raccoon | 3cf08993fa4866df41dc37cec849e5a5e9d0bcb6ea6660c30130d9e2fd2f623d

Resubmissions

11-09-2021 09:47

210911-lr7snabca6 10

10-09-2021 20:48

210910-zlwebsaeh8 10

Analysis

max time kernel
289s
max time network
610s
platform
windows7_x64
resource
win7-de
submitted
10-09-2021 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

4.4MB
MD5

65eed0fdbee8b81c1b9118f86700c6fd
SHA1

fcca1e88a99e2f20403e963b798e3f68f58d638d
SHA256

3cf08993fa4866df41dc37cec849e5a5e9d0bcb6ea6660c30130d9e2fd2f623d
SHA512

f4c88eea9b410ea353ca9dc10c97dcfb360f9ef115d17eca1f12a4a702bc0b787cf48bfb2e6d993b8ad64ff4a0f9a2165d70eb1ae7b48652a3f5d8862543b3ac

Score

10^/10

raccoon redline smokeloader socelars vidar 706 pab123 aspackv2 backdoor discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

40.5

Botnet

706

https://gheorghip.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

pab123

45.14.49.169:22411

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2288	rundll32.exe	60

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

resource	yara_rule
behavioral4/memory/1424-190-0x0000000000330000-0x000000000034F000-memory.dmp	family_redline
behavioral4/memory/1424-200-0x0000000003210000-0x000000000322E000-memory.dmp	family_redline
behavioral4/memory/2084-252-0x0000000003C50000-0x0000000003C6F000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 3 IoCs

resource	yara_rule
behavioral4/files/0x0001000000012f29-109.dat	family_socelars
behavioral4/files/0x0001000000012f29-165.dat	family_socelars
behavioral4/files/0x0001000000012f29-170.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral4/memory/1560-186-0x0000000000400000-0x00000000021B7000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral4/files/0x0001000000012f2b-70.dat	aspack_v212_v242
behavioral4/files/0x0001000000012f2a-72.dat	aspack_v212_v242
behavioral4/files/0x0001000000012f2a-71.dat	aspack_v212_v242
behavioral4/files/0x0001000000012f2b-69.dat	aspack_v212_v242
behavioral4/files/0x0001000000012f2d-76.dat	aspack_v212_v242
behavioral4/files/0x0001000000012f2d-75.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 31 IoCs

pid	Process
1128	setup_installer.exe
1300	setup_install.exe
1560	Fri192902b3c24.exe
1892	Fri19b9b73e83c948b1d.exe
1092	Fri192c305b4a.exe
460	Fri192f077acf656dd.exe
1204	Fri191454c4b4.exe
1232	Fri1921f7a9d3.exe
1408	Fri19870e2febf5544.exe
1672	Fri19d30056588.exe
1424	Fri19927b4fe38a9d1.exe
1696	Fri19ca03f05489b.exe
2264	Chrome 5.exe
2312	1.exe
2336	2.exe
2420	3.exe
2460	4.exe
2492	5.exe
2520	6.exe
2588	7.exe
2672	BearVpn 3.exe
2084	LzmwAqmV.exe
1668	LzmwAqmV.exe
268	6664971.exe
1712	3437833.exe
644	6219772.exe
1972	tmpDFE4_tmp.exe
2644	Adorarti.exe.com
1672	Adorarti.exe.com
2088	Adorarti.exe.com
1780	Adorarti.exe.com

