raccoon | 5982e6eec3dd1aacb5a4b9ecf9202815486c2abb604a14288ed6f6c7e9dd5da4

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7v20210410
submitted
28-04-2021 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file2.exe
Size

2.5MB
MD5

f1c6fe0c69d748c9e49cb86967fea4ee
SHA1

3d502ada0eb4d21d0f427abd7b9bf27172caba3d
SHA256

5982e6eec3dd1aacb5a4b9ecf9202815486c2abb604a14288ed6f6c7e9dd5da4
SHA512

f811cddb213f382cee6bed2928b328ed89c4a06192ffca6c4489f395fcced3b72c3428e39929777564b9eee29e32fafce0cde4f8e91db0f2267e9245d997cf5c

Score

10^/10

raccoon redline smokeloader warzonerat 16992cd33145ccbb6feeacb4e84400a56448fa14 afefd33a49c7cbd55d417545269920f24c85aa37 bea07c54d843fcd5517bbf13341a9e273e06979b byr backdoor discovery infostealer rat spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Extracted

Family

raccoon

Botnet

16992cd33145ccbb6feeacb4e84400a56448fa14

Attributes

url4cnc
https://telete.in/baudemars

rc4.plain

Extracted

Family

redline

Botnet

BYR

178.20.40.83:50906

Extracted

Family

warzonerat

104.207.138.207:4531

Extracted

Family

raccoon

Botnet

afefd33a49c7cbd55d417545269920f24c85aa37

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Extracted

Family

raccoon

Botnet

bea07c54d843fcd5517bbf13341a9e273e06979b

Attributes

url4cnc
https://tttttt.me/iopioldpsergdg

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8BB.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\8BB.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\20FE.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\20FE.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

pub02.exetoolspab2.exesetup.exeaskinstall37.exetoolspab2.exeD26C.exeD50C.exeE439.exe8BB.exeF12.exe13C4.exe20FE.exe236F.exe236F.exe

pid	process
2044	pub02.exe
1980	toolspab2.exe
1956	setup.exe
1712	askinstall37.exe
828	toolspab2.exe
1720	D26C.exe
1356	D50C.exe
1092	E439.exe
1372	8BB.exe
1512	F12.exe
968	13C4.exe
1628	20FE.exe
952	236F.exe
436	236F.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/436-138-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Loads dropped DLL 8 IoCs

Processes:

file2.exetoolspab2.exetoolspab2.exe236F.exe

pid process

1268 file2.exe
1268 file2.exe
1268 file2.exe
1268 file2.exe
1268 file2.exe
1980 toolspab2.exe
828 toolspab2.exe
952 236F.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 api.myip.com
8 api.myip.com

pid	process
1268	file2.exe
1268	file2.exe
1268	file2.exe
1268	file2.exe
1268	file2.exe
1980	toolspab2.exe
828	toolspab2.exe
952	236F.exe

flow	ioc
7	api.myip.com
8	api.myip.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

toolspab2.exe236F.exe

description	pid	process	target process
PID 1980 set thread context of 828	1980	toolspab2.exe	toolspab2.exe
PID 952 set thread context of 436	952	236F.exe	236F.exe

Drops file in Program Files directory 6 IoCs

Processes:

file2.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\setup.exe	file2.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\askinstall37.exe	file2.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	file2.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	file2.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\pub02.exe	file2.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\toolspab2.exe	file2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspab2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1064 taskkill.exe

pid	process
1064	taskkill.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

askinstall37.exepub02.exeE439.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall37.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 19000000010000001000000018e847daffeaedafa0faaea36340ea790f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	pub02.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	pub02.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	pub02.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104612000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	pub02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall37.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall37.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	E439.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	E439.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	pub02.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1096 PING.EXE
540 PING.EXE

pid	process
1096	PING.EXE
540	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspab2.exe

pid	process
828	toolspab2.exe
828	toolspab2.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1196
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

