raccoon | a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10-en
submitted
14-09-2021 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe
Size

300KB
MD5

53bca8c8cb8ca079f237d2b4d99cbf34
SHA1

15a17d92a1cb886bfae492f87ce6f3448be93b66
SHA256

a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa
SHA512

157230e4091c3b5c2bc051ce93c455222be3c0afc86365daa1b8e5551a01f6cde6e37242f358bb36e80091847c7c9ee5c3c20103070899bc44b15cd8d466047c

Score

10^/10

raccoon redline smokeloader vidar 1015 @big_tastyyy sasamba backdoor discovery evasion infostealer spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://fazanaharahe1.xyz/

http://xandelissane2.xyz/

http://ustiassosale3.xyz/

http://cytheriata4.xyz/

http://ggiergionard5.xyz/

http://rrelleynaniy6.store/

http://danniemusoa7.store/

http://nastanizab8.store/

http://onyokandis9.store/

http://dmunaavank10.store/

http://gilmandros11.site/

http://cusanthana12.site/

http://willietjeana13.site/

http://ximusokall14.site/

http://blodinetisha15.site/

http://urydiahadyss16.club/

http://glasamaddama17.club/

http://marlingarly18.club/

http://alluvianna19.club/

http://xandirkaniel20.club/

rc4.i32

Extracted

Family

redline

Botnet

sasamba

91.142.77.155:5469

Extracted

Family

vidar

Version

40.6

Botnet

1015

https://dimonbk83.tumblr.com/

Attributes

profile_id
1015

Extracted

Family

redline

Botnet

@big_tastyyy

87.251.71.44:80

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4992-167-0x00000000022D0000-0x00000000022EF000-memory.dmp	family_redline
behavioral1/memory/4992-170-0x0000000002380000-0x000000000239E000-memory.dmp	family_redline
behavioral1/memory/4264-201-0x0000000003960000-0x000000000399C000-memory.dmp	family_redline
behavioral1/memory/4264-203-0x0000000006260000-0x000000000629A000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/4016-192-0x00000000009E0000-0x0000000000AB4000-memory.dmp	family_vidar
behavioral1/memory/4016-193-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

BA9B.exeC191.exeC81A.exeD980.exeDFBB.exeE932.exeF19F.exe

pid process

4584 BA9B.exe
4616 C191.exe
4752 C81A.exe
4888 D980.exe
4992 DFBB.exe
4016 E932.exe
4264 F19F.exe

pid	process
4584	BA9B.exe
4616	C191.exe
4752	C81A.exe
4888	D980.exe
4992	DFBB.exe
4016	E932.exe
4264	F19F.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C191.exeD980.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	C191.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	C191.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	D980.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	D980.exe

Deletes itself 1 IoCs

Processes:

pid process

3052
Loads dropped DLL 7 IoCs

Processes:

BA9B.exeE932.exe

pid process

4584 BA9B.exe
4584 BA9B.exe
4584 BA9B.exe
4584 BA9B.exe
4584 BA9B.exe
4016 E932.exe
4016 E932.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3052

pid	process
4584	BA9B.exe
4584	BA9B.exe
4584	BA9B.exe
4584	BA9B.exe
4584	BA9B.exe
4016	E932.exe
4016	E932.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\C191.exe	themida
C:\Users\Admin\AppData\Local\Temp\C191.exe	themida
behavioral1/memory/4616-133-0x00000000002C0000-0x00000000002C1000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\D980.exe	themida
C:\Users\Admin\AppData\Local\Temp\D980.exe	themida
behavioral1/memory/4888-151-0x0000000000330000-0x0000000000331000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

C191.exeD980.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	C191.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	D980.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

C191.exeD980.exe

pid process

4616 C191.exe
4888 D980.exe

pid	process
4616	C191.exe
4888	D980.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe

description	pid	process	target process
PID 4476 set thread context of 4496	4476	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

E932.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	E932.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	E932.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

