kaiten | 3afc8270bfe909376568076567dd7bcab398e766457d5945a3966d224d8c34ab

Analysis

max time kernel
55s
max time network
12s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240522.1-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240522.1-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
03-07-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f12b3682-6fff-4026-bc66-3b156c781961
Size

3.7MB
MD5

8b40a86b19a8f3ffec80bcc8e03dc5dd
SHA1

21017440a86a230e780d8e851ff42c268d292f64
SHA256

3afc8270bfe909376568076567dd7bcab398e766457d5945a3966d224d8c34ab
SHA512

c50cbceba5e101ba091a31563e30b8dbe7985d3c0cc64b56362474c91d93187ec282fe265ff877183de7bd8f83e80fbe4c3e68de0e312ae142364a8ae4c9274c
SSDEEP

98304:AMAAK4W7MRThAHouqB/cyzN7NCx4sdXVAcFXbPSwasS:2D4WSecXEVBPSwa7

Score

10^/10

kaiten xmrig antivm botnet miner persistence upx

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/1756-2-0x00007fe1b1ae7000-0x00007fe1b1afb700-memory.dmp family_kaiten2
Detects Kaiten/Tsunami payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/1756-2-0x00007fe1b1ae7000-0x00007fe1b1afb700-memory.dmp family_kaiten
Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
XMRig Miner payload 1 IoCs
miner

Processes:

resource yara_rule

behavioral1/memory/1758-3-0x00007f0728f17000-0x00007f07295d5d40-memory.dmp xmrig

resource	yara_rule
behavioral1/memory/1756-2-0x00007fe1b1ae7000-0x00007fe1b1afb700-memory.dmp	family_kaiten2

resource	yara_rule
behavioral1/memory/1756-2-0x00007fe1b1ae7000-0x00007fe1b1afb700-memory.dmp	family_kaiten

resource	yara_rule
behavioral1/memory/1758-3-0x00007f0728f17000-0x00007f07295d5d40-memory.dmp	xmrig

Executes dropped EXE 4 IoCs

Processes:

dpkg-deb-package-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887-python37-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887

ioc	pid	process
/etc/init.d/dpkg-deb-package	1589	dpkg-deb-package
/tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887	1755	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
/var/tmp/-python37-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887	1756	-python37-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
/var/tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887	1758	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887

UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

/tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887 upx
/var/tmp/-python37-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887 upx
Attempts to change immutable files 19 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

shhostnamechattrchattrchattrchattrchattrchattrchattrchattrchattrchattrchattrchattrchattrchattrchattrchattrchattr

pid process

1759 sh
1762 hostname
1750 chattr
1741 chattr
1744 chattr
1746 chattr
1737 chattr
1742 chattr
1745 chattr
1747 chattr
1748 chattr
1751 chattr
1752 chattr
1740 chattr
1738 chattr
1739 chattr
1743 chattr
1749 chattr
1735 chattr

resource	yara_rule
/tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887	upx
/var/tmp/-python37-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887	upx

pid	process
1759	sh
1762	hostname
1750	chattr
1741	chattr
1744	chattr
1746	chattr
1737	chattr
1742	chattr
1745	chattr
1747	chattr
1748	chattr
1751	chattr
1752	chattr
1740	chattr
1738	chattr
1739	chattr
1743	chattr
1749	chattr
1735	chattr

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id/product_name	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887

Creates/modifies Cron job 1 TTPs 6 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

Processes:

f12b3682-6fff-4026-bc66-3b156c781961

description	ioc	process
File opened for modification	/etc/cron.d/dbus-manager	f12b3682-6fff-4026-bc66-3b156c781961
File opened for modification	/var/spool/cron/dbus-manager	f12b3682-6fff-4026-bc66-3b156c781961
File opened for modification	/etc/cron.hourly/dbus-manager	f12b3682-6fff-4026-bc66-3b156c781961
File opened for modification	/etc/cron.daily/dbus-manager	f12b3682-6fff-4026-bc66-3b156c781961
File opened for modification	/etc/cron.weekly/dbus-manager	f12b3682-6fff-4026-bc66-3b156c781961
File opened for modification	/etc/cron.monthly/dbus-manager	f12b3682-6fff-4026-bc66-3b156c781961