toolspab2.exe

pid process

828 toolspab2.exe

pid	process
1196

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

askinstall37.exetaskkill.exe8BB.exe

description	pid	process
Token: SeCreateTokenPrivilege	1712	askinstall37.exe
Token: SeAssignPrimaryTokenPrivilege	1712	askinstall37.exe
Token: SeLockMemoryPrivilege	1712	askinstall37.exe
Token: SeIncreaseQuotaPrivilege	1712	askinstall37.exe
Token: SeMachineAccountPrivilege	1712	askinstall37.exe
Token: SeTcbPrivilege	1712	askinstall37.exe
Token: SeSecurityPrivilege	1712	askinstall37.exe
Token: SeTakeOwnershipPrivilege	1712	askinstall37.exe
Token: SeLoadDriverPrivilege	1712	askinstall37.exe
Token: SeSystemProfilePrivilege	1712	askinstall37.exe
Token: SeSystemtimePrivilege	1712	askinstall37.exe
Token: SeProfSingleProcessPrivilege	1712	askinstall37.exe
Token: SeIncBasePriorityPrivilege	1712	askinstall37.exe
Token: SeCreatePagefilePrivilege	1712	askinstall37.exe
Token: SeCreatePermanentPrivilege	1712	askinstall37.exe
Token: SeBackupPrivilege	1712	askinstall37.exe
Token: SeRestorePrivilege	1712	askinstall37.exe
Token: SeShutdownPrivilege	1712	askinstall37.exe
Token: SeDebugPrivilege	1712	askinstall37.exe
Token: SeAuditPrivilege	1712	askinstall37.exe
Token: SeSystemEnvironmentPrivilege	1712	askinstall37.exe
Token: SeChangeNotifyPrivilege	1712	askinstall37.exe
Token: SeRemoteShutdownPrivilege	1712	askinstall37.exe
Token: SeUndockPrivilege	1712	askinstall37.exe
Token: SeSyncAgentPrivilege	1712	askinstall37.exe
Token: SeEnableDelegationPrivilege	1712	askinstall37.exe
Token: SeManageVolumePrivilege	1712	askinstall37.exe
Token: SeImpersonatePrivilege	1712	askinstall37.exe
Token: SeCreateGlobalPrivilege	1712	askinstall37.exe
Token: 31	1712	askinstall37.exe
Token: 32	1712	askinstall37.exe
Token: 33	1712	askinstall37.exe
Token: 34	1712	askinstall37.exe
Token: 35	1712	askinstall37.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	1372	8BB.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1196
1196
1196
1196
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1196
1196
1196
1196
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

D26C.exeD50C.exe

pid process

1720 D26C.exe
1356 D50C.exe

pid	process
1196
1196
1196
1196

pid	process
1196
1196
1196
1196

pid	process
1720	D26C.exe
1356	D50C.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file2.exesetup.execmd.exetoolspab2.exepub02.execmd.exeaskinstall37.execmd.exe

