac51bdc6d1

SHA256
4691f594fe6a35c912ab09af8eb0b4ccb91ec03c4cc0b655343f9e15a6cd0827

SHA512
adc276b2cf0d9e14a8668d1af9b1fbc52390d9c0a278e37c3f59089bc10983f2345cf530b6b105674fd21b5aee7c8c72367626121f9f847f0aa109d462eba9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\A045.exe
MD5
63eb415c553b5c2204f1bb46213b10c4

SHA1
340e4b38773bf186749b0055c2ab3696efb61718

SHA256
0e3e2247090efb74201b9aa5a5965cdf0b1b09edc4747bc0c3515f9a4bb46023

SHA512
92fbd179c7902bdc197e493bb7f88aa1ebfe1c54910cf8f91bd0fb2ce4641caccde8cf1851eb09febadb71f18e62e600e4f20340c9a11ab18d90c450ba1d042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A045.exe
MD5
63eb415c553b5c2204f1bb46213b10c4

SHA1
340e4b38773bf186749b0055c2ab3696efb61718

SHA256
0e3e2247090efb74201b9aa5a5965cdf0b1b09edc4747bc0c3515f9a4bb46023

SHA512
92fbd179c7902bdc197e493bb7f88aa1ebfe1c54910cf8f91bd0fb2ce4641caccde8cf1851eb09febadb71f18e62e600e4f20340c9a11ab18d90c450ba1d042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3DC.exe
MD5
1f935bfff0f8128972bc69625e5b2a6c

SHA1
18db55c519bbe14311662a06faeecc97566e2afd

SHA256
2bfa0884b172c9eaff7358741c164f571f0565389ab9cf99a8e0b90ae8ad914d

SHA512
2c94c1ea43b008ce164d7cd22a2d0ff3b60a623017007a2f361bdff69ed72e97b0cc0897590be9cc56333e014cd003786741eb6bb7887590cb2aad832ea8a32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3DC.exe
MD5
1f935bfff0f8128972bc69625e5b2a6c

SHA1
18db55c519bbe14311662a06faeecc97566e2afd

SHA256
2bfa0884b172c9eaff7358741c164f571f0565389ab9cf99a8e0b90ae8ad914d

SHA512
2c94c1ea43b008ce164d7cd22a2d0ff3b60a623017007a2f361bdff69ed72e97b0cc0897590be9cc56333e014cd003786741eb6bb7887590cb2aad832ea8a32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD73.exe
MD5
b035525a5300eee5d055c90964923c0b

SHA1
fc4ea5f2a58b7b70cd64f2ec0fb5cd2f1b0d8ed0

SHA256
5e2e4e6fac056fa3b75d65f72d4a4dbc4827c68708e7788102a9539305211c53

SHA512
c3358cfea800e1bdfe135758a8ae909c61ebe9a4f2e76f2bae3edbbd2830e6b0d0cc032f50a71d28d7bde2b3e3f1982a750b30f8c4098153000be8bc6c08d079

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD73.exe
MD5
b035525a5300eee5d055c90964923c0b

SHA1
fc4ea5f2a58b7b70cd64f2ec0fb5cd2f1b0d8ed0

SHA256
5e2e4e6fac056fa3b75d65f72d4a4dbc4827c68708e7788102a9539305211c53

SHA512
c3358cfea800e1bdfe135758a8ae909c61ebe9a4f2e76f2bae3edbbd2830e6b0d0cc032f50a71d28d7bde2b3e3f1982a750b30f8c4098153000be8bc6c08d079

Download Submit
C:\Users\Admin\AppData\Local\Temp\D2DE.exe
MD5
49761bdaf5eebc8bbbd0a13fb928c452

SHA1
f54ba146d53788dda3db7351c7c7cacebda75b43

SHA256
bf9f65ea86859da7bfbba30758bd0210f371b45fe6f764abee322b5fcb3a66e8

SHA512
e5ad04f0704f19e1e7b10d2529bfc6a4c42253abefd91abc42a2239691db3ca11dec7ddb1a13b6e70ed3e4afb5ebdf6c04fd25490c12f433fc7b5fa0a13911d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D2DE.exe
MD5
49761bdaf5eebc8bbbd0a13fb928c452

SHA1
f54ba146d53788dda3db7351c7c7cacebda75b43

SHA256
bf9f65ea86859da7bfbba30758bd0210f371b45fe6f764abee322b5fcb3a66e8

SHA512
e5ad04f0704f19e1e7b10d2529bfc6a4c42253abefd91abc42a2239691db3ca11dec7ddb1a13b6e70ed3e4afb5ebdf6c04fd25490c12f433fc7b5fa0a13911d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E406.exe
MD5
b6de8a25705e5d1c22468de300ed8fcb

