hawkeye | b0352074c6f0556acf2215aa41e485085b1c7561f645f1d314a570acd31ccc1b

Analysis

max time kernel
156s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2014-12-22 #32/41378f6611e67fca821266bd8d84698c.exe
Size

1.4MB
MD5

41378f6611e67fca821266bd8d84698c
SHA1

a58b71aebb697170d778d4bef79f0b3df308a930
SHA256

4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8
SHA512

ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2
SSDEEP

12288:4cGjcPsHfoxY5JBNVQ6QL5fDgA1FsHFGjzSU7ucK0rxEwYN6u04XX4ZSBrOZzsmB:hPkPvS3uGkQxEwYzTVFsfyU97GYxa

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 6 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral18/memory/1152-137-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral18/memory/4052-196-0x0000000000000000-mapping.dmp	MailPassView
behavioral18/memory/4052-197-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral18/memory/4052-201-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral18/memory/4052-208-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral18/memory/4052-209-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral18/memory/1152-137-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral18/memory/1524-213-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral18/memory/1524-214-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral18/memory/1524-216-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral18/memory/1524-217-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral18/memory/1524-219-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 19 IoCs

Processes:

resource	yara_rule
behavioral18/memory/1152-137-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral18/memory/4052-196-0x0000000000000000-mapping.dmp	Nirsoft
behavioral18/memory/4052-197-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral18/memory/4052-201-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral18/memory/4052-208-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral18/memory/4052-209-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral18/memory/1524-213-0x0000000000000000-mapping.dmp	Nirsoft
behavioral18/memory/1524-214-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral18/memory/1524-216-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral18/memory/1524-217-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral18/memory/1524-219-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral18/memory/4512-221-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral18/memory/4512-220-0x0000000000000000-mapping.dmp	Nirsoft
behavioral18/memory/4512-223-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral18/memory/4512-225-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral18/memory/732-226-0x0000000000000000-mapping.dmp	Nirsoft
behavioral18/memory/732-227-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft
behavioral18/memory/732-229-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft
behavioral18/memory/732-231-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft

Executes dropped EXE 13 IoCs

Processes:

41378f6611e67fca821266bd8d84698c.exeWindows Update.exe41378f6611e67fca821266bd8d84698c.exeWindows Update.exeWindows Update.exeWindows Update.exeWindows Update.exeWindows Update.exeWindows Update.exeWindows Update.exeWindows Update.exeWindows Update.exeWindows Update.exe

pid	process
1152	41378f6611e67fca821266bd8d84698c.exe
3704	Windows Update.exe
4740	41378f6611e67fca821266bd8d84698c.exe
2216	Windows Update.exe
1300	Windows Update.exe
1896	Windows Update.exe
4024	Windows Update.exe
4360	Windows Update.exe
2756	Windows Update.exe
2380	Windows Update.exe
4672	Windows Update.exe
5040	Windows Update.exe
308	Windows Update.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

41378f6611e67fca821266bd8d84698c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	41378f6611e67fca821266bd8d84698c.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

41378f6611e67fca821266bd8d84698c.exeWindows Update.exe41378f6611e67fca821266bd8d84698c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sidebar = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\Sample.lnk"	41378f6611e67fca821266bd8d84698c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sidebar = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\Sample.lnk"	Windows Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	41378f6611e67fca821266bd8d84698c.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

45 whatismyipaddress.com
47 whatismyipaddress.com

flow	ioc
45	whatismyipaddress.com
47	whatismyipaddress.com

Suspicious use of SetThreadContext 11 IoCs

Processes:

41378f6611e67fca821266bd8d84698c.exeWindows Update.exe41378f6611e67fca821266bd8d84698c.exe

description	pid	process	target process
PID 4308 set thread context of 1152	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 4308 set thread context of 4740	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 3704 set thread context of 1896	3704	Windows Update.exe	Windows Update.exe
PID 3704 set thread context of 2380	3704	Windows Update.exe	Windows Update.exe
PID 3704 set thread context of 4672	3704	Windows Update.exe	Windows Update.exe
PID 3704 set thread context of 5040	3704	Windows Update.exe	Windows Update.exe
PID 4740 set thread context of 4052	4740	41378f6611e67fca821266bd8d84698c.exe	vbc.exe
PID 3704 set thread context of 308	3704	Windows Update.exe	Windows Update.exe
PID 4740 set thread context of 1524	4740	41378f6611e67fca821266bd8d84698c.exe	vbc.exe
PID 4740 set thread context of 4512	4740	41378f6611e67fca821266bd8d84698c.exe	vbc.exe
PID 4740 set thread context of 732	4740	41378f6611e67fca821266bd8d84698c.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