5100 timeout.exe
2380 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1556 taskkill.exe

pid	process
5100	timeout.exe
2380	timeout.exe

pid	process
1556	taskkill.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

E932.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	E932.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	E932.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe

pid	process
4496	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe
4496	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3052
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe

pid process

4496 a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe

pid	process
3052

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

C191.exeD980.exeDFBB.exetaskkill.exeF19F.exe

description	pid	process
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeDebugPrivilege	4616	C191.exe
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeDebugPrivilege	4888	D980.exe
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeDebugPrivilege	4992	DFBB.exe
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	4264	F19F.exe
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

pid process

3052
3052
3052
3052
3052
3052
3052
3052
3052
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

3052
3052

pid	process
3052
3052
3052
3052
3052
3052
3052
3052
3052

pid	process
3052
3052

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exeBA9B.execmd.exeE932.execmd.exe

description	pid	process	target process
PID 4476 wrote to memory of 4496	4476	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe
PID 4476 wrote to memory of 4496	4476	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe
PID 4476 wrote to memory of 4496	4476	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe
PID 4476 wrote to memory of 4496	4476	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe
PID 4476 wrote to memory of 4496	4476	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe
PID 4476 wrote to memory of 4496	4476	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe	a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe
PID 3052 wrote to memory of 4584	3052		BA9B.exe
PID 3052 wrote to memory of 4584	3052		BA9B.exe
PID 3052 wrote to memory of 4584	3052		BA9B.exe
PID 3052 wrote to memory of 4616	3052		C191.exe
PID 3052 wrote to memory of 4616	3052		C191.exe
PID 3052 wrote to memory of 4616	3052		C191.exe
PID 3052 wrote to memory of 4752	3052		C81A.exe
PID 3052 wrote to memory of 4752	3052		C81A.exe
PID 3052 wrote to memory of 4752	3052		C81A.exe
PID 3052 wrote to memory of 4888	3052		D980.exe
PID 3052 wrote to memory of 4888	3052		D980.exe
PID 3052 wrote to memory of 4888	3052		D980.exe
PID 3052 wrote to memory of 4992	3052		DFBB.exe
PID 3052 wrote to memory of 4992	3052		DFBB.exe
PID 3052 wrote to memory of 4992	3052		DFBB.exe
PID 4584 wrote to memory of 5064	4584	BA9B.exe	cmd.exe
PID 4584 wrote to memory of 5064	4584	BA9B.exe	cmd.exe
PID 4584 wrote to memory of 5064	4584	BA9B.exe	cmd.exe
PID 5064 wrote to memory of 5100	5064	cmd.exe	timeout.exe
PID 5064 wrote to memory of 5100	5064	cmd.exe	timeout.exe
PID 5064 wrote to memory of 5100	5064	cmd.exe	timeout.exe
PID 3052 wrote to memory of 4016	3052		E932.exe
PID 3052 wrote to memory of 4016	3052		E932.exe
PID 3052 wrote to memory of 4016	3052		E932.exe
PID 3052 wrote to memory of 4264	3052		F19F.exe
PID 3052 wrote to memory of 4264	3052		F19F.exe
PID 3052 wrote to memory of 4264	3052		F19F.exe
PID 4016 wrote to memory of 1796	4016	E932.exe	cmd.exe
PID 4016 wrote to memory of 1796	4016	E932.exe	cmd.exe
PID 4016 wrote to memory of 1796	4016	E932.exe	cmd.exe
PID 1796 wrote to memory of 1556	1796	cmd.exe	taskkill.exe
PID 1796 wrote to memory of 1556	1796	cmd.exe	taskkill.exe
PID 1796 wrote to memory of 1556	1796	cmd.exe	taskkill.exe
PID 1796 wrote to memory of 2380	1796	cmd.exe	timeout.exe
PID 1796 wrote to memory of 2380	1796	cmd.exe	timeout.exe
PID 1796 wrote to memory of 2380	1796	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe
"C:\Users\Admin\AppData\Local\Temp\a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4476

C:\Users\Admin\AppData\Local\Temp\a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe
"C:\Users\Admin\AppData\Local\Temp\a60fc65e381dfd5f9f8d8381235e36802d8824cacd6a4fd048a447b276cbb9aa.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4496

C:\Users\Admin\AppData\Local\Temp\BA9B.exe
C:\Users\Admin\AppData\Local\Temp\BA9B.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\BA9B.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:5100