Enumerates active TCP sockets 1 TTPs 2 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

lsoflsof

description ioc process

File opened for reading /proc/net/tcp lsof
File opened for reading /proc/net/tcp lsof
Enumerates running processes
Discovers information about currently running processes on the system
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

f12b3682-6fff-4026-bc66-3b156c781961

description ioc process

File opened for modification /etc/init.d/dpkg-deb-package f12b3682-6fff-4026-bc66-3b156c781961
Modifies systemd 1 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

f12b3682-6fff-4026-bc66-3b156c781961

description ioc process

File opened for modification /etc/systemd/system/dpkg-deb-package.service f12b3682-6fff-4026-bc66-3b156c781961

description	ioc	process
File opened for reading	/proc/net/tcp	lsof
File opened for reading	/proc/net/tcp	lsof

description	ioc	process
File opened for modification	/etc/init.d/dpkg-deb-package	f12b3682-6fff-4026-bc66-3b156c781961

description	ioc	process
File opened for modification	/etc/systemd/system/dpkg-deb-package.service	f12b3682-6fff-4026-bc66-3b156c781961

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

Processes:

-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id/product_version	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id/board_name	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id/board_version	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

f12b3682-6fff-4026-bc66-3b156c781961

description ioc process

File opened for modification /bin/dpkg-debian f12b3682-6fff-4026-bc66-3b156c781961
Changes its process name 1 IoCs

Processes:

description ioc pid

Changes the process name, possibly in an attempt to hide itself (sysv-install) 1629
Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887grepgrep

description ioc process

File opened for reading /proc/cpuinfo -bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading /proc/cpuinfo grep
File opened for reading /proc/cpuinfo grep

description	ioc	process
File opened for modification	/bin/dpkg-debian	f12b3682-6fff-4026-bc66-3b156c781961

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	1629

description	ioc	process
File opened for reading	/proc/cpuinfo	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep

Reads CPU attributes 1 TTPs 12 IoCs

System Information Discovery

T1082

Processes:

pgreppgreppgrepps-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887pspgreppspsps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/system/cpu/possible	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/types	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads system network configuration 1 TTPs 36 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

Processes:

lsoflsof

description	ioc	process
File opened for reading	/proc/net/sockstat	lsof
File opened for reading	/proc/net/tcp	lsof
File opened for reading	/proc/net/icmp	lsof
File opened for reading	/proc/net/sockstat6	lsof
File opened for reading	/proc/net/icmp	lsof
File opened for reading	/proc/net/ax25	lsof
File opened for reading	/proc/net/ipx	lsof
File opened for reading	/proc/net/unix	lsof
File opened for reading	/proc/net/udplite	lsof
File opened for reading	/proc/net/netlink	lsof
File opened for reading	/proc/net/ax25	lsof
File opened for reading	/proc/net/udp6	lsof
File opened for reading	/proc/net/sctp/assocs	lsof
File opened for reading	/proc/net/raw6	lsof
File opened for reading	/proc/net/tcp6	lsof
File opened for reading	/proc/net/tcp6	lsof
File opened for reading	/proc/net/udplite6	lsof
File opened for reading	/proc/net/unix	lsof
File opened for reading	/proc/net/sockstat	lsof
File opened for reading	/proc/net/udp	lsof
File opened for reading	/proc/net/udp6	lsof
File opened for reading	/proc/net/raw	lsof
File opened for reading	/proc/net/packet	lsof
File opened for reading	/proc/net/udplite6	lsof
File opened for reading	/proc/net/sctp/eps	lsof
File opened for reading	/proc/net/raw	lsof
File opened for reading	/proc/net/packet	lsof
File opened for reading	/proc/net/raw6	lsof
File opened for reading	/proc/net/ipx	lsof
File opened for reading	/proc/net/udp	lsof
File opened for reading	/proc/net/udplite	lsof
File opened for reading	/proc/net/sctp/assocs	lsof
File opened for reading	/proc/net/tcp	lsof
File opened for reading	/proc/net/sockstat6	lsof
File opened for reading	/proc/net/sctp/eps	lsof
File opened for reading	/proc/net/netlink	lsof

