raccoon | b817002c69c6315e116f14d6fe64151577999eb773842f052fb17d9a7413a53c

Analysis

max time kernel
151s
max time network
188s
platform
windows7_x64
resource
win7v20210410
submitted
20-08-2021 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b817002c69c6315e116f14d6fe64151577999eb773842.exe
Size

150KB
MD5

e77188581c0cb93c5821999d39d979e2
SHA1

a11e5624e493ef524fffad14ec2488b00ff601c9
SHA256

b817002c69c6315e116f14d6fe64151577999eb773842f052fb17d9a7413a53c
SHA512

41ae5252a62ed2cc0f108059e6d6b496f6e9451bb3398137310b5d9907128aedbcf8c3c656522c52f68e392cfac641e7b42fc61c82506a6ba6b6d654b71de1c8

Score

10^/10

raccoon redline smokeloader xmrig #mix 19.08 777 fe582536ec580228180f270f7cb80a867860e010 backdoor discovery evasion infostealer miner spyware stealer suricata themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Extracted

Family

redline

Botnet

777

51.254.68.139:8067

Extracted

Family

redline

Botnet

#MIX 19.08

gophamanapr.site:80

Extracted

Family

raccoon

Botnet

fe582536ec580228180f270f7cb80a867860e010

Attributes

url4cnc
https://telete.in/xylichanjk

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\95FC.exe	family_redline
behavioral1/memory/1932-86-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1932-87-0x0000000000418F6E-mapping.dmp	family_redline
behavioral1/memory/1932-89-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1980-101-0x0000000004700000-0x000000000471C000-memory.dmp	family_redline
behavioral1/memory/1980-102-0x0000000004790000-0x00000000047AA000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
\ProgramData\Systemd\note3dll.exe	xmrig
C:\ProgramData\Systemd\note3dll.exe	xmrig

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

8141.exe8769.exe9159.exe95FC.exe8769.exe99D3.exe9BA8.exeA20F.exeAD56.exeAFF6.exeAudioDriver.exe11.exenote3dll.exeAudioCodec.exe

pid	process
320	8141.exe
640	8769.exe
480	9159.exe
1520	95FC.exe
1932	8769.exe
952	99D3.exe
1980	9BA8.exe
1964	A20F.exe
1684	AD56.exe
1460	AFF6.exe
1580	AudioDriver.exe
2156	11.exe
2528	note3dll.exe
2732	AudioCodec.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

95FC.exeA20F.exe9159.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	95FC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	A20F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	A20F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9159.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9159.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	95FC.exe

Deletes itself 1 IoCs

Processes:

pid process

1248
Drops startup file 1 IoCs

Processes:

AudioDriver.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk AudioDriver.exe

pid	process
1248

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	AudioDriver.exe

Loads dropped DLL 24 IoCs

Processes:

8769.exe99D3.exe8769.exe9159.exeAudioDriver.exeWerFault.exeAFF6.exe

pid	process
640	8769.exe
952	99D3.exe
952	99D3.exe
952	99D3.exe
1932	8769.exe
1932	8769.exe
952	99D3.exe
952	99D3.exe
952	99D3.exe
952	99D3.exe
480	9159.exe
1580	AudioDriver.exe
2380	WerFault.exe
2380	WerFault.exe
2380	WerFault.exe
2380	WerFault.exe
2380	WerFault.exe
1460	AFF6.exe
1460	AFF6.exe
1460	AFF6.exe
1460	AFF6.exe
1460	AFF6.exe
1580	AudioDriver.exe
1580	AudioDriver.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\9159.exe	themida
behavioral1/memory/480-80-0x00000000003B0000-0x00000000003B1000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\95FC.exe	themida
behavioral1/memory/1520-91-0x0000000000A10000-0x0000000000A11000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\A20F.exe	themida
behavioral1/memory/1964-114-0x00000000010D0000-0x00000000010D1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

A20F.exe9159.exe95FC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	A20F.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9159.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	95FC.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

