raccoon | 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27

Resubmissions

15-09-2021 19:17

210915-xznwasbbg4 10

15-09-2021 19:07

210915-xs5kgabbf5 10

Analysis

max time kernel
1801s
max time network
1609s
platform
windows11_x64
resource
win11
submitted
15-09-2021 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
Size

164KB
MD5

47501bca2d855a6792f7cd363796356c
SHA1

43f3eb90cb3edceba86c682958af8c825a587cfd
SHA256

585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27
SHA512

64ba1d47162cc92b96b1ad581b3288b5869e2baf14d72496ee633fa28caae3c438ceebc96fe633e00253acb2d987c2ad54360e4976ff160e78af6826c5d466af

Score

10^/10

raccoon redline smokeloader mix 1592021 agilenet backdoor discovery evasion infostealer spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://fazanaharahe1.xyz/

http://xandelissane2.xyz/

http://ustiassosale3.xyz/

http://cytheriata4.xyz/

http://ggiergionard5.xyz/

http://rrelleynaniy6.store/

http://danniemusoa7.store/

http://nastanizab8.store/

http://onyokandis9.store/

http://dmunaavank10.store/

http://gilmandros11.site/

http://cusanthana12.site/

http://willietjeana13.site/

http://ximusokall14.site/

http://blodinetisha15.site/

http://urydiahadyss16.club/

http://glasamaddama17.club/

http://marlingarly18.club/

http://alluvianna19.club/

http://xandirkaniel20.club/

rc4.i32

Extracted

Family

redline

Botnet

Mix 1592021

93.115.20.139:28978

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/480-191-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/480-192-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/480-204-0x0000000005650000-0x0000000005C68000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 2736 created 3100	2736	WerFault.exe	7801.exe
PID 4660 created 4960	4660	WerFault.exe	EA18.exe
PID 3436 created 2572	3436	WerFault.exe	35E.exe
PID 4456 created 1296	4456	WerFault.exe	A55.exe
PID 1456 created 4148	1456	WerFault.exe	2001.exe
PID 4360 created 2940	4360	WerFault.exe	D38C.exe
PID 2936 created 3728	2936	WerFault.exe	D959.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 17 IoCs

Processes:

64C6.exe64C6.exe6E2D.exe7801.exe6E2D.exe838C.exeE024.exeEA18.exeFB7E.exe35E.exeA55.exe17C3.exe2001.exeStub.exeLogicNPSoftware.exeD38C.exeD959.exe

pid	process
3036	64C6.exe
3288	64C6.exe
664	6E2D.exe
3100	7801.exe
480	6E2D.exe
1512	838C.exe
4052	E024.exe
4960	EA18.exe
904	FB7E.exe
2572	35E.exe
1296	A55.exe
3808	17C3.exe
4148	2001.exe
4748	Stub.exe
1884	LogicNPSoftware.exe
2940	D38C.exe
3728	D959.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

17C3.exe838C.exeE024.exeFB7E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	17C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	17C3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	838C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	838C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	E024.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	E024.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FB7E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FB7E.exe

Loads dropped DLL 2 IoCs

Processes:

Stub.exeLogicNPSoftware.exe

pid process

4748 Stub.exe
1884 LogicNPSoftware.exe

pid	process
4748	Stub.exe
1884	LogicNPSoftware.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Stub.exe	agile_net
C:\Users\Admin\AppData\Local\Temp\Stub.exe	agile_net
C:\Users\Admin\AppData\Local\LogicNP Software ver4.46\LogicNPSoftware.exe	agile_net
C:\Users\Admin\AppData\Local\LogicNP Software ver4.46\LogicNPSoftware.exe	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\838C.exe	themida
C:\Users\Admin\AppData\Local\Temp\838C.exe	themida
behavioral2/memory/1512-210-0x0000000000E30000-0x0000000000E31000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\E024.exe	themida
C:\Users\Admin\AppData\Local\Temp\E024.exe	themida
C:\Users\Admin\AppData\Local\Temp\FB7E.exe	themida
C:\Users\Admin\AppData\Local\Temp\FB7E.exe	themida
C:\Users\Admin\AppData\Local\Temp\17C3.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