Loads dropped DLL 64 IoCs

pid	Process
1892	setup_x86_x64_install.exe
1128	setup_installer.exe
1128	setup_installer.exe
1128	setup_installer.exe
1128	setup_installer.exe
1128	setup_installer.exe
1128	setup_installer.exe
1300	setup_install.exe
1300	setup_install.exe
1300	setup_install.exe
1300	setup_install.exe
1300	setup_install.exe
1300	setup_install.exe
1300	setup_install.exe
1300	setup_install.exe
304	cmd.exe
304	cmd.exe
2028	cmd.exe
2028	cmd.exe
1524	cmd.exe
1560	Fri192902b3c24.exe
1560	Fri192902b3c24.exe
1340	cmd.exe
1064	cmd.exe
1596	cmd.exe
460	Fri192f077acf656dd.exe
460	Fri192f077acf656dd.exe
1892	Fri19b9b73e83c948b1d.exe
1892	Fri19b9b73e83c948b1d.exe
1700	cmd.exe
1700	cmd.exe
656	cmd.exe
1232	Fri1921f7a9d3.exe
1232	Fri1921f7a9d3.exe
1736	cmd.exe
1736	cmd.exe
1408	Fri19870e2febf5544.exe
1408	Fri19870e2febf5544.exe
1424	Fri19927b4fe38a9d1.exe
1424	Fri19927b4fe38a9d1.exe
1904	cmd.exe
1672	Fri19d30056588.exe
1672	Fri19d30056588.exe
460	Fri192f077acf656dd.exe
460	Fri192f077acf656dd.exe
460	Fri192f077acf656dd.exe
460	Fri192f077acf656dd.exe
460	Fri192f077acf656dd.exe
460	Fri192f077acf656dd.exe
460	Fri192f077acf656dd.exe
460	Fri192f077acf656dd.exe
460	Fri192f077acf656dd.exe
2672	BearVpn 3.exe
2672	BearVpn 3.exe
3028	rundll32.exe
3028	rundll32.exe
3028	rundll32.exe
3028	rundll32.exe
1668	LzmwAqmV.exe
1668	LzmwAqmV.exe
2084	LzmwAqmV.exe
2084	LzmwAqmV.exe
552	WerFault.exe
552	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tmpDFE4_tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	tmpDFE4_tmp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
2016	2520	WerFault.exe	66
944	2588	WerFault.exe	67
2392	2492	WerFault.exe	65
1656	2336	WerFault.exe	62
552	1560	WerFault.exe	41
1608	268	WerFault.exe	82

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri19870e2febf5544.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri19870e2febf5544.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri19870e2febf5544.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2756	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Fri19d30056588.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Fri19d30056588.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Fri192902b3c24.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Fri192902b3c24.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2700	PING.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1408	Fri19870e2febf5544.exe
1408	Fri19870e2febf5544.exe
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
1240	Process not Found
944	WerFault.exe
2392	WerFault.exe
1656	WerFault.exe
552	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1408	Fri19870e2febf5544.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1672	Fri19d30056588.exe
Token: SeAssignPrimaryTokenPrivilege	1672	Fri19d30056588.exe
Token: SeLockMemoryPrivilege	1672	Fri19d30056588.exe
Token: SeIncreaseQuotaPrivilege	1672	Fri19d30056588.exe
Token: SeMachineAccountPrivilege	1672	Fri19d30056588.exe
Token: SeTcbPrivilege	1672	Fri19d30056588.exe
Token: SeSecurityPrivilege	1672	Fri19d30056588.exe
Token: SeTakeOwnershipPrivilege	1672	Fri19d30056588.exe
Token: SeLoadDriverPrivilege	1672	Fri19d30056588.exe
Token: SeSystemProfilePrivilege	1672	Fri19d30056588.exe
Token: SeSystemtimePrivilege	1672	Fri19d30056588.exe
Token: SeProfSingleProcessPrivilege	1672	Fri19d30056588.exe
Token: SeIncBasePriorityPrivilege	1672	Fri19d30056588.exe
Token: SeCreatePagefilePrivilege	1672	Fri19d30056588.exe
Token: SeCreatePermanentPrivilege	1672	Fri19d30056588.exe
Token: SeBackupPrivilege	1672	Fri19d30056588.exe
Token: SeRestorePrivilege	1672	Fri19d30056588.exe
Token: SeShutdownPrivilege	1672	Fri19d30056588.exe
Token: SeDebugPrivilege	1672	Fri19d30056588.exe
Token: SeAuditPrivilege	1672	Fri19d30056588.exe
Token: SeSystemEnvironmentPrivilege	1672	Fri19d30056588.exe
Token: SeChangeNotifyPrivilege	1672	Fri19d30056588.exe
Token: SeRemoteShutdownPrivilege	1672	Fri19d30056588.exe
Token: SeUndockPrivilege	1672	Fri19d30056588.exe
Token: SeSyncAgentPrivilege	1672	Fri19d30056588.exe
Token: SeEnableDelegationPrivilege	1672	Fri19d30056588.exe
Token: SeManageVolumePrivilege	1672	Fri19d30056588.exe
Token: SeImpersonatePrivilege	1672	Fri19d30056588.exe
Token: SeCreateGlobalPrivilege	1672	Fri19d30056588.exe
Token: 31	1672	Fri19d30056588.exe
Token: 32	1672	Fri19d30056588.exe
Token: 33	1672	Fri19d30056588.exe
Token: 34	1672	Fri19d30056588.exe
Token: 35	1672	Fri19d30056588.exe
Token: SeDebugPrivilege	2588	7.exe
Token: SeDebugPrivilege	2312	1.exe
Token: SeDebugPrivilege	2460	4.exe
Token: SeDebugPrivilege	2520	6.exe
Token: SeDebugPrivilege	2336	2.exe
Token: SeDebugPrivilege	2420	3.exe
Token: SeDebugPrivilege	2492	5.exe
Token: SeDebugPrivilege	1204	Fri191454c4b4.exe
Token: SeDebugPrivilege	2756	taskkill.exe
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeDebugPrivilege	1780	Adorarti.exe.com
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeDebugPrivilege	944	WerFault.exe
Token: SeDebugPrivilege	2392	WerFault.exe
Token: SeDebugPrivilege	268	6664971.exe
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeDebugPrivilege	1656	WerFault.exe
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeDebugPrivilege	2084	LzmwAqmV.exe
Token: SeDebugPrivilege	1424	Fri19927b4fe38a9d1.exe
Token: SeDebugPrivilege	1668	LzmwAqmV.exe
Token: SeDebugPrivilege	552	WerFault.exe
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeDebugPrivilege	1608	WerFault.exe
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeDebugPrivilege	1092	Fri192c305b4a.exe
Token: SeShutdownPrivilege	1240	Process not Found