SHA1
3392b025ec12339ce76e15fd907b68a102e5ce43

SHA256
a8294917e63382c16d2e965316145ed9110d687ee575f7ca01f462dfc2873f31

SHA512
479af2a8fc3e0cf9ef5276485b799156d133dd59d547720655c1b2db627277ed8fcdb0a13d9293a3b75825673f415dc66fa6239d35d3dd78865ba665aeee62ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\E406.exe
MD5
b6de8a25705e5d1c22468de300ed8fcb

SHA1
3392b025ec12339ce76e15fd907b68a102e5ce43

SHA256
a8294917e63382c16d2e965316145ed9110d687ee575f7ca01f462dfc2873f31

SHA512
479af2a8fc3e0cf9ef5276485b799156d133dd59d547720655c1b2db627277ed8fcdb0a13d9293a3b75825673f415dc66fa6239d35d3dd78865ba665aeee62ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDBB.exe
MD5
9c40df5e45e0c3095f7b920664a902d3

SHA1
795049f091e0d3a31e7b9c1091bd62bed71fb62e

SHA256
7afbff30f47ab9d8e3fc2b67a72453161b93424f680c0caf270a57e05dd2478b

SHA512
7c7da0d86ef8ff09f63d0b63812149bbb9482075547814739b1bf3211b8df4eb366fd9ee735907cf7946ada77479771422904a2bd121839eaebb33b431805eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDBB.exe
MD5
9c40df5e45e0c3095f7b920664a902d3

SHA1
795049f091e0d3a31e7b9c1091bd62bed71fb62e

SHA256
7afbff30f47ab9d8e3fc2b67a72453161b93424f680c0caf270a57e05dd2478b

SHA512
7c7da0d86ef8ff09f63d0b63812149bbb9482075547814739b1bf3211b8df4eb366fd9ee735907cf7946ada77479771422904a2bd121839eaebb33b431805eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDBB.exe
MD5
9c40df5e45e0c3095f7b920664a902d3

SHA1
795049f091e0d3a31e7b9c1091bd62bed71fb62e

SHA256
7afbff30f47ab9d8e3fc2b67a72453161b93424f680c0caf270a57e05dd2478b

SHA512
7c7da0d86ef8ff09f63d0b63812149bbb9482075547814739b1bf3211b8df4eb366fd9ee735907cf7946ada77479771422904a2bd121839eaebb33b431805eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDBB.exe
MD5
9c40df5e45e0c3095f7b920664a902d3

SHA1
795049f091e0d3a31e7b9c1091bd62bed71fb62e

SHA256
7afbff30f47ab9d8e3fc2b67a72453161b93424f680c0caf270a57e05dd2478b

SHA512
7c7da0d86ef8ff09f63d0b63812149bbb9482075547814739b1bf3211b8df4eb366fd9ee735907cf7946ada77479771422904a2bd121839eaebb33b431805eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDBB.exe
MD5
9c40df5e45e0c3095f7b920664a902d3

SHA1
795049f091e0d3a31e7b9c1091bd62bed71fb62e

SHA256
7afbff30f47ab9d8e3fc2b67a72453161b93424f680c0caf270a57e05dd2478b

SHA512
7c7da0d86ef8ff09f63d0b63812149bbb9482075547814739b1bf3211b8df4eb366fd9ee735907cf7946ada77479771422904a2bd121839eaebb33b431805eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\szdcdkt.exe
MD5
39555111941a678445b04fc62e2a7e3c

SHA1
9ba6999dfb50e6b38b337488211c08b62df2c56f

SHA256
c53942f5abae7d98b0bfeff5a2ea1288417bd76e7b89bfcd6fec5bbefe8c224d

SHA512
c817c2784224a909152f85163adae2d71de4beac45f73c05311ab0f3cd625cf87c9e03ce9656de24c7ddf3d6fd336f0eff7123783941c53a2a9744ffe65d1818

Download Submit
C:\Windows\SysWOW64\ypjqvzlt\szdcdkt.exe
MD5
39555111941a678445b04fc62e2a7e3c

SHA1
9ba6999dfb50e6b38b337488211c08b62df2c56f

SHA256
c53942f5abae7d98b0bfeff5a2ea1288417bd76e7b89bfcd6fec5bbefe8c224d

SHA512
c817c2784224a909152f85163adae2d71de4beac45f73c05311ab0f3cd625cf87c9e03ce9656de24c7ddf3d6fd336f0eff7123783941c53a2a9744ffe65d1818

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/720-254-0x0000000073A60000-0x0000000073C22000-memory.dmp