Enumerates kernel/hardware configuration 1 TTPs 63 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887f12b3682-6fff-4026-bc66-3b156c781961

description	ioc	process
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/dax/target_node	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/system/node/online	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/node/devices/node0/cpumap	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/virtual/dmi/id	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-1048576kB/nr_hugepages	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/node/devices/node0/meminfo	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	f12b3682-6fff-4026-bc66-3b156c781961
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/fs/cgroup/cpuset.cpus.effective	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/node/devices/node0/hugepages	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/fs/cgroup/cpuset.mems.effective	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/dax/devices/target_node	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/node/devices/node0/access1/initiators	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/fs/cgroup/cgroup.controllers	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/kernel/mm/hugepages	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/dax/devices	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for reading	/sys/firmware/dmi/tables/DMI	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

lsoflsofpspspspgreppgreppgreppspgrepps

description	ioc	process
File opened for reading	/proc/690/fdinfo/10	lsof
File opened for reading	/proc/739/stat	lsof
File opened for reading	/proc/1/fdinfo/87	lsof
File opened for reading	/proc/962/cmdline	ps
File opened for reading	/proc/1117/status	ps
File opened for reading	/proc/15/fd	lsof
File opened for reading	/proc/589/fdinfo/10	lsof
File opened for reading	/proc/593/fdinfo/2	lsof
File opened for reading	/proc/870/fdinfo/1	lsof
File opened for reading	/proc/1080/fdinfo/1	lsof
File opened for reading	/proc/822/fdinfo/7	lsof
File opened for reading	/proc/991/stat	lsof
File opened for reading	/proc/539/cmdline	ps
File opened for reading	/proc/1109/stat	ps
File opened for reading	/proc/1161/status	ps
File opened for reading	/proc/427/stat	lsof
File opened for reading	/proc/635/stat	ps
File opened for reading	/proc/1164/status	ps
File opened for reading	/proc/593/cmdline	pgrep
File opened for reading	/proc/1/fdinfo/21	lsof
File opened for reading	/proc/1222/cmdline	pgrep
File opened for reading	/proc/1164/fdinfo/16	lsof
File opened for reading	/proc/1230/fdinfo/1	lsof
File opened for reading	/proc/211/cmdline	pgrep
File opened for reading	/proc/16/status	ps
File opened for reading	/proc/83/status	ps
File opened for reading	/proc/1241/status	pgrep
File opened for reading	/proc/635/fdinfo/13	lsof
File opened for reading	/proc/1173/fdinfo/7	lsof
File opened for reading	/proc/971/status	ps
File opened for reading	/proc/408/status	pgrep
File opened for reading	/proc/1/fdinfo/52	lsof
File opened for reading	/proc/8/fd	lsof
File opened for reading	/proc/1195/cmdline	ps
File opened for reading	/proc/98/cmdline	ps
File opened for reading	/proc/1035/status	ps
File opened for reading	/proc/1/fdinfo/22	lsof
File opened for reading	/proc/377/fdinfo/58	lsof
File opened for reading	/proc/507/stat	lsof
File opened for reading	/proc/1186/status	ps
File opened for reading	/proc/1173/status	ps
File opened for reading	/proc/1159/cmdline	pgrep
File opened for reading	/proc/96/stat	ps
File opened for reading	/proc/608/cmdline	pgrep
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/649/stat	ps
File opened for reading	/proc/377/fdinfo/100	lsof
File opened for reading	/proc/854/status	ps
File opened for reading	/proc/209/cmdline	pgrep
File opened for reading	/proc/413/cmdline	pgrep
File opened for reading	/proc/377/fdinfo/27	lsof
File opened for reading	/proc/113/stat	ps
File opened for reading	/proc/1085/status	pgrep
File opened for reading	/proc/1/fdinfo/61	lsof
File opened for reading	/proc/217/cmdline	ps
File opened for reading	/proc/263/cmdline	pgrep
File opened for reading	/proc/1173/cmdline	pgrep
File opened for reading	/proc/866/fdinfo/62	lsof
File opened for reading	/proc/1519/fd	lsof
File opened for reading	/proc/1251/stat	ps
File opened for reading	/proc/411/status	pgrep
File opened for reading	/proc/589/fdinfo/25	lsof
File opened for reading	/proc/1013/fdinfo/30	lsof
File opened for reading	/proc/13/cmdline	ps

