hawkeye | 21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab

Analysis

max time kernel
151s
max time network
127s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe
Size

1.5MB
MD5

40570856df7efebd7ebda05408224e1b
SHA1

47cc7a0b90c6b79c4416476e5b5ced7422ea6247
SHA256

21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab
SHA512

449fcab507e352bcb736bf03292b269afdc3ae3b8382bfbf19d82f7167951e9bf66fdf2997dc7b625d47162a9fff1a4996a4b2dd380a170f06767e61455cc417
SSDEEP

24576:wGd3O+nY5gC8WlgzkjD2oSOH+nqUmM31ShHT4TSEoSo/6Z6fgVXmCwIhr:w2LYghcgIvbZ+pj04OEto/s6fYmGh

Score

10^/10

hawkeye imminent pony collection discovery keylogger persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

pony

http://newwork.hostoi.com/Panel/gate.php

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 12 IoCs

pid	Process
940	FB_BE4.tmp.exe
1008	FB_E36.tmp.exe
240	FB_EA4.tmp.exe
1576	FB_EA4.tmp.exe
1052	FB_BE4.tmp.exe
964	FB_E36.tmp.exe
1520	defragsvc.exe
1524	Windows Update.exe
484	AppReadiness.exe
1744	Windows Update.exe
1996	defragsvc.exe
1236	AppReadiness.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/964-120-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/964-124-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/964-123-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/964-144-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/964-147-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/964-148-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/964-151-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/964-160-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Loads dropped DLL 12 IoCs

pid	Process
472	AppLaunch.exe
472	AppLaunch.exe
472	AppLaunch.exe
240	FB_EA4.tmp.exe
940	FB_BE4.tmp.exe
1008	FB_E36.tmp.exe
240	FB_EA4.tmp.exe
1576	FB_EA4.tmp.exe
1520	defragsvc.exe
1524	Windows Update.exe
1524	Windows Update.exe
484	AppReadiness.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	FB_E36.tmp.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	FB_E36.tmp.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application Readiness = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\defragsvc.exe"	defragsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default NKey = "C:\\Users\\Admin\\AppData\\Roaming\\Default NFolder\\Default File.exe"	FB_BE4.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application Readiness = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\defragsvc.exe"	defragsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	whatismyipaddress.com
7	whatismyipaddress.com
8	whatismyipaddress.com

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 1132 set thread context of 472	1132	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	27
PID 240 set thread context of 1576	240	FB_EA4.tmp.exe	32
PID 940 set thread context of 1052	940	FB_BE4.tmp.exe	33
PID 1008 set thread context of 964	1008	FB_E36.tmp.exe	34
PID 1524 set thread context of 1744	1524	Windows Update.exe	41
PID 484 set thread context of 1236	484	AppReadiness.exe	44
PID 1744 set thread context of 1364	1744	Windows Update.exe	45
PID 1744 set thread context of 308	1744	Windows Update.exe	47