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
2644	Adorarti.exe.com
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
2644	Adorarti.exe.com
2644	Adorarti.exe.com
1240	Process not Found
1240	Process not Found
1672	Adorarti.exe.com
1240	Process not Found
1240	Process not Found
1672	Adorarti.exe.com
1672	Adorarti.exe.com
1240	Process not Found
1240	Process not Found
2088	Adorarti.exe.com
1240	Process not Found
1240	Process not Found
2088	Adorarti.exe.com
2088	Adorarti.exe.com
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
2644	Adorarti.exe.com
2644	Adorarti.exe.com
2644	Adorarti.exe.com
1672	Adorarti.exe.com
1672	Adorarti.exe.com
1672	Adorarti.exe.com
2088	Adorarti.exe.com
2088	Adorarti.exe.com
2088	Adorarti.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 1128	1892	setup_x86_x64_install.exe	26
PID 1892 wrote to memory of 1128	1892	setup_x86_x64_install.exe	26
PID 1892 wrote to memory of 1128	1892	setup_x86_x64_install.exe	26
PID 1892 wrote to memory of 1128	1892	setup_x86_x64_install.exe	26
PID 1892 wrote to memory of 1128	1892	setup_x86_x64_install.exe	26
PID 1892 wrote to memory of 1128	1892	setup_x86_x64_install.exe	26
PID 1892 wrote to memory of 1128	1892	setup_x86_x64_install.exe	26
PID 1128 wrote to memory of 1300	1128	setup_installer.exe	29
PID 1128 wrote to memory of 1300	1128	setup_installer.exe	29
PID 1128 wrote to memory of 1300	1128	setup_installer.exe	29
PID 1128 wrote to memory of 1300	1128	setup_installer.exe	29
PID 1128 wrote to memory of 1300	1128	setup_installer.exe	29
PID 1128 wrote to memory of 1300	1128	setup_installer.exe	29
PID 1128 wrote to memory of 1300	1128	setup_installer.exe	29
PID 1300 wrote to memory of 980	1300	setup_install.exe	33
PID 1300 wrote to memory of 980	1300	setup_install.exe	33
PID 1300 wrote to memory of 980	1300	setup_install.exe	33
PID 1300 wrote to memory of 980	1300	setup_install.exe	33
PID 1300 wrote to memory of 980	1300	setup_install.exe	33
PID 1300 wrote to memory of 980	1300	setup_install.exe	33
PID 1300 wrote to memory of 980	1300	setup_install.exe	33
PID 1300 wrote to memory of 1340	1300	setup_install.exe	34
PID 1300 wrote to memory of 1340	1300	setup_install.exe	34
PID 1300 wrote to memory of 1340	1300	setup_install.exe	34
PID 1300 wrote to memory of 1340	1300	setup_install.exe	34
PID 1300 wrote to memory of 1340	1300	setup_install.exe	34
PID 1300 wrote to memory of 1340	1300	setup_install.exe	34
PID 1300 wrote to memory of 1340	1300	setup_install.exe	34
PID 1300 wrote to memory of 688	1300	setup_install.exe	35
PID 1300 wrote to memory of 688	1300	setup_install.exe	35
PID 1300 wrote to memory of 688	1300	setup_install.exe	35
PID 1300 wrote to memory of 688	1300	setup_install.exe	35
PID 1300 wrote to memory of 688	1300	setup_install.exe	35
PID 1300 wrote to memory of 688	1300	setup_install.exe	35
PID 1300 wrote to memory of 688	1300	setup_install.exe	35
PID 1300 wrote to memory of 1524	1300	setup_install.exe	36
PID 1300 wrote to memory of 1524	1300	setup_install.exe	36
PID 1300 wrote to memory of 1524	1300	setup_install.exe	36
PID 1300 wrote to memory of 1524	1300	setup_install.exe	36
PID 1300 wrote to memory of 1524	1300	setup_install.exe	36
PID 1300 wrote to memory of 1524	1300	setup_install.exe	36
PID 1300 wrote to memory of 1524	1300	setup_install.exe	36
PID 1300 wrote to memory of 828	1300	setup_install.exe	37
PID 1300 wrote to memory of 828	1300	setup_install.exe	37
PID 1300 wrote to memory of 828	1300	setup_install.exe	37
PID 1300 wrote to memory of 828	1300	setup_install.exe	37
PID 1300 wrote to memory of 828	1300	setup_install.exe	37
PID 1300 wrote to memory of 828	1300	setup_install.exe	37
PID 1300 wrote to memory of 828	1300	setup_install.exe	37
PID 1300 wrote to memory of 304	1300	setup_install.exe	38
PID 1300 wrote to memory of 304	1300	setup_install.exe	38
PID 1300 wrote to memory of 304	1300	setup_install.exe	38
PID 1300 wrote to memory of 304	1300	setup_install.exe	38
PID 1300 wrote to memory of 304	1300	setup_install.exe	38
PID 1300 wrote to memory of 304	1300	setup_install.exe	38
PID 1300 wrote to memory of 304	1300	setup_install.exe	38
PID 980 wrote to memory of 1780	980	cmd.exe	39
PID 980 wrote to memory of 1780	980	cmd.exe	39
PID 980 wrote to memory of 1780	980	cmd.exe	39
PID 980 wrote to memory of 1780	980	cmd.exe	39
PID 980 wrote to memory of 1780	980	cmd.exe	39
PID 980 wrote to memory of 1780	980	cmd.exe	39
PID 980 wrote to memory of 1780	980	cmd.exe	39
PID 1300 wrote to memory of 656	1300	setup_install.exe	40