9159.exe95FC.exeA20F.exeAudioCodec.exe

pid process

480 9159.exe
1520 95FC.exe
1964 A20F.exe
2732 AudioCodec.exe
2732 AudioCodec.exe

pid	process
480	9159.exe
1520	95FC.exe
1964	A20F.exe
2732	AudioCodec.exe
2732	AudioCodec.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b817002c69c6315e116f14d6fe64151577999eb773842.exe8769.exe

description	pid	process	target process
PID 1668 set thread context of 1400	1668	b817002c69c6315e116f14d6fe64151577999eb773842.exe	b817002c69c6315e116f14d6fe64151577999eb773842.exe
PID 640 set thread context of 1932	640	8769.exe	8769.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2380 2156 WerFault.exe 11.exe

pid	pid_target	process	target process
2380	2156	WerFault.exe	11.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b817002c69c6315e116f14d6fe64151577999eb773842.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b817002c69c6315e116f14d6fe64151577999eb773842.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b817002c69c6315e116f14d6fe64151577999eb773842.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b817002c69c6315e116f14d6fe64151577999eb773842.exe

Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

AFF6.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString AFF6.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2604 timeout.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AFF6.exe

pid	process
2604	timeout.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

11.exe99D3.exeAudioDriver.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	99D3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	99D3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	AudioDriver.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AudioDriver.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AudioDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	11.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	11.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b817002c69c6315e116f14d6fe64151577999eb773842.exe

pid	process
1400	b817002c69c6315e116f14d6fe64151577999eb773842.exe
1400	b817002c69c6315e116f14d6fe64151577999eb773842.exe
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1248
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b817002c69c6315e116f14d6fe64151577999eb773842.exe

pid process

1400 b817002c69c6315e116f14d6fe64151577999eb773842.exe

pid	process
1248

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

9159.exe8769.exe95FC.exe9BA8.exeA20F.exe11.exeWerFault.exenote3dll.exe

description	pid	process
Token: SeShutdownPrivilege	1248
Token: SeShutdownPrivilege	1248
Token: SeShutdownPrivilege	1248
Token: SeShutdownPrivilege	1248
Token: SeShutdownPrivilege	1248
Token: SeDebugPrivilege	480	9159.exe
Token: SeDebugPrivilege	1932	8769.exe
Token: SeShutdownPrivilege	1248
Token: SeDebugPrivilege	1520	95FC.exe
Token: SeShutdownPrivilege	1248
Token: SeShutdownPrivilege	1248
Token: SeDebugPrivilege	1980	9BA8.exe
Token: SeShutdownPrivilege	1248
Token: SeShutdownPrivilege	1248
Token: SeDebugPrivilege	1964	A20F.exe
Token: SeShutdownPrivilege	1248
Token: SeShutdownPrivilege	1248
Token: SeDebugPrivilege	2156	11.exe
Token: SeDebugPrivilege	2380	WerFault.exe
Token: SeShutdownPrivilege	1248
Token: SeLockMemoryPrivilege	2528	note3dll.exe
Token: SeLockMemoryPrivilege	2528	note3dll.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

pid process

1248
1248
1248
1248
1248
1248
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1248
1248
1248
1248
1248
1248
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

8141.exe

pid process

320 8141.exe

pid	process
1248
1248
1248
1248
1248
1248

pid	process
1248
1248
1248
1248
1248
1248

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b817002c69c6315e116f14d6fe64151577999eb773842.exe8769.exe8769.exe