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
1520	defragsvc.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
1520	defragsvc.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
1520	defragsvc.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
1520	defragsvc.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
1520	defragsvc.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
1520	defragsvc.exe
240	FB_EA4.tmp.exe
240	FB_EA4.tmp.exe
1520	defragsvc.exe
240	FB_EA4.tmp.exe
1524	Windows Update.exe
240	FB_EA4.tmp.exe
1524	Windows Update.exe
1520	defragsvc.exe
240	FB_EA4.tmp.exe
1524	Windows Update.exe
240	FB_EA4.tmp.exe
1524	Windows Update.exe
1520	defragsvc.exe
240	FB_EA4.tmp.exe
1524	Windows Update.exe
240	FB_EA4.tmp.exe
1524	Windows Update.exe
1520	defragsvc.exe
240	FB_EA4.tmp.exe
1524	Windows Update.exe
240	FB_EA4.tmp.exe
1524	Windows Update.exe
1520	defragsvc.exe
240	FB_EA4.tmp.exe
1524	Windows Update.exe
240	FB_EA4.tmp.exe
1524	Windows Update.exe
1520	defragsvc.exe
240	FB_EA4.tmp.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1132	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe
Token: SeDebugPrivilege	240	FB_EA4.tmp.exe
Token: SeDebugPrivilege	940	FB_BE4.tmp.exe
Token: SeDebugPrivilege	1008	FB_E36.tmp.exe
Token: SeImpersonatePrivilege	964	FB_E36.tmp.exe
Token: SeTcbPrivilege	964	FB_E36.tmp.exe
Token: SeChangeNotifyPrivilege	964	FB_E36.tmp.exe
Token: SeCreateTokenPrivilege	964	FB_E36.tmp.exe
Token: SeBackupPrivilege	964	FB_E36.tmp.exe
Token: SeRestorePrivilege	964	FB_E36.tmp.exe
Token: SeIncreaseQuotaPrivilege	964	FB_E36.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	964	FB_E36.tmp.exe
Token: SeDebugPrivilege	1052	FB_BE4.tmp.exe
Token: SeImpersonatePrivilege	964	FB_E36.tmp.exe
Token: SeTcbPrivilege	964	FB_E36.tmp.exe
Token: SeChangeNotifyPrivilege	964	FB_E36.tmp.exe
Token: SeCreateTokenPrivilege	964	FB_E36.tmp.exe
Token: SeBackupPrivilege	964	FB_E36.tmp.exe
Token: SeRestorePrivilege	964	FB_E36.tmp.exe
Token: SeIncreaseQuotaPrivilege	964	FB_E36.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	964	FB_E36.tmp.exe
Token: SeImpersonatePrivilege	964	FB_E36.tmp.exe
Token: SeTcbPrivilege	964	FB_E36.tmp.exe
Token: SeChangeNotifyPrivilege	964	FB_E36.tmp.exe
Token: SeCreateTokenPrivilege	964	FB_E36.tmp.exe
Token: SeBackupPrivilege	964	FB_E36.tmp.exe
Token: SeRestorePrivilege	964	FB_E36.tmp.exe
Token: SeIncreaseQuotaPrivilege	964	FB_E36.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	964	FB_E36.tmp.exe
Token: SeImpersonatePrivilege	964	FB_E36.tmp.exe
Token: SeTcbPrivilege	964	FB_E36.tmp.exe
Token: SeChangeNotifyPrivilege	964	FB_E36.tmp.exe
Token: SeCreateTokenPrivilege	964	FB_E36.tmp.exe
Token: SeBackupPrivilege	964	FB_E36.tmp.exe
Token: SeRestorePrivilege	964	FB_E36.tmp.exe
Token: SeIncreaseQuotaPrivilege	964	FB_E36.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	964	FB_E36.tmp.exe
Token: SeDebugPrivilege	1520	defragsvc.exe
Token: SeDebugPrivilege	1524	Windows Update.exe
Token: SeDebugPrivilege	484	AppReadiness.exe
Token: SeDebugPrivilege	1744	Windows Update.exe
Token: SeDebugPrivilege	1364	vbc.exe
Token: SeDebugPrivilege	1996	defragsvc.exe
Token: SeDebugPrivilege	308	vbc.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1708	AcroRd32.exe
1708	AcroRd32.exe
1708	AcroRd32.exe
1052	FB_BE4.tmp.exe
1708	AcroRd32.exe
1744	Windows Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 472	1132	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	27
PID 1132 wrote to memory of 472	1132	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	27
PID 1132 wrote to memory of 472	1132	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	27
