arkei | e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f

Analysis

max time kernel
151s
max time network
147s
platform
windows10_x64
resource
win10-en-20211208
submitted
09-01-2022 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe
Size

294KB
MD5

136d03813106ad7701c94b5ca4fcc6e1
SHA1

4e7e59cd8add72b4f817b6dab960414df3e462ad
SHA256

e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f
SHA512

57360299df8529d35261e9f49d6131c645251194b106cd66d2fbd5516cbe269706582d64ec0e2514f673efb0084acffe2dcccd2312f51fc1b142576741d03dab

Score

10^/10

arkei raccoon smokeloader tofsee 10da56e7e71e97bdc1f36eb76813bbc3231de7e4 backdoor collection discovery evasion persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

tofsee

patmushta.info

parubey.info

Extracted

Family

raccoon

Botnet

10da56e7e71e97bdc1f36eb76813bbc3231de7e4

Attributes

url4cnc
http://194.180.174.53/capibar
http://91.219.236.18/capibar
http://194.180.174.41/capibar
http://91.219.236.148/capibar
https://t.me/capibar

rc4.plain

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1804 created 1048 1804 WerFault.exe D44A.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

description	pid	process	target process
PID 1804 created 1048	1804	WerFault.exe	D44A.exe

Arkei Stealer Payload 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/600-139-0x0000000000400000-0x0000000002B87000-memory.dmp	family_arkei
behavioral1/memory/1760-204-0x0000000001360000-0x00000000014C0000-memory.dmp	family_arkei
behavioral1/memory/1760-205-0x0000000001360000-0x00000000014C0000-memory.dmp	family_arkei

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

1048.exe2279.exe2279.exe391F.exe4545.exe4EDB.exeoigabqyn.exe4EDB.exeBE40.exeD44A.exeFE78.exe1954.exe

pid	process
3160	1048.exe
1752	2279.exe
2892	2279.exe
600	391F.exe
2760	4545.exe
1108	4EDB.exe
2740	oigabqyn.exe
3948	4EDB.exe
1760	BE40.exe
1048	D44A.exe
1248	FE78.exe
2616	1954.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

pid process

3040
Loads dropped DLL 6 IoCs

Processes:

391F.exeBE40.exe

pid process

600 391F.exe
600 391F.exe
600 391F.exe
1760 BE40.exe
1760 BE40.exe
1760 BE40.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3040

pid	process
600	391F.exe
600	391F.exe
600	391F.exe
1760	BE40.exe
1760	BE40.exe
1760	BE40.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

BE40.exe1954.exe

pid process

1760 BE40.exe
2616 1954.exe

pid	process
1760	BE40.exe
2616	1954.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe2279.exeoigabqyn.exe4EDB.exe

description	pid	process	target process
PID 3176 set thread context of 1156	3176	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe
PID 1752 set thread context of 2892	1752	2279.exe	2279.exe
PID 2740 set thread context of 1240	2740	oigabqyn.exe	svchost.exe
PID 1108 set thread context of 3948	1108	4EDB.exe	4EDB.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1804 1048 WerFault.exe D44A.exe

pid	pid_target	process	target process
1804	1048	WerFault.exe	D44A.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe1048.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1048.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1048.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1048.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

391F.exeBE40.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	391F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	391F.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BE40.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BE40.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1540 timeout.exe
2888 timeout.exe

pid	process
1540	timeout.exe
2888	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe

pid	process
1156	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe
1156	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3040
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe1048.exe

pid process

1156 e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe
3160 1048.exe
3040
3040
3040
3040

pid	process
3040

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

4EDB.exe4EDB.exeFE78.exe1954.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeDebugPrivilege	1108	4EDB.exe
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeDebugPrivilege	3948	4EDB.exe
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeDebugPrivilege	1248	FE78.exe
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeDebugPrivilege	2616	1954.exe
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeRestorePrivilege	1804	WerFault.exe
Token: SeBackupPrivilege	1804	WerFault.exe
Token: SeDebugPrivilege	1804	WerFault.exe
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe2279.exe4545.exe4EDB.exeoigabqyn.exe

