arkei | 47785efac13a140e2b016324a9b67604bcdb58a2bd140ece780790e063f1f2c0

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-07-2022 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zxcvb.exe
Size

1.0MB
MD5

01e485104be49a9f059e6b591273bcd1
SHA1

9dd25e5caa3d591537f519f6a9d0c76e1202451f
SHA256

6887d3d4d5baa135418c2305915c56b448960d03c427f6c63c430465ddaa6547
SHA512

6cb26da4a899889aba0647ec33d6c44a2c05060c8f9753259f29fdebc6b03808d0f9262207a48026f2aef96c35a51d331c04d71fbf4d45a2405ebec8bee6f5a7

Score

10^/10

arkei azorult raccoon remcos 06192022 5f3e2ed386ddeccffbb4e34c56fc2efd default infostealer persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

raccoon

Botnet

5f3e2ed386ddeccffbb4e34c56fc2efd

http://193.106.191.146/

http://185.215.113.89/

rc4.plain

Extracted

Family

arkei

Botnet

Default

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

remcos

Botnet

06192022

nikahuve.ac.ug:6968

kalskala.ac.ug:6968

tuekisaa.ac.ug:6968

parthaha.ac.ug:6968

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
scxs.dat
keylog_flag
false
keylog_folder
forbas
keylog_path
%AppData%
mouse_option
false
mutex
cvxyttydfsgbghfgfhtd-RXTSAM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Generic Stealer Config Download Request
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15
suricata
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata
Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

Anwuqahpedbnnlsgekmacy.exeQyO73CjS.exeaW7Z2EQr.exey007f35o.exe2Lf9x14k.exey007f35o.exeoobeldr.exeoobeldr.exeoobeldr.exeoobeldr.exeoobeldr.exe

pid	process
4792	Anwuqahpedbnnlsgekmacy.exe
1940	QyO73CjS.exe
344	aW7Z2EQr.exe
1888	y007f35o.exe
3908	2Lf9x14k.exe
4840	y007f35o.exe
2072	oobeldr.exe
1568	oobeldr.exe
2096	oobeldr.exe
2524	oobeldr.exe
1724	oobeldr.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

zxcvb.exeQyO73CjS.exeaW7Z2EQr.exe2Lf9x14k.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	zxcvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	QyO73CjS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	aW7Z2EQr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	2Lf9x14k.exe

Loads dropped DLL 5 IoCs

Processes:

InstallUtil.exeInstallUtil.exe

pid process

1424 InstallUtil.exe
1424 InstallUtil.exe
1424 InstallUtil.exe
3176 InstallUtil.exe
3176 InstallUtil.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1424	InstallUtil.exe
1424	InstallUtil.exe
1424	InstallUtil.exe
3176	InstallUtil.exe
3176	InstallUtil.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aW7Z2EQr.exe2Lf9x14k.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dwdsyugg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Lwwaqb\\Dwdsyugg.exe\""	aW7Z2EQr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qerdo = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ppjollp\\Qerdo.exe\""	2Lf9x14k.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

zxcvb.exeAnwuqahpedbnnlsgekmacy.exeQyO73CjS.exey007f35o.exeaW7Z2EQr.exe2Lf9x14k.exeoobeldr.exeoobeldr.exe

description	pid	process	target process
PID 4972 set thread context of 1424	4972	zxcvb.exe	InstallUtil.exe
PID 4792 set thread context of 3176	4792	Anwuqahpedbnnlsgekmacy.exe	InstallUtil.exe
PID 1940 set thread context of 3708	1940	QyO73CjS.exe	InstallUtil.exe
PID 1888 set thread context of 4840	1888	y007f35o.exe	y007f35o.exe
PID 344 set thread context of 3164	344	aW7Z2EQr.exe	InstallUtil.exe
PID 3908 set thread context of 4832	3908	2Lf9x14k.exe	InstallUtil.exe
PID 2072 set thread context of 2096	2072	oobeldr.exe	oobeldr.exe
PID 2524 set thread context of 1724	2524	oobeldr.exe	oobeldr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2260 3176 WerFault.exe InstallUtil.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5116 schtasks.exe
1468 schtasks.exe