description	pid	process	target process
PID 1268 wrote to memory of 2044	1268	file2.exe	pub02.exe
PID 1268 wrote to memory of 2044	1268	file2.exe	pub02.exe
PID 1268 wrote to memory of 2044	1268	file2.exe	pub02.exe
PID 1268 wrote to memory of 2044	1268	file2.exe	pub02.exe
PID 1268 wrote to memory of 2044	1268	file2.exe	pub02.exe
PID 1268 wrote to memory of 2044	1268	file2.exe	pub02.exe
PID 1268 wrote to memory of 2044	1268	file2.exe	pub02.exe
PID 1268 wrote to memory of 1980	1268	file2.exe	toolspab2.exe
PID 1268 wrote to memory of 1980	1268	file2.exe	toolspab2.exe
PID 1268 wrote to memory of 1980	1268	file2.exe	toolspab2.exe
PID 1268 wrote to memory of 1980	1268	file2.exe	toolspab2.exe
PID 1268 wrote to memory of 1956	1268	file2.exe	setup.exe
PID 1268 wrote to memory of 1956	1268	file2.exe	setup.exe
PID 1268 wrote to memory of 1956	1268	file2.exe	setup.exe
PID 1268 wrote to memory of 1956	1268	file2.exe	setup.exe
PID 1268 wrote to memory of 1956	1268	file2.exe	setup.exe
PID 1268 wrote to memory of 1956	1268	file2.exe	setup.exe
PID 1268 wrote to memory of 1956	1268	file2.exe	setup.exe
PID 1268 wrote to memory of 1712	1268	file2.exe	askinstall37.exe
PID 1268 wrote to memory of 1712	1268	file2.exe	askinstall37.exe
PID 1268 wrote to memory of 1712	1268	file2.exe	askinstall37.exe
PID 1268 wrote to memory of 1712	1268	file2.exe	askinstall37.exe
PID 1268 wrote to memory of 1712	1268	file2.exe	askinstall37.exe
PID 1268 wrote to memory of 1712	1268	file2.exe	askinstall37.exe
PID 1268 wrote to memory of 1712	1268	file2.exe	askinstall37.exe
PID 1956 wrote to memory of 1468	1956	setup.exe	cmd.exe
PID 1956 wrote to memory of 1468	1956	setup.exe	cmd.exe
PID 1956 wrote to memory of 1468	1956	setup.exe	cmd.exe
PID 1956 wrote to memory of 1468	1956	setup.exe	cmd.exe
PID 1468 wrote to memory of 1096	1468	cmd.exe	PING.EXE
PID 1468 wrote to memory of 1096	1468	cmd.exe	PING.EXE
PID 1468 wrote to memory of 1096	1468	cmd.exe	PING.EXE
PID 1468 wrote to memory of 1096	1468	cmd.exe	PING.EXE
PID 1980 wrote to memory of 828	1980	toolspab2.exe	toolspab2.exe
PID 1980 wrote to memory of 828	1980	toolspab2.exe	toolspab2.exe
PID 1980 wrote to memory of 828	1980	toolspab2.exe	toolspab2.exe
PID 1980 wrote to memory of 828	1980	toolspab2.exe	toolspab2.exe
PID 1980 wrote to memory of 828	1980	toolspab2.exe	toolspab2.exe
PID 1980 wrote to memory of 828	1980	toolspab2.exe	toolspab2.exe
PID 1980 wrote to memory of 828	1980	toolspab2.exe	toolspab2.exe
PID 2044 wrote to memory of 1532	2044	pub02.exe	cmd.exe
PID 2044 wrote to memory of 1532	2044	pub02.exe	cmd.exe
PID 2044 wrote to memory of 1532	2044	pub02.exe	cmd.exe
PID 2044 wrote to memory of 1532	2044	pub02.exe	cmd.exe
PID 1532 wrote to memory of 540	1532	cmd.exe	PING.EXE
PID 1532 wrote to memory of 540	1532	cmd.exe	PING.EXE
PID 1532 wrote to memory of 540	1532	cmd.exe	PING.EXE
PID 1532 wrote to memory of 540	1532	cmd.exe	PING.EXE
PID 1712 wrote to memory of 616	1712	askinstall37.exe	cmd.exe
PID 1712 wrote to memory of 616	1712	askinstall37.exe	cmd.exe
PID 1712 wrote to memory of 616	1712	askinstall37.exe	cmd.exe
PID 1712 wrote to memory of 616	1712	askinstall37.exe	cmd.exe
PID 616 wrote to memory of 1064	616	cmd.exe	taskkill.exe
PID 616 wrote to memory of 1064	616	cmd.exe	taskkill.exe
PID 616 wrote to memory of 1064	616	cmd.exe	taskkill.exe
PID 616 wrote to memory of 1064	616	cmd.exe	taskkill.exe
PID 1196 wrote to memory of 1720	1196		D26C.exe
PID 1196 wrote to memory of 1720	1196		D26C.exe
PID 1196 wrote to memory of 1720	1196		D26C.exe
PID 1196 wrote to memory of 1720	1196		D26C.exe
PID 1196 wrote to memory of 1356	1196		D50C.exe
PID 1196 wrote to memory of 1356	1196		D50C.exe
PID 1196 wrote to memory of 1356	1196		D50C.exe
PID 1196 wrote to memory of 1356	1196		D50C.exe

C:\Users\Admin\AppData\Local\Temp\file2.exe
"C:\Users\Admin\AppData\Local\Temp\file2.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1268

C:\Program Files (x86)\Company\NewProduct\pub02.exe
"C:\Program Files (x86)\Company\NewProduct\pub02.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\Company\NewProduct\pub02.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:540

C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
"C:\Program Files (x86)\Company\NewProduct\toolspab2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1980

C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
"C:\Program Files (x86)\Company\NewProduct\toolspab2.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:828

C:\Program Files (x86)\Company\NewProduct\setup.exe
"C:\Program Files (x86)\Company\NewProduct\setup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Program Files (x86)\Company\NewProduct\setup.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
4⤵
- Runs ping.exe
PID:1096