description	pid	process	target process
PID 3176 wrote to memory of 1156	3176	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe
PID 3176 wrote to memory of 1156	3176	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe
PID 3176 wrote to memory of 1156	3176	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe
PID 3176 wrote to memory of 1156	3176	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe
PID 3176 wrote to memory of 1156	3176	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe
PID 3176 wrote to memory of 1156	3176	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe	e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe
PID 3040 wrote to memory of 3160	3040		1048.exe
PID 3040 wrote to memory of 3160	3040		1048.exe
PID 3040 wrote to memory of 3160	3040		1048.exe
PID 3040 wrote to memory of 1752	3040		2279.exe
PID 3040 wrote to memory of 1752	3040		2279.exe
PID 3040 wrote to memory of 1752	3040		2279.exe
PID 1752 wrote to memory of 2892	1752	2279.exe	2279.exe
PID 1752 wrote to memory of 2892	1752	2279.exe	2279.exe
PID 1752 wrote to memory of 2892	1752	2279.exe	2279.exe
PID 1752 wrote to memory of 2892	1752	2279.exe	2279.exe
PID 1752 wrote to memory of 2892	1752	2279.exe	2279.exe
PID 1752 wrote to memory of 2892	1752	2279.exe	2279.exe
PID 3040 wrote to memory of 600	3040		391F.exe
PID 3040 wrote to memory of 600	3040		391F.exe
PID 3040 wrote to memory of 600	3040		391F.exe
PID 3040 wrote to memory of 2760	3040		4545.exe
PID 3040 wrote to memory of 2760	3040		4545.exe
PID 3040 wrote to memory of 2760	3040		4545.exe
PID 3040 wrote to memory of 1108	3040		4EDB.exe
PID 3040 wrote to memory of 1108	3040		4EDB.exe
PID 3040 wrote to memory of 1108	3040		4EDB.exe
PID 2760 wrote to memory of 2424	2760	4545.exe	cmd.exe
PID 2760 wrote to memory of 2424	2760	4545.exe	cmd.exe
PID 2760 wrote to memory of 2424	2760	4545.exe	cmd.exe
PID 2760 wrote to memory of 1296	2760	4545.exe	cmd.exe
PID 2760 wrote to memory of 1296	2760	4545.exe	cmd.exe
PID 2760 wrote to memory of 1296	2760	4545.exe	cmd.exe
PID 2760 wrote to memory of 3988	2760	4545.exe	sc.exe
PID 2760 wrote to memory of 3988	2760	4545.exe	sc.exe
PID 2760 wrote to memory of 3988	2760	4545.exe	sc.exe
PID 2760 wrote to memory of 1840	2760	4545.exe	sc.exe
PID 2760 wrote to memory of 1840	2760	4545.exe	sc.exe
PID 2760 wrote to memory of 1840	2760	4545.exe	sc.exe
PID 1108 wrote to memory of 3948	1108	4EDB.exe	4EDB.exe
PID 1108 wrote to memory of 3948	1108	4EDB.exe	4EDB.exe
PID 1108 wrote to memory of 3948	1108	4EDB.exe	4EDB.exe
PID 2760 wrote to memory of 2124	2760	4545.exe	sc.exe
PID 2760 wrote to memory of 2124	2760	4545.exe	sc.exe
PID 2760 wrote to memory of 2124	2760	4545.exe	sc.exe
PID 2760 wrote to memory of 2980	2760	4545.exe	netsh.exe
PID 2760 wrote to memory of 2980	2760	4545.exe	netsh.exe
PID 2760 wrote to memory of 2980	2760	4545.exe	netsh.exe
PID 2740 wrote to memory of 1240	2740	oigabqyn.exe	svchost.exe
PID 2740 wrote to memory of 1240	2740	oigabqyn.exe	svchost.exe
PID 2740 wrote to memory of 1240	2740	oigabqyn.exe	svchost.exe
PID 2740 wrote to memory of 1240	2740	oigabqyn.exe	svchost.exe
PID 2740 wrote to memory of 1240	2740	oigabqyn.exe	svchost.exe
PID 1108 wrote to memory of 3948	1108	4EDB.exe	4EDB.exe
PID 1108 wrote to memory of 3948	1108	4EDB.exe	4EDB.exe
PID 1108 wrote to memory of 3948	1108	4EDB.exe	4EDB.exe
PID 1108 wrote to memory of 3948	1108	4EDB.exe	4EDB.exe
PID 1108 wrote to memory of 3948	1108	4EDB.exe	4EDB.exe
PID 3040 wrote to memory of 8	3040		explorer.exe
PID 3040 wrote to memory of 8	3040		explorer.exe
PID 3040 wrote to memory of 8	3040		explorer.exe
PID 3040 wrote to memory of 8	3040		explorer.exe
PID 3040 wrote to memory of 1536	3040		explorer.exe
PID 3040 wrote to memory of 1536	3040		explorer.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe
"C:\Users\Admin\AppData\Local\Temp\e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Local\Temp\e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe
"C:\Users\Admin\AppData\Local\Temp\e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1156