PID 1132 wrote to memory of 472	1132	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	27
PID 1132 wrote to memory of 472	1132	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	27
PID 1132 wrote to memory of 472	1132	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	27
PID 1132 wrote to memory of 472	1132	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	27
PID 1132 wrote to memory of 472	1132	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	27
PID 1132 wrote to memory of 472	1132	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	27
PID 1132 wrote to memory of 472	1132	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	27
PID 1132 wrote to memory of 472	1132	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	27
PID 1132 wrote to memory of 472	1132	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	27
PID 1132 wrote to memory of 472	1132	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	27
PID 472 wrote to memory of 940	472	AppLaunch.exe	28
PID 472 wrote to memory of 940	472	AppLaunch.exe	28
PID 472 wrote to memory of 940	472	AppLaunch.exe	28
PID 472 wrote to memory of 940	472	AppLaunch.exe	28
PID 472 wrote to memory of 940	472	AppLaunch.exe	28
PID 472 wrote to memory of 940	472	AppLaunch.exe	28
PID 472 wrote to memory of 940	472	AppLaunch.exe	28
PID 472 wrote to memory of 1008	472	AppLaunch.exe	29
PID 472 wrote to memory of 1008	472	AppLaunch.exe	29
PID 472 wrote to memory of 1008	472	AppLaunch.exe	29
PID 472 wrote to memory of 1008	472	AppLaunch.exe	29
PID 472 wrote to memory of 1008	472	AppLaunch.exe	29
PID 472 wrote to memory of 1008	472	AppLaunch.exe	29
PID 472 wrote to memory of 1008	472	AppLaunch.exe	29
PID 472 wrote to memory of 240	472	AppLaunch.exe	30
PID 472 wrote to memory of 240	472	AppLaunch.exe	30
PID 472 wrote to memory of 240	472	AppLaunch.exe	30
PID 472 wrote to memory of 240	472	AppLaunch.exe	30
PID 472 wrote to memory of 240	472	AppLaunch.exe	30
PID 472 wrote to memory of 240	472	AppLaunch.exe	30
PID 472 wrote to memory of 240	472	AppLaunch.exe	30
PID 472 wrote to memory of 1708	472	AppLaunch.exe	31
PID 472 wrote to memory of 1708	472	AppLaunch.exe	31
PID 472 wrote to memory of 1708	472	AppLaunch.exe	31
PID 472 wrote to memory of 1708	472	AppLaunch.exe	31
PID 472 wrote to memory of 1708	472	AppLaunch.exe	31
PID 472 wrote to memory of 1708	472	AppLaunch.exe	31
PID 472 wrote to memory of 1708	472	AppLaunch.exe	31
PID 240 wrote to memory of 1576	240	FB_EA4.tmp.exe	32
PID 240 wrote to memory of 1576	240	FB_EA4.tmp.exe	32
PID 240 wrote to memory of 1576	240	FB_EA4.tmp.exe	32
PID 240 wrote to memory of 1576	240	FB_EA4.tmp.exe	32
PID 240 wrote to memory of 1576	240	FB_EA4.tmp.exe	32
PID 240 wrote to memory of 1576	240	FB_EA4.tmp.exe	32
PID 240 wrote to memory of 1576	240	FB_EA4.tmp.exe	32
PID 240 wrote to memory of 1576	240	FB_EA4.tmp.exe	32
PID 240 wrote to memory of 1576	240	FB_EA4.tmp.exe	32
PID 240 wrote to memory of 1576	240	FB_EA4.tmp.exe	32
PID 240 wrote to memory of 1576	240	FB_EA4.tmp.exe	32
PID 240 wrote to memory of 1576	240	FB_EA4.tmp.exe	32
PID 940 wrote to memory of 1052	940	FB_BE4.tmp.exe	33
PID 940 wrote to memory of 1052	940	FB_BE4.tmp.exe	33
PID 940 wrote to memory of 1052	940	FB_BE4.tmp.exe	33
PID 940 wrote to memory of 1052	940	FB_BE4.tmp.exe	33
PID 940 wrote to memory of 1052	940	FB_BE4.tmp.exe	33
PID 940 wrote to memory of 1052	940	FB_BE4.tmp.exe	33
PID 940 wrote to memory of 1052	940	FB_BE4.tmp.exe	33
PID 940 wrote to memory of 1052	940	FB_BE4.tmp.exe	33
PID 940 wrote to memory of 1052	940	FB_BE4.tmp.exe	33
PID 940 wrote to memory of 1052	940	FB_BE4.tmp.exe	33
PID 1008 wrote to memory of 964	1008	FB_E36.tmp.exe	34