C:\Program Files (x86)\Company\NewProduct\askinstall37.exe
"C:\Program Files (x86)\Company\NewProduct\askinstall37.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Users\Admin\AppData\Local\Temp\D26C.exe
C:\Users\Admin\AppData\Local\Temp\D26C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Users\Admin\AppData\Local\Temp\D50C.exe
C:\Users\Admin\AppData\Local\Temp\D50C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1356

C:\Users\Admin\AppData\Local\Temp\E439.exe
C:\Users\Admin\AppData\Local\Temp\E439.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1092

C:\Users\Admin\AppData\Local\Temp\8BB.exe
C:\Users\Admin\AppData\Local\Temp\8BB.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Users\Admin\AppData\Local\Temp\F12.exe
C:\Users\Admin\AppData\Local\Temp\F12.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Users\Admin\AppData\Local\Temp\13C4.exe
C:\Users\Admin\AppData\Local\Temp\13C4.exe
1⤵
- Executes dropped EXE
PID:968

C:\Users\Admin\AppData\Local\Temp\20FE.exe
C:\Users\Admin\AppData\Local\Temp\20FE.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Users\Admin\AppData\Local\Temp\236F.exe
C:\Users\Admin\AppData\Local\Temp\236F.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:952

C:\Users\Admin\AppData\Local\Temp\236F.exe
C:\Users\Admin\AppData\Local\Temp\236F.exe
2⤵
- Executes dropped EXE
PID:436

C:\Users\Admin\AppData\Local\Temp\292B.exe
C:\Users\Admin\AppData\Local\Temp\292B.exe
1⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\4248.exe
C:\Users\Admin\AppData\Local\Temp\4248.exe
1⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\44E8.exe
C:\Users\Admin\AppData\Local\Temp\44E8.exe
1⤵
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\askinstall37.exe
MD5
cb97d6423dd6cbc097f946964d68d55d

SHA1
b6e94ed64b14af764b4406aeb21994afd7e95126

SHA256
f9d31f99ef2c764fc16ad2fc3fb0ad4c0270e31dd2d2155998272b0e96d37db9

SHA512
ea1b1440596dad3b1e3b598c597dfe75d3fb76c2fefee24a6f20b9d8ed002c0ae5b6ed3f0dd269f80ed01a15881a0883853f8f7a20a7e7d765dcdaf5a7244674

Download Submit
C:\Program Files (x86)\Company\NewProduct\pub02.exe
MD5
6d25118d3943696f7da7a50cbf348a3c

SHA1
097152dd10525c968d1ca8b0abe32d89bcbb309d

SHA256
cb2827314996213bcbb61ffc5c4416049c7b9a2225fecf93d077d2c44e0a6015

SHA512
ca0b6368656078991bdca17d240c4997ba56de84ac13ea77cf0b5176ab606824db3e3ddda683e9c94703dae8dddeaa7d2122dd05ba64480ecc97352a46f4d833

Download Submit
C:\Program Files (x86)\Company\NewProduct\pub02.exe
MD5
6d25118d3943696f7da7a50cbf348a3c

SHA1
097152dd10525c968d1ca8b0abe32d89bcbb309d

SHA256
cb2827314996213bcbb61ffc5c4416049c7b9a2225fecf93d077d2c44e0a6015

SHA512
ca0b6368656078991bdca17d240c4997ba56de84ac13ea77cf0b5176ab606824db3e3ddda683e9c94703dae8dddeaa7d2122dd05ba64480ecc97352a46f4d833

Download Submit
C:\Program Files (x86)\Company\NewProduct\setup.exe
MD5
b749832e5d6ebfc73a61cde48a1b890b

SHA1
a6b4fda0e4ab8137b6e8cdfea85ba66ff4b11b4b

SHA256
b88584dde985bb05eef183a2f339bef9ebdf7adf3b7ce58a71e78e638e6a2123

SHA512
fc197954eaa1b651ed8dc1b32b6547542281633acbfcd29a3acbb4eb5859a9aad00effcce40d76115ffbb8d0ee189b25813beabeafabee2d419dee6fa8383a21

Download Submit
C:\Program Files (x86)\Company\NewProduct\setup.exe
MD5
b749832e5d6ebfc73a61cde48a1b890b