C:\Users\Admin\AppData\Local\Temp\1048.exe
C:\Users\Admin\AppData\Local\Temp\1048.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3160

C:\Users\Admin\AppData\Local\Temp\2279.exe
C:\Users\Admin\AppData\Local\Temp\2279.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\2279.exe
C:\Users\Admin\AppData\Local\Temp\2279.exe
2⤵
- Executes dropped EXE
PID:2892

C:\Users\Admin\AppData\Local\Temp\391F.exe
C:\Users\Admin\AppData\Local\Temp\391F.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\391F.exe" & exit
2⤵
PID:3824

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:1540

C:\Users\Admin\AppData\Local\Temp\4545.exe
C:\Users\Admin\AppData\Local\Temp\4545.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yguvyhgx\
2⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\oigabqyn.exe" C:\Windows\SysWOW64\yguvyhgx\
2⤵
PID:1296

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create yguvyhgx binPath= "C:\Windows\SysWOW64\yguvyhgx\oigabqyn.exe /d\"C:\Users\Admin\AppData\Local\Temp\4545.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:3988

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description yguvyhgx "wifi internet conection"
2⤵
PID:1840

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start yguvyhgx
2⤵
PID:2124

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\4EDB.exe
C:\Users\Admin\AppData\Local\Temp\4EDB.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\4EDB.exe
C:\Users\Admin\AppData\Local\Temp\4EDB.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\SysWOW64\yguvyhgx\oigabqyn.exe
C:\Windows\SysWOW64\yguvyhgx\oigabqyn.exe /d"C:\Users\Admin\AppData\Local\Temp\4545.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:1240

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:8

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\BE40.exe
C:\Users\Admin\AppData\Local\Temp\BE40.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:1760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\BE40.exe" & exit
2⤵
PID:3988

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:2888

C:\Users\Admin\AppData\Local\Temp\D44A.exe
C:\Users\Admin\AppData\Local\Temp\D44A.exe
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 944
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Users\Admin\AppData\Local\Temp\FE78.exe
C:\Users\Admin\AppData\Local\Temp\FE78.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Users\Admin\AppData\Local\Temp\1954.exe
C:\Users\Admin\AppData\Local\Temp\1954.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4EDB.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\1048.exe
MD5
1f935bfff0f8128972bc69625e5b2a6c

SHA1
18db55c519bbe14311662a06faeecc97566e2afd

SHA256
2bfa0884b172c9eaff7358741c164f571f0565389ab9cf99a8e0b90ae8ad914d

SHA512
2c94c1ea43b008ce164d7cd22a2d0ff3b60a623017007a2f361bdff69ed72e97b0cc0897590be9cc56333e014cd003786741eb6bb7887590cb2aad832ea8a32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1048.exe
MD5
1f935bfff0f8128972bc69625e5b2a6c

SHA1
18db55c519bbe14311662a06faeecc97566e2afd

SHA256
2bfa0884b172c9eaff7358741c164f571f0565389ab9cf99a8e0b90ae8ad914d

SHA512
2c94c1ea43b008ce164d7cd22a2d0ff3b60a623017007a2f361bdff69ed72e97b0cc0897590be9cc56333e014cd003786741eb6bb7887590cb2aad832ea8a32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1954.exe
MD5
b035525a5300eee5d055c90964923c0b