description	pid	process	target process
PID 1668 wrote to memory of 1400	1668	b817002c69c6315e116f14d6fe64151577999eb773842.exe	b817002c69c6315e116f14d6fe64151577999eb773842.exe
PID 1668 wrote to memory of 1400	1668	b817002c69c6315e116f14d6fe64151577999eb773842.exe	b817002c69c6315e116f14d6fe64151577999eb773842.exe
PID 1668 wrote to memory of 1400	1668	b817002c69c6315e116f14d6fe64151577999eb773842.exe	b817002c69c6315e116f14d6fe64151577999eb773842.exe
PID 1668 wrote to memory of 1400	1668	b817002c69c6315e116f14d6fe64151577999eb773842.exe	b817002c69c6315e116f14d6fe64151577999eb773842.exe
PID 1668 wrote to memory of 1400	1668	b817002c69c6315e116f14d6fe64151577999eb773842.exe	b817002c69c6315e116f14d6fe64151577999eb773842.exe
PID 1668 wrote to memory of 1400	1668	b817002c69c6315e116f14d6fe64151577999eb773842.exe	b817002c69c6315e116f14d6fe64151577999eb773842.exe
PID 1668 wrote to memory of 1400	1668	b817002c69c6315e116f14d6fe64151577999eb773842.exe	b817002c69c6315e116f14d6fe64151577999eb773842.exe
PID 1248 wrote to memory of 320	1248		8141.exe
PID 1248 wrote to memory of 320	1248		8141.exe
PID 1248 wrote to memory of 320	1248		8141.exe
PID 1248 wrote to memory of 320	1248		8141.exe
PID 1248 wrote to memory of 640	1248		8769.exe
PID 1248 wrote to memory of 640	1248		8769.exe
PID 1248 wrote to memory of 640	1248		8769.exe
PID 1248 wrote to memory of 640	1248		8769.exe
PID 640 wrote to memory of 1932	640	8769.exe	8769.exe
PID 640 wrote to memory of 1932	640	8769.exe	8769.exe
PID 640 wrote to memory of 1932	640	8769.exe	8769.exe
PID 640 wrote to memory of 1932	640	8769.exe	8769.exe
PID 1248 wrote to memory of 480	1248		9159.exe
PID 1248 wrote to memory of 480	1248		9159.exe
PID 1248 wrote to memory of 480	1248		9159.exe
PID 1248 wrote to memory of 480	1248		9159.exe
PID 1248 wrote to memory of 480	1248		9159.exe
PID 1248 wrote to memory of 480	1248		9159.exe
PID 1248 wrote to memory of 480	1248		9159.exe
PID 1248 wrote to memory of 1520	1248		95FC.exe
PID 1248 wrote to memory of 1520	1248		95FC.exe
PID 1248 wrote to memory of 1520	1248		95FC.exe
PID 1248 wrote to memory of 1520	1248		95FC.exe
PID 1248 wrote to memory of 1520	1248		95FC.exe
PID 1248 wrote to memory of 1520	1248		95FC.exe
PID 1248 wrote to memory of 1520	1248		95FC.exe
PID 640 wrote to memory of 1932	640	8769.exe	8769.exe
PID 640 wrote to memory of 1932	640	8769.exe	8769.exe
PID 640 wrote to memory of 1932	640	8769.exe	8769.exe
PID 640 wrote to memory of 1932	640	8769.exe	8769.exe
PID 640 wrote to memory of 1932	640	8769.exe	8769.exe
PID 1248 wrote to memory of 952	1248		99D3.exe
PID 1248 wrote to memory of 952	1248		99D3.exe
PID 1248 wrote to memory of 952	1248		99D3.exe
PID 1248 wrote to memory of 952	1248		99D3.exe
PID 1248 wrote to memory of 1980	1248		9BA8.exe
PID 1248 wrote to memory of 1980	1248		9BA8.exe
PID 1248 wrote to memory of 1980	1248		9BA8.exe
PID 1248 wrote to memory of 1980	1248		9BA8.exe
PID 1248 wrote to memory of 1964	1248		A20F.exe
PID 1248 wrote to memory of 1964	1248		A20F.exe
PID 1248 wrote to memory of 1964	1248		A20F.exe
PID 1248 wrote to memory of 1964	1248		A20F.exe
PID 1248 wrote to memory of 1964	1248		A20F.exe
PID 1248 wrote to memory of 1964	1248		A20F.exe
PID 1248 wrote to memory of 1964	1248		A20F.exe
PID 1248 wrote to memory of 1684	1248		AD56.exe
PID 1248 wrote to memory of 1684	1248		AD56.exe
PID 1248 wrote to memory of 1684	1248		AD56.exe
PID 1248 wrote to memory of 1684	1248		AD56.exe
PID 1248 wrote to memory of 1460	1248		AFF6.exe
PID 1248 wrote to memory of 1460	1248		AFF6.exe
PID 1248 wrote to memory of 1460	1248		AFF6.exe
PID 1248 wrote to memory of 1460	1248		AFF6.exe
PID 1932 wrote to memory of 1580	1932	8769.exe	AudioDriver.exe
PID 1932 wrote to memory of 1580	1932	8769.exe	AudioDriver.exe
PID 1932 wrote to memory of 1580	1932	8769.exe	AudioDriver.exe

C:\Users\Admin\AppData\Local\Temp\b817002c69c6315e116f14d6fe64151577999eb773842.exe
"C:\Users\Admin\AppData\Local\Temp\b817002c69c6315e116f14d6fe64151577999eb773842.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\b817002c69c6315e116f14d6fe64151577999eb773842.exe
"C:\Users\Admin\AppData\Local\Temp\b817002c69c6315e116f14d6fe64151577999eb773842.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1400

C:\Users\Admin\AppData\Local\Temp\8141.exe
C:\Users\Admin\AppData\Local\Temp\8141.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:320