SHA1
a6b4fda0e4ab8137b6e8cdfea85ba66ff4b11b4b

SHA256
b88584dde985bb05eef183a2f339bef9ebdf7adf3b7ce58a71e78e638e6a2123

SHA512
fc197954eaa1b651ed8dc1b32b6547542281633acbfcd29a3acbb4eb5859a9aad00effcce40d76115ffbb8d0ee189b25813beabeafabee2d419dee6fa8383a21

Download Submit
C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
MD5
a62013161b8d1cbbdbd61978ac9b9144

SHA1
f77d3d56365f734ce44a459416db73b48c287b51

SHA256
f676a8410a4b92785d1789557d0feac9f0b08e437aebf6adf7202e74b703d189

SHA512
376b5cd6066121f6d6ff1030f081d53d969209284ff66f6de317890c49f8b979ae8a504b99090f68c97c760f8ce6c03708f9c4377ce8c9aed276bd86147043ff

Download Submit
C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
MD5
a62013161b8d1cbbdbd61978ac9b9144

SHA1
f77d3d56365f734ce44a459416db73b48c287b51

SHA256
f676a8410a4b92785d1789557d0feac9f0b08e437aebf6adf7202e74b703d189

SHA512
376b5cd6066121f6d6ff1030f081d53d969209284ff66f6de317890c49f8b979ae8a504b99090f68c97c760f8ce6c03708f9c4377ce8c9aed276bd86147043ff

Download Submit
C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
MD5
a62013161b8d1cbbdbd61978ac9b9144

SHA1
f77d3d56365f734ce44a459416db73b48c287b51

SHA256
f676a8410a4b92785d1789557d0feac9f0b08e437aebf6adf7202e74b703d189

SHA512
376b5cd6066121f6d6ff1030f081d53d969209284ff66f6de317890c49f8b979ae8a504b99090f68c97c760f8ce6c03708f9c4377ce8c9aed276bd86147043ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\13C4.exe
MD5
e4e848858e7d0094273ee2fc9005a83b

SHA1
b014e6f76fd373ee7c3fd6540d757c5553ae3edd

SHA256
77d8eef74ddd2dd89aa1dcab3ff29a6d4d69d11b7c39c7df3849bcfd9dbf3a97

SHA512
202f0fbebdb6dd342c9fb5439c858f5c141c33c7e6e72cbb720b2b1f98de7a17070adc6c7ef272c2aedddd8eaa6ca113d3c424fe07bf381f5e4f0b6aed188a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\13C4.exe
MD5
e4e848858e7d0094273ee2fc9005a83b

SHA1
b014e6f76fd373ee7c3fd6540d757c5553ae3edd

SHA256
77d8eef74ddd2dd89aa1dcab3ff29a6d4d69d11b7c39c7df3849bcfd9dbf3a97

SHA512
202f0fbebdb6dd342c9fb5439c858f5c141c33c7e6e72cbb720b2b1f98de7a17070adc6c7ef272c2aedddd8eaa6ca113d3c424fe07bf381f5e4f0b6aed188a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\20FE.exe
MD5
ba8ca271057606f948b3878a36602b7d

SHA1
1faa404d8cd643faf12494f1010c2ce142edfda5

SHA256
5b631bfdbe5ea13be18a6fa4c0dc418033ba17622f7519a20566eea201ef06bc

SHA512
1179f31a204a4f291634a37fb18b88a957cc303c8f74da3002d52380607c3208f9d7e47ec503ac8bb9af5f88f4e3ba9a444c473cdf8d05671ad8a024156a9254

Download Submit
C:\Users\Admin\AppData\Local\Temp\20FE.exe
MD5
ba8ca271057606f948b3878a36602b7d

SHA1
1faa404d8cd643faf12494f1010c2ce142edfda5

SHA256
5b631bfdbe5ea13be18a6fa4c0dc418033ba17622f7519a20566eea201ef06bc

SHA512
1179f31a204a4f291634a37fb18b88a957cc303c8f74da3002d52380607c3208f9d7e47ec503ac8bb9af5f88f4e3ba9a444c473cdf8d05671ad8a024156a9254

Download Submit
C:\Users\Admin\AppData\Local\Temp\236F.exe
MD5
4aa5664039c05514edb168c33835352e