SHA1
fc4ea5f2a58b7b70cd64f2ec0fb5cd2f1b0d8ed0

SHA256
5e2e4e6fac056fa3b75d65f72d4a4dbc4827c68708e7788102a9539305211c53

SHA512
c3358cfea800e1bdfe135758a8ae909c61ebe9a4f2e76f2bae3edbbd2830e6b0d0cc032f50a71d28d7bde2b3e3f1982a750b30f8c4098153000be8bc6c08d079

Download Submit
C:\Users\Admin\AppData\Local\Temp\1954.exe
MD5
b035525a5300eee5d055c90964923c0b

SHA1
fc4ea5f2a58b7b70cd64f2ec0fb5cd2f1b0d8ed0

SHA256
5e2e4e6fac056fa3b75d65f72d4a4dbc4827c68708e7788102a9539305211c53

SHA512
c3358cfea800e1bdfe135758a8ae909c61ebe9a4f2e76f2bae3edbbd2830e6b0d0cc032f50a71d28d7bde2b3e3f1982a750b30f8c4098153000be8bc6c08d079

Download Submit
C:\Users\Admin\AppData\Local\Temp\2279.exe
MD5
136d03813106ad7701c94b5ca4fcc6e1

SHA1
4e7e59cd8add72b4f817b6dab960414df3e462ad

SHA256
e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f

SHA512
57360299df8529d35261e9f49d6131c645251194b106cd66d2fbd5516cbe269706582d64ec0e2514f673efb0084acffe2dcccd2312f51fc1b142576741d03dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\2279.exe
MD5
136d03813106ad7701c94b5ca4fcc6e1

SHA1
4e7e59cd8add72b4f817b6dab960414df3e462ad

SHA256
e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f

SHA512
57360299df8529d35261e9f49d6131c645251194b106cd66d2fbd5516cbe269706582d64ec0e2514f673efb0084acffe2dcccd2312f51fc1b142576741d03dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\2279.exe
MD5
136d03813106ad7701c94b5ca4fcc6e1

SHA1
4e7e59cd8add72b4f817b6dab960414df3e462ad

SHA256
e9f3765c70410b3e20488f2193f77aa201f0d6657ceabdd686e6d6546615264f

SHA512
57360299df8529d35261e9f49d6131c645251194b106cd66d2fbd5516cbe269706582d64ec0e2514f673efb0084acffe2dcccd2312f51fc1b142576741d03dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\391F.exe
MD5
49761bdaf5eebc8bbbd0a13fb928c452

SHA1
f54ba146d53788dda3db7351c7c7cacebda75b43

SHA256
bf9f65ea86859da7bfbba30758bd0210f371b45fe6f764abee322b5fcb3a66e8

SHA512
e5ad04f0704f19e1e7b10d2529bfc6a4c42253abefd91abc42a2239691db3ca11dec7ddb1a13b6e70ed3e4afb5ebdf6c04fd25490c12f433fc7b5fa0a13911d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\391F.exe
MD5
49761bdaf5eebc8bbbd0a13fb928c452

SHA1
f54ba146d53788dda3db7351c7c7cacebda75b43

SHA256
bf9f65ea86859da7bfbba30758bd0210f371b45fe6f764abee322b5fcb3a66e8

SHA512
e5ad04f0704f19e1e7b10d2529bfc6a4c42253abefd91abc42a2239691db3ca11dec7ddb1a13b6e70ed3e4afb5ebdf6c04fd25490c12f433fc7b5fa0a13911d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4545.exe
MD5
b6de8a25705e5d1c22468de300ed8fcb

SHA1
3392b025ec12339ce76e15fd907b68a102e5ce43

SHA256
a8294917e63382c16d2e965316145ed9110d687ee575f7ca01f462dfc2873f31

SHA512
479af2a8fc3e0cf9ef5276485b799156d133dd59d547720655c1b2db627277ed8fcdb0a13d9293a3b75825673f415dc66fa6239d35d3dd78865ba665aeee62ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\4545.exe
MD5
b6de8a25705e5d1c22468de300ed8fcb