41378f6611e67fca821266bd8d84698c.exeWindows Update.exe41378f6611e67fca821266bd8d84698c.exe

pid	process
4308	41378f6611e67fca821266bd8d84698c.exe
4308	41378f6611e67fca821266bd8d84698c.exe
4308	41378f6611e67fca821266bd8d84698c.exe
4308	41378f6611e67fca821266bd8d84698c.exe
3704	Windows Update.exe
4308	41378f6611e67fca821266bd8d84698c.exe
4308	41378f6611e67fca821266bd8d84698c.exe
4308	41378f6611e67fca821266bd8d84698c.exe
4308	41378f6611e67fca821266bd8d84698c.exe
4308	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe
4740	41378f6611e67fca821266bd8d84698c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

41378f6611e67fca821266bd8d84698c.exeWindows Update.exe41378f6611e67fca821266bd8d84698c.exe

description	pid	process
Token: SeDebugPrivilege	4308	41378f6611e67fca821266bd8d84698c.exe
Token: SeDebugPrivilege	3704	Windows Update.exe
Token: SeDebugPrivilege	4740	41378f6611e67fca821266bd8d84698c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

41378f6611e67fca821266bd8d84698c.exe

pid process

4740 41378f6611e67fca821266bd8d84698c.exe

pid	process
4740	41378f6611e67fca821266bd8d84698c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

41378f6611e67fca821266bd8d84698c.exe41378f6611e67fca821266bd8d84698c.exeWindows Update.exe

description	pid	process	target process
PID 4308 wrote to memory of 2416	4308	41378f6611e67fca821266bd8d84698c.exe	CMD.exe
PID 4308 wrote to memory of 2416	4308	41378f6611e67fca821266bd8d84698c.exe	CMD.exe
PID 4308 wrote to memory of 2416	4308	41378f6611e67fca821266bd8d84698c.exe	CMD.exe
PID 4308 wrote to memory of 2912	4308	41378f6611e67fca821266bd8d84698c.exe	CMD.exe
PID 4308 wrote to memory of 2912	4308	41378f6611e67fca821266bd8d84698c.exe	CMD.exe
PID 4308 wrote to memory of 2912	4308	41378f6611e67fca821266bd8d84698c.exe	CMD.exe
PID 4308 wrote to memory of 1152	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 4308 wrote to memory of 1152	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 4308 wrote to memory of 1152	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 4308 wrote to memory of 1152	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 4308 wrote to memory of 1152	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 4308 wrote to memory of 1152	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 4308 wrote to memory of 1152	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 4308 wrote to memory of 1152	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 1152 wrote to memory of 3704	1152	41378f6611e67fca821266bd8d84698c.exe	Windows Update.exe
PID 1152 wrote to memory of 3704	1152	41378f6611e67fca821266bd8d84698c.exe	Windows Update.exe
PID 1152 wrote to memory of 3704	1152	41378f6611e67fca821266bd8d84698c.exe	Windows Update.exe
PID 4308 wrote to memory of 4740	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 4308 wrote to memory of 4740	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 4308 wrote to memory of 4740	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 4308 wrote to memory of 4740	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 4308 wrote to memory of 4740	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 4308 wrote to memory of 4740	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 4308 wrote to memory of 4740	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 4308 wrote to memory of 4740	4308	41378f6611e67fca821266bd8d84698c.exe	41378f6611e67fca821266bd8d84698c.exe
PID 3704 wrote to memory of 4984	3704	Windows Update.exe	CMD.exe
PID 3704 wrote to memory of 4984	3704	Windows Update.exe	CMD.exe
PID 3704 wrote to memory of 4984	3704	Windows Update.exe	CMD.exe
PID 3704 wrote to memory of 2936	3704	Windows Update.exe	CMD.exe
PID 3704 wrote to memory of 2936	3704	Windows Update.exe	CMD.exe
PID 3704 wrote to memory of 2936	3704	Windows Update.exe	CMD.exe
PID 3704 wrote to memory of 2216	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 2216	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 2216	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 1300	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 1300	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 1300	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 1896	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 1896	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 1896	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 1896	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 1896	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 1896	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 1896	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 1896	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 4024	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 4024	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 4024	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 4360	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 4360	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 4360	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 2756	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 2756	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 2756	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 2380	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 2380	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 2380	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 2380	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 2380	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 2380	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 2380	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 2380	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 4672	3704	Windows Update.exe	Windows Update.exe
PID 3704 wrote to memory of 4672	3704	Windows Update.exe	Windows Update.exe

