redline | 0d6d2da308144214650b23d40f7839e5f31af3ed42cdac6f3bad9ed9875451ae

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2022 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d6d2da308144214650b23d40f7839e5f31af3ed42cdac6f3bad9ed9875451ae.exe
Size

172KB
MD5

55cb68320852bb8e5c0ce289c7b35525
SHA1

526b65e87a19d7bf97d15a63eb37fe0a1b4f381e
SHA256

0d6d2da308144214650b23d40f7839e5f31af3ed42cdac6f3bad9ed9875451ae
SHA512

9436245760cdb13639e365993dd1c39767225ce3151b5d54abe579a30f658df8e4bf69cd6c98fb7a5da0d90d29c37c5e0d463958b28145f1e75e2b3b9f928a3c
SSDEEP

3072:9OtlftcLZ/BKst/xRoIlR+0vZV4lF1Mcwr/Xs:YuLZ/BKsBn+0RaxHw

Score

10^/10

redline smokeloader 123 google2 backdoor discovery evasion infostealer persistence spyware stealer themida trojan upx

Malware Config

Extracted

Family

redline

Botnet

123

78.153.144.3:2510

Attributes

auth_value
cd6abb0af211bce081d7bf127cc26835

Extracted

Family

redline

Botnet

Google2

167.235.71.14:20469

Attributes

auth_value
fb274d9691235ba015830da570a13578

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1680-145-0x00000000001E0000-0x00000000001E9000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3052-240-0x0000000002310000-0x000000000234E000-memory.dmp	family_redline
behavioral1/memory/3052-247-0x00000000027D0000-0x000000000280C000-memory.dmp	family_redline
behavioral1/memory/1616-852-0x00000000004221AE-mapping.dmp	family_redline
behavioral1/memory/3032-851-0x0000000000A10000-0x0000000000A49000-memory.dmp	family_redline
behavioral1/memory/1616-888-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

BrowserUpdate.exe4B36.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BrowserUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4B36.exe

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

DCB.exe13D7.exeEAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe1EA6.exe2260.exeLYKAA.exe4B36.exe5BE0.exe1EA6.exeBrowser Update.exeBrowserUpdate.exe

pid	process
3032	DCB.exe
4820	13D7.exe
5080	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
4372	1EA6.exe
3052	2260.exe
4908	LYKAA.exe
4944	4B36.exe
4728	5BE0.exe
4808	1EA6.exe
2312	Browser Update.exe
4812	BrowserUpdate.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1752-358-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral1/memory/1752-418-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BrowserUpdate.exe4B36.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BrowserUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4B36.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4B36.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BrowserUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BrowserUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\International\Geo\Nation	BrowserUpdate.exe

Deletes itself 1 IoCs

Processes:

pid process

3012
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3012

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4B36.exe	themida
behavioral1/memory/4944-275-0x0000000000B10000-0x0000000000FA5000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\4B36.exe	themida
behavioral1/memory/4944-504-0x0000000000B10000-0x0000000000FA5000-memory.dmp	themida
C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe	themida
C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe	themida
behavioral1/memory/4812-764-0x00000000001C0000-0x0000000000BA6000-memory.dmp	themida
behavioral1/memory/4944-777-0x0000000000B10000-0x0000000000FA5000-memory.dmp	themida
behavioral1/memory/4812-838-0x00000000001C0000-0x0000000000BA6000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Browser Update.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Browser Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google LLC = "C:\\Program Files\\Google\\Chrome\\Application\\BrowserUpdate.exe -l google.sup1@yahoo.com"	Browser Update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

4B36.exeBrowserUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4B36.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BrowserUpdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 4 IoCs

Processes:

5BE0.exe1EA6.exeLYKAA.exeDCB.exe

description	pid	process	target process
PID 4728 set thread context of 1752	4728	5BE0.exe	RegSvcs.exe
PID 4372 set thread context of 4808	4372	1EA6.exe	1EA6.exe
PID 4908 set thread context of 1972	4908	LYKAA.exe	vbc.exe
PID 3032 set thread context of 1616	3032	DCB.exe	vbc.exe