E024.exeFB7E.exe17C3.exe838C.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	E024.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FB7E.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	17C3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	838C.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

838C.exeE024.exeFB7E.exe17C3.exe

pid process

1512 838C.exe
4052 E024.exe
904 FB7E.exe
3808 17C3.exe

pid	process
1512	838C.exe
4052	E024.exe
904	FB7E.exe
3808	17C3.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe64C6.exe6E2D.exe

description	pid	process	target process
PID 4868 set thread context of 4860	4868	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
PID 3036 set thread context of 3288	3036	64C6.exe	64C6.exe
PID 664 set thread context of 480	664	6E2D.exe	6E2D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1652	3100	WerFault.exe	7801.exe
4652	4960	WerFault.exe	EA18.exe
4396	2572	WerFault.exe	35E.exe
3440	1296	WerFault.exe	A55.exe
2004	4148	WerFault.exe	2001.exe
1044	2940	WerFault.exe	D38C.exe
4032	3728	WerFault.exe	D959.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe64C6.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	64C6.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	64C6.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	64C6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe

Checks processor information in registry 2 TTPs 51 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeFB7E.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FB7E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FB7E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2468 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2012 timeout.exe

pid	process
2468	schtasks.exe

pid	process
2012	timeout.exe

Enumerates system info in registry 2 TTPs 14 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

sihclient.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe

Modifies registry class 4 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

LogicNPSoftware.exe

pid process

1884 LogicNPSoftware.exe

pid	process
1884	LogicNPSoftware.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe

pid	process
4860	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
4860	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3240
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe64C6.exe