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

f12b3682-6fff-4026-bc66-3b156c781961-python37-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887

description	ioc	process
File opened for modification	/tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887	f12b3682-6fff-4026-bc66-3b156c781961
File opened for modification	/tmp/.bashirc	-python37-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
File opened for modification	/tmp/.lock	-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887

/tmp/f12b3682-6fff-4026-bc66-3b156c781961
/tmp/f12b3682-6fff-4026-bc66-3b156c781961
1⤵
- Creates/modifies Cron job
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:1566

/usr/bin/pgrep
pgrep -f ksysr
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1570

/usr/bin/pgrep
pgrep -f sysrv
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1571

/usr/bin/pgrep
pgrep -f klibsystem4
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1572

/usr/bin/pgrep
pgrep -f klibsystem5
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1573

/usr/bin/bash
bash -c "ufw disable"
2⤵
PID:1584

/usr/bin/lsof
lsof -t -i :444
2⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:1585

/usr/bin/lsof
lsof -t -i :59475
2⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:1586

/usr/bin/ps
ps -eo "pid,ppid,comm,%cpu" "--sort=-%cpu"
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1587

/usr/bin/chattr
chattr +ia /etc/init.d/dpkg-deb-package
2⤵
PID:1588

/etc/init.d/dpkg-deb-package
/etc/init.d/dpkg-deb-package start
2⤵
- Executes dropped EXE
PID:1589

/usr/bin/cp
cp -f -r -- /bin/dpkg-debian /bin/dpkg-deb-package
3⤵
PID:1590

/usr/bin/rm
rm -rf -- dpkg-deb-package
3⤵
PID:1592

/usr/bin/chattr
chattr +ia /etc/systemd/system/dpkg-deb-package.service
2⤵
PID:1593

/usr/bin/systemctl
systemctl daemon-reload
2⤵
PID:1594

/usr/bin/systemctl
systemctl enable dpkg-deb-package.service
2⤵
PID:1628

/lib/systemd/systemd-sysv-install
/lib/systemd/systemd-sysv-install enable dpkg-deb-package
3⤵
PID:1629

/usr/bin/getopt
getopt -o r: --long root: -- enable dpkg-deb-package
4⤵
PID:1630

/usr/sbin/update-rc.d
/usr/sbin/update-rc.d dpkg-deb-package defaults
4⤵
PID:1631

/usr/local/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1632

/usr/local/bin/systemctl
systemctl daemon-reload
5⤵
PID:1632

/usr/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1632

/usr/bin/systemctl
systemctl daemon-reload
5⤵
PID:1632

/usr/sbin/update-rc.d
/usr/sbin/update-rc.d dpkg-deb-package enable
4⤵
PID:1666

/usr/local/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1667

/usr/local/bin/systemctl
systemctl daemon-reload
5⤵
PID:1667

/usr/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1667

/usr/bin/systemctl
systemctl daemon-reload
5⤵
PID:1667

/usr/bin/chattr
chattr +ia /bin/dpkg-debian
2⤵
PID:1734

/bin/chattr
chattr -ia /etc/cron.d/.placeholder
2⤵
- Attempts to change immutable files
PID:1735

/bin/chattr
chattr -ia /etc/cron.d/anacron
2⤵
- Attempts to change immutable files
PID:1737

/bin/chattr
chattr -ia /etc/cron.d/e2scrub_all
2⤵
- Attempts to change immutable files
PID:1738

/bin/chattr
chattr -ia /var/spool/cron/crontabs
2⤵
- Attempts to change immutable files
PID:1739

/bin/chattr
chattr -ia /etc/cron.hourly/.placeholder
2⤵
- Attempts to change immutable files
PID:1740

/bin/chattr
chattr -ia /etc/cron.daily/.placeholder
2⤵
- Attempts to change immutable files
PID:1741