pid	pid_target	process	target process
2260	3176	WerFault.exe	InstallUtil.exe

pid	process
5116	schtasks.exe
1468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

zxcvb.exeAnwuqahpedbnnlsgekmacy.exeQyO73CjS.exey007f35o.exepowershell.exepowershell.exeaW7Z2EQr.exe2Lf9x14k.exeInstallUtil.exeoobeldr.exeoobeldr.exe

pid	process
4972	zxcvb.exe
4972	zxcvb.exe
4972	zxcvb.exe
4972	zxcvb.exe
4972	zxcvb.exe
4972	zxcvb.exe
4792	Anwuqahpedbnnlsgekmacy.exe
4792	Anwuqahpedbnnlsgekmacy.exe
4792	Anwuqahpedbnnlsgekmacy.exe
4792	Anwuqahpedbnnlsgekmacy.exe
4792	Anwuqahpedbnnlsgekmacy.exe
4792	Anwuqahpedbnnlsgekmacy.exe
1940	QyO73CjS.exe
1940	QyO73CjS.exe
1888	y007f35o.exe
1888	y007f35o.exe
1900	powershell.exe
1900	powershell.exe
4872	powershell.exe
4872	powershell.exe
344	aW7Z2EQr.exe
344	aW7Z2EQr.exe
3908	2Lf9x14k.exe
3908	2Lf9x14k.exe
3908	2Lf9x14k.exe
3908	2Lf9x14k.exe
3908	2Lf9x14k.exe
3908	2Lf9x14k.exe
3908	2Lf9x14k.exe
3908	2Lf9x14k.exe
3908	2Lf9x14k.exe
3908	2Lf9x14k.exe
3908	2Lf9x14k.exe
3908	2Lf9x14k.exe
3908	2Lf9x14k.exe
3908	2Lf9x14k.exe
3164	InstallUtil.exe
3164	InstallUtil.exe
2072	oobeldr.exe
2072	oobeldr.exe
2072	oobeldr.exe
2072	oobeldr.exe
2072	oobeldr.exe
2072	oobeldr.exe
3164	InstallUtil.exe
3164	InstallUtil.exe
3164	InstallUtil.exe
3164	InstallUtil.exe
2524	oobeldr.exe
2524	oobeldr.exe
3164	InstallUtil.exe
3164	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

zxcvb.exeAnwuqahpedbnnlsgekmacy.exey007f35o.exeaW7Z2EQr.exe2Lf9x14k.exepowershell.exepowershell.exeInstallUtil.exeoobeldr.exeoobeldr.exe

description	pid	process
Token: SeDebugPrivilege	4972	zxcvb.exe
Token: SeDebugPrivilege	4792	Anwuqahpedbnnlsgekmacy.exe
Token: SeDebugPrivilege	1888	y007f35o.exe
Token: SeDebugPrivilege	344	aW7Z2EQr.exe
Token: SeDebugPrivilege	3908	2Lf9x14k.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	3164	InstallUtil.exe
Token: SeDebugPrivilege	2072	oobeldr.exe
Token: SeDebugPrivilege	2524	oobeldr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid process

4832 InstallUtil.exe

pid	process
4832	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

zxcvb.exeAnwuqahpedbnnlsgekmacy.exeInstallUtil.exeQyO73CjS.exey007f35o.exeaW7Z2EQr.exey007f35o.exe2Lf9x14k.exe