Drops file in Program Files directory 1 IoCs

Processes:

Browser Update.exe

description ioc process

File opened for modification C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe Browser Update.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4704 4808 WerFault.exe 1EA6.exe
2200 3032 WerFault.exe DCB.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe	Browser Update.exe

pid	pid_target	process	target process
4704	4808	WerFault.exe	1EA6.exe
2200	3032	WerFault.exe	DCB.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0d6d2da308144214650b23d40f7839e5f31af3ed42cdac6f3bad9ed9875451ae.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0d6d2da308144214650b23d40f7839e5f31af3ed42cdac6f3bad9ed9875451ae.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0d6d2da308144214650b23d40f7839e5f31af3ed42cdac6f3bad9ed9875451ae.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0d6d2da308144214650b23d40f7839e5f31af3ed42cdac6f3bad9ed9875451ae.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

384 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2320 timeout.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 75 Go-http-client/1.1

pid	process
384	schtasks.exe

pid	process
2320	timeout.exe

description	flow	ioc
HTTP User-Agent header	75	Go-http-client/1.1

Modifies registry class 3 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0d6d2da308144214650b23d40f7839e5f31af3ed42cdac6f3bad9ed9875451ae.exe

pid	process
1680	0d6d2da308144214650b23d40f7839e5f31af3ed42cdac6f3bad9ed9875451ae.exe
1680	0d6d2da308144214650b23d40f7839e5f31af3ed42cdac6f3bad9ed9875451ae.exe
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3012

pid	process
3012

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

0d6d2da308144214650b23d40f7839e5f31af3ed42cdac6f3bad9ed9875451ae.exe

pid	process
1680	0d6d2da308144214650b23d40f7839e5f31af3ed42cdac6f3bad9ed9875451ae.exe
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exeLYKAA.exe2260.exe

description	pid	process
Token: SeDebugPrivilege	5080	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Token: SeDebugPrivilege	4908	LYKAA.exe
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeDebugPrivilege	3052	2260.exe
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

pid process

3012
3012
3012
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

3012
3012

pid	process
3012
3012
3012

pid	process
3012
3012

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Browser Update.exeBrowserUpdate.exe

pid	process
2312	Browser Update.exe
4812	BrowserUpdate.exe
4812	BrowserUpdate.exe
4812	BrowserUpdate.exe
4812	BrowserUpdate.exe
4812	BrowserUpdate.exe
4812	BrowserUpdate.exe
4812	BrowserUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

13D7.exeEAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.execmd.exeLYKAA.execmd.exe5BE0.exe1EA6.exe