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	FB_E36.tmp.exe

C:\Users\Admin\AppData\Local\Temp\21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe
"C:\Users\Admin\AppData\Local\Temp\21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Users\Admin\AppData\Local\Temp\FB_BE4.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\FB_BE4.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\FB_BE4.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_BE4.tmp.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1052
- - C:\Users\Admin\AppData\Local\Temp\FB_E36.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\FB_E36.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Users\Admin\AppData\Local\Temp\FB_E36.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_E36.tmp.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      outlook_win_path
      PID:964
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7188744.bat" "C:\Users\Admin\AppData\Local\Temp\FB_E36.tmp.exe" "
        5⤵
        
        PID:304
- - C:\Users\Admin\AppData\Local\Temp\FB_EA4.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\FB_EA4.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:240
  - - C:\Users\Admin\AppData\Local\Temp\FB_EA4.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_EA4.tmp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1576
    - - C:\Users\Admin\AppData\Roaming\Windows Update.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
      - C:\Users\Admin\AppData\Roaming\Windows Update.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        7⤵
        Accesses Microsoft Outlook accounts
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:308
      - C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
  - - C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1520
    - - C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
      - C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe"
        6⤵
        Executes dropped EXE
        
        PID:1236
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FB_F60.tmp.pdf"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7188744.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BE4.tmp.exe

Filesize
375KB

MD5
e70554626613b71cad3ee25fedc14860

SHA1
44a6ee6a6fa305f6361e9c22bd81b65b7c73d029

SHA256
d1a69a078b42b37ca36b10a42004a1c24772eec70b2c81e99e29b7c8fe64d2c8

SHA512
a7db08e98daa5bd0d9c520736ce24bf43ad77818f16cdbe8f99d50f5bb8d26499a08fcd0e164121ce96c84518c2aea01027e685c6688f37f5ed91edf08465f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BE4.tmp.exe

Filesize
375KB

MD5
e70554626613b71cad3ee25fedc14860

SHA1
44a6ee6a6fa305f6361e9c22bd81b65b7c73d029

SHA256
d1a69a078b42b37ca36b10a42004a1c24772eec70b2c81e99e29b7c8fe64d2c8

SHA512
a7db08e98daa5bd0d9c520736ce24bf43ad77818f16cdbe8f99d50f5bb8d26499a08fcd0e164121ce96c84518c2aea01027e685c6688f37f5ed91edf08465f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BE4.tmp.exe

Filesize
375KB

MD5
e70554626613b71cad3ee25fedc14860

SHA1
44a6ee6a6fa305f6361e9c22bd81b65b7c73d029

SHA256
d1a69a078b42b37ca36b10a42004a1c24772eec70b2c81e99e29b7c8fe64d2c8

SHA512
a7db08e98daa5bd0d9c520736ce24bf43ad77818f16cdbe8f99d50f5bb8d26499a08fcd0e164121ce96c84518c2aea01027e685c6688f37f5ed91edf08465f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_E36.tmp.exe

Filesize
133KB

MD5
510be7b2655743c1816d28cf348f0605

SHA1
ee71ce07ed98a82c4d2b9dac1e7f1c6dabe06456

SHA256
a1fd1f4c66a5c748a43bf8aa670850ff0a4ec5941e6f91e1140b4c021ff259de

SHA512
c5714a24caac7870042fb8ac113eb4d8a9f71b1db43b47f9695a0274b5f8a4964225903d05b0e93738c4f1ba51928cd85b9585311b0ea74279e7d47664a10271

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_E36.tmp.exe

Filesize
133KB

MD5
510be7b2655743c1816d28cf348f0605

SHA1
ee71ce07ed98a82c4d2b9dac1e7f1c6dabe06456

SHA256
a1fd1f4c66a5c748a43bf8aa670850ff0a4ec5941e6f91e1140b4c021ff259de

SHA512
c5714a24caac7870042fb8ac113eb4d8a9f71b1db43b47f9695a0274b5f8a4964225903d05b0e93738c4f1ba51928cd85b9585311b0ea74279e7d47664a10271

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_E36.tmp.exe

Filesize
133KB

MD5
510be7b2655743c1816d28cf348f0605

SHA1
ee71ce07ed98a82c4d2b9dac1e7f1c6dabe06456

SHA256
a1fd1f4c66a5c748a43bf8aa670850ff0a4ec5941e6f91e1140b4c021ff259de

SHA512
c5714a24caac7870042fb8ac113eb4d8a9f71b1db43b47f9695a0274b5f8a4964225903d05b0e93738c4f1ba51928cd85b9585311b0ea74279e7d47664a10271

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_EA4.tmp.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_EA4.tmp.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_EA4.tmp.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_F60.tmp.pdf

Filesize
19KB

MD5
78ce19a2ec6b1d5045b26600cdde2ba2

SHA1
f600c7449d0f843de4941b77971af731f11a8976

SHA256
ba1768f6bd4e00591e88f94709ff7b97b1d9961dd2daa9be1431a945e6506f36

SHA512
d071d196948586818e31de11b7b507f792649180b6c521569fbf85bea9d683dac48cea98a9abda95ef921e3872154b63e5cb05891801d42d4fcc81cdc0a7d4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
48B