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\7zS86442D24\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS86442D24\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:980
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:1780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri192c305b4a.exe
      4⤵
      Loads dropped DLL
      PID:1340
    - - C:\Users\Admin\AppData\Local\Temp\7zS86442D24\Fri192c305b4a.exe
        
        Fri192c305b4a.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
      - C:\Users\Admin\AppData\Local\Temp\tmpDFE4_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDFE4_tmp.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1972
        
        C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        7⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Attesa.wmv
        7⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        8⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^VksJcWfNcDMqfgfCCoOQaENLrlkioAEZRevWUFgpnuTZyylQxdxsqDodbFGlKiEVZMohRaHWUFajKOGYZxNRyhZgTymgZtndBYqaWXYwInbclWFIZIldx$" Braccio.wmv
        9⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        Adorarti.exe.com u
        9⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        10⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        11⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost
        9⤵
        Runs ping.exe
        
        PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri192b9eeaa03b.exe
      4⤵
      PID:688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri191454c4b4.exe
      4⤵
      Loads dropped DLL
      PID:1524
    - - C:\Users\Admin\AppData\Local\Temp\7zS86442D24\Fri191454c4b4.exe
        
        Fri191454c4b4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
      - C:\ProgramData\6664971.exe
        
        "C:\ProgramData\6664971.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 268 -s 1732
        7⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
      - C:\ProgramData\3437833.exe
        
        "C:\ProgramData\3437833.exe"
        6⤵
        Executes dropped EXE
        
        PID:1712
      - C:\ProgramData\6219772.exe
        
        "C:\ProgramData\6219772.exe"
        6⤵
        Executes dropped EXE
        
        PID:644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri195cd4dbfdf37897.exe
      4⤵
      PID:828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri192902b3c24.exe
      4⤵
      Loads dropped DLL
      PID:304
    - - C:\Users\Admin\AppData\Local\Temp\7zS86442D24\Fri192902b3c24.exe
        
        Fri192902b3c24.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1560
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 980
        6⤵
        Loads dropped DLL
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri19d30056588.exe
      4⤵
      Loads dropped DLL
      PID:656
    - - C:\Users\Admin\AppData\Local\Temp\7zS86442D24\Fri19d30056588.exe
        