Filesize
1.8MB

Download
memory/720-258-0x00000000715B0000-0x0000000071630000-memory.dmp

Filesize
512KB

Download
memory/720-249-0x0000000000000000-mapping.dmp

Download
memory/720-264-0x0000000073DA0000-0x0000000074324000-memory.dmp

Filesize
5.5MB

Download
memory/720-255-0x00000000744C0000-0x00000000745B1000-memory.dmp

Filesize
964KB

Download
memory/720-253-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/720-265-0x00000000752A0000-0x00000000765E8000-memory.dmp

Filesize
19.3MB

Download
memory/720-272-0x0000000071400000-0x000000007144B000-memory.dmp

Filesize
300KB

Download
memory/720-252-0x0000000000DC0000-0x0000000000EA1000-memory.dmp

Filesize
900KB

Download
memory/1004-167-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1004-166-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1004-165-0x0000000002B39A6B-mapping.dmp

Download
memory/1004-164-0x0000000002B30000-0x0000000002B45000-memory.dmp

Filesize
84KB

Download
memory/1036-140-0x0000000000000000-mapping.dmp

Download
memory/1036-148-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/1036-147-0x0000000002B90000-0x0000000002CDA000-memory.dmp

Filesize
1.3MB

Download
memory/1036-146-0x0000000002B90000-0x0000000002CDA000-memory.dmp

Filesize
1.3MB

Download
memory/1156-238-0x0000000005120000-0x0000000005726000-memory.dmp

Filesize
6.0MB

Download
memory/1156-231-0x0000000000000000-mapping.dmp

Download
memory/1156-245-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/1156-246-0x0000000002752000-0x0000000002753000-memory.dmp

Filesize
4KB

Download
memory/1156-248-0x0000000002754000-0x0000000002756000-memory.dmp

Filesize
8KB

Download
memory/1156-234-0x0000000000611000-0x000000000063D000-memory.dmp

Filesize
176KB

Download
memory/1156-235-0x00000000021D0000-0x0000000002204000-memory.dmp

Filesize
208KB

Download
memory/1156-236-0x0000000004C20000-0x000000000511E000-memory.dmp

Filesize
5.0MB

Download
memory/1156-237-0x00000000023A0000-0x00000000023D2000-memory.dmp

Filesize
200KB

Download
memory/1156-247-0x0000000002753000-0x0000000002754000-memory.dmp

Filesize
4KB

Download
memory/1156-242-0x00000000001C0000-0x00000000001F9000-memory.dmp

Filesize
228KB

Download
memory/1156-243-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1156-239-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1156-241-0x0000000005730000-0x000000000576E000-memory.dmp

Filesize
248KB

Download
memory/1156-240-0x00000000027A0000-0x00000000028AA000-memory.dmp

Filesize
1.0MB

Download
memory/1156-244-0x00000000057A0000-0x00000000057EB000-memory.dmp

Filesize
300KB

Download
memory/1196-156-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1196-143-0x0000000000000000-mapping.dmp

Download
memory/1196-162-0x0000000005350000-0x000000000584E000-memory.dmp

Filesize
5.0MB

Download
memory/1196-158-0x0000000004AC0000-0x0000000004ADE000-memory.dmp

Filesize
120KB

Download
memory/1196-149-0x0000000000270000-0x00000000002FA000-memory.dmp

Filesize
552KB

Download
memory/1196-150-0x0000000000270000-0x00000000002FA000-memory.dmp

Filesize
552KB

Download
memory/1196-153-0x0000000004B00000-0x0000000004B76000-memory.dmp

Filesize
472KB

Download
memory/1196-155-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1268-157-0x0000000000000000-mapping.dmp

Download
memory/1476-199-0x0000000000000000-mapping.dmp

Download
memory/1780-194-0x0000000000000000-mapping.dmp

Download
memory/1780-196-0x0000000000550000-0x0000000000557000-memory.dmp

Filesize
28KB

Download
memory/1780-197-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/1936-160-0x0000000000000000-mapping.dmp

Download
memory/2172-223-0x0000000000CBC000-0x0000000000D19000-memory.dmp

Filesize
372KB

Download
memory/2172-225-0x0000000002670000-0x0000000002705000-memory.dmp

Filesize
596KB

Download
memory/2172-212-0x0000000000000000-mapping.dmp

Download
memory/2172-229-0x0000000002810000-0x00000000028A2000-memory.dmp

Filesize
584KB

Download
memory/2172-227-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2172-215-0x0000000000C43000-0x0000000000CB7000-memory.dmp

Filesize
464KB

Download
memory/2172-226-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2172-228-0x0000000000BD0000-0x0000000000C20000-memory.dmp

Filesize
320KB

Download
memory/2172-224-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2172-230-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2172-216-0x0000000000D30000-0x0000000000DC7000-memory.dmp

Filesize
604KB

Download
memory/2172-217-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2204-221-0x0000000000000000-mapping.dmp