pid process

4860 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
3288 64C6.exe

pid	process
3240

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exe6E2D.exe838C.exeE024.exe

description	pid	process
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeRestorePrivilege	1652	WerFault.exe
Token: SeBackupPrivilege	1652	WerFault.exe
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeDebugPrivilege	480	6E2D.exe
Token: SeDebugPrivilege	1512	838C.exe
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeDebugPrivilege	4052	E024.exe
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe64C6.exe6E2D.exeWerFault.exeWerFault.exeFB7E.execmd.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 4868 wrote to memory of 4860	4868	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
PID 4868 wrote to memory of 4860	4868	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
PID 4868 wrote to memory of 4860	4868	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
PID 4868 wrote to memory of 4860	4868	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
PID 4868 wrote to memory of 4860	4868	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
PID 4868 wrote to memory of 4860	4868	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe	585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
PID 3240 wrote to memory of 3036	3240		64C6.exe
PID 3240 wrote to memory of 3036	3240		64C6.exe
PID 3240 wrote to memory of 3036	3240		64C6.exe
PID 3036 wrote to memory of 3288	3036	64C6.exe	64C6.exe
PID 3036 wrote to memory of 3288	3036	64C6.exe	64C6.exe
PID 3036 wrote to memory of 3288	3036	64C6.exe	64C6.exe
PID 3036 wrote to memory of 3288	3036	64C6.exe	64C6.exe
PID 3036 wrote to memory of 3288	3036	64C6.exe	64C6.exe
PID 3036 wrote to memory of 3288	3036	64C6.exe	64C6.exe
PID 3240 wrote to memory of 664	3240		6E2D.exe
PID 3240 wrote to memory of 664	3240		6E2D.exe
PID 3240 wrote to memory of 664	3240		6E2D.exe
PID 664 wrote to memory of 480	664	6E2D.exe	6E2D.exe
PID 664 wrote to memory of 480	664	6E2D.exe	6E2D.exe
PID 664 wrote to memory of 480	664	6E2D.exe	6E2D.exe
PID 3240 wrote to memory of 3100	3240		7801.exe
PID 3240 wrote to memory of 3100	3240		7801.exe
PID 3240 wrote to memory of 3100	3240		7801.exe
PID 2736 wrote to memory of 3100	2736	WerFault.exe	7801.exe
PID 2736 wrote to memory of 3100	2736	WerFault.exe	7801.exe
PID 664 wrote to memory of 480	664	6E2D.exe	6E2D.exe
PID 664 wrote to memory of 480	664	6E2D.exe	6E2D.exe
PID 664 wrote to memory of 480	664	6E2D.exe	6E2D.exe
PID 664 wrote to memory of 480	664	6E2D.exe	6E2D.exe
PID 664 wrote to memory of 480	664	6E2D.exe	6E2D.exe
PID 3240 wrote to memory of 1512	3240		838C.exe
PID 3240 wrote to memory of 1512	3240		838C.exe
PID 3240 wrote to memory of 1512	3240		838C.exe
PID 3240 wrote to memory of 4052	3240		E024.exe
PID 3240 wrote to memory of 4052	3240		E024.exe
PID 3240 wrote to memory of 4052	3240		E024.exe
PID 3240 wrote to memory of 4960	3240		EA18.exe
PID 3240 wrote to memory of 4960	3240		EA18.exe
PID 3240 wrote to memory of 4960	3240		EA18.exe
PID 4660 wrote to memory of 4960	4660	WerFault.exe	EA18.exe
PID 4660 wrote to memory of 4960	4660	WerFault.exe	EA18.exe
PID 3240 wrote to memory of 904	3240		FB7E.exe
PID 3240 wrote to memory of 904	3240		FB7E.exe
PID 3240 wrote to memory of 904	3240		FB7E.exe
PID 3240 wrote to memory of 2572	3240		35E.exe
PID 3240 wrote to memory of 2572	3240		35E.exe
PID 3240 wrote to memory of 2572	3240		35E.exe
PID 904 wrote to memory of 1168	904	FB7E.exe	cmd.exe
PID 904 wrote to memory of 1168	904	FB7E.exe	cmd.exe
PID 904 wrote to memory of 1168	904	FB7E.exe	cmd.exe
PID 1168 wrote to memory of 2012	1168	cmd.exe	timeout.exe
PID 1168 wrote to memory of 2012	1168	cmd.exe	timeout.exe
PID 1168 wrote to memory of 2012	1168	cmd.exe	timeout.exe
PID 3436 wrote to memory of 2572	3436	WerFault.exe	35E.exe
PID 3436 wrote to memory of 2572	3436	WerFault.exe	35E.exe
PID 3240 wrote to memory of 1296	3240		A55.exe
PID 3240 wrote to memory of 1296	3240		A55.exe
PID 3240 wrote to memory of 1296	3240		A55.exe
PID 4456 wrote to memory of 1296	4456	WerFault.exe	A55.exe
PID 4456 wrote to memory of 1296	4456	WerFault.exe	A55.exe
PID 3240 wrote to memory of 3808	3240		17C3.exe
PID 3240 wrote to memory of 3808	3240		17C3.exe
PID 3240 wrote to memory of 3808	3240		17C3.exe

C:\Users\Admin\AppData\Local\Temp\585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
"C:\Users\Admin\AppData\Local\Temp\585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4868

C:\Users\Admin\AppData\Local\Temp\585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
"C:\Users\Admin\AppData\Local\Temp\585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4860

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv dn8LwwbFRkCXo9mq/8woaw.0.2
1⤵
- Modifies data under HKEY_USERS
PID:4124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:4388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\64C6.exe
C:\Users\Admin\AppData\Local\Temp\64C6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\64C6.exe
C:\Users\Admin\AppData\Local\Temp\64C6.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3288

C:\Users\Admin\AppData\Local\Temp\6E2D.exe
C:\Users\Admin\AppData\Local\Temp\6E2D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Local\Temp\6E2D.exe
C:\Users\Admin\AppData\Local\Temp\6E2D.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:480

C:\Users\Admin\AppData\Local\Temp\7801.exe
C:\Users\Admin\AppData\Local\Temp\7801.exe
1⤵
- Executes dropped EXE
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 300
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3100 -ip 3100
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\838C.exe
C:\Users\Admin\AppData\Local\Temp\838C.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Users\Admin\AppData\Local\Temp\E024.exe
C:\Users\Admin\AppData\Local\Temp\E024.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Users\Admin\AppData\Local\Temp\EA18.exe
C:\Users\Admin\AppData\Local\Temp\EA18.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 312
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4960 -ip 4960
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4660