description	pid	process	target process
PID 4972 wrote to memory of 4792	4972	zxcvb.exe	Anwuqahpedbnnlsgekmacy.exe
PID 4972 wrote to memory of 4792	4972	zxcvb.exe	Anwuqahpedbnnlsgekmacy.exe
PID 4972 wrote to memory of 4792	4972	zxcvb.exe	Anwuqahpedbnnlsgekmacy.exe
PID 4972 wrote to memory of 2072	4972	zxcvb.exe	InstallUtil.exe
PID 4972 wrote to memory of 2072	4972	zxcvb.exe	InstallUtil.exe
PID 4972 wrote to memory of 2072	4972	zxcvb.exe	InstallUtil.exe
PID 4972 wrote to memory of 1424	4972	zxcvb.exe	InstallUtil.exe
PID 4972 wrote to memory of 1424	4972	zxcvb.exe	InstallUtil.exe
PID 4972 wrote to memory of 1424	4972	zxcvb.exe	InstallUtil.exe
PID 4972 wrote to memory of 1424	4972	zxcvb.exe	InstallUtil.exe
PID 4972 wrote to memory of 1424	4972	zxcvb.exe	InstallUtil.exe
PID 4972 wrote to memory of 1424	4972	zxcvb.exe	InstallUtil.exe
PID 4972 wrote to memory of 1424	4972	zxcvb.exe	InstallUtil.exe
PID 4972 wrote to memory of 1424	4972	zxcvb.exe	InstallUtil.exe
PID 4972 wrote to memory of 1424	4972	zxcvb.exe	InstallUtil.exe
PID 4792 wrote to memory of 4140	4792	Anwuqahpedbnnlsgekmacy.exe	InstallUtil.exe
PID 4792 wrote to memory of 4140	4792	Anwuqahpedbnnlsgekmacy.exe	InstallUtil.exe
PID 4792 wrote to memory of 4140	4792	Anwuqahpedbnnlsgekmacy.exe	InstallUtil.exe
PID 4792 wrote to memory of 3176	4792	Anwuqahpedbnnlsgekmacy.exe	InstallUtil.exe
PID 4792 wrote to memory of 3176	4792	Anwuqahpedbnnlsgekmacy.exe	InstallUtil.exe
PID 4792 wrote to memory of 3176	4792	Anwuqahpedbnnlsgekmacy.exe	InstallUtil.exe
PID 4792 wrote to memory of 3176	4792	Anwuqahpedbnnlsgekmacy.exe	InstallUtil.exe
PID 4792 wrote to memory of 3176	4792	Anwuqahpedbnnlsgekmacy.exe	InstallUtil.exe
PID 4792 wrote to memory of 3176	4792	Anwuqahpedbnnlsgekmacy.exe	InstallUtil.exe
PID 4792 wrote to memory of 3176	4792	Anwuqahpedbnnlsgekmacy.exe	InstallUtil.exe
PID 4792 wrote to memory of 3176	4792	Anwuqahpedbnnlsgekmacy.exe	InstallUtil.exe
PID 4792 wrote to memory of 3176	4792	Anwuqahpedbnnlsgekmacy.exe	InstallUtil.exe
PID 4792 wrote to memory of 3176	4792	Anwuqahpedbnnlsgekmacy.exe	InstallUtil.exe
PID 1424 wrote to memory of 1940	1424	InstallUtil.exe	QyO73CjS.exe
PID 1424 wrote to memory of 1940	1424	InstallUtil.exe	QyO73CjS.exe
PID 1424 wrote to memory of 1940	1424	InstallUtil.exe	QyO73CjS.exe
PID 1424 wrote to memory of 344	1424	InstallUtil.exe	aW7Z2EQr.exe
PID 1424 wrote to memory of 344	1424	InstallUtil.exe	aW7Z2EQr.exe
PID 1424 wrote to memory of 1888	1424	InstallUtil.exe	y007f35o.exe
PID 1424 wrote to memory of 1888	1424	InstallUtil.exe	y007f35o.exe
PID 1424 wrote to memory of 1888	1424	InstallUtil.exe	y007f35o.exe
PID 1424 wrote to memory of 3908	1424	InstallUtil.exe	2Lf9x14k.exe