description	pid	process	target process
PID 3012 wrote to memory of 3032	3012		DCB.exe
PID 3012 wrote to memory of 3032	3012		DCB.exe
PID 3012 wrote to memory of 3032	3012		DCB.exe
PID 3012 wrote to memory of 4820	3012		13D7.exe
PID 3012 wrote to memory of 4820	3012		13D7.exe
PID 4820 wrote to memory of 5080	4820	13D7.exe	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
PID 4820 wrote to memory of 5080	4820	13D7.exe	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
PID 5080 wrote to memory of 3744	5080	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe	cmd.exe
PID 5080 wrote to memory of 3744	5080	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe	cmd.exe
PID 3012 wrote to memory of 4372	3012		1EA6.exe
PID 3012 wrote to memory of 4372	3012		1EA6.exe
PID 3744 wrote to memory of 2320	3744	cmd.exe	timeout.exe
PID 3744 wrote to memory of 2320	3744	cmd.exe	timeout.exe
PID 3012 wrote to memory of 3052	3012		2260.exe
PID 3012 wrote to memory of 3052	3012		2260.exe
PID 3012 wrote to memory of 3052	3012		2260.exe
PID 3744 wrote to memory of 4908	3744	cmd.exe	LYKAA.exe
PID 3744 wrote to memory of 4908	3744	cmd.exe	LYKAA.exe
PID 4908 wrote to memory of 3276	4908	LYKAA.exe	cmd.exe
PID 4908 wrote to memory of 3276	4908	LYKAA.exe	cmd.exe
PID 3276 wrote to memory of 384	3276	cmd.exe	schtasks.exe
PID 3276 wrote to memory of 384	3276	cmd.exe	schtasks.exe
PID 3012 wrote to memory of 4944	3012		4B36.exe
PID 3012 wrote to memory of 4944	3012		4B36.exe
PID 3012 wrote to memory of 4944	3012		4B36.exe
PID 3012 wrote to memory of 4728	3012		5BE0.exe
PID 3012 wrote to memory of 4728	3012		5BE0.exe
PID 4728 wrote to memory of 1752	4728	5BE0.exe	RegSvcs.exe
PID 4728 wrote to memory of 1752	4728	5BE0.exe	RegSvcs.exe
PID 4728 wrote to memory of 1752	4728	5BE0.exe	RegSvcs.exe
PID 4728 wrote to memory of 1752	4728	5BE0.exe	RegSvcs.exe
PID 4728 wrote to memory of 1752	4728	5BE0.exe	RegSvcs.exe
PID 4728 wrote to memory of 1752	4728	5BE0.exe	RegSvcs.exe
PID 4728 wrote to memory of 1752	4728	5BE0.exe	RegSvcs.exe
PID 3012 wrote to memory of 540	3012		explorer.exe
PID 3012 wrote to memory of 540	3012		explorer.exe
PID 3012 wrote to memory of 540	3012		explorer.exe
PID 3012 wrote to memory of 540	3012		explorer.exe
PID 3012 wrote to memory of 4040	3012		explorer.exe
PID 3012 wrote to memory of 4040	3012		explorer.exe
PID 3012 wrote to memory of 4040	3012		explorer.exe
PID 3012 wrote to memory of 2272	3012		explorer.exe
PID 3012 wrote to memory of 2272	3012		explorer.exe
PID 3012 wrote to memory of 2272	3012		explorer.exe
PID 3012 wrote to memory of 2272	3012		explorer.exe
PID 3012 wrote to memory of 3228	3012		explorer.exe
PID 3012 wrote to memory of 3228	3012		explorer.exe
PID 3012 wrote to memory of 3228	3012		explorer.exe
PID 3012 wrote to memory of 1160	3012		explorer.exe
PID 3012 wrote to memory of 1160	3012		explorer.exe
PID 3012 wrote to memory of 1160	3012		explorer.exe
PID 3012 wrote to memory of 1160	3012		explorer.exe
PID 4372 wrote to memory of 4808	4372	1EA6.exe	1EA6.exe
PID 4372 wrote to memory of 4808	4372	1EA6.exe	1EA6.exe
PID 4372 wrote to memory of 4808	4372	1EA6.exe	1EA6.exe
PID 4372 wrote to memory of 4808	4372	1EA6.exe	1EA6.exe
PID 4372 wrote to memory of 4808	4372	1EA6.exe	1EA6.exe
PID 4372 wrote to memory of 4808	4372	1EA6.exe	1EA6.exe
PID 4372 wrote to memory of 4808	4372	1EA6.exe	1EA6.exe
PID 4372 wrote to memory of 4808	4372	1EA6.exe	1EA6.exe
PID 4372 wrote to memory of 4808	4372	1EA6.exe	1EA6.exe
PID 4372 wrote to memory of 4808	4372	1EA6.exe	1EA6.exe
PID 4372 wrote to memory of 4808	4372	1EA6.exe	1EA6.exe
PID 4372 wrote to memory of 4808	4372	1EA6.exe	1EA6.exe

C:\Users\Admin\AppData\Local\Temp\0d6d2da308144214650b23d40f7839e5f31af3ed42cdac6f3bad9ed9875451ae.exe
"C:\Users\Admin\AppData\Local\Temp\0d6d2da308144214650b23d40f7839e5f31af3ed42cdac6f3bad9ed9875451ae.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1680