SHA1
3392b025ec12339ce76e15fd907b68a102e5ce43

SHA256
a8294917e63382c16d2e965316145ed9110d687ee575f7ca01f462dfc2873f31

SHA512
479af2a8fc3e0cf9ef5276485b799156d133dd59d547720655c1b2db627277ed8fcdb0a13d9293a3b75825673f415dc66fa6239d35d3dd78865ba665aeee62ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\4EDB.exe
MD5
9c40df5e45e0c3095f7b920664a902d3

SHA1
795049f091e0d3a31e7b9c1091bd62bed71fb62e

SHA256
7afbff30f47ab9d8e3fc2b67a72453161b93424f680c0caf270a57e05dd2478b

SHA512
7c7da0d86ef8ff09f63d0b63812149bbb9482075547814739b1bf3211b8df4eb366fd9ee735907cf7946ada77479771422904a2bd121839eaebb33b431805eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4EDB.exe
MD5
9c40df5e45e0c3095f7b920664a902d3

SHA1
795049f091e0d3a31e7b9c1091bd62bed71fb62e

SHA256
7afbff30f47ab9d8e3fc2b67a72453161b93424f680c0caf270a57e05dd2478b

SHA512
7c7da0d86ef8ff09f63d0b63812149bbb9482075547814739b1bf3211b8df4eb366fd9ee735907cf7946ada77479771422904a2bd121839eaebb33b431805eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4EDB.exe
MD5
9c40df5e45e0c3095f7b920664a902d3

SHA1
795049f091e0d3a31e7b9c1091bd62bed71fb62e

SHA256
7afbff30f47ab9d8e3fc2b67a72453161b93424f680c0caf270a57e05dd2478b

SHA512
7c7da0d86ef8ff09f63d0b63812149bbb9482075547814739b1bf3211b8df4eb366fd9ee735907cf7946ada77479771422904a2bd121839eaebb33b431805eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE40.exe
MD5
aec70ded586cfe6f9bae06560b0fe7a6

SHA1
8da695d69d3e3c3df85767b57c24f46576d1aeef

SHA256
a1d583650ec7dc99e6c0c4009908358518a0be5fbe7cb6e2b3a50889bb5da3a1

SHA512
14a2f13cb24652d0e3d230d5c05a90d9312ea26a7dacd81de9482fa87d7dab9b718c6af6be28ca7e747da156f136193b328cff662cd50d5f7fb8e684ead0edec

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE40.exe
MD5
aec70ded586cfe6f9bae06560b0fe7a6

SHA1
8da695d69d3e3c3df85767b57c24f46576d1aeef

SHA256
a1d583650ec7dc99e6c0c4009908358518a0be5fbe7cb6e2b3a50889bb5da3a1

SHA512
14a2f13cb24652d0e3d230d5c05a90d9312ea26a7dacd81de9482fa87d7dab9b718c6af6be28ca7e747da156f136193b328cff662cd50d5f7fb8e684ead0edec

Download Submit
C:\Users\Admin\AppData\Local\Temp\D44A.exe
MD5
c085684db882063c21f18d251679b0cc

SHA1
2b5e71123abdb276913e4438ad89f4ed1616950a

SHA256
cda92bb8e0734752dc6366275020ce48d75f95d78af9793b40512895ecd2d470

SHA512
8158aa6d5a6d2130b711671d3dac1a335b01d08118fb8ac91dc491ed17ee04cca8559b634edd4c03decbd8278709ad70db7fb0615df73f25d42242ea4b2555b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\D44A.exe
MD5
c085684db882063c21f18d251679b0cc

SHA1
2b5e71123abdb276913e4438ad89f4ed1616950a

SHA256
cda92bb8e0734752dc6366275020ce48d75f95d78af9793b40512895ecd2d470

SHA512
8158aa6d5a6d2130b711671d3dac1a335b01d08118fb8ac91dc491ed17ee04cca8559b634edd4c03decbd8278709ad70db7fb0615df73f25d42242ea4b2555b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE78.exe
MD5
63eb415c553b5c2204f1bb46213b10c4