C:\Users\Admin\AppData\Local\Temp\FB7E.exe
C:\Users\Admin\AppData\Local\Temp\FB7E.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\dfmIGuhjephxB & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\FB7E.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:2012

C:\Users\Admin\AppData\Local\Temp\35E.exe
C:\Users\Admin\AppData\Local\Temp\35E.exe
1⤵
- Executes dropped EXE
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 280
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2572 -ip 2572
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3436

C:\Users\Admin\AppData\Local\Temp\A55.exe
C:\Users\Admin\AppData\Local\Temp\A55.exe
1⤵
- Executes dropped EXE
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 280
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1296 -ip 1296
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\17C3.exe
C:\Users\Admin\AppData\Local\Temp\17C3.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3808

C:\Users\Admin\AppData\Local\Temp\Stub.exe
"C:\Users\Admin\AppData\Local\Temp\Stub.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4748

C:\Users\Admin\AppData\Local\LogicNP Software ver4.46\LogicNPSoftware.exe
"C:\Users\Admin\AppData\Local\LogicNP Software ver4.46\LogicNPSoftware.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
PID:1884

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "regid.1991-06.com.microsoft ver2.31" /tr "'C:\Users\Admin\AppData\Local\LogicNP Software ver4.46\LogicNPSoftware.exe"'/f
4⤵
- Creates scheduled task(s)
PID:2468

C:\Users\Admin\AppData\Local\Temp\2001.exe
C:\Users\Admin\AppData\Local\Temp\2001.exe
1⤵
- Executes dropped EXE
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 300
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4148 -ip 4148
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1456

C:\Users\Admin\AppData\Local\Temp\D38C.exe
C:\Users\Admin\AppData\Local\Temp\D38C.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 276
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2940 -ip 2940
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4360

C:\Users\Admin\AppData\Local\Temp\D959.exe
C:\Users\Admin\AppData\Local\Temp\D959.exe
1⤵
- Executes dropped EXE
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 280
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3728 -ip 3728
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LogicNP Software ver4.46\LogicNPSoftware.exe
MD5
96eebd46f272afb94c847ca8c6c218e2

SHA1
0d9b606861e245dfd13e419d3a240c806dad07ca

SHA256
8936a73f7dcaf1569506a7cae1c69eca5bd93602d20992d53a64592e9a0537f7

SHA512
a51362a1d9ddc32abbc74f09b8182212f56999f43e21355a84a6ccfda6c0d5578da19eb6c1a1fbf8970e88e79d439c4cad966d2de3403ed81b1aa38632c3c700

Download Submit
C:\Users\Admin\AppData\Local\LogicNP Software ver4.46\LogicNPSoftware.exe
MD5
96eebd46f272afb94c847ca8c6c218e2

SHA1
0d9b606861e245dfd13e419d3a240c806dad07ca

SHA256
8936a73f7dcaf1569506a7cae1c69eca5bd93602d20992d53a64592e9a0537f7

SHA512
a51362a1d9ddc32abbc74f09b8182212f56999f43e21355a84a6ccfda6c0d5578da19eb6c1a1fbf8970e88e79d439c4cad966d2de3403ed81b1aa38632c3c700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6E2D.exe.log
MD5
e07da89fc7e325db9d25e845e27027a8

SHA1
4b6a03bcdb46f325984cbbb6302ff79f33637e19

SHA256
94ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf

SHA512
1e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\17C3.exe
MD5
ba0dd19b99693a9e154792c572c4bb89

SHA1
917bbc04a7dbd9371c0fdf98305b6fa0451b20b1

SHA256
0ea94abed4864fc286c8c12a65872de9c44526b0ccf013d061b50dc393c33476

SHA512
f892821e6068fc3aad212d8e90542f6bfae5efdc8ee7520a2502d2b5ac80d0ad41109b87a416ffdfb085c6769764ee99299a34454ad6e98f435d626e76025c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2001.exe
MD5
7a0654c0902e8985ac639b70a9bb8189