/bin/chattr
chattr -ia /etc/cron.daily/0anacron
2⤵
- Attempts to change immutable files
PID:1742

/bin/chattr
chattr -ia /etc/cron.daily/apport
2⤵
- Attempts to change immutable files
PID:1743

/bin/chattr
chattr -ia /etc/cron.daily/apt-compat
2⤵
- Attempts to change immutable files
PID:1744

/bin/chattr
chattr -ia /etc/cron.daily/cracklib-runtime
2⤵
- Attempts to change immutable files
PID:1745

/bin/chattr
chattr -ia /etc/cron.daily/dpkg
2⤵
- Attempts to change immutable files
PID:1746

/bin/chattr
chattr -ia /etc/cron.daily/man-db
2⤵
- Attempts to change immutable files
PID:1747

/bin/chattr
chattr -ia /etc/cron.weekly/.placeholder
2⤵
- Attempts to change immutable files
PID:1748

/bin/chattr
chattr -ia /etc/cron.weekly/0anacron
2⤵
- Attempts to change immutable files
PID:1749

/bin/chattr
chattr -ia /etc/cron.weekly/man-db
2⤵
- Attempts to change immutable files
PID:1750

/bin/chattr
chattr -ia /etc/cron.monthly/.placeholder
2⤵
- Attempts to change immutable files
PID:1751

/bin/chattr
chattr -ia /etc/cron.monthly/0anacron
2⤵
- Attempts to change immutable files
PID:1752

/bin/bash
bash -c "find /tmp -type f -regextype egrep -regex '.*[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}' -exec rm -rf {} +"
2⤵
PID:1753

/bin/find
find /tmp -type f -regextype egrep -regex ".*[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}" -exec rm -rf "{}" +
2⤵
PID:1753

/bin/rm
rm -rf /tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887 /tmp/f12b3682-6fff-4026-bc66-3b156c781961
3⤵
PID:1754

/tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
/tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887 /tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887 -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
2⤵
- Executes dropped EXE
PID:1755

/var/tmp/-python37-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
/var/tmp/-python37-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887 /var/tmp/-python37-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
2⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:1756

/var/tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
/var/tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887 /var/tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887 -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:1758

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
3⤵
- Attempts to change immutable files
PID:1759

/bin/hostname
hostname -I
4⤵
- Attempts to change immutable files
PID:1762

/bin/awk
awk "{print \$1}"
4⤵
PID:1764

/bin/awk
awk "{print \"-\"\$2}"
4⤵
PID:1769

/bin/head
head -n 1
4⤵
PID:1768

/bin/grep
grep "Port "
4⤵
PID:1767

/bin/cat
cat /etc/ssh/sshd_config
4⤵
PID:1766

/bin/whoami
whoami
4⤵
PID:1770

/bin/hostname
hostname
4⤵
PID:1771

/bin/grep
grep -c "^processor" /proc/cpuinfo
4⤵
- Checks CPU configuration
PID:1772

/bin/sed
sed -e "s/\$//"
4⤵
PID:1778

/bin/sed
sed -e "s/^ *//"
4⤵
PID:1777

/bin/cut
cut -d: -f2
4⤵
PID:1776

/bin/grep
grep -m 1 "model name" /proc/cpuinfo
4⤵
- Checks CPU configuration
PID:1775

/bin/awk
awk "{print \$1}"
4⤵
PID:1781

/bin/awk
awk "{print \$4}"
4⤵
PID:1784

/bin/awk
awk "{print \$4}"
4⤵
PID:1787

/bin/awk
awk "{print \$3}"
4⤵
PID:1790

/bin/awk
awk "{print \$4}"
4⤵
PID:1793

/bin/awk
awk "{print \$1}"
4⤵
PID:1796

/bin/awk
awk "{print \$2\" \"\$3\" \"\$4}"
4⤵
PID:1798

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
3⤵
PID:1799

/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
4⤵
PID:1801

/bin/ps
ps -A "-ostat,ppid"
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1800