C:\Users\Admin\AppData\Local\Temp\C191.exe
C:\Users\Admin\AppData\Local\Temp\C191.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Users\Admin\AppData\Local\Temp\C81A.exe
C:\Users\Admin\AppData\Local\Temp\C81A.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Users\Admin\AppData\Local\Temp\D980.exe
C:\Users\Admin\AppData\Local\Temp\D980.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Users\Admin\AppData\Local\Temp\DFBB.exe
C:\Users\Admin\AppData\Local\Temp\DFBB.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Users\Admin\AppData\Local\Temp\E932.exe
C:\Users\Admin\AppData\Local\Temp\E932.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im E932.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\E932.exe" & del C:\ProgramData\*.dll & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\taskkill.exe
taskkill /im E932.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:2380

C:\Users\Admin\AppData\Local\Temp\F19F.exe
C:\Users\Admin\AppData\Local\Temp\F19F.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA9B.exe
MD5
817ac34d1ded306b9ac0a1afd049d014

SHA1
0977e75da937405c1a486e3c530f84f32b0c9374

SHA256
bae92c8e5a1bd4894f7c0931f281afface73430f43b8ce0eace583fff764ee5d

SHA512
8683e59745ba5a4c4949a864bc45193070f636dae79a40fea87f97cd32c64c3165ee4050ce5d31534d2d5013ffe358f40115662fdec802799f89a0af731257dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA9B.exe
MD5
817ac34d1ded306b9ac0a1afd049d014

SHA1
0977e75da937405c1a486e3c530f84f32b0c9374

SHA256
bae92c8e5a1bd4894f7c0931f281afface73430f43b8ce0eace583fff764ee5d

SHA512
8683e59745ba5a4c4949a864bc45193070f636dae79a40fea87f97cd32c64c3165ee4050ce5d31534d2d5013ffe358f40115662fdec802799f89a0af731257dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\C191.exe
MD5
41a70f114bda5249101c447699138072

SHA1
c8cc8a9c38750b73b0846525ebe46057dca6347b

SHA256
f97814c36e18f9b2e5c0c31854dfe9b07377b8db9597e9719a5006b94a899803

SHA512
1e70b8aae5fb51bdfec176a05c0c74407cf32e02a11c864e277a698b8fc79ce39a9b02657fde9ed47f2964859b51c4bb12b04c2a44b3270348f8c84170e78fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\C191.exe
MD5
41a70f114bda5249101c447699138072

SHA1
c8cc8a9c38750b73b0846525ebe46057dca6347b

SHA256
f97814c36e18f9b2e5c0c31854dfe9b07377b8db9597e9719a5006b94a899803

SHA512
1e70b8aae5fb51bdfec176a05c0c74407cf32e02a11c864e277a698b8fc79ce39a9b02657fde9ed47f2964859b51c4bb12b04c2a44b3270348f8c84170e78fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\C81A.exe
MD5
47bdea74548516d51b0ac9b85d661deb

SHA1
733b97c4c175480387c86987b9f123083b9fa7e5

SHA256
0bb61fdc4e43601f153257d0e9ade2bf93a268405f1b401b59e0b16b517ccb13

SHA512
8b1e1d967750270750997b7164181be385f4df16009b69d3fe9dcd610adde383d14a06ca763f41ac326ddbcaaac4c3de365b488d6529c8a94dca0c28b9f205ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\C81A.exe
MD5
47bdea74548516d51b0ac9b85d661deb

SHA1
733b97c4c175480387c86987b9f123083b9fa7e5

SHA256
0bb61fdc4e43601f153257d0e9ade2bf93a268405f1b401b59e0b16b517ccb13

SHA512
8b1e1d967750270750997b7164181be385f4df16009b69d3fe9dcd610adde383d14a06ca763f41ac326ddbcaaac4c3de365b488d6529c8a94dca0c28b9f205ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\D980.exe
MD5
1a5d3dbb0678bd20d09c5074e3f64cd5