SHA1
0829dbbdd0561f64c5e74a9bfe5c2c2f55a505ac

SHA256
5b0e27255c5bf04142214edeffde81aa02834c565bf3a59f4909c2e6414b4226

SHA512
b67fd356296012920a5c6e543a3dc7586fcd14ca8331dc03d266a441458aae59b7466540b6c59d6bca6f6bfa62cff99f518d76959741f8fe0b34145615c004db

Download Submit
C:\Users\Admin\AppData\Local\Temp\2001.exe
MD5
7a0654c0902e8985ac639b70a9bb8189

SHA1
0829dbbdd0561f64c5e74a9bfe5c2c2f55a505ac

SHA256
5b0e27255c5bf04142214edeffde81aa02834c565bf3a59f4909c2e6414b4226

SHA512
b67fd356296012920a5c6e543a3dc7586fcd14ca8331dc03d266a441458aae59b7466540b6c59d6bca6f6bfa62cff99f518d76959741f8fe0b34145615c004db

Download Submit
C:\Users\Admin\AppData\Local\Temp\3598b1bf-5eab-4729-b384-2a3852bdd6c3\AgileDotNetRT64.dll
MD5
e8641f344213ca05d8b5264b5f4e2dee

SHA1
96729e31f9b805800b2248fd22a4b53e226c8309

SHA256
85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24

SHA512
3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109

Download Submit
C:\Users\Admin\AppData\Local\Temp\3598b1bf-5eab-4729-b384-2a3852bdd6c3\AgileDotNetRT64.dll
MD5
e8641f344213ca05d8b5264b5f4e2dee

SHA1
96729e31f9b805800b2248fd22a4b53e226c8309

SHA256
85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24

SHA512
3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109

Download Submit
C:\Users\Admin\AppData\Local\Temp\3598b1bf-5eab-4729-b384-2a3852bdd6c3\AgileDotNetRT64.dll
MD5
e8641f344213ca05d8b5264b5f4e2dee

SHA1
96729e31f9b805800b2248fd22a4b53e226c8309

SHA256
85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24

SHA512
3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109

Download Submit
C:\Users\Admin\AppData\Local\Temp\35E.exe
MD5
491f64dd179f6482a6b8e2f86a04c737

SHA1
7aaca750d55378f3276e64149bf6bf4038221c1c

SHA256
826ccfdce68cfec814790d31bec89a79bed5b2b4e46867bb8b38690d1a79840b

SHA512
3d30215abf5c7813f4251d190873a2506a89ec97e7ec3261fb5f4440505155d1cd2e5f0b08d6ce397185319697667c35615f6512e17db0975a9683d75a4f6b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\35E.exe
MD5
491f64dd179f6482a6b8e2f86a04c737

SHA1
7aaca750d55378f3276e64149bf6bf4038221c1c

SHA256
826ccfdce68cfec814790d31bec89a79bed5b2b4e46867bb8b38690d1a79840b

SHA512
3d30215abf5c7813f4251d190873a2506a89ec97e7ec3261fb5f4440505155d1cd2e5f0b08d6ce397185319697667c35615f6512e17db0975a9683d75a4f6b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\64C6.exe
MD5
47501bca2d855a6792f7cd363796356c

SHA1
43f3eb90cb3edceba86c682958af8c825a587cfd

SHA256
585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27

SHA512
64ba1d47162cc92b96b1ad581b3288b5869e2baf14d72496ee633fa28caae3c438ceebc96fe633e00253acb2d987c2ad54360e4976ff160e78af6826c5d466af

Download Submit
C:\Users\Admin\AppData\Local\Temp\64C6.exe
MD5
47501bca2d855a6792f7cd363796356c

SHA1
43f3eb90cb3edceba86c682958af8c825a587cfd

SHA256
585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27

SHA512
64ba1d47162cc92b96b1ad581b3288b5869e2baf14d72496ee633fa28caae3c438ceebc96fe633e00253acb2d987c2ad54360e4976ff160e78af6826c5d466af

Download Submit
C:\Users\Admin\AppData\Local\Temp\64C6.exe
MD5
47501bca2d855a6792f7cd363796356c