MD5
dad2c7b6d966954ecfff3f3374c430d6

SHA1
eb45e91185fb4b57a6218fa9ba06ab2a6dc2681e

SHA256
939a95ac61961dd812b4766c47850f8991f5a5851325fd63d0108445c20d5a1b

SHA512
ea1665da5229702cae2aa1e088e540b309849eaad4913f52e9aebdaeecdde4c9a0ca4c8a9ca9633bae379431040712667befe2b1620046f9b630c7b8f71ae09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
327B

MD5
1265c5140a2f68b05b92aa1a25a2abb6

SHA1
627a660e9d2a41c8c4a662ca44fdb68a1356bc82

SHA256
694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9

SHA512
ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
329B

MD5
f8ddf0fe04f214d64c3e5094ed622858

SHA1
245a91a1c968c45820fbbb319c1bcfc98b01b04e

SHA256
f73d76c930aa76b78390a50ee72b9169c7064b9e1256de76ab9ffb43bca8f5d3

SHA512
e6385a3d47f8969f2079ae28a4e2753c2da60e37601ebd15049e21f1490e7a1ec760a3cc6c8b75a8049aa8a08735a9f24187d7ad13c6ac8d4a5510dc88718900

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe

Filesize
13KB

MD5
0ee04e685f30e70d9b35231493837faa

SHA1
80b193cf85321e106c0030e17f914c6ca14f52d6

SHA256
d9d2cc7216825ca9b1a3056d1c812455fe5c105145ed8185568177b9c66cabf6

SHA512
ef7b5de373a237e9e2d5e92612d7468a4498464c0c914bd2c03ba0a7a8eba8f8afec6507a1d71e596d8a83b41cdf8ae7d27d8f5a95fce344ab9c9364405ea494

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe

Filesize
13KB

MD5
0ee04e685f30e70d9b35231493837faa

SHA1
80b193cf85321e106c0030e17f914c6ca14f52d6

SHA256
d9d2cc7216825ca9b1a3056d1c812455fe5c105145ed8185568177b9c66cabf6

SHA512
ef7b5de373a237e9e2d5e92612d7468a4498464c0c914bd2c03ba0a7a8eba8f8afec6507a1d71e596d8a83b41cdf8ae7d27d8f5a95fce344ab9c9364405ea494

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe

Filesize
13KB

MD5
0ee04e685f30e70d9b35231493837faa

SHA1
80b193cf85321e106c0030e17f914c6ca14f52d6

SHA256
d9d2cc7216825ca9b1a3056d1c812455fe5c105145ed8185568177b9c66cabf6

SHA512
ef7b5de373a237e9e2d5e92612d7468a4498464c0c914bd2c03ba0a7a8eba8f8afec6507a1d71e596d8a83b41cdf8ae7d27d8f5a95fce344ab9c9364405ea494

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt

Filesize
4B

MD5
418ef6127e44214882c61e372e866691

SHA1
16b5eb5172fe24f3ec4dafdd4593f04f50c205cc

SHA256
0c75ccaac2812081198391f595e46d12ec1d3cbb0f5aa664e6631f110ae4526c

SHA512
7e946b2b431f21195347497d5b6f3d3a49784414d5a457f6f2b3d7bffc29fc4c50062cc8d1a4f8c1b2937e715634ae191d6b4fe88bd85d2a186c870054565274

Download Submit
\Users\Admin\AppData\Local\Temp\FB_BE4.tmp.exe

Filesize
375KB

MD5
e70554626613b71cad3ee25fedc14860

SHA1
44a6ee6a6fa305f6361e9c22bd81b65b7c73d029

SHA256
d1a69a078b42b37ca36b10a42004a1c24772eec70b2c81e99e29b7c8fe64d2c8

SHA512
a7db08e98daa5bd0d9c520736ce24bf43ad77818f16cdbe8f99d50f5bb8d26499a08fcd0e164121ce96c84518c2aea01027e685c6688f37f5ed91edf08465f86

Download Submit
\Users\Admin\AppData\Local\Temp\FB_BE4.tmp.exe

Filesize
375KB

MD5
e70554626613b71cad3ee25fedc14860

SHA1
44a6ee6a6fa305f6361e9c22bd81b65b7c73d029

SHA256
d1a69a078b42b37ca36b10a42004a1c24772eec70b2c81e99e29b7c8fe64d2c8

SHA512
a7db08e98daa5bd0d9c520736ce24bf43ad77818f16cdbe8f99d50f5bb8d26499a08fcd0e164121ce96c84518c2aea01027e685c6688f37f5ed91edf08465f86