SHA1
8545b126080e4369d899089bf0cd8e9e16d6dd48

SHA256
cd1cd63d6c7c732c91ab36752fb223f0dd4eafc8067506ede50d4d3580d4bbf5

SHA512
d3165a0e631c30c1a873d3478077290d167a1b610f925a7ae0bf494fc198815bd29636101b25e7921b5fb251fab0eec17f67a6ecea29fd85287bd866f2ca96dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\D980.exe
MD5
1a5d3dbb0678bd20d09c5074e3f64cd5

SHA1
8545b126080e4369d899089bf0cd8e9e16d6dd48

SHA256
cd1cd63d6c7c732c91ab36752fb223f0dd4eafc8067506ede50d4d3580d4bbf5

SHA512
d3165a0e631c30c1a873d3478077290d167a1b610f925a7ae0bf494fc198815bd29636101b25e7921b5fb251fab0eec17f67a6ecea29fd85287bd866f2ca96dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFBB.exe
MD5
fd48e69b6ea5d633d9aa0d721c20d0bf

SHA1
fbcfc0a82ba710cb8844c309155b74228bcf9349

SHA256
a7b2d9e96a4f5f9a3fe80c67240ffb3a0491907682d624585646502361063cc8

SHA512
191ce52d5790f286a84cf7044b31bc54707e21379453af7b533e46d3624ab9922611c50438ec7db652e0d244723a5b763088e23c666b2cc83b0bfd8e685acd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFBB.exe
MD5
fd48e69b6ea5d633d9aa0d721c20d0bf

SHA1
fbcfc0a82ba710cb8844c309155b74228bcf9349

SHA256
a7b2d9e96a4f5f9a3fe80c67240ffb3a0491907682d624585646502361063cc8

SHA512
191ce52d5790f286a84cf7044b31bc54707e21379453af7b533e46d3624ab9922611c50438ec7db652e0d244723a5b763088e23c666b2cc83b0bfd8e685acd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E932.exe
MD5
a127234410cd8b9d8d935137b9398900

SHA1
880474048eb6e28bb6e6eef74410a8c79e44a06b

SHA256
bbe0ebff112af889656dbef9e28102679c28757a15f327752cb608ef3b54dc01

SHA512
da8b16c51b2dac8ad134f77dd4e1ec77555e1bfe68a826287847616aefe0d76f5d999dc6444322ce742d408a120cab3dd8f3b588a7bbb33a303ad5cdcfeaa5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\E932.exe
MD5
a127234410cd8b9d8d935137b9398900

SHA1
880474048eb6e28bb6e6eef74410a8c79e44a06b

SHA256
bbe0ebff112af889656dbef9e28102679c28757a15f327752cb608ef3b54dc01

SHA512
da8b16c51b2dac8ad134f77dd4e1ec77555e1bfe68a826287847616aefe0d76f5d999dc6444322ce742d408a120cab3dd8f3b588a7bbb33a303ad5cdcfeaa5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\F19F.exe
MD5
5f8c7f3b20e246492de7cad004272aa8

SHA1
54bab390988695c578434617ad48dffb22ca832f

SHA256
a0db1741e7ffdef5bd489b94106130679b16a51654bea963d919b6805113d41a

SHA512
e0460c088320469efb0099dc4130d2e87def04195389d4b9974f8309fc7e4a9e60ab3a818a32c2c748a7e27c2851b0d9c2cc94163869e3dc9e38f1c8413c63df

Download Submit
C:\Users\Admin\AppData\Local\Temp\F19F.exe
MD5
5f8c7f3b20e246492de7cad004272aa8

SHA1
54bab390988695c578434617ad48dffb22ca832f

SHA256
a0db1741e7ffdef5bd489b94106130679b16a51654bea963d919b6805113d41a

SHA512
e0460c088320469efb0099dc4130d2e87def04195389d4b9974f8309fc7e4a9e60ab3a818a32c2c748a7e27c2851b0d9c2cc94163869e3dc9e38f1c8413c63df

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
memory/1556-226-0x0000000000000000-mapping.dmp

Download
memory/1796-225-0x0000000000000000-mapping.dmp

Download
memory/2380-227-0x0000000000000000-mapping.dmp

Download
memory/3052-249-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/3052-255-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-280-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-279-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-278-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-277-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-276-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/3052-275-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-274-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-272-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-273-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-271-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-270-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-269-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/3052-268-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-267-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-266-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-264-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-265-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-262-0x0000000001060000-0x0000000001070000-memory.dmp