C:\Users\Admin\AppData\Local\Temp\8769.exe
C:\Users\Admin\AppData\Local\Temp\8769.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Local\Temp\8769.exe
C:\Users\Admin\AppData\Local\Temp\8769.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\AudioDriver.exe
"C:\Users\Admin\AppData\Local\Temp\AudioDriver.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Modifies system certificate store
PID:1580

C:\ProgramData\Systemd\note3dll.exe
NULL
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2732

C:\Users\Admin\AppData\Local\Temp\9159.exe
C:\Users\Admin\AppData\Local\Temp\9159.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:480

C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1520
3⤵
- Loads dropped DLL
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Users\Admin\AppData\Local\Temp\95FC.exe
C:\Users\Admin\AppData\Local\Temp\95FC.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Users\Admin\AppData\Local\Temp\99D3.exe
C:\Users\Admin\AppData\Local\Temp\99D3.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:952

C:\Users\Admin\AppData\Local\Temp\9BA8.exe
C:\Users\Admin\AppData\Local\Temp\9BA8.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Users\Admin\AppData\Local\Temp\A20F.exe
C:\Users\Admin\AppData\Local\Temp\A20F.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Users\Admin\AppData\Local\Temp\AD56.exe
C:\Users\Admin\AppData\Local\Temp\AD56.exe
1⤵
- Executes dropped EXE
PID:1684

C:\Users\Admin\AppData\Local\Temp\AFF6.exe
C:\Users\Admin\AppData\Local\Temp\AFF6.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\AFF6.exe" & exit
2⤵
PID:2556

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Data\AudioCodec.exe
MD5
e246a85d5b30c95f1354b6db87c2c47f

SHA1
1c34b17ab338f222c6275634c984b6530a5e7909

SHA256
c16daecbdcc64e821bdbdba89183ba9b49858bf488e85b58147694a7e26302ba

SHA512
d93555c498483f9a2ed5849bd4445be28af87265ed57959c25d1e45543c2b72483e248276ce80cda50d94b85d9b449bb1ac6c28f6c008812b89b126aa020aba5

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
605985e2707e0cce4105d608d92af0e0

SHA1
54106faeacf4c869cfe72693eea7c301a7c9a1a8

SHA256
71aa524a253f9f88320a39bbdb7e8588869b3c3b2381581e1cc4ec19db5cd43f

SHA512
4878568303b55d8555c03dd99e154000efcc03d40a3010fc4d2368f8eba4d7c95f4eaf3957d90512d08c863f3bb28d0937420633ac3096405ee86399824f2907

Download Submit
C:\ProgramData\Systemd\config.json
MD5
fa1d69a92278c02bde09e56f53f17e7c

SHA1
18bf7aeb76a9dab8dfbc54fd6c44c9c31ab96c6a

SHA256
b7530d98b7fbfaf91eaf37c184adf3d2f0d7fe0be0161f94cf01a66a8b8334c2

SHA512
86260deb08d8e17cab9aa84c156988343ac567b45a9b437a67443983d5143e5979ee775ba01a33cdad57d87ab6fd4dca56489df4da2b9a529202dad5a26c93e2

Download Submit
C:\ProgramData\Systemd\note3dll.exe
MD5
0b85eae86038116041ecc8d24ba2fadb

SHA1
bcfeff8a7b42e8836b7dea9f6d594e14f6b25cec

SHA256
cd0dcc3d3aab1dc613cd5b1ea4d3a066ab20768c60babb1a4e79df9da9144218

SHA512
ef0b17ae8d533c209491358f09826ea7b0cb5e5d7a435b80f574916624070036d5fcf30eb35c0d5c33b49c134f471734efdaef5154de51b1ce600b4fe51b9744

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe
MD5
be4ede5e88f7c98f1c00147019da42ac

SHA1
46621b653521b697f125b9beec4dd4afbaa3eef5

SHA256
f5c0f868f65d7cb5787eda39a880e5be884458f4d4ef560e6a119bf0640274c4

SHA512
6a9965ca9cd8fc739dd7519e9de27a0c5205532fdf3de48c41043d5ec7c99edbf087ba5392092bcd74c94ae6578706f7fb596ce58e59946ca7a87eb5ffe4bcb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe
MD5
be4ede5e88f7c98f1c00147019da42ac