        Fri19d30056588.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri19b9b73e83c948b1d.exe /mixone
      4⤵
      Loads dropped DLL
      PID:2028
    - - C:\Users\Admin\AppData\Local\Temp\7zS86442D24\Fri19b9b73e83c948b1d.exe
        
        Fri19b9b73e83c948b1d.exe /mixone
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1892
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Fri19b9b73e83c948b1d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS86442D24\Fri19b9b73e83c948b1d.exe" & exit
        6⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Fri19b9b73e83c948b1d.exe" /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1921f7a9d3.exe
      4⤵
      Loads dropped DLL
      PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\7zS86442D24\Fri1921f7a9d3.exe
        
        Fri1921f7a9d3.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri192f077acf656dd.exe
      4⤵
      Loads dropped DLL
      PID:1064
    - - C:\Users\Admin\AppData\Local\Temp\7zS86442D24\Fri192f077acf656dd.exe
        
        Fri192f077acf656dd.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:460
      - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        6⤵
        Executes dropped EXE
        
        PID:2264
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
      - C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2336 -s 1400
        7⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
      - C:\Users\Admin\AppData\Local\Temp\3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
      - C:\Users\Admin\AppData\Local\Temp\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
      - C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2492 -s 892
        7⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
      - C:\Users\Admin\AppData\Local\Temp\6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2520 -s 1372
        7⤵
        Program crash
        
        PID:2016
      - C:\Users\Admin\AppData\Local\Temp\7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2588 -s 888
        7⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
      - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri19870e2febf5544.exe
      4⤵
      Loads dropped DLL
      PID:1700
    - - C:\Users\Admin\AppData\Local\Temp\7zS86442D24\Fri19870e2febf5544.exe
        
        Fri19870e2febf5544.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri19ca03f05489b.exe
      4⤵
      Loads dropped DLL
      PID:1904
    - - C:\Users\Admin\AppData\Local\Temp\7zS86442D24\Fri19ca03f05489b.exe
        
        Fri19ca03f05489b.exe
        5⤵
        Executes dropped EXE
        
        PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri19927b4fe38a9d1.exe
      4⤵
      Loads dropped DLL
      PID:1736
    - - C:\Users\Admin\AppData\Local\Temp\7zS86442D24\Fri19927b4fe38a9d1.exe
        
        Fri19927b4fe38a9d1.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3020
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:3028

C:\Users\Admin\AppData\Local\Temp\780D.exe
C:\Users\Admin\AppData\Local\Temp\780D.exe
1⤵
PID:1316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1895469865-8498329301246038403814107787-1007475950-1181793167-9084965541512701918"
1⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\14C9.exe
C:\Users\Admin\AppData\Local\Temp\14C9.exe
1⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\7486.exe
C:\Users\Admin\AppData\Local\Temp\7486.exe
1⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\E257.exe
C:\Users\Admin\AppData\Local\Temp\E257.exe
1⤵
PID:2424

C:\Windows\system32\taskeng.exe
taskeng.exe {4C8FF7E3-AFED-4C96-BB36-7ED37236C9B6} S-1-5-21-1669990088-476967504-438132596-1000:KJUCCLUP\Admin:Interactive:[1]
1⤵
PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-278-0x000000001AEB0000-0x000000001AEB2000-memory.dmp

Filesize
8KB

Download
memory/460-189-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/552-295-0x0000000000310000-0x0000000000390000-memory.dmp

Filesize
512KB

Download
memory/944-283-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1092-211-0x000000001B200000-0x000000001B202000-memory.dmp

Filesize
8KB

Download
memory/1092-184-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/1092-243-0x0000000000140000-0x000000000014B000-memory.dmp

Filesize
44KB

Download
memory/1092-300-0x000000001B206000-0x000000001B225000-memory.dmp

Filesize
124KB

Download
memory/1204-183-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1204-199-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1204-194-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1204-198-0x00000000004A0000-0x00000000004BC000-memory.dmp

Filesize
112KB

Download
memory/1204-224-0x000000001AE30000-0x000000001AE32000-memory.dmp

Filesize
8KB

Download
memory/1240-197-0x0000000002B10000-0x0000000002B25000-memory.dmp

Filesize
84KB

Download
memory/1300-87-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1300-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1300-89-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1300-88-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1300-82-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1300-91-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1300-86-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1300-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1300-84-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1300-85-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1316-324-0x0000000000400000-0x000000000215F000-memory.dmp