Filesize
64KB

Download
memory/3052-245-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-263-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-261-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-258-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-260-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-259-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-257-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/3052-256-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-254-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-243-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/3052-246-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-253-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-244-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-241-0x0000000001060000-0x0000000001070000-memory.dmp

Filesize
64KB

Download
memory/3052-242-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-118-0x0000000003050000-0x0000000003066000-memory.dmp

Filesize
88KB

Download
memory/3052-247-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-248-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-250-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-252-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/3052-251-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/4016-192-0x00000000009E0000-0x0000000000AB4000-memory.dmp

Filesize
848KB

Download
memory/4016-180-0x0000000000000000-mapping.dmp

Download
memory/4016-193-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4264-213-0x00000000034F3000-0x00000000034F4000-memory.dmp

Filesize
4KB

Download
memory/4264-212-0x00000000034F2000-0x00000000034F3000-memory.dmp

Filesize
4KB

Download
memory/4264-211-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/4264-210-0x0000000000400000-0x00000000017A2000-memory.dmp

Filesize
19.6MB

Download
memory/4264-209-0x00000000017F0000-0x0000000001844000-memory.dmp

Filesize
336KB

Download
memory/4264-189-0x0000000000000000-mapping.dmp

Download
memory/4264-201-0x0000000003960000-0x000000000399C000-memory.dmp

Filesize
240KB

Download
memory/4264-203-0x0000000006260000-0x000000000629A000-memory.dmp

Filesize
232KB

Download
memory/4264-215-0x00000000034F4000-0x00000000034F6000-memory.dmp

Filesize
8KB

Download
memory/4476-115-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4496-116-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4496-117-0x0000000000402E68-mapping.dmp

Download
memory/4584-119-0x0000000000000000-mapping.dmp

Download
memory/4584-122-0x0000000003410000-0x00000000034A0000-memory.dmp

Filesize
576KB

Download
memory/4584-126-0x0000000000400000-0x00000000017C1000-memory.dmp

Filesize
19.8MB

Download
memory/4616-127-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4616-179-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/4616-140-0x0000000005130000-0x0000000005736000-memory.dmp

Filesize
6.0MB

Download
memory/4616-176-0x0000000006C50000-0x0000000006C51000-memory.dmp

Filesize
4KB

Download
memory/4616-133-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/4616-135-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/4616-214-0x0000000007300000-0x0000000007301000-memory.dmp

Filesize
4KB

Download
memory/4616-136-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/4616-137-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/4616-188-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/4616-187-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/4616-177-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/4616-123-0x0000000000000000-mapping.dmp

Download
memory/4616-139-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/4616-184-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/4616-138-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/4752-142-0x0000000000400000-0x00000000017CA000-memory.dmp

Filesize
19.8MB

Download
memory/4752-130-0x0000000000000000-mapping.dmp

Download
memory/4752-141-0x0000000001C60000-0x0000000001CF0000-memory.dmp

Filesize
576KB

Download
memory/4888-162-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/4888-151-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/4888-154-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-147-0x0000000000000000-mapping.dmp

Download
memory/4992-170-0x0000000002380000-0x000000000239E000-memory.dmp

Filesize
120KB

Download
memory/4992-165-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/4992-166-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4992-167-0x00000000022D0000-0x00000000022EF000-memory.dmp

Filesize
124KB

Download
memory/4992-168-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/4992-169-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/4992-159-0x0000000000000000-mapping.dmp

Download
memory/4992-183-0x0000000004B82000-0x0000000004B83000-memory.dmp

Filesize
4KB

Download
memory/4992-186-0x0000000004B84000-0x0000000004B86000-memory.dmp

Filesize
8KB

Download
memory/4992-185-0x0000000004B83000-0x0000000004B84000-memory.dmp

Filesize
4KB

Download
memory/5064-163-0x0000000000000000-mapping.dmp

Download
memory/5100-164-0x0000000000000000-mapping.dmp

Download