SHA1
340e4b38773bf186749b0055c2ab3696efb61718

SHA256
0e3e2247090efb74201b9aa5a5965cdf0b1b09edc4747bc0c3515f9a4bb46023

SHA512
92fbd179c7902bdc197e493bb7f88aa1ebfe1c54910cf8f91bd0fb2ce4641caccde8cf1851eb09febadb71f18e62e600e4f20340c9a11ab18d90c450ba1d042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE78.exe
MD5
63eb415c553b5c2204f1bb46213b10c4

SHA1
340e4b38773bf186749b0055c2ab3696efb61718

SHA256
0e3e2247090efb74201b9aa5a5965cdf0b1b09edc4747bc0c3515f9a4bb46023

SHA512
92fbd179c7902bdc197e493bb7f88aa1ebfe1c54910cf8f91bd0fb2ce4641caccde8cf1851eb09febadb71f18e62e600e4f20340c9a11ab18d90c450ba1d042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oigabqyn.exe
MD5
15c6c362455d6ae9285a03b6b8f6306b

SHA1
d28985608a015a3c098702bd413967cc642d66e8

SHA256
1d413dc3835c1421f50f1be53062ad70eb9b2e17a54e7553cfb54eeecf232139

SHA512
c550527e7c35460028b7185a33f32902cd5800d1c291663d87e43a032daeb4c5ae2d1fb5af040b6a47dab6f642c40c7c0c0e422f600daacc857edc52fee9ae2a

Download Submit
C:\Windows\SysWOW64\yguvyhgx\oigabqyn.exe
MD5
15c6c362455d6ae9285a03b6b8f6306b

SHA1
d28985608a015a3c098702bd413967cc642d66e8

SHA256
1d413dc3835c1421f50f1be53062ad70eb9b2e17a54e7553cfb54eeecf232139

SHA512
c550527e7c35460028b7185a33f32902cd5800d1c291663d87e43a032daeb4c5ae2d1fb5af040b6a47dab6f642c40c7c0c0e422f600daacc857edc52fee9ae2a

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/8-185-0x00000000006D0000-0x000000000073B000-memory.dmp

Filesize
428KB

Download
memory/8-184-0x0000000000740000-0x00000000007B4000-memory.dmp

Filesize
464KB

Download
memory/8-183-0x0000000000000000-mapping.dmp

Download
memory/600-135-0x0000000000000000-mapping.dmp

Download
memory/600-140-0x0000000002B90000-0x0000000002C3E000-memory.dmp

Filesize
696KB

Download
memory/600-138-0x0000000002B90000-0x0000000002C3E000-memory.dmp

Filesize
696KB

Download
memory/600-139-0x0000000000400000-0x0000000002B87000-memory.dmp

Filesize
39.5MB

Download
memory/1048-224-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/1048-225-0x0000000000BE0000-0x0000000000C30000-memory.dmp

Filesize
320KB

Download
memory/1048-220-0x0000000000A2C000-0x0000000000A89000-memory.dmp

Filesize
372KB

Download
memory/1048-221-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/1048-222-0x0000000002650000-0x00000000026E5000-memory.dmp

Filesize
596KB

Download
memory/1048-223-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/1048-209-0x0000000000000000-mapping.dmp

Download
memory/1048-212-0x00000000009B3000-0x0000000000A27000-memory.dmp

Filesize
464KB

Download
memory/1048-214-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/1048-213-0x0000000000E10000-0x0000000000EA7000-memory.dmp

Filesize
604KB

Download
memory/1048-226-0x00000000026F0000-0x0000000002782000-memory.dmp

Filesize
584KB

Download
memory/1048-227-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/1108-147-0x0000000000CF0000-0x0000000000D7A000-memory.dmp