SHA1
79a4f922ed6d39e50a080625cc458db03ec824f3

SHA256
43bd75c55b34db032d9de58849e6df0fb96224e46cc284e698f56d6f29e4e17e

SHA512
9b8255261c8090aa830fa2df7ab7082e619d2b46d0e492e5f2697cf0260212d655cbf614426f9f0a9f68d8e8b0c51b2fb1fdee4b515465ed19afac3946bfea82

Download Submit
C:\Users\Admin\AppData\Local\Temp\236F.exe
MD5
4aa5664039c05514edb168c33835352e

SHA1
79a4f922ed6d39e50a080625cc458db03ec824f3

SHA256
43bd75c55b34db032d9de58849e6df0fb96224e46cc284e698f56d6f29e4e17e

SHA512
9b8255261c8090aa830fa2df7ab7082e619d2b46d0e492e5f2697cf0260212d655cbf614426f9f0a9f68d8e8b0c51b2fb1fdee4b515465ed19afac3946bfea82

Download Submit
C:\Users\Admin\AppData\Local\Temp\236F.exe
MD5
4aa5664039c05514edb168c33835352e

SHA1
79a4f922ed6d39e50a080625cc458db03ec824f3

SHA256
43bd75c55b34db032d9de58849e6df0fb96224e46cc284e698f56d6f29e4e17e

SHA512
9b8255261c8090aa830fa2df7ab7082e619d2b46d0e492e5f2697cf0260212d655cbf614426f9f0a9f68d8e8b0c51b2fb1fdee4b515465ed19afac3946bfea82

Download Submit
C:\Users\Admin\AppData\Local\Temp\292B.exe
MD5
cbd7390a7aa5ee5bb47bd8d2d29d0d82

SHA1
cc5e34bc8f1b2f8746fec10c0e153c1137fc21d7

SHA256
1523691b6e08d2c473aa7a23b1d2a89690f2b6f27cf22168ea967436d15aaa85

SHA512
66b7ea8c7cc62e60d770163e0bbfbdf8f04f4a5f487803eda55c912f0ef048b88c894b5cec4e2a99cd34bb8e478d0c277dd25d195ed2c1c40d3dbae33e7b36d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4248.exe
MD5
2b70d88ea939de5db3d0f525fb8abfe2

SHA1
29e1e8c65a35cb5de9b4808bdb8caac8c5b7d3c9

SHA256
e4fcd434d10c63bbb8686667dbec4c9c80d7ad25d1b587d3d152e557492a874a

SHA512
306e18036a31d51a09e920f5f345014c5605a3f8d2632ad1c7bad5175beb26c60c9f8acfc3d99a8fad5ed3d549f3f4982ad173c851d46382dcc4f07976770494

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BB.exe
MD5
2e31a1e00211fba7ad18620ee2e4e450

SHA1
a7359850bf075cfc0b10f74e36dde85a2831e228

SHA256
8b46f5a08efd73cb5dda91db582a5774514dc6d747c51e129d7279fae10bc3b0

SHA512
991ec8e1493166bd32a89444c13b86a51ee40fe84fa67bdcdd263d8cfb5b2f21eb101ab5ece8b7f7b3de4f8ab4e743ddb47d171f151ac4bd76544f4e4fb029d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BB.exe
MD5
2e31a1e00211fba7ad18620ee2e4e450

SHA1
a7359850bf075cfc0b10f74e36dde85a2831e228

SHA256
8b46f5a08efd73cb5dda91db582a5774514dc6d747c51e129d7279fae10bc3b0

SHA512
991ec8e1493166bd32a89444c13b86a51ee40fe84fa67bdcdd263d8cfb5b2f21eb101ab5ece8b7f7b3de4f8ab4e743ddb47d171f151ac4bd76544f4e4fb029d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\D26C.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\D50C.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\E439.exe
MD5
13c4dec5170909e63e9362fdc7004d25

SHA1
80ef63bc344ce33db21cb7393f96c4ce678dec5d

SHA256
6d82b854e3e94ff95781d5d6e5a100e3864fdfddd5a2c21bfb09c1b8c3244e84

SHA512
880c77fd4f2db5232043aa7b58037169bf9bfaddfaa5ba5c0a755aa12ae1576b26ddd4e7e66b95a0221e136372932e9c9ae48cdac75c987a26dffafb660e226d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F12.exe
MD5
267b5fcac05132b029934169a39ee7d7