C:\Users\Admin\AppData\Local\Temp\DCB.exe
C:\Users\Admin\AppData\Local\Temp\DCB.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 268
2⤵
- Program crash
PID:2200

C:\Users\Admin\AppData\Local\Temp\13D7.exe
C:\Users\Admin\AppData\Local\Temp\13D7.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820

C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
"C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1E46.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2320

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
"C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
6⤵
- Creates scheduled task(s)
PID:384

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.installs001 -p x -t 6
5⤵
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
6⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\1EA6.exe
C:\Users\Admin\AppData\Local\Temp\1EA6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4372

C:\Users\Admin\AppData\Local\Temp\1EA6.exe
"C:\Users\Admin\AppData\Local\Temp\1EA6.exe"
2⤵
- Executes dropped EXE
PID:4808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4808 -s 600
3⤵
- Program crash
PID:4704

C:\Users\Admin\AppData\Local\Temp\2260.exe
C:\Users\Admin\AppData\Local\Temp\2260.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Users\Admin\AppData\Local\Temp\4B36.exe
C:\Users\Admin\AppData\Local\Temp\4B36.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4944

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Browser Update.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Browser Update.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2312

C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe
"C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe" -l google.sup1@yahoo.com
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:4812

C:\Users\Admin\AppData\Local\Temp\5BE0.exe
C:\Users\Admin\AppData\Local\Temp\5BE0.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
PID:1752

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:540

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4040

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2272

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3228

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1160

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2504

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4824

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1540

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe
Filesize
9.9MB

MD5
fa0733b9fea77460a5c006e384779577

SHA1
d34ad581d313b353c1f74209fcc8a659f236f79a

SHA256
b439153b2144bb1566c0454cf563d54d7bcd6983488555bdc170f0414f60d2bd

SHA512
efec566a345a318fff8cece6f41d7db29263b3ac0bd95b15603148ed9c02a4122821827eb1e0cbcc25335d9d37910c1da098a2f46bf2b78efea92d37e95b193b

Download Submit
C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe
Filesize
9.9MB

MD5
fa0733b9fea77460a5c006e384779577

SHA1
d34ad581d313b353c1f74209fcc8a659f236f79a

SHA256
b439153b2144bb1566c0454cf563d54d7bcd6983488555bdc170f0414f60d2bd

SHA512
efec566a345a318fff8cece6f41d7db29263b3ac0bd95b15603148ed9c02a4122821827eb1e0cbcc25335d9d37910c1da098a2f46bf2b78efea92d37e95b193b

Download Submit
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D7.exe
Filesize
1.1MB

MD5
ae30203171ea1b8be4017efcab8dd23e

SHA1
597c1cbc27659181318bd9d4f44fcd55abc4e36e

SHA256
a232ab45ccd355e5ba96a254edcc53deb2bcbf154610732b444cb5d6d07ce401

SHA512
b1a963f6b0953673145191540e22d9eee4039efccbb8bf153517ba63257a056000a15fd52edf4c6a2dd572cca5267d675a174694c694e408d9a006e4dc933f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D7.exe
Filesize
1.1MB

MD5
ae30203171ea1b8be4017efcab8dd23e

SHA1
597c1cbc27659181318bd9d4f44fcd55abc4e36e

SHA256
a232ab45ccd355e5ba96a254edcc53deb2bcbf154610732b444cb5d6d07ce401

SHA512
b1a963f6b0953673145191540e22d9eee4039efccbb8bf153517ba63257a056000a15fd52edf4c6a2dd572cca5267d675a174694c694e408d9a006e4dc933f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EA6.exe
Filesize
110KB

MD5
8f5b12d2ebe6e2c29b1778a72963c59c

SHA1
bf3a68954935657f0089d712d48570e755783bfd

SHA256
0f0f69a705a280dac2f7476c1d3d267d5d3c238fee412dbeb14079beeeb40f29

SHA512
d50bc3b34e663655ebf3b139d400f919b0ae49be4f2e6a0f5ad647f1228a551072a89802f5c7fd078df124ffcd1145d92435638d76ce149fb125b0c6a7b64e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EA6.exe
Filesize
110KB