PID 1424 wrote to memory of 3908	1424	InstallUtil.exe	2Lf9x14k.exe
PID 1424 wrote to memory of 3908	1424	InstallUtil.exe	2Lf9x14k.exe
PID 1940 wrote to memory of 3708	1940	QyO73CjS.exe	InstallUtil.exe
PID 1940 wrote to memory of 3708	1940	QyO73CjS.exe	InstallUtil.exe
PID 1940 wrote to memory of 3708	1940	QyO73CjS.exe	InstallUtil.exe
PID 1888 wrote to memory of 4840	1888	y007f35o.exe	y007f35o.exe
PID 1888 wrote to memory of 4840	1888	y007f35o.exe	y007f35o.exe
PID 1888 wrote to memory of 4840	1888	y007f35o.exe	y007f35o.exe
PID 1940 wrote to memory of 3708	1940	QyO73CjS.exe	InstallUtil.exe
PID 1940 wrote to memory of 3708	1940	QyO73CjS.exe	InstallUtil.exe
PID 1940 wrote to memory of 3708	1940	QyO73CjS.exe	InstallUtil.exe
PID 1940 wrote to memory of 3708	1940	QyO73CjS.exe	InstallUtil.exe
PID 1940 wrote to memory of 3708	1940	QyO73CjS.exe	InstallUtil.exe
PID 1940 wrote to memory of 3708	1940	QyO73CjS.exe	InstallUtil.exe
PID 1888 wrote to memory of 4840	1888	y007f35o.exe	y007f35o.exe
PID 1888 wrote to memory of 4840	1888	y007f35o.exe	y007f35o.exe
PID 1888 wrote to memory of 4840	1888	y007f35o.exe	y007f35o.exe
PID 1888 wrote to memory of 4840	1888	y007f35o.exe	y007f35o.exe
PID 344 wrote to memory of 1900	344	aW7Z2EQr.exe	powershell.exe
PID 344 wrote to memory of 1900	344	aW7Z2EQr.exe	powershell.exe
PID 1888 wrote to memory of 4840	1888	y007f35o.exe	y007f35o.exe
PID 4840 wrote to memory of 5116	4840	y007f35o.exe	schtasks.exe
PID 4840 wrote to memory of 5116	4840	y007f35o.exe	schtasks.exe
PID 4840 wrote to memory of 5116	4840	y007f35o.exe	schtasks.exe
PID 3908 wrote to memory of 4872	3908	2Lf9x14k.exe	powershell.exe
PID 3908 wrote to memory of 4872	3908	2Lf9x14k.exe	powershell.exe
PID 3908 wrote to memory of 4872	3908	2Lf9x14k.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\Anwuqahpedbnnlsgekmacy.exe
"C:\Users\Admin\AppData\Local\Temp\Anwuqahpedbnnlsgekmacy.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
PID:4140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
- Loads dropped DLL
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 1360
4⤵
- Program crash
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\QyO73CjS.exe
"C:\Users\Admin\AppData\Local\Temp\QyO73CjS.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\aW7Z2EQr.exe
"C:\Users\Admin\AppData\Local\Temp\aW7Z2EQr.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Users\Admin\AppData\Local\Temp\y007f35o.exe
"C:\Users\Admin\AppData\Local\Temp\y007f35o.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\y007f35o.exe
C:\Users\Admin\AppData\Local\Temp\y007f35o.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
5⤵
- Creates scheduled task(s)
PID:5116