SHA1
43f3eb90cb3edceba86c682958af8c825a587cfd

SHA256
585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27

SHA512
64ba1d47162cc92b96b1ad581b3288b5869e2baf14d72496ee633fa28caae3c438ceebc96fe633e00253acb2d987c2ad54360e4976ff160e78af6826c5d466af

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E2D.exe
MD5
9d9b13b42035d341d721ac396370e0d2

SHA1
9f753604cd2c0c39a6c564ed617e79b491dc63f3

SHA256
dfab32c05c3ee8754a23d584e56b54312db92e6b7d540afbd272fc84fae71008

SHA512
11f7fac62750a51863d3727475fef8e6ee197d3069198463738265166cefbfc3c29ebf40e6a3433471f67a5c53142d7afae99b597afdd2f8c6d7e5bc37df366e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E2D.exe
MD5
9d9b13b42035d341d721ac396370e0d2

SHA1
9f753604cd2c0c39a6c564ed617e79b491dc63f3

SHA256
dfab32c05c3ee8754a23d584e56b54312db92e6b7d540afbd272fc84fae71008

SHA512
11f7fac62750a51863d3727475fef8e6ee197d3069198463738265166cefbfc3c29ebf40e6a3433471f67a5c53142d7afae99b597afdd2f8c6d7e5bc37df366e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E2D.exe
MD5
9d9b13b42035d341d721ac396370e0d2

SHA1
9f753604cd2c0c39a6c564ed617e79b491dc63f3

SHA256
dfab32c05c3ee8754a23d584e56b54312db92e6b7d540afbd272fc84fae71008

SHA512
11f7fac62750a51863d3727475fef8e6ee197d3069198463738265166cefbfc3c29ebf40e6a3433471f67a5c53142d7afae99b597afdd2f8c6d7e5bc37df366e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7801.exe
MD5
19ca8392cd7994d20b14e493d2aff92e

SHA1
82777bc3b9608507edb6a3f428ad06dc27274542

SHA256
06e6f384d569d1484e4e36abbf54b3a09df7a13d85fc33d5e18d13b91b649c4d

SHA512
3a1af3c9cf3c1adb443f612145d73c916de75a64455dce7053f3d9c191b681f16df6942aaa68a47f33c20b35ddb0d2559afdb9d9afc4049cd79a335a72ac9a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7801.exe
MD5
19ca8392cd7994d20b14e493d2aff92e

SHA1
82777bc3b9608507edb6a3f428ad06dc27274542

SHA256
06e6f384d569d1484e4e36abbf54b3a09df7a13d85fc33d5e18d13b91b649c4d

SHA512
3a1af3c9cf3c1adb443f612145d73c916de75a64455dce7053f3d9c191b681f16df6942aaa68a47f33c20b35ddb0d2559afdb9d9afc4049cd79a335a72ac9a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\838C.exe
MD5
604ba9fde3cb322f5284ac9d29f8a3a2

SHA1
6f274e9e373c2926bf4f1248dfc6b8c4a5a7fa7a

SHA256
3b7c8c80c90efc1550b8f8a495c8f4712261a99578d60147b8f335ee11c0c3ac

SHA512
3dacffe6371090877021b5a83ef72b3b13dd09e991c717ba3848d099f46d1ea00583816bc2a4db22fa4d185c5395dfb145ba812108987c9ee69720f02c01c394

Download Submit
C:\Users\Admin\AppData\Local\Temp\838C.exe
MD5
604ba9fde3cb322f5284ac9d29f8a3a2

SHA1
6f274e9e373c2926bf4f1248dfc6b8c4a5a7fa7a

SHA256
3b7c8c80c90efc1550b8f8a495c8f4712261a99578d60147b8f335ee11c0c3ac

SHA512
3dacffe6371090877021b5a83ef72b3b13dd09e991c717ba3848d099f46d1ea00583816bc2a4db22fa4d185c5395dfb145ba812108987c9ee69720f02c01c394

Download Submit
C:\Users\Admin\AppData\Local\Temp\A55.exe
MD5
219a348a0d4396f037d0d79d32ab682d