MD5
8f5b12d2ebe6e2c29b1778a72963c59c

SHA1
bf3a68954935657f0089d712d48570e755783bfd

SHA256
0f0f69a705a280dac2f7476c1d3d267d5d3c238fee412dbeb14079beeeb40f29

SHA512
d50bc3b34e663655ebf3b139d400f919b0ae49be4f2e6a0f5ad647f1228a551072a89802f5c7fd078df124ffcd1145d92435638d76ce149fb125b0c6a7b64e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EA6.exe
Filesize
110KB

MD5
8f5b12d2ebe6e2c29b1778a72963c59c

SHA1
bf3a68954935657f0089d712d48570e755783bfd

SHA256
0f0f69a705a280dac2f7476c1d3d267d5d3c238fee412dbeb14079beeeb40f29

SHA512
d50bc3b34e663655ebf3b139d400f919b0ae49be4f2e6a0f5ad647f1228a551072a89802f5c7fd078df124ffcd1145d92435638d76ce149fb125b0c6a7b64e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\2260.exe
Filesize
303KB

MD5
4440d497b457be6604c52292f836e466

SHA1
275f3de7df0525c437289b04ff19ea90f2632b43

SHA256
f785c09861dc2705f5e235d840b31e7894c584ecc6591c5f06b60107e3aa43e3

SHA512
d72d6a09f732bfe04ed77052e18798f0003acc8c46ad4906182d42b5d3a2c120f3ae3eca7a6fa8718c7bb4a4fee3f85514ec819af65f5025bb48bd379e6565d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2260.exe
Filesize
303KB

MD5
4440d497b457be6604c52292f836e466

SHA1
275f3de7df0525c437289b04ff19ea90f2632b43

SHA256
f785c09861dc2705f5e235d840b31e7894c584ecc6591c5f06b60107e3aa43e3

SHA512
d72d6a09f732bfe04ed77052e18798f0003acc8c46ad4906182d42b5d3a2c120f3ae3eca7a6fa8718c7bb4a4fee3f85514ec819af65f5025bb48bd379e6565d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B36.exe
Filesize
9.0MB

MD5
c47c7dfe045ceacd443ec8c7d120ba0a

SHA1
51cd904e7a4e48a2e4d78f27e3d565f1e76278d4

SHA256
9ccd93137d9574e16bb2a94b9725981c65a7b1dcc295f5ed31f4a5c76b11cbdb

SHA512
fc36364aee5ade506c24d798b871f81d23f7e2774b14b439ef811f65d0e395d915e76c36267ef1d1b7974da7e92850aa129cc9c50f9e6c7ada1549c6971dd100

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B36.exe
Filesize
9.0MB

MD5
c47c7dfe045ceacd443ec8c7d120ba0a

SHA1
51cd904e7a4e48a2e4d78f27e3d565f1e76278d4

SHA256
9ccd93137d9574e16bb2a94b9725981c65a7b1dcc295f5ed31f4a5c76b11cbdb

SHA512
fc36364aee5ade506c24d798b871f81d23f7e2774b14b439ef811f65d0e395d915e76c36267ef1d1b7974da7e92850aa129cc9c50f9e6c7ada1549c6971dd100

Download Submit
C:\Users\Admin\AppData\Local\Temp\5BE0.exe
Filesize
3.0MB

MD5
d409094639a5947b77c6a64640091af3

SHA1
931072e7d54ab8416114a625d3dc9e29b51d28b1

SHA256
47075b19250a67dd90a8e8c3a243e5d9f3b05716e3de6ddd0e2dcdb7857494c4

SHA512
20095edb7d835b4e4c9e45fe351d538bf12d136e4fe7fdaeaef13411c7221ba684f2bc0891fa0d20c5ebb0b7224e3e3d35b78db5933ea86f9ab0bca84dbb3980