C:\Users\Admin\AppData\Local\Temp\2Lf9x14k.exe
"C:\Users\Admin\AppData\Local\Temp\2Lf9x14k.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:4404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:4088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:1420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Suspicious use of SetWindowsHookEx
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3176 -ip 3176
1⤵
PID:1668

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
2⤵
- Executes dropped EXE
PID:1568

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
2⤵
- Executes dropped EXE
PID:2096

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
3⤵
- Creates scheduled task(s)
PID:1468

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
2⤵
- Executes dropped EXE
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log
Filesize
805B

MD5
30afe21576e1624b2aeb7db78fe71000

SHA1
1b42524960ab5f8ef3495429c8f0858bd947b504

SHA256
bd1a22f1c51755acd77bd1743ff4c3c458818d6ebc42ec9c2305ee572592f404

SHA512
75a43af00fa23a8a5cc4aac181141546abd79b29f7387aa7d3c40c15cf0658527bbf804e5e3e1f5c25d2bb4ccaf6d1396b6525cbcf5bdf0cdc19fa5af6d0b5a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
68c13ed915f99f6af73c92145bb48cb1

SHA1
9e71b0fda2b6643a65fc10ee9d7a4d2052365512

SHA256
b71d8118d8085047f0ee8cea5eddc9923eaaa769a7eb14d92668254e9579f32d

SHA512
3173e0eb81608bdf7aa7ae1e164a48758c4505de42812f08421af16e74a7c8acc68d34e20f057d9d8216f9684a0901c0cda1fb26f5a95954694d3e53eaf0a59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Lf9x14k.exe
Filesize
718KB

MD5
972334f0c55d0aeab0b32efe41ea3470

SHA1
e9097b5cd1f976ecaf0accedf14f1d22bd72e6fa

SHA256
eb91bf1e2eb3877f0942cef113bb0fb76e2c2fd2c2651dbf09f6da6df649e8fb

SHA512
df120f43fa17b2c37ad6d31e528495241146420cd017c18116bd074498cef3834f408c50d289f8bdce2955c464664a6c446800cb7b55c1461fb3cc0accc7fe10

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Lf9x14k.exe
Filesize
718KB

MD5
972334f0c55d0aeab0b32efe41ea3470

SHA1
e9097b5cd1f976ecaf0accedf14f1d22bd72e6fa

SHA256
eb91bf1e2eb3877f0942cef113bb0fb76e2c2fd2c2651dbf09f6da6df649e8fb

SHA512
df120f43fa17b2c37ad6d31e528495241146420cd017c18116bd074498cef3834f408c50d289f8bdce2955c464664a6c446800cb7b55c1461fb3cc0accc7fe10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anwuqahpedbnnlsgekmacy.exe
Filesize
576KB

MD5
6033fc2cf6e73f5ca5cf76206d4f2232

SHA1
a01fae21dfd9319f332c3cb717f8a8467514e8ce

SHA256
eaa5fb40a306c308eead3848fe6b4c16c7b271ddc63a89cc876b54248f8b1d08

SHA512
795df2b76dd23c09e5e90d1b5f2f4b88d1be8b44eb072001fb1bdfca210a6106a38cdafdc4df4e429f7acbbf5c8be3fe093e906280571acbf4458c9c6563233a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anwuqahpedbnnlsgekmacy.exe
Filesize
576KB

MD5
6033fc2cf6e73f5ca5cf76206d4f2232

SHA1
a01fae21dfd9319f332c3cb717f8a8467514e8ce

SHA256
eaa5fb40a306c308eead3848fe6b4c16c7b271ddc63a89cc876b54248f8b1d08

SHA512
795df2b76dd23c09e5e90d1b5f2f4b88d1be8b44eb072001fb1bdfca210a6106a38cdafdc4df4e429f7acbbf5c8be3fe093e906280571acbf4458c9c6563233a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QyO73CjS.exe
Filesize
519KB

MD5
aebcc14e15e4194c659d5dd4b84e1e77

SHA1
6505e129f5fac5e192e14153763827d07e1674db

SHA256
885e232a7bfad8cdbe87ebe9716534d4f5572142eaf8666d87a9bd7688e009a0

SHA512
66eddd815a7f397e4d5197f47cda58f59c66d024f55936118853c074b02d3a759a00af21281bd9fcd9f3dca09600be3f8e1797762b138182187c8f90b915dfa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QyO73CjS.exe
Filesize
519KB

MD5
aebcc14e15e4194c659d5dd4b84e1e77

SHA1
6505e129f5fac5e192e14153763827d07e1674db

SHA256
885e232a7bfad8cdbe87ebe9716534d4f5572142eaf8666d87a9bd7688e009a0

SHA512
66eddd815a7f397e4d5197f47cda58f59c66d024f55936118853c074b02d3a759a00af21281bd9fcd9f3dca09600be3f8e1797762b138182187c8f90b915dfa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aW7Z2EQr.exe
Filesize
933KB