Filesize
29.4MB

Download
memory/1316-322-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1316-325-0x0000000006481000-0x0000000006482000-memory.dmp

Filesize
4KB

Download
memory/1376-328-0x0000000002190000-0x0000000002220000-memory.dmp

Filesize
576KB

Download
memory/1376-329-0x0000000000400000-0x000000000218C000-memory.dmp

Filesize
29.5MB

Download
memory/1408-180-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1408-181-0x0000000000400000-0x0000000002145000-memory.dmp

Filesize
29.3MB

Download
memory/1424-190-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/1424-185-0x0000000000400000-0x0000000002B6E000-memory.dmp

Filesize
39.4MB

Download
memory/1424-196-0x0000000007163000-0x0000000007164000-memory.dmp

Filesize
4KB

Download
memory/1424-193-0x0000000007161000-0x0000000007162000-memory.dmp

Filesize
4KB

Download
memory/1424-182-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/1424-200-0x0000000003210000-0x000000000322E000-memory.dmp

Filesize
120KB

Download
memory/1424-223-0x0000000007164000-0x0000000007166000-memory.dmp

Filesize
8KB

Download
memory/1424-195-0x0000000007162000-0x0000000007163000-memory.dmp

Filesize
4KB

Download
memory/1560-186-0x0000000000400000-0x00000000021B7000-memory.dmp

Filesize
29.7MB

Download
memory/1560-179-0x00000000027C0000-0x0000000004577000-memory.dmp

Filesize
29.7MB

Download
memory/1608-298-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/1656-293-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1668-275-0x0000000006692000-0x0000000006693000-memory.dmp

Filesize
4KB

Download
memory/1668-276-0x0000000006693000-0x0000000006694000-memory.dmp

Filesize
4KB

Download
memory/1668-277-0x0000000006694000-0x0000000006696000-memory.dmp

Filesize
8KB

Download
memory/1668-274-0x0000000006691000-0x0000000006692000-memory.dmp

Filesize
4KB

Download
memory/1668-268-0x0000000000400000-0x000000000215F000-memory.dmp

Filesize
29.4MB

Download
memory/1780-245-0x0000000002000000-0x0000000002C4A000-memory.dmp

Filesize
12.3MB

Download
memory/1780-192-0x0000000002000000-0x0000000002C4A000-memory.dmp

Filesize
12.3MB

Download
memory/1892-53-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1892-178-0x0000000000400000-0x0000000002B6B000-memory.dmp

Filesize
39.4MB

Download
memory/1892-177-0x0000000000270000-0x00000000002B8000-memory.dmp

Filesize
288KB

Download
memory/2084-255-0x0000000006631000-0x0000000006632000-memory.dmp

Filesize
4KB

Download
memory/2084-254-0x0000000000400000-0x000000000215F000-memory.dmp

Filesize
29.4MB

Download
memory/2084-257-0x0000000006633000-0x0000000006634000-memory.dmp

Filesize
4KB

Download
memory/2084-256-0x0000000006632000-0x0000000006633000-memory.dmp

Filesize
4KB

Download
memory/2084-258-0x0000000006634000-0x0000000006636000-memory.dmp

Filesize
8KB

Download
memory/2084-251-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/2084-252-0x0000000003C50000-0x0000000003C6F000-memory.dmp

Filesize
124KB

Download
memory/2264-205-0x000000013FA10000-0x000000013FA11000-memory.dmp

Filesize
4KB

Download
memory/2312-228-0x000000001B0D0000-0x000000001B0D2000-memory.dmp

Filesize
8KB

Download
memory/2312-206-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2336-232-0x000000001AAE0000-0x000000001AAE2000-memory.dmp

Filesize
8KB

Download
memory/2336-204-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2392-284-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/2420-227-0x000000001B1C0000-0x000000001B1C2000-memory.dmp

Filesize
8KB

Download
memory/2420-215-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/2424-341-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/2460-216-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/2460-225-0x000000001AB60000-0x000000001AB62000-memory.dmp

Filesize
8KB

Download
memory/2492-217-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/2492-242-0x000000001B030000-0x000000001B032000-memory.dmp

Filesize
8KB

Download
memory/2520-234-0x000000001AC60000-0x000000001AC62000-memory.dmp

Filesize
8KB

Download
memory/2520-218-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2588-229-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/2588-241-0x000000001AFF0000-0x000000001AFF2000-memory.dmp

Filesize
8KB

Download
memory/2672-236-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2692-335-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download