Filesize
552KB

Download
memory/1108-161-0x0000000005DD0000-0x00000000062CE000-memory.dmp

Filesize
5.0MB

Download
memory/1108-153-0x0000000005560000-0x00000000055D6000-memory.dmp

Filesize
472KB

Download
memory/1108-157-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1108-154-0x0000000005540000-0x000000000555E000-memory.dmp

Filesize
120KB

Download
memory/1108-148-0x0000000000CF0000-0x0000000000D7A000-memory.dmp

Filesize
552KB

Download
memory/1108-158-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/1108-144-0x0000000000000000-mapping.dmp

Download
memory/1156-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1156-116-0x0000000000402F47-mapping.dmp

Download
memory/1240-166-0x00000000029A9A6B-mapping.dmp

Download
memory/1240-165-0x00000000029A0000-0x00000000029B5000-memory.dmp

Filesize
84KB

Download
memory/1240-168-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/1240-167-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/1248-228-0x0000000000000000-mapping.dmp

Download
memory/1248-236-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1248-237-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/1248-238-0x0000000005040000-0x0000000005646000-memory.dmp

Filesize
6.0MB

Download
memory/1248-240-0x0000000004AB0000-0x0000000004AC2000-memory.dmp

Filesize
72KB

Download
memory/1248-239-0x0000000004B32000-0x0000000004B33000-memory.dmp

Filesize
4KB

Download
memory/1248-242-0x0000000005650000-0x000000000575A000-memory.dmp

Filesize
1.0MB

Download
memory/1248-235-0x00000000001C0000-0x00000000001F9000-memory.dmp

Filesize
228KB

Download
memory/1248-234-0x00000000049E0000-0x0000000004A12000-memory.dmp

Filesize
200KB

Download
memory/1248-233-0x0000000004B40000-0x000000000503E000-memory.dmp

Filesize
5.0MB

Download
memory/1248-232-0x00000000022F0000-0x0000000002324000-memory.dmp

Filesize
208KB

Download
memory/1248-244-0x0000000005760000-0x000000000579E000-memory.dmp

Filesize
248KB

Download
memory/1248-231-0x0000000000671000-0x000000000069D000-memory.dmp

Filesize
176KB

Download
memory/1248-243-0x0000000004B34000-0x0000000004B36000-memory.dmp

Filesize
8KB

Download
memory/1248-241-0x0000000004B33000-0x0000000004B34000-memory.dmp

Filesize
4KB

Download
memory/1248-245-0x00000000057A0000-0x00000000057EB000-memory.dmp

Filesize
300KB

Download
memory/1296-155-0x0000000000000000-mapping.dmp

Download
memory/1536-187-0x0000000000FD0000-0x0000000000FD7000-memory.dmp

Filesize
28KB

Download
memory/1536-186-0x0000000000000000-mapping.dmp

Download
memory/1536-188-0x0000000000FC0000-0x0000000000FCC000-memory.dmp

Filesize
48KB

Download
memory/1540-199-0x0000000000000000-mapping.dmp

Download
memory/1752-133-0x0000000002B80000-0x0000000002CCA000-memory.dmp

Filesize
1.3MB

Download
memory/1752-130-0x0000000002B80000-0x0000000002CCA000-memory.dmp

Filesize
1.3MB

Download
memory/1752-126-0x0000000000000000-mapping.dmp

Download
memory/1760-207-0x0000000073A80000-0x0000000073C42000-memory.dmp

Filesize
1.8MB

Download
memory/1760-205-0x0000000001360000-0x00000000014C0000-memory.dmp

Filesize
1.4MB

Download
memory/1760-206-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1760-203-0x0000000001360000-0x00000000014C0000-memory.dmp

Filesize
1.4MB

Download
memory/1760-208-0x00000000006F0000-0x000000000083A000-memory.dmp

Filesize
1.3MB

Download
memory/1760-204-0x0000000001360000-0x00000000014C0000-memory.dmp

Filesize
1.4MB

Download
memory/1760-200-0x0000000000000000-mapping.dmp

Download
memory/1840-160-0x0000000000000000-mapping.dmp

Download
memory/2124-162-0x0000000000000000-mapping.dmp

Download
memory/2424-152-0x0000000000000000-mapping.dmp

Download
memory/2616-250-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/2616-252-0x0000000076CD0000-0x0000000076DC1000-memory.dmp