SHA1
738f75bbf4f86bbb815939ce6709b7902575b95b

SHA256
18a4b5be7e5a6c144e7158387e65bcc38349b730c85abe8a62308d6f6fa043e0

SHA512
430ad3f146999b934fa2f743760f4b719581d06066902e06d82672924a7c3e45538ce900c52da2a7e5cfdc7f4a58b954871107e1e45f99e50a54bb653c3d76ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD
MD5
0a64a1b457008ba81889e30e582d3535

SHA1
f8aef0f3ac1024880b813601a94c7f0f49640caf

SHA256
2d35e3ac2f695cb610b7142d7ef5067186f4b23ce31f509af247378ba1b21978

SHA512
14b0eedea21bff24f22a63a0dec440472065848c9a9f5af198dfec6ae930f99ef77f5fda246311aad0e98aa32ca4db6cf682b8074f7c1e909ddb0927ca10968e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD
MD5
94f70083532a6f2d5821123cdc96e92a

SHA1
eb9d68e737ea1dc2dbf1b77970550fa913952914

SHA256
291a077b01abb73b9bb60572bc636753afe6b91913f48b60ef13972c57d89cc5

SHA512
39f8ef2aff8d58506bdf32df83fc2acf3cac4b01f83283179e501824f1d28dd30d5dd998f41a14d702d7ba32e8b7c2b037b6d61e9ae8f8ccb31ebe39eba17bad

Download Submit
\Program Files (x86)\Company\NewProduct\askinstall37.exe
MD5
cb97d6423dd6cbc097f946964d68d55d

SHA1
b6e94ed64b14af764b4406aeb21994afd7e95126

SHA256
f9d31f99ef2c764fc16ad2fc3fb0ad4c0270e31dd2d2155998272b0e96d37db9

SHA512
ea1b1440596dad3b1e3b598c597dfe75d3fb76c2fefee24a6f20b9d8ed002c0ae5b6ed3f0dd269f80ed01a15881a0883853f8f7a20a7e7d765dcdaf5a7244674

Download Submit
\Program Files (x86)\Company\NewProduct\pub02.exe
MD5
6d25118d3943696f7da7a50cbf348a3c

SHA1
097152dd10525c968d1ca8b0abe32d89bcbb309d

SHA256
cb2827314996213bcbb61ffc5c4416049c7b9a2225fecf93d077d2c44e0a6015

SHA512
ca0b6368656078991bdca17d240c4997ba56de84ac13ea77cf0b5176ab606824db3e3ddda683e9c94703dae8dddeaa7d2122dd05ba64480ecc97352a46f4d833

Download Submit
\Program Files (x86)\Company\NewProduct\setup.exe
MD5
b749832e5d6ebfc73a61cde48a1b890b

SHA1
a6b4fda0e4ab8137b6e8cdfea85ba66ff4b11b4b

SHA256
b88584dde985bb05eef183a2f339bef9ebdf7adf3b7ce58a71e78e638e6a2123

SHA512
fc197954eaa1b651ed8dc1b32b6547542281633acbfcd29a3acbb4eb5859a9aad00effcce40d76115ffbb8d0ee189b25813beabeafabee2d419dee6fa8383a21

Download Submit
\Program Files (x86)\Company\NewProduct\toolspab2.exe
MD5
a62013161b8d1cbbdbd61978ac9b9144

SHA1
f77d3d56365f734ce44a459416db73b48c287b51

SHA256
f676a8410a4b92785d1789557d0feac9f0b08e437aebf6adf7202e74b703d189

SHA512
376b5cd6066121f6d6ff1030f081d53d969209284ff66f6de317890c49f8b979ae8a504b99090f68c97c760f8ce6c03708f9c4377ce8c9aed276bd86147043ff

Download Submit
\Program Files (x86)\Company\NewProduct\toolspab2.exe
MD5
a62013161b8d1cbbdbd61978ac9b9144

SHA1
f77d3d56365f734ce44a459416db73b48c287b51

SHA256
f676a8410a4b92785d1789557d0feac9f0b08e437aebf6adf7202e74b703d189

SHA512
376b5cd6066121f6d6ff1030f081d53d969209284ff66f6de317890c49f8b979ae8a504b99090f68c97c760f8ce6c03708f9c4377ce8c9aed276bd86147043ff