Download
memory/2296-159-0x0000000000000000-mapping.dmp

Download
memory/2456-183-0x0000000005400000-0x000000000543E000-memory.dmp

Filesize
248KB

Download
memory/2456-185-0x0000000005400000-0x0000000005A06000-memory.dmp

Filesize
6.0MB

Download
memory/2456-179-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2456-174-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2456-175-0x0000000000419192-mapping.dmp

Download
memory/2456-180-0x0000000005A10000-0x0000000006016000-memory.dmp

Filesize
6.0MB

Download
memory/2456-178-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2456-182-0x0000000005510000-0x000000000561A000-memory.dmp

Filesize
1.0MB

Download
memory/2456-184-0x0000000005440000-0x000000000548B000-memory.dmp

Filesize
300KB

Download
memory/2456-181-0x0000000002F50000-0x0000000002F62000-memory.dmp

Filesize
72KB

Download
memory/2456-191-0x0000000005760000-0x00000000057D6000-memory.dmp

Filesize
472KB

Download
memory/2456-192-0x0000000005880000-0x0000000005912000-memory.dmp

Filesize
584KB

Download
memory/2456-193-0x0000000006520000-0x0000000006A1E000-memory.dmp

Filesize
5.0MB

Download
memory/2456-195-0x0000000005940000-0x000000000595E000-memory.dmp

Filesize
120KB

Download
memory/2456-198-0x0000000006320000-0x0000000006386000-memory.dmp

Filesize
408KB

Download
memory/2456-201-0x0000000006E30000-0x0000000006FF2000-memory.dmp

Filesize
1.8MB

Download
memory/2456-202-0x0000000007530000-0x0000000007A5C000-memory.dmp

Filesize
5.2MB

Download
memory/2508-222-0x0000000000000000-mapping.dmp

Download
memory/2544-200-0x0000000000000000-mapping.dmp

Download
memory/2708-208-0x00000000000A0000-0x0000000000200000-memory.dmp

Filesize
1.4MB

Download
memory/2708-211-0x0000000073A60000-0x0000000073C22000-memory.dmp

Filesize
1.8MB

Download
memory/2708-209-0x00000000013F0000-0x0000000001436000-memory.dmp

Filesize
280KB

Download
memory/2708-203-0x0000000000000000-mapping.dmp

Download
memory/2708-210-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download
memory/2708-207-0x00000000000A0000-0x0000000000200000-memory.dmp

Filesize
1.4MB

Download
memory/2708-206-0x00000000000A0000-0x0000000000200000-memory.dmp

Filesize
1.4MB

Download
memory/2720-126-0x0000000002BF0000-0x0000000002C06000-memory.dmp

Filesize
88KB

Download
memory/2720-133-0x0000000003190000-0x00000000031A6000-memory.dmp

Filesize
88KB

Download
memory/2720-119-0x0000000001280000-0x0000000001296000-memory.dmp

Filesize
88KB

Download
memory/2808-137-0x0000000002B90000-0x0000000002C3E000-memory.dmp

Filesize
696KB

Download
memory/2808-138-0x0000000002B90000-0x0000000002C3E000-memory.dmp

Filesize
696KB

Download
memory/2808-139-0x0000000000400000-0x0000000002B87000-memory.dmp

Filesize
39.5MB

Download
memory/2808-134-0x0000000000000000-mapping.dmp

Download
memory/3008-127-0x0000000000000000-mapping.dmp

Download
memory/3008-131-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3008-132-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3008-130-0x0000000000683000-0x0000000000694000-memory.dmp

Filesize
68KB

Download
memory/3180-152-0x0000000000000000-mapping.dmp

Download
memory/3236-120-0x0000000000000000-mapping.dmp

Download
memory/3240-116-0x0000000000402F47-mapping.dmp

Download
memory/3240-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3328-163-0x0000000000000000-mapping.dmp

Download
memory/3356-170-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/3356-168-0x0000000002BF0000-0x0000000002BFD000-memory.dmp

Filesize
52KB

Download
memory/3356-169-0x0000000002DB0000-0x0000000002DC3000-memory.dmp

Filesize
76KB

Download
memory/3432-151-0x0000000000000000-mapping.dmp

Download
memory/3844-118-0x00000000048A0000-0x00000000048A9000-memory.dmp

Filesize
36KB

Download
memory/3844-117-0x0000000004890000-0x0000000004898000-memory.dmp

Filesize
32KB

Download
memory/3976-190-0x0000000000520000-0x000000000058B000-memory.dmp

Filesize
428KB

Download
memory/3976-188-0x0000000000000000-mapping.dmp

Download
memory/3976-189-0x0000000000800000-0x0000000000874000-memory.dmp

Filesize
464KB

Download
memory/4020-124-0x0000000000402F47-mapping.dmp

Download