Filesize
964KB

Download
memory/2616-251-0x0000000073A80000-0x0000000073C42000-memory.dmp

Filesize
1.8MB

Download
memory/2616-261-0x0000000074A50000-0x0000000075D98000-memory.dmp

Filesize
19.3MB

Download
memory/2616-249-0x0000000000C20000-0x0000000000D01000-memory.dmp

Filesize
900KB

Download
memory/2616-266-0x0000000071C20000-0x0000000071C6B000-memory.dmp

Filesize
300KB

Download
memory/2616-260-0x0000000073C60000-0x00000000741E4000-memory.dmp

Filesize
5.5MB

Download
memory/2616-255-0x0000000072A50000-0x0000000072AD0000-memory.dmp

Filesize
512KB

Download
memory/2616-246-0x0000000000000000-mapping.dmp

Download
memory/2616-253-0x0000000000C20000-0x0000000000D01000-memory.dmp

Filesize
900KB

Download
memory/2740-177-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/2760-141-0x0000000000000000-mapping.dmp

Download
memory/2760-151-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/2760-149-0x00000000001E0000-0x00000000001ED000-memory.dmp

Filesize
52KB

Download
memory/2760-150-0x00000000047B0000-0x00000000047C3000-memory.dmp

Filesize
76KB

Download
memory/2888-219-0x0000000000000000-mapping.dmp

Download
memory/2892-131-0x0000000000402F47-mapping.dmp

Download
memory/2980-164-0x0000000000000000-mapping.dmp

Download
memory/3040-119-0x0000000000CD0000-0x0000000000CE6000-memory.dmp

Filesize
88KB

Download
memory/3040-134-0x00000000026B0000-0x00000000026C6000-memory.dmp

Filesize
88KB

Download
memory/3160-125-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3160-124-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3160-120-0x0000000000000000-mapping.dmp

Download
memory/3176-117-0x0000000002B80000-0x0000000002C2E000-memory.dmp

Filesize
696KB

Download
memory/3176-118-0x0000000002B80000-0x0000000002C2E000-memory.dmp

Filesize
696KB

Download
memory/3824-198-0x0000000000000000-mapping.dmp

Download
memory/3948-190-0x00000000057E0000-0x0000000005872000-memory.dmp

Filesize
584KB

Download
memory/3948-189-0x0000000005760000-0x00000000057D6000-memory.dmp

Filesize
472KB

Download
memory/3948-169-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3948-170-0x0000000000419192-mapping.dmp

Download
memory/3948-173-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3948-174-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3948-175-0x00000000058F0000-0x0000000005EF6000-memory.dmp

Filesize
6.0MB

Download
memory/3948-176-0x0000000005360000-0x0000000005372000-memory.dmp

Filesize
72KB

Download
memory/3948-178-0x0000000005490000-0x000000000559A000-memory.dmp

Filesize
1.0MB

Download
memory/3948-194-0x0000000006DD0000-0x0000000006F92000-memory.dmp

Filesize
1.8MB

Download
memory/3948-179-0x00000000052E0000-0x00000000058E6000-memory.dmp

Filesize
6.0MB

Download
memory/3948-180-0x00000000053C0000-0x00000000053FE000-memory.dmp

Filesize
248KB

Download
memory/3948-181-0x0000000005400000-0x000000000544B000-memory.dmp

Filesize
300KB

Download
memory/3948-193-0x0000000006320000-0x0000000006386000-memory.dmp

Filesize
408KB

Download
memory/3948-195-0x00000000074D0000-0x00000000079FC000-memory.dmp

Filesize
5.2MB

Download
memory/3948-191-0x0000000006400000-0x00000000068FE000-memory.dmp

Filesize
5.0MB

Download
memory/3948-192-0x0000000006020000-0x000000000603E000-memory.dmp

Filesize
120KB

Download
memory/3988-159-0x0000000000000000-mapping.dmp

Download
memory/3988-218-0x0000000000000000-mapping.dmp

Download