/bin/id
id -u
4⤵
PID:1803

/bin/grep
grep -v grep
4⤵
PID:1806

/bin/grep
grep /etc/cron
4⤵
PID:1805

/bin/ps
ps x
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1804

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
3⤵
PID:1808

/bin/id
id -u
4⤵
PID:1809

/bin/awk
awk "{if(\$3>30.0) print \$2}"
4⤵
PID:1814

/bin/grep
grep -v /usr/sbin/httpd
4⤵
PID:1813

/bin/grep
grep -v -- "-bash[[:space:]]*\$"
4⤵
PID:1812

/bin/grep
grep -v grep
4⤵
PID:1811

/bin/ps
ps aux
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1810

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
3⤵
PID:1816

/bin/id
id -u
4⤵
PID:1817

/bin/wc
wc -l
4⤵
PID:1823

/bin/awk
awk "{if(\$3>30.0) print \$2}"
4⤵
PID:1822

/bin/grep
grep -- "-bash[[:space:]]*\$"
4⤵
PID:1821

/bin/grep
grep -v grep
4⤵
PID:1820

/bin/ps
ps aux
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1819

/usr/bin/nohup
nohup ./dpkg-deb-package
1⤵
PID:1591

/usr/bin/dpkg-deb-package
./dpkg-deb-package
1⤵
PID:1591

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.d/dbus-manager
Filesize
177B

MD5
cb15fc1aeb315b203f6d6c49fc97d754

SHA1
33baee08c1adf776175ed6f94d9c192d4d36949c

SHA256
f33416850da138c66d6054d7a315a0040623326236c1c62d32e94d52aca6f495

SHA512
5dffb2864a87b3004971092255948c30996acfeff3b3980bce0adb8bf593fc79a7f1320dc350d86fee166bb74c47fb23928236db04eded85823dc856ea96f834

Download Submit
/etc/init.d/dpkg-deb-package
Filesize
366B

MD5
906d7ce63c7466c6c65f509156bb1529

SHA1
1e3dcb514ce8007a594f6805c7bdde98fe2f7667

SHA256
e3d6f2b6cc53564780785e6efb9e415b83e40342fe7afe210631fe84fd492476

SHA512
f488084c847b471330dbef23bbb7e3c9def2b961a66406d8ae36de9fe168f9ae1c3db3b001f8e58bd2a0dbf91696a8512812a87bb805df71972a76b82e11cd4d

Download Submit
/etc/systemd/system/dpkg-deb-package.service
Filesize
368B

MD5
c4b8df941d21bfdef588739132cd7a14

SHA1
2ead781a01cc9375ed6c8baab5dfda0cebe1fcfd

SHA256
10d05ae87e80189eead21851fdd757b60d7c7710adce029176847516387cfc5e

SHA512
bd82c37868c18bbf9c4acde45fb4368d0ac87af741797fca71049f763a665c94651db5e18aed249a99e8b1491c04c476ce1c9039bc8583c89bb071293fe9dae3

Download Submit
/tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
Filesize
2.3MB

MD5
b9f096559e923787ebb1288c93ce2902

SHA1
94851bcc8f9c651bcda0ff33d17356cb0b16cf12

SHA256
1fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5

SHA512
ce5f09737d0b7191e3b646ed6111bb0ce97544d280223f327c4f4cc652dc840fed639bc0462b88a7f87d071066e302be7980f14faca1f5e6e9bf732637db22be

Download Submit
/var/tmp/-python37-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887
Filesize
184KB

MD5
8a68585066330f536d6fb376d15cfc4f

SHA1
587dfdb1a3607af9ed32e0561bbab944f510b17b

SHA256
c964791501a48e919446892fe14ed101c27da375668ac7a24de891dc68356f9b

SHA512
6a5ec5083e58cc3e70bf8a395c85bf66c913737b17266f24925339b26dfa4d641cc9cd83922ef7e9dc7ed6febfceb171b7e051dd4c4741028e0328a431f080a6

Download Submit
memory/1566-1-0x0000000000400000-0x0000000000949580-memory.dmp

Download
memory/1756-2-0x00007fe1b1ae7000-0x00007fe1b1afb700-memory.dmp

Download
memory/1758-3-0x00007f0728f17000-0x00007f07295d5d40-memory.dmp

Download