MD5
808c44b1b4e11b8b5428c05de17884c7

SHA1
7ae0a547f38f21b6035e1726bd4700d963ceb8a2

SHA256
70199c37ff74d3feebd76f55ef786284132979a9b8f14bf1180d1f6b30ebb6a3

SHA512
eeb85c7b758e24c5a9ab9b44cc8a80b41a5b488504e4a302a653dd077f7518e7d992319a41debfd429b6fadd2f1345fc23e5f5f409c11578b79b5f43b6fbe008

Download Submit
C:\Users\Admin\AppData\Local\Temp\aW7Z2EQr.exe
Filesize
933KB

MD5
808c44b1b4e11b8b5428c05de17884c7

SHA1
7ae0a547f38f21b6035e1726bd4700d963ceb8a2

SHA256
70199c37ff74d3feebd76f55ef786284132979a9b8f14bf1180d1f6b30ebb6a3

SHA512
eeb85c7b758e24c5a9ab9b44cc8a80b41a5b488504e4a302a653dd077f7518e7d992319a41debfd429b6fadd2f1345fc23e5f5f409c11578b79b5f43b6fbe008

Download Submit
C:\Users\Admin\AppData\Local\Temp\y007f35o.exe
Filesize
468KB

MD5
b86dba3da19c4c8c3b1ff11a254cf614

SHA1
1327650ce7ee98a1c60245d5e7151f880ec7f6a8

SHA256
b227ba29bda37f89b315c06f77ae46f0ca0558fb4e3bd1f35f0565af8a758c45

SHA512
4018fe1b7bfc9fc815112be44fbaa96747d5f8e58816291c4fba1bb0768ed64bc4d8eea3b009ff6aeab88981fa23fbaad74f17f5dedc5eb4b11ebd3d5a67d3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\y007f35o.exe
Filesize
468KB

MD5
b86dba3da19c4c8c3b1ff11a254cf614

SHA1
1327650ce7ee98a1c60245d5e7151f880ec7f6a8

SHA256
b227ba29bda37f89b315c06f77ae46f0ca0558fb4e3bd1f35f0565af8a758c45

SHA512
4018fe1b7bfc9fc815112be44fbaa96747d5f8e58816291c4fba1bb0768ed64bc4d8eea3b009ff6aeab88981fa23fbaad74f17f5dedc5eb4b11ebd3d5a67d3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\y007f35o.exe
Filesize
468KB

MD5
b86dba3da19c4c8c3b1ff11a254cf614

SHA1
1327650ce7ee98a1c60245d5e7151f880ec7f6a8

SHA256
b227ba29bda37f89b315c06f77ae46f0ca0558fb4e3bd1f35f0565af8a758c45

SHA512
4018fe1b7bfc9fc815112be44fbaa96747d5f8e58816291c4fba1bb0768ed64bc4d8eea3b009ff6aeab88981fa23fbaad74f17f5dedc5eb4b11ebd3d5a67d3e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
468KB

MD5
b86dba3da19c4c8c3b1ff11a254cf614

SHA1
1327650ce7ee98a1c60245d5e7151f880ec7f6a8

SHA256
b227ba29bda37f89b315c06f77ae46f0ca0558fb4e3bd1f35f0565af8a758c45

SHA512
4018fe1b7bfc9fc815112be44fbaa96747d5f8e58816291c4fba1bb0768ed64bc4d8eea3b009ff6aeab88981fa23fbaad74f17f5dedc5eb4b11ebd3d5a67d3e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
468KB

MD5
b86dba3da19c4c8c3b1ff11a254cf614

SHA1
1327650ce7ee98a1c60245d5e7151f880ec7f6a8

SHA256
b227ba29bda37f89b315c06f77ae46f0ca0558fb4e3bd1f35f0565af8a758c45

SHA512
4018fe1b7bfc9fc815112be44fbaa96747d5f8e58816291c4fba1bb0768ed64bc4d8eea3b009ff6aeab88981fa23fbaad74f17f5dedc5eb4b11ebd3d5a67d3e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
468KB