SHA1
46621b653521b697f125b9beec4dd4afbaa3eef5

SHA256
f5c0f868f65d7cb5787eda39a880e5be884458f4d4ef560e6a119bf0640274c4

SHA512
6a9965ca9cd8fc739dd7519e9de27a0c5205532fdf3de48c41043d5ec7c99edbf087ba5392092bcd74c94ae6578706f7fb596ce58e59946ca7a87eb5ffe4bcb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8141.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\8769.exe
MD5
2846ad734c304a80d4200a86533ccf00

SHA1
6faa75e815c17245e574dd914966d5f531427dad

SHA256
770da1ece99e04a602eb75b9dd90e58b4880d42acb4c1b189421720d446b02a1

SHA512
7b9dffd65a941b3587d568d2714a72041a7ac62bfe919a079b99f8dd659289b7bb1e6e1c2b9873c7b8b09c24ba4eef66d126313576f7f4f487269c14228ae80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8769.exe
MD5
2846ad734c304a80d4200a86533ccf00

SHA1
6faa75e815c17245e574dd914966d5f531427dad

SHA256
770da1ece99e04a602eb75b9dd90e58b4880d42acb4c1b189421720d446b02a1

SHA512
7b9dffd65a941b3587d568d2714a72041a7ac62bfe919a079b99f8dd659289b7bb1e6e1c2b9873c7b8b09c24ba4eef66d126313576f7f4f487269c14228ae80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8769.exe
MD5
2846ad734c304a80d4200a86533ccf00

SHA1
6faa75e815c17245e574dd914966d5f531427dad

SHA256
770da1ece99e04a602eb75b9dd90e58b4880d42acb4c1b189421720d446b02a1

SHA512
7b9dffd65a941b3587d568d2714a72041a7ac62bfe919a079b99f8dd659289b7bb1e6e1c2b9873c7b8b09c24ba4eef66d126313576f7f4f487269c14228ae80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9159.exe
MD5
cc078e133d1c8a2a07dbb784463a5390

SHA1
5eccaa99757c4201d90d7904f546952039e747d6

SHA256
1fa26edc32e7af8d9de8ecbe2e68f8307a3d936dabe730af6976e73a2528c388

SHA512
cd9edd7b858a81a4a46b8831c94a7abcaa74754c5a5a52689843b44fca4455d74767cf4f85c45f4ef2f2011fd17282c51f5110fefa60ea94c95e836c72283b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\95FC.exe
MD5
07fd20f2ef24f16c0d0ce1bea427ff02

SHA1
212f5d0cb59ed1626c1c687ccef54b88d11aab22

SHA256
f5d0012b834951cde77890781dcb8e3787377f7682777eb4fb29185682e8d92c

SHA512
6307f379adde919841336a98c034efd9cba9caec791a9d2b0d8ec531a39d818b35a9a107650029e580c54efd9a1a799d3c56dfab721a8b068238901ee9ada909

Download Submit
C:\Users\Admin\AppData\Local\Temp\99D3.exe
MD5
8f5840ed3d0afcd582700adbb02ac00e

SHA1
0ce0b3e5e61fd328e37cebf47029f36f29582a32

SHA256
ec75f6425faec59679a112ddf3cfa69acdd45afeb46806067ebc52b4acc6332e

SHA512
700fe17a8bec9a34c2582c7abbbeda2750cda87f9cb3f6913b61b8f42d4c4b520fd52ea95c0a98d0072fa682f7823e03fc2a00854827d22ffba582d1b723ac27

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BA8.exe
MD5
d89443e3bc2fc8605e467ec0597b635f

SHA1
741bbced5cca825914c68f93be93ce927b61ef4f

SHA256
5d745fa3e32482728c1f2ad6e28263d9061345a6a05a9cf290098ad4864990d2

SHA512
b5cc6076488af3f07666ef2fbb3c868948c3620e301a098749210cdc7dbc80e640061aa024c181c60f98f503b96195238183aff75d4020ce83b962132f793f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A20F.exe
MD5
44dc3130f089718a02b53aceeb7b8980

SHA1
66fe679d4960f1f6a395a40e1a2e64025cafbddb

SHA256
b71e691b4023157ca65c44f764ffc4c2ba1263ad634b4a4acc17b1c249b1d5f9

SHA512
5a4413be7b9e3e232084e6429594610dbb7a8b3b97071da714b24ff9445e41a26c0ba4392e437d8a09894d27707dcb9bf1c2a65f27561a644d3ff44507da97d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD56.exe
MD5
7cf2af3a5b5f6df3e2b5aee02504022b