Download Submit
C:\Users\Admin\AppData\Local\Temp\5BE0.exe
Filesize
3.0MB

MD5
d409094639a5947b77c6a64640091af3

SHA1
931072e7d54ab8416114a625d3dc9e29b51d28b1

SHA256
47075b19250a67dd90a8e8c3a243e5d9f3b05716e3de6ddd0e2dcdb7857494c4

SHA512
20095edb7d835b4e4c9e45fe351d538bf12d136e4fe7fdaeaef13411c7221ba684f2bc0891fa0d20c5ebb0b7224e3e3d35b78db5933ea86f9ab0bca84dbb3980

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCB.exe
Filesize
218KB

MD5
3de8df56c864e0f5a715f0a1e9383c48

SHA1
c4d5f366616430ecc5ab0123803b7586fcd90943

SHA256
3f4a2d676bc1ad155e33f1e5e6c2a19a7d3cd37ba9b30bfaffdf6e1a37456290

SHA512
88639641215375669dc56a5b0504b247b089848abcd0a2a901090f026f26928d8e5933b756fe9400f62f5579b94c7bc22e18fe83c25a99268686cca0ab29fdbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCB.exe
Filesize
218KB

MD5
3de8df56c864e0f5a715f0a1e9383c48

SHA1
c4d5f366616430ecc5ab0123803b7586fcd90943

SHA256
3f4a2d676bc1ad155e33f1e5e6c2a19a7d3cd37ba9b30bfaffdf6e1a37456290

SHA512
88639641215375669dc56a5b0504b247b089848abcd0a2a901090f026f26928d8e5933b756fe9400f62f5579b94c7bc22e18fe83c25a99268686cca0ab29fdbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Browser Update.exe
Filesize
4.8MB

MD5
0c1006412fcbf7c4ca14c0fdf9c1e3e3

SHA1
e2d465a6ffa1a6b27774cbaf8e58323e522eb683

SHA256
eec760898b55a73fba8d66aaedcea6f71d45d340a30b9966646d7cdcf3f7434b

SHA512
0602da1f56923666806308012c31e0782427f7a96ba9bd8f71eda5d72bf256fedbb002c6d8a008eacfa1736e11ff94e66cd6e24663ecbe9f3ebf9fa75e215c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Browser Update.exe
Filesize
4.8MB

MD5
0c1006412fcbf7c4ca14c0fdf9c1e3e3

SHA1
e2d465a6ffa1a6b27774cbaf8e58323e522eb683

SHA256
eec760898b55a73fba8d66aaedcea6f71d45d340a30b9966646d7cdcf3f7434b

SHA512
0602da1f56923666806308012c31e0782427f7a96ba9bd8f71eda5d72bf256fedbb002c6d8a008eacfa1736e11ff94e66cd6e24663ecbe9f3ebf9fa75e215c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E46.tmp.bat
Filesize
153B

MD5
1aefbfc490c713273c33bafcb31a10c6

SHA1
ab1fb3c87dd7fffe798df8637bcb2cff37b630c5

SHA256
edb958133011dc2406bbaf091d86266de773ae2b782ac510dbcee4efe5f97fda

SHA512
16f09da77db55149bdeb5bf74411ecc832e6f0f26bf36990199cc0da99c94d731d1afdcaa8bdcd1aca7329386ec6e5360166d5e6f75260a08c26a743ad5fe1ba

Download Submit
C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
memory/384-234-0x0000000000000000-mapping.dmp