C:\Users\Admin\AppData\Local\Temp\2014-12-22 #32\41378f6611e67fca821266bd8d84698c.exe
"C:\Users\Admin\AppData\Local\Temp\2014-12-22 #32\41378f6611e67fca821266bd8d84698c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:2416

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\2014-12-22 #32\41378f6611e67fca821266bd8d84698c.exe
"C:\Users\Admin\AppData\Local\Temp\2014-12-22 #32\41378f6611e67fca821266bd8d84698c.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\SysWOW64\CMD.exe
"CMD"
4⤵
PID:4984

C:\Windows\SysWOW64\CMD.exe
"CMD"
4⤵
PID:2936

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
PID:2216

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
PID:1300

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
PID:1896

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
PID:4024

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
PID:4360

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
PID:2756

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
PID:2380

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
PID:4672

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
PID:5040

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
PID:308

C:\Users\Admin\AppData\Local\Temp\2014-12-22 #32\41378f6611e67fca821266bd8d84698c.exe
"C:\Users\Admin\AppData\Local\Temp\2014-12-22 #32\41378f6611e67fca821266bd8d84698c.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:4052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:1524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
3⤵
PID:4512

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt"
3⤵
PID:732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\41378f6611e67fca821266bd8d84698c.exe.log
Filesize
774B

MD5
049b2c7e274ebb68f3ada1961c982a22

SHA1
796b9f03c8cd94617ea26aaf861af9fb2a5731db

SHA256
5c69c41dceda1bb32d4054d6b483bb3e3af84c8cf0a6191c79068168a1d506b3

SHA512
fb2ee642e1401772d514e86b0b8dd117659335066242e85c158b40e8912572f2bd7b9a0f63f9b9f4d7a2e051579345215f6b1f147881f3d1e78f335c45d78ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Windows Update.exe.log
Filesize
774B

MD5
049b2c7e274ebb68f3ada1961c982a22

SHA1
796b9f03c8cd94617ea26aaf861af9fb2a5731db

SHA256
5c69c41dceda1bb32d4054d6b483bb3e3af84c8cf0a6191c79068168a1d506b3

SHA512
fb2ee642e1401772d514e86b0b8dd117659335066242e85c158b40e8912572f2bd7b9a0f63f9b9f4d7a2e051579345215f6b1f147881f3d1e78f335c45d78ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Sample.lnk
Filesize
1KB

MD5
c32eecd19945ce85a12e68fd9760e987

SHA1
5f5f49fecfb8081bd62bb99cd0ca96ceabede63f

SHA256
9a42faac714c1b6cf233a226161c91a041d0e42bfcbb95ad165b7c2edbea4cf7

SHA512
2ddb42a3c34674223ea138c5bf2a5339739474f6b43418d47080358cecfa06c3f74314338857757ca1bf92e289c21e9ed702b10670c98e2c067e0b96848d9137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\wDy\41378f6611e67fca821266bd8d84698c.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\wDy\41378f6611e67fca821266bd8d84698c.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\wDy\41378f6611e67fca821266bd8d84698c.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\wDy\41378f6611e67fca821266bd8d84698c.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\wDy\41378f6611e67fca821266bd8d84698c.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\wDy\41378f6611e67fca821266bd8d84698c.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\wDy\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\wDy\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\wDy\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\wDy\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\wDy\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\wDy\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2014-12-22 #32\41378f6611e67fca821266bd8d84698c.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2014-12-22 #32\41378f6611e67fca821266bd8d84698c.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
85B