Download Submit
\Program Files (x86)\Company\NewProduct\toolspab2.exe
MD5
a62013161b8d1cbbdbd61978ac9b9144

SHA1
f77d3d56365f734ce44a459416db73b48c287b51

SHA256
f676a8410a4b92785d1789557d0feac9f0b08e437aebf6adf7202e74b703d189

SHA512
376b5cd6066121f6d6ff1030f081d53d969209284ff66f6de317890c49f8b979ae8a504b99090f68c97c760f8ce6c03708f9c4377ce8c9aed276bd86147043ff

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\nss3.dll
MD5
bcc7fb8243fa2bb6412153d1cc65ee21

SHA1
ef8ab90ad8657b2da28d2f93ef24fb7535246499

SHA256
8f81e92804823aea6a6f452c6e1b9f81f4fa1b4c80c62063859f8bd2d8b0de55

SHA512
1f14992bef880ed7e46229f978adb1ee6901d5cbdd735d2e6f01cdcfac2cfae2dd2145e3516e575451a2ee4763a34a8031db3c361120b15d4fd0081fd1512130

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Local\Temp\236F.exe
MD5
4aa5664039c05514edb168c33835352e

SHA1
79a4f922ed6d39e50a080625cc458db03ec824f3

SHA256
43bd75c55b34db032d9de58849e6df0fb96224e46cc284e698f56d6f29e4e17e

SHA512
9b8255261c8090aa830fa2df7ab7082e619d2b46d0e492e5f2697cf0260212d655cbf614426f9f0a9f68d8e8b0c51b2fb1fdee4b515465ed19afac3946bfea82

Download Submit
\Users\Admin\AppData\Local\Temp\AE30.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
memory/436-138-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/436-139-0x000000000045AE90-mapping.dmp

Download
memory/540-95-0x0000000000000000-mapping.dmp

Download
memory/616-96-0x0000000000000000-mapping.dmp

Download
memory/828-86-0x0000000000402F68-mapping.dmp

Download
memory/828-85-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/952-133-0x0000000000000000-mapping.dmp

Download
memory/952-145-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/968-120-0x0000000000000000-mapping.dmp

Download
memory/968-123-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/968-124-0x0000000000400000-0x0000000000A19000-memory.dmp

Filesize
6.1MB

Download
memory/1064-97-0x0000000000000000-mapping.dmp

Download
memory/1092-106-0x0000000000000000-mapping.dmp

Download
memory/1092-110-0x0000000000300000-0x0000000000391000-memory.dmp

Filesize
580KB

Download
memory/1092-111-0x0000000000400000-0x0000000003DF0000-memory.dmp

Filesize
57.9MB

Download
memory/1096-82-0x0000000000000000-mapping.dmp

Download
memory/1196-92-0x0000000003E30000-0x0000000003E47000-memory.dmp

Filesize
92KB

Download
memory/1268-59-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1356-102-0x0000000000000000-mapping.dmp

Download
memory/1372-115-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1372-117-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/1372-112-0x0000000000000000-mapping.dmp

Download
memory/1468-81-0x0000000000000000-mapping.dmp

Download
memory/1496-156-0x0000000000000000-mapping.dmp

Download
memory/1512-118-0x0000000000000000-mapping.dmp

Download
memory/1512-127-0x0000000000400000-0x0000000002BEC000-memory.dmp

Filesize
39.9MB

Download
memory/1512-126-0x0000000000310000-0x00000000003A1000-memory.dmp

Filesize
580KB

Download
memory/1532-94-0x0000000000000000-mapping.dmp

Download
memory/1628-131-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1628-128-0x0000000000000000-mapping.dmp

Download
memory/1628-135-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1712-74-0x0000000000000000-mapping.dmp

Download
memory/1720-98-0x0000000000000000-mapping.dmp

Download
memory/1956-69-0x0000000000000000-mapping.dmp

Download
memory/1980-90-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download
memory/1980-66-0x0000000000000000-mapping.dmp

Download
memory/1988-147-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/1988-148-0x0000000000400000-0x0000000003DE4000-memory.dmp

Filesize
57.9MB

Download
memory/1988-142-0x0000000000000000-mapping.dmp

Download
memory/2044-78-0x0000000010000000-0x0000000010116000-memory.dmp

Filesize
1.1MB

Download
memory/2044-61-0x0000000000000000-mapping.dmp

Download