Download
memory/540-330-0x0000000000000000-mapping.dmp

Download
memory/540-513-0x0000000003280000-0x000000000328B000-memory.dmp

Filesize
44KB

Download
memory/540-783-0x0000000003290000-0x0000000003297000-memory.dmp

Filesize
28KB

Download
memory/540-508-0x0000000003290000-0x0000000003297000-memory.dmp

Filesize
28KB

Download
memory/1160-437-0x0000000003200000-0x0000000003227000-memory.dmp

Filesize
156KB

Download
memory/1160-430-0x0000000003230000-0x0000000003252000-memory.dmp

Filesize
136KB

Download
memory/1160-758-0x0000000003230000-0x0000000003252000-memory.dmp

Filesize
136KB

Download
memory/1160-409-0x0000000000000000-mapping.dmp

Download
memory/1524-843-0x0000000000000000-mapping.dmp

Download
memory/1540-501-0x0000000000000000-mapping.dmp

Download
memory/1540-552-0x0000000000C80000-0x0000000000C87000-memory.dmp

Filesize
28KB

Download
memory/1540-517-0x00000000009F0000-0x00000000009FD000-memory.dmp

Filesize
52KB

Download
memory/1540-805-0x0000000000C80000-0x0000000000C87000-memory.dmp

Filesize
28KB

Download
memory/1616-888-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1616-852-0x00000000004221AE-mapping.dmp

Download
memory/1616-916-0x0000000009B80000-0x0000000009BCB000-memory.dmp

Filesize
300KB

Download
memory/1680-145-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/1680-140-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-121-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-122-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-156-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-120-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-123-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-155-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-154-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-153-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-152-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-151-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-150-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-124-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-149-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-148-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-125-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-126-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-127-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-142-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-144-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-146-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-147-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1680-143-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/1680-141-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-157-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1680-139-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-138-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-128-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-137-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-136-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-134-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-129-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-133-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-132-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-131-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-130-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1752-325-0x0000000000BE8EA0-mapping.dmp

Download
memory/1752-418-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/1752-358-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/1972-845-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1972-844-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1972-840-0x000000014006EE80-mapping.dmp

Download
memory/2272-587-0x0000000002AB0000-0x0000000002AB5000-memory.dmp

Filesize
20KB

Download
memory/2272-620-0x0000000002AA0000-0x0000000002AA9000-memory.dmp

Filesize
36KB

Download
memory/2272-371-0x0000000000000000-mapping.dmp

Download
memory/2312-481-0x0000000000000000-mapping.dmp

Download
memory/2320-188-0x0000000000000000-mapping.dmp

Download
memory/2504-435-0x0000000000000000-mapping.dmp

Download
memory/2504-681-0x0000000003250000-0x0000000003255000-memory.dmp

Filesize
20KB

Download
memory/2504-710-0x0000000003240000-0x0000000003249000-memory.dmp

Filesize
36KB

Download
memory/3032-165-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3032-851-0x0000000000A10000-0x0000000000A49000-memory.dmp

Filesize
228KB

Download
memory/3032-171-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3032-169-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3032-168-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3032-173-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3032-177-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3032-174-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3032-167-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3032-164-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3032-158-0x0000000000000000-mapping.dmp

Download
memory/3032-170-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3032-160-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3032-163-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3032-162-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3032-161-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-189-0x0000000000000000-mapping.dmp

Download
memory/3052-247-0x00000000027D0000-0x000000000280C000-memory.dmp

Filesize
240KB

Download
memory/3052-216-0x0000000000720000-0x000000000075E000-memory.dmp

Filesize
248KB

Download
memory/3052-299-0x0000000005370000-0x00000000053AE000-memory.dmp

Filesize
248KB

Download
memory/3052-204-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-206-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-331-0x00000000007A6000-0x00000000007D7000-memory.dmp

Filesize
196KB

Download
memory/3052-205-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-332-0x0000000000720000-0x000000000075E000-memory.dmp

Filesize
248KB

Download
memory/3052-203-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-227-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/3052-202-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-360-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/3052-812-0x0000000006320000-0x00000000064E2000-memory.dmp

Filesize
1.8MB

Download
memory/3052-816-0x0000000006500000-0x0000000006A2C000-memory.dmp

Filesize
5.2MB

Download
memory/3052-201-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-211-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-240-0x0000000002310000-0x000000000234E000-memory.dmp

Filesize
248KB

Download
memory/3052-200-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-835-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/3052-199-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-197-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-196-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-438-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/3052-195-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-194-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-292-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/3052-286-0x0000000005260000-0x000000000536A000-memory.dmp