SHA1
19d4481ead548df3982e7e2d17265724af8b92e6

SHA256
010ec844c209e11b7eec52cebdc39b6464952079eee052e3e2241ad0009ff44a

SHA512
3e13f85c2af5026833e7b46399773125da0a81e2a72f61ec6e7e498224357aeec58dc17f438edcf91173dc9264dd180d733df5abd6589b386560e4255667b0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD56.exe
MD5
7cf2af3a5b5f6df3e2b5aee02504022b

SHA1
19d4481ead548df3982e7e2d17265724af8b92e6

SHA256
010ec844c209e11b7eec52cebdc39b6464952079eee052e3e2241ad0009ff44a

SHA512
3e13f85c2af5026833e7b46399773125da0a81e2a72f61ec6e7e498224357aeec58dc17f438edcf91173dc9264dd180d733df5abd6589b386560e4255667b0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFF6.exe
MD5
6cac46f77a08178ac8ba3186cc83051a

SHA1
43db8ad4f6334e7309ad6947d5b8d6b44f86efb1

SHA256
5b447482fcc1ef9939b7144b1ded517067afe56f0ea984ae132086dade2dae30

SHA512
42c8bed4d7104104431bf517490b8fa2ac67cf9d9e9e1ba14d5a06b8d2cd97891fba3af64e39872360ec0ecaf804f93b64b1b28733ae939402b0e9e37875a42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioDriver.exe
MD5
5ddf0a162b4926bf3b3f6a36f0f0b340

SHA1
9810a28fbcd8a8cdd4f7ae4ea7ad1c888f02ba95

SHA256
dafce32f7db8c54d2f424b33885d87012f454aeb6fb9ed95502884544b7ccda3

SHA512
f91ccccc91733291ee712f66e42520f7742cce0e5ea097d816fe2e5b372a698256c256f0bf8daf6f6f4a1e8cc438dae561e9a288d2d66709de844645dbf5e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioDriver.exe
MD5
5ddf0a162b4926bf3b3f6a36f0f0b340

SHA1
9810a28fbcd8a8cdd4f7ae4ea7ad1c888f02ba95

SHA256
dafce32f7db8c54d2f424b33885d87012f454aeb6fb9ed95502884544b7ccda3

SHA512
f91ccccc91733291ee712f66e42520f7742cce0e5ea097d816fe2e5b372a698256c256f0bf8daf6f6f4a1e8cc438dae561e9a288d2d66709de844645dbf5e7cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk
MD5
9204c4067037570fbbd3db1398b08d29

SHA1
56a86082143a7c94bec42dbb5e6e9b3fdc0d2218

SHA256
1e5bfa5bdc7c9a4fc286f2aa1eaaa52452741f4fe940845428376370ab080370

SHA512
a83575bf4563665b4cec3a6986da8b6daed247ae9340bd4a442ccb3f9927d780d6b9f1a39a0dd6a5978435e2f095e2b7d6fcf2b34f71248c495a39ffb01a39e5

Download Submit
\ProgramData\Data\AudioCodec.exe
MD5
f623d077698e11fda151d97a77929409

SHA1
992c8995692ed3fb6c9373b3169c1d5607561509

SHA256
4d2a36cb915644cc62328096ddfafbf226bb556785212539ed5a4ca6118bac68

SHA512
09bdf1220176084555ab7b49aed7080c3af0535318023c2328f74e7f33e1cd7d4fb7bbd7756884fe5e68181e3ad5c668e976ae7c747e99edb55a74c20d2c408f

Download Submit
\ProgramData\Microsoft Network\System.exe
MD5
5ddf0a162b4926bf3b3f6a36f0f0b340

SHA1
9810a28fbcd8a8cdd4f7ae4ea7ad1c888f02ba95

SHA256
dafce32f7db8c54d2f424b33885d87012f454aeb6fb9ed95502884544b7ccda3

SHA512
f91ccccc91733291ee712f66e42520f7742cce0e5ea097d816fe2e5b372a698256c256f0bf8daf6f6f4a1e8cc438dae561e9a288d2d66709de844645dbf5e7cb

Download Submit
\ProgramData\Systemd\note3dll.exe
MD5
0b85eae86038116041ecc8d24ba2fadb

SHA1
bcfeff8a7b42e8836b7dea9f6d594e14f6b25cec

SHA256
cd0dcc3d3aab1dc613cd5b1ea4d3a066ab20768c60babb1a4e79df9da9144218

SHA512
ef0b17ae8d533c209491358f09826ea7b0cb5e5d7a435b80f574916624070036d5fcf30eb35c0d5c33b49c134f471734efdaef5154de51b1ce600b4fe51b9744