Download Submit
\Users\Admin\AppData\Local\Temp\FB_E36.tmp.exe

Filesize
133KB

MD5
510be7b2655743c1816d28cf348f0605

SHA1
ee71ce07ed98a82c4d2b9dac1e7f1c6dabe06456

SHA256
a1fd1f4c66a5c748a43bf8aa670850ff0a4ec5941e6f91e1140b4c021ff259de

SHA512
c5714a24caac7870042fb8ac113eb4d8a9f71b1db43b47f9695a0274b5f8a4964225903d05b0e93738c4f1ba51928cd85b9585311b0ea74279e7d47664a10271

Download Submit
\Users\Admin\AppData\Local\Temp\FB_E36.tmp.exe

Filesize
133KB

MD5
510be7b2655743c1816d28cf348f0605

SHA1
ee71ce07ed98a82c4d2b9dac1e7f1c6dabe06456

SHA256
a1fd1f4c66a5c748a43bf8aa670850ff0a4ec5941e6f91e1140b4c021ff259de

SHA512
c5714a24caac7870042fb8ac113eb4d8a9f71b1db43b47f9695a0274b5f8a4964225903d05b0e93738c4f1ba51928cd85b9585311b0ea74279e7d47664a10271

Download Submit
\Users\Admin\AppData\Local\Temp\FB_EA4.tmp.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
\Users\Admin\AppData\Local\Temp\FB_EA4.tmp.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe

Filesize
13KB

MD5
0ee04e685f30e70d9b35231493837faa

SHA1
80b193cf85321e106c0030e17f914c6ca14f52d6

SHA256
d9d2cc7216825ca9b1a3056d1c812455fe5c105145ed8185568177b9c66cabf6

SHA512
ef7b5de373a237e9e2d5e92612d7468a4498464c0c914bd2c03ba0a7a8eba8f8afec6507a1d71e596d8a83b41cdf8ae7d27d8f5a95fce344ab9c9364405ea494

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe

Filesize
13KB

MD5
0ee04e685f30e70d9b35231493837faa

SHA1
80b193cf85321e106c0030e17f914c6ca14f52d6

SHA256
d9d2cc7216825ca9b1a3056d1c812455fe5c105145ed8185568177b9c66cabf6

SHA512
ef7b5de373a237e9e2d5e92612d7468a4498464c0c914bd2c03ba0a7a8eba8f8afec6507a1d71e596d8a83b41cdf8ae7d27d8f5a95fce344ab9c9364405ea494

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
memory/240-191-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/240-95-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/240-89-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/308-252-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/472-58-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/472-63-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/472-61-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/472-60-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/472-59-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/472-85-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/472-57-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/472-67-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/484-189-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/484-168-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/940-90-0x0000000000B56000-0x0000000000B67000-memory.dmp

Filesize
68KB

Download
memory/940-87-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/940-93-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/940-139-0x0000000000B56000-0x0000000000B67000-memory.dmp

Filesize
68KB

Download
memory/940-137-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/964-147-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/964-124-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/964-123-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/964-120-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/964-151-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/964-160-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/964-148-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/964-118-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/964-144-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1008-94-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1008-136-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1008-88-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1008-140-0x0000000000B06000-0x0000000000B17000-memory.dmp

Filesize
68KB

Download
memory/1008-91-0x0000000000B06000-0x0000000000B17000-memory.dmp

Filesize
68KB

Download
memory/1052-119-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1052-116-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1052-113-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1052-130-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1052-149-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1052-117-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1052-112-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1052-133-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1052-169-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1132-68-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1132-55-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1132-56-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1132-54-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1236-254-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1236-218-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1364-234-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1520-170-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1520-190-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1520-150-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1524-171-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1524-158-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1576-107-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1576-109-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1576-102-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1576-100-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1576-97-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1576-131-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1576-98-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1576-103-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1576-157-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-235-0x0000000000C65000-0x0000000000C76000-memory.dmp

Filesize
68KB

Download
memory/1744-236-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-187-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-255-0x0000000000C65000-0x0000000000C76000-memory.dmp

Filesize
68KB

Download
memory/1996-253-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-196-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download