Filesize
1.0MB

Download
memory/3052-214-0x00000000007A6000-0x00000000007D7000-memory.dmp

Filesize
196KB

Download
memory/3052-193-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-192-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-284-0x00000000053C0000-0x00000000059C6000-memory.dmp

Filesize
6.0MB

Download
memory/3052-191-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-210-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/3052-245-0x0000000004D60000-0x000000000525E000-memory.dmp

Filesize
5.0MB

Download
memory/3052-836-0x00000000007A6000-0x00000000007D7000-memory.dmp

Filesize
196KB

Download
memory/3052-249-0x0000000004B60000-0x0000000004BF2000-memory.dmp

Filesize
584KB

Download
memory/3052-307-0x0000000005AD0000-0x0000000005B1B000-memory.dmp

Filesize
300KB

Download
memory/3228-404-0x00000000009A0000-0x00000000009A6000-memory.dmp

Filesize
24KB

Download
memory/3228-407-0x0000000000990000-0x000000000099C000-memory.dmp

Filesize
48KB

Download
memory/3228-389-0x0000000000000000-mapping.dmp

Download
memory/3228-733-0x00000000009A0000-0x00000000009A6000-memory.dmp

Filesize
24KB

Download
memory/3276-222-0x0000000000000000-mapping.dmp

Download
memory/3744-183-0x0000000000000000-mapping.dmp

Download
memory/4040-677-0x00000000004C0000-0x00000000004C9000-memory.dmp

Filesize
36KB

Download
memory/4040-365-0x00000000004B0000-0x00000000004BF000-memory.dmp

Filesize
60KB

Download
memory/4040-362-0x00000000004C0000-0x00000000004C9000-memory.dmp

Filesize
36KB

Download
memory/4040-351-0x0000000000000000-mapping.dmp

Download
memory/4372-184-0x0000000000000000-mapping.dmp

Download
memory/4728-314-0x0000000000000000-mapping.dmp

Download
memory/4808-467-0x0000000140000000-0x0000000140050000-memory.dmp

Filesize
320KB

Download
memory/4808-429-0x000000014000F758-mapping.dmp

Download
memory/4812-743-0x0000000000000000-mapping.dmp

Download
memory/4812-764-0x00000000001C0000-0x0000000000BA6000-memory.dmp

Filesize
9.9MB

Download
memory/4812-838-0x00000000001C0000-0x0000000000BA6000-memory.dmp

Filesize
9.9MB

Download
memory/4820-178-0x0000000000FA0000-0x00000000010C0000-memory.dmp

Filesize
1.1MB

Download
memory/4820-172-0x0000000000000000-mapping.dmp

Download
memory/4824-714-0x00000000030B0000-0x00000000030BB000-memory.dmp

Filesize
44KB

Download
memory/4824-713-0x00000000030C0000-0x00000000030C6000-memory.dmp

Filesize
24KB

Download
memory/4824-830-0x00000000030C0000-0x00000000030C6000-memory.dmp

Filesize
24KB

Download
memory/4824-464-0x0000000000000000-mapping.dmp

Download
memory/4908-207-0x0000000000000000-mapping.dmp

Download
memory/4944-504-0x0000000000B10000-0x0000000000FA5000-memory.dmp

Filesize
4.6MB

Download
memory/4944-275-0x0000000000B10000-0x0000000000FA5000-memory.dmp

Filesize
4.6MB

Download
memory/4944-256-0x0000000000000000-mapping.dmp

Download
memory/4944-777-0x0000000000B10000-0x0000000000FA5000-memory.dmp

Filesize
4.6MB

Download
memory/4956-736-0x00000000029E0000-0x00000000029EB000-memory.dmp

Filesize
44KB

Download
memory/4956-535-0x0000000000000000-mapping.dmp

Download
memory/4956-837-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/4956-734-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/5080-182-0x00000000000B0000-0x0000000000186000-memory.dmp

Filesize
856KB

Download
memory/5080-179-0x0000000000000000-mapping.dmp

Download