MD5
b86dba3da19c4c8c3b1ff11a254cf614

SHA1
1327650ce7ee98a1c60245d5e7151f880ec7f6a8

SHA256
b227ba29bda37f89b315c06f77ae46f0ca0558fb4e3bd1f35f0565af8a758c45

SHA512
4018fe1b7bfc9fc815112be44fbaa96747d5f8e58816291c4fba1bb0768ed64bc4d8eea3b009ff6aeab88981fa23fbaad74f17f5dedc5eb4b11ebd3d5a67d3e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
468KB

MD5
b86dba3da19c4c8c3b1ff11a254cf614

SHA1
1327650ce7ee98a1c60245d5e7151f880ec7f6a8

SHA256
b227ba29bda37f89b315c06f77ae46f0ca0558fb4e3bd1f35f0565af8a758c45

SHA512
4018fe1b7bfc9fc815112be44fbaa96747d5f8e58816291c4fba1bb0768ed64bc4d8eea3b009ff6aeab88981fa23fbaad74f17f5dedc5eb4b11ebd3d5a67d3e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
468KB

MD5
b86dba3da19c4c8c3b1ff11a254cf614

SHA1
1327650ce7ee98a1c60245d5e7151f880ec7f6a8

SHA256
b227ba29bda37f89b315c06f77ae46f0ca0558fb4e3bd1f35f0565af8a758c45

SHA512
4018fe1b7bfc9fc815112be44fbaa96747d5f8e58816291c4fba1bb0768ed64bc4d8eea3b009ff6aeab88981fa23fbaad74f17f5dedc5eb4b11ebd3d5a67d3e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
468KB

MD5
b86dba3da19c4c8c3b1ff11a254cf614

SHA1
1327650ce7ee98a1c60245d5e7151f880ec7f6a8

SHA256
b227ba29bda37f89b315c06f77ae46f0ca0558fb4e3bd1f35f0565af8a758c45

SHA512
4018fe1b7bfc9fc815112be44fbaa96747d5f8e58816291c4fba1bb0768ed64bc4d8eea3b009ff6aeab88981fa23fbaad74f17f5dedc5eb4b11ebd3d5a67d3e4

Download Submit
memory/344-223-0x00007FFE2E4C0000-0x00007FFE2EF81000-memory.dmp

Filesize
10.8MB

Download
memory/344-157-0x0000000000000000-mapping.dmp

Download
memory/344-218-0x00007FFE2E4C0000-0x00007FFE2EF81000-memory.dmp

Filesize
10.8MB

Download
memory/344-169-0x00007FFE2E4C0000-0x00007FFE2EF81000-memory.dmp

Filesize
10.8MB

Download
memory/344-160-0x000001F3F0400000-0x000001F3F04EE000-memory.dmp

Filesize
952KB

Download
memory/1420-236-0x0000000000000000-mapping.dmp

Download
memory/1424-168-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1424-141-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1424-152-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1424-138-0x0000000000000000-mapping.dmp

Download
memory/1424-139-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1424-142-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1468-253-0x0000000000000000-mapping.dmp

Download
memory/1568-246-0x0000000000000000-mapping.dmp

Download
memory/1724-256-0x0000000000000000-mapping.dmp

Download
memory/1888-164-0x0000000000150000-0x00000000001CC000-memory.dmp

Filesize
496KB

Download
memory/1888-161-0x0000000000000000-mapping.dmp

Download
memory/1900-219-0x00007FFE2E4C0000-0x00007FFE2EF81000-memory.dmp

Filesize
10.8MB

Download
memory/1900-186-0x0000021C1AF00000-0x0000021C1AF22000-memory.dmp

Filesize
136KB

Download
memory/1900-176-0x0000000000000000-mapping.dmp

Download
memory/1900-185-0x00007FFE2E4C0000-0x00007FFE2EF81000-memory.dmp

Filesize
10.8MB

Download
memory/1900-220-0x00007FFE2E4C0000-0x00007FFE2EF81000-memory.dmp

Filesize
10.8MB

Download
memory/1940-156-0x0000000000E70000-0x0000000000EF8000-memory.dmp

Filesize
544KB

Download
memory/1940-153-0x0000000000000000-mapping.dmp

Download
memory/2072-137-0x0000000000000000-mapping.dmp

Download
memory/2096-248-0x0000000000000000-mapping.dmp

Download
memory/3164-222-0x0000000140000000-mapping.dmp

Download
memory/3164-221-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/3164-242-0x00007FFE2E4C0000-0x00007FFE2EF81000-memory.dmp