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\LocalLow\aD1rF3aM8r\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\aD1rF3aM8r\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\aD1rF3aM8r\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\LocalLow\aD1rF3aM8r\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\aD1rF3aM8r\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\aD1rF3aM8r\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Local\Temp\11.exe
MD5
be4ede5e88f7c98f1c00147019da42ac

SHA1
46621b653521b697f125b9beec4dd4afbaa3eef5

SHA256
f5c0f868f65d7cb5787eda39a880e5be884458f4d4ef560e6a119bf0640274c4

SHA512
6a9965ca9cd8fc739dd7519e9de27a0c5205532fdf3de48c41043d5ec7c99edbf087ba5392092bcd74c94ae6578706f7fb596ce58e59946ca7a87eb5ffe4bcb2

Download Submit
\Users\Admin\AppData\Local\Temp\11.exe
MD5
be4ede5e88f7c98f1c00147019da42ac

SHA1
46621b653521b697f125b9beec4dd4afbaa3eef5

SHA256
f5c0f868f65d7cb5787eda39a880e5be884458f4d4ef560e6a119bf0640274c4

SHA512
6a9965ca9cd8fc739dd7519e9de27a0c5205532fdf3de48c41043d5ec7c99edbf087ba5392092bcd74c94ae6578706f7fb596ce58e59946ca7a87eb5ffe4bcb2

Download Submit
\Users\Admin\AppData\Local\Temp\11.exe
MD5
be4ede5e88f7c98f1c00147019da42ac

SHA1
46621b653521b697f125b9beec4dd4afbaa3eef5

SHA256
f5c0f868f65d7cb5787eda39a880e5be884458f4d4ef560e6a119bf0640274c4

SHA512
6a9965ca9cd8fc739dd7519e9de27a0c5205532fdf3de48c41043d5ec7c99edbf087ba5392092bcd74c94ae6578706f7fb596ce58e59946ca7a87eb5ffe4bcb2

Download Submit
\Users\Admin\AppData\Local\Temp\11.exe
MD5
be4ede5e88f7c98f1c00147019da42ac

SHA1
46621b653521b697f125b9beec4dd4afbaa3eef5

SHA256
f5c0f868f65d7cb5787eda39a880e5be884458f4d4ef560e6a119bf0640274c4

SHA512
6a9965ca9cd8fc739dd7519e9de27a0c5205532fdf3de48c41043d5ec7c99edbf087ba5392092bcd74c94ae6578706f7fb596ce58e59946ca7a87eb5ffe4bcb2

Download Submit
\Users\Admin\AppData\Local\Temp\11.exe
MD5
be4ede5e88f7c98f1c00147019da42ac

SHA1
46621b653521b697f125b9beec4dd4afbaa3eef5

SHA256
f5c0f868f65d7cb5787eda39a880e5be884458f4d4ef560e6a119bf0640274c4

SHA512
6a9965ca9cd8fc739dd7519e9de27a0c5205532fdf3de48c41043d5ec7c99edbf087ba5392092bcd74c94ae6578706f7fb596ce58e59946ca7a87eb5ffe4bcb2

Download Submit
\Users\Admin\AppData\Local\Temp\11.exe
MD5
be4ede5e88f7c98f1c00147019da42ac

SHA1
46621b653521b697f125b9beec4dd4afbaa3eef5

SHA256
f5c0f868f65d7cb5787eda39a880e5be884458f4d4ef560e6a119bf0640274c4

SHA512
6a9965ca9cd8fc739dd7519e9de27a0c5205532fdf3de48c41043d5ec7c99edbf087ba5392092bcd74c94ae6578706f7fb596ce58e59946ca7a87eb5ffe4bcb2

Download Submit
\Users\Admin\AppData\Local\Temp\8769.exe
MD5
2846ad734c304a80d4200a86533ccf00

SHA1
6faa75e815c17245e574dd914966d5f531427dad

SHA256
770da1ece99e04a602eb75b9dd90e58b4880d42acb4c1b189421720d446b02a1

SHA512
7b9dffd65a941b3587d568d2714a72041a7ac62bfe919a079b99f8dd659289b7bb1e6e1c2b9873c7b8b09c24ba4eef66d126313576f7f4f487269c14228ae80c

Download Submit
\Users\Admin\AppData\Local\Temp\AudioDriver.exe
MD5
5ddf0a162b4926bf3b3f6a36f0f0b340