MD5
466a5b41631fe471574883aa53bf8852

SHA1
c314533d51ccfba399e92a92cc5eb8c8af263866

SHA256
39d6da0fd4a17cd9325bfb21520ec09722c731139cb94a37c8eaeba994d229f1

SHA512
4dc66d68bcf4ed0d3700e028d9cc0568f79b3d962a777ffee567230ed234cc069f5923393de222458cb3a8475f54ac2a898d41877dc56bc6fbcd8b90eb1eac27

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt
Filesize
725B

MD5
0d086ba9f795fbab14626d24fc760820

SHA1
4088aa6eb55816930c116550bcbb58a049b9e27b

SHA256
6fd1e21d66175604efff543b78d314d103ade734b3a8a772d731da55f3d119d4

SHA512
43d4adcc7dc3811955a742deb9ea98c2647611036662f031575af6c75a45c97d0359c4b482e0926447cd5fee2ee7efb7f0f354e57c203890f81bca3f5ee75df6

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Roaming\010112.txt
Filesize
10B

MD5
0dc1e24c1de278786e10eeda29a056d5

SHA1
c3c23e0cfa885044dddb753f1209b68a31780892

SHA256
631bd53f22371339f63e4f0bcbce0d434ba1aa8f89b1007ec7f4e4f161c764a3

SHA512
78dba090dc722f9c837de410052ba7d13ae5cf467e9430ae5d6a41e338c8a85ba0630169cd277c943aa1ccf1fe0a0e20637602c15f767f258a63772e4a7026ca

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
41378f6611e67fca821266bd8d84698c

SHA1
a58b71aebb697170d778d4bef79f0b3df308a930

SHA256
4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

SHA512
ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

Download Submit
memory/308-204-0x0000000000000000-mapping.dmp

Download
memory/308-211-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/308-207-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/732-226-0x0000000000000000-mapping.dmp

Download
memory/732-231-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/732-227-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/732-229-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1152-136-0x0000000000000000-mapping.dmp

Download
memory/1152-139-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/1152-137-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1152-145-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/1300-164-0x0000000000000000-mapping.dmp

Download
memory/1524-214-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1524-213-0x0000000000000000-mapping.dmp

Download
memory/1524-216-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1524-217-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1524-219-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1896-166-0x0000000000000000-mapping.dmp

Download
memory/1896-171-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/1896-174-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/2216-162-0x0000000000000000-mapping.dmp

Download
memory/2380-181-0x0000000000000000-mapping.dmp

Download
memory/2380-187-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/2380-185-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/2416-134-0x0000000000000000-mapping.dmp

Download
memory/2756-179-0x0000000000000000-mapping.dmp

Download
memory/2912-135-0x0000000000000000-mapping.dmp

Download
memory/2936-155-0x0000000000000000-mapping.dmp

Download
memory/3704-144-0x0000000001361000-0x0000000001363000-memory.dmp

Filesize
8KB

Download
memory/3704-149-0x0000000001361000-0x0000000001363000-memory.dmp

Filesize
8KB

Download
memory/3704-143-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/3704-153-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/3704-140-0x0000000000000000-mapping.dmp

Download
memory/3704-212-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/4024-175-0x0000000000000000-mapping.dmp

Download
memory/4052-201-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4052-196-0x0000000000000000-mapping.dmp

Download
memory/4052-197-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4052-208-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4052-209-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4308-132-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/4308-133-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/4360-177-0x0000000000000000-mapping.dmp

Download
memory/4512-225-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4512-221-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4512-220-0x0000000000000000-mapping.dmp

Download
memory/4512-223-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4672-192-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/4672-188-0x0000000000000000-mapping.dmp

Download
memory/4740-158-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/4740-146-0x0000000000000000-mapping.dmp

Download
memory/4740-152-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/4984-154-0x0000000000000000-mapping.dmp

Download
memory/5040-202-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/5040-198-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/5040-193-0x0000000000000000-mapping.dmp

Download