Filesize
10.8MB

Download
memory/3164-224-0x00007FFE2E4C0000-0x00007FFE2EF81000-memory.dmp

Filesize
10.8MB

Download
memory/3176-192-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/3176-144-0x0000000000000000-mapping.dmp

Download
memory/3176-145-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3176-147-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3176-148-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3176-217-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3708-187-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3708-171-0x0000000000000000-mapping.dmp

Download
memory/3708-173-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3708-175-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3708-182-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3908-170-0x0000000000550000-0x000000000060A000-memory.dmp

Filesize
744KB

Download
memory/3908-165-0x0000000000000000-mapping.dmp

Download
memory/4088-235-0x0000000000000000-mapping.dmp

Download
memory/4140-143-0x0000000000000000-mapping.dmp

Download
memory/4404-234-0x0000000000000000-mapping.dmp

Download
memory/4792-135-0x0000000000520000-0x00000000005B6000-memory.dmp

Filesize
600KB

Download
memory/4792-132-0x0000000000000000-mapping.dmp

Download
memory/4832-243-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4832-241-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4832-238-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4832-237-0x0000000000000000-mapping.dmp

Download
memory/4832-239-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4832-240-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4840-183-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4840-180-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4840-172-0x0000000000000000-mapping.dmp

Download
memory/4840-177-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4872-193-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/4872-189-0x0000000004E20000-0x0000000005448000-memory.dmp

Filesize
6.2MB

Download
memory/4872-227-0x0000000006EB0000-0x0000000006ECE000-memory.dmp

Filesize
120KB

Download
memory/4872-226-0x0000000071050000-0x000000007109C000-memory.dmp

Filesize
304KB

Download
memory/4872-225-0x0000000006ED0000-0x0000000006F02000-memory.dmp

Filesize
200KB

Download
memory/4872-216-0x00000000061A0000-0x00000000061BA000-memory.dmp

Filesize
104KB

Download
memory/4872-215-0x00000000072F0000-0x000000000796A000-memory.dmp

Filesize
6.5MB

Download
memory/4872-212-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

Filesize
120KB

Download
memory/4872-191-0x00000000054C0000-0x0000000005526000-memory.dmp

Filesize
408KB

Download
memory/4872-231-0x0000000007230000-0x000000000724A000-memory.dmp

Filesize
104KB

Download
memory/4872-190-0x0000000004CE0000-0x0000000004D02000-memory.dmp

Filesize
136KB

Download
memory/4872-228-0x0000000007010000-0x000000000701A000-memory.dmp

Filesize
40KB

Download
memory/4872-188-0x00000000026B0000-0x00000000026E6000-memory.dmp

Filesize
216KB

Download
memory/4872-184-0x0000000000000000-mapping.dmp

Download
memory/4872-232-0x0000000007210000-0x0000000007218000-memory.dmp

Filesize
32KB

Download
memory/4872-230-0x00000000071C0000-0x00000000071CE000-memory.dmp

Filesize
56KB

Download
memory/4872-229-0x0000000007250000-0x00000000072E6000-memory.dmp

Filesize
600KB

Download
memory/4972-130-0x0000000000550000-0x000000000065C000-memory.dmp

Filesize
1.0MB

Download
memory/4972-136-0x00000000065C0000-0x0000000006652000-memory.dmp

Filesize
584KB

Download
memory/4972-131-0x0000000005550000-0x0000000005AF4000-memory.dmp

Filesize
5.6MB

Download
memory/5116-181-0x0000000000000000-mapping.dmp

Download