SHA1
9810a28fbcd8a8cdd4f7ae4ea7ad1c888f02ba95

SHA256
dafce32f7db8c54d2f424b33885d87012f454aeb6fb9ed95502884544b7ccda3

SHA512
f91ccccc91733291ee712f66e42520f7742cce0e5ea097d816fe2e5b372a698256c256f0bf8daf6f6f4a1e8cc438dae561e9a288d2d66709de844645dbf5e7cb

Download Submit
\Users\Admin\AppData\Local\Temp\AudioDriver.exe
MD5
5ddf0a162b4926bf3b3f6a36f0f0b340

SHA1
9810a28fbcd8a8cdd4f7ae4ea7ad1c888f02ba95

SHA256
dafce32f7db8c54d2f424b33885d87012f454aeb6fb9ed95502884544b7ccda3

SHA512
f91ccccc91733291ee712f66e42520f7742cce0e5ea097d816fe2e5b372a698256c256f0bf8daf6f6f4a1e8cc438dae561e9a288d2d66709de844645dbf5e7cb

Download Submit
memory/320-65-0x0000000000000000-mapping.dmp

Download
memory/480-80-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/480-76-0x0000000000000000-mapping.dmp

Download
memory/480-84-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/640-75-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/640-72-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/640-69-0x0000000000000000-mapping.dmp

Download
memory/952-93-0x0000000000000000-mapping.dmp

Download
memory/952-98-0x0000000000230000-0x00000000002BF000-memory.dmp

Filesize
572KB

Download
memory/952-103-0x0000000000400000-0x0000000002CFA000-memory.dmp

Filesize
41.0MB

Download
memory/1248-64-0x0000000002B90000-0x0000000002BA6000-memory.dmp

Filesize
88KB

Download
memory/1400-61-0x0000000000402FAB-mapping.dmp

Download
memory/1400-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1400-62-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1460-127-0x0000000000400000-0x0000000002CB9000-memory.dmp

Filesize
40.7MB

Download
memory/1460-124-0x0000000000000000-mapping.dmp

Download
memory/1460-126-0x0000000000230000-0x0000000000249000-memory.dmp

Filesize
100KB

Download
memory/1520-91-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1520-97-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/1520-82-0x0000000000000000-mapping.dmp

Download
memory/1580-133-0x0000000000000000-mapping.dmp

Download
memory/1668-63-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/1684-117-0x0000000000000000-mapping.dmp

Download
memory/1684-120-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/1684-122-0x0000000000410000-0x0000000000421000-memory.dmp

Filesize
68KB

Download
memory/1684-123-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/1932-87-0x0000000000418F6E-mapping.dmp

Download
memory/1932-86-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1932-89-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1932-96-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/1964-110-0x0000000000000000-mapping.dmp

Download
memory/1964-114-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/1964-116-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/1980-107-0x0000000004C62000-0x0000000004C63000-memory.dmp

Filesize
4KB

Download
memory/1980-99-0x0000000000000000-mapping.dmp

Download
memory/1980-109-0x0000000004C64000-0x0000000004C66000-memory.dmp

Filesize
8KB

Download
memory/1980-101-0x0000000004700000-0x000000000471C000-memory.dmp

Filesize
112KB

Download
memory/1980-102-0x0000000004790000-0x00000000047AA000-memory.dmp

Filesize
104KB

Download
memory/1980-108-0x0000000004C63000-0x0000000004C64000-memory.dmp

Filesize
4KB

Download
memory/1980-104-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/1980-106-0x0000000004C61000-0x0000000004C62000-memory.dmp

Filesize
4KB

Download
memory/1980-105-0x0000000000400000-0x0000000002CCD000-memory.dmp

Filesize
40.8MB

Download
memory/2156-144-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/2156-149-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/2156-141-0x0000000000000000-mapping.dmp

Download
memory/2380-151-0x0000000000000000-mapping.dmp

Download
memory/2380-157-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/2528-167-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/2528-165-0x0000000000000000-mapping.dmp

Download
memory/2528-175-0x0000000000240000-0x0000000000260000-memory.dmp

Filesize
128KB

Download
memory/2528-176-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/2556-168-0x0000000000000000-mapping.dmp

Download
memory/2604-170-0x0000000000000000-mapping.dmp

Download
memory/2732-172-0x0000000000000000-mapping.dmp

Download
memory/2732-177-0x0000000076FE0000-0x0000000076FE2000-memory.dmp

Filesize
8KB

Download