SHA1
3e5495c0efac34ac23f0f5071514ae9003baa41b

SHA256
2337ae8c73dbda47e647eec68d0061f084c34bf862badc08a260dbd424e8e798

SHA512
718f85de934fd0a676cf235ad0375328cfe379f99c6e9c15fda291cf6707c341f903b47ae2876b4fdb2d8c817da5f441902a7dc7831167a44167aeab2fd477e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\A55.exe
MD5
219a348a0d4396f037d0d79d32ab682d

SHA1
3e5495c0efac34ac23f0f5071514ae9003baa41b

SHA256
2337ae8c73dbda47e647eec68d0061f084c34bf862badc08a260dbd424e8e798

SHA512
718f85de934fd0a676cf235ad0375328cfe379f99c6e9c15fda291cf6707c341f903b47ae2876b4fdb2d8c817da5f441902a7dc7831167a44167aeab2fd477e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D38C.exe
MD5
9396835aa81bb10645d3fbc364edf5ef

SHA1
0b9ce38a9c16bf4f7d7b7d669fb4c873d760e1b5

SHA256
6360921251093229ccece234ef9c1ed2b917eec327c2ddfa1ae83cca1f31d72a

SHA512
71dd226d75e056bbdaf880d6b454b29afcc1f7dca2f19aee7228918c238d69bc559cd8cfdf0395c29d099ca17b7242ebdcf58811acd6b997ac42987dd633665f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D38C.exe
MD5
9396835aa81bb10645d3fbc364edf5ef

SHA1
0b9ce38a9c16bf4f7d7b7d669fb4c873d760e1b5

SHA256
6360921251093229ccece234ef9c1ed2b917eec327c2ddfa1ae83cca1f31d72a

SHA512
71dd226d75e056bbdaf880d6b454b29afcc1f7dca2f19aee7228918c238d69bc559cd8cfdf0395c29d099ca17b7242ebdcf58811acd6b997ac42987dd633665f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5EC2B01498B61F9B01D
MD5
0f1f14b0ae305bea9c8182ac49d6518e

SHA1
60b072ed77f3f2b83e07a3164c370efa0a6991ff

SHA256
43fb6990ef7dce9b8e9faec01e43443a07d953e3739c6f7880f3d764c4c7da0c

SHA512
1dd957bddace586d2989f259e44838d342e4c93ffbff21c56e0aa178d12732bb63100416c5e0ec867dc0e9d06d4a8d259d1ac2c22473f8cf730bc92f56733ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D959.exe
MD5
9396835aa81bb10645d3fbc364edf5ef

SHA1
0b9ce38a9c16bf4f7d7b7d669fb4c873d760e1b5

SHA256
6360921251093229ccece234ef9c1ed2b917eec327c2ddfa1ae83cca1f31d72a

SHA512
71dd226d75e056bbdaf880d6b454b29afcc1f7dca2f19aee7228918c238d69bc559cd8cfdf0395c29d099ca17b7242ebdcf58811acd6b997ac42987dd633665f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D959.exe
MD5
9396835aa81bb10645d3fbc364edf5ef

SHA1
0b9ce38a9c16bf4f7d7b7d669fb4c873d760e1b5

SHA256
6360921251093229ccece234ef9c1ed2b917eec327c2ddfa1ae83cca1f31d72a

SHA512
71dd226d75e056bbdaf880d6b454b29afcc1f7dca2f19aee7228918c238d69bc559cd8cfdf0395c29d099ca17b7242ebdcf58811acd6b997ac42987dd633665f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E024.exe
MD5
d1538b6133b25af809af8ff176796e36

SHA1
90b55c262d3367bc057769e31f41c2232a8e6af3

SHA256
8b596ea3b94f0a71ca113f0dc956d86e7de7130feaf538df2588357a91acc05f

SHA512
0ded0836a96fff9dbbf473ce09b71a711214eab98d7cb2da105f57dbc9d3ff92317286ab28bac5ce947c0835cc71116360b6fdaa79800808a612f637884b0bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\E024.exe
MD5
d1538b6133b25af809af8ff176796e36

SHA1
90b55c262d3367bc057769e31f41c2232a8e6af3

SHA256
8b596ea3b94f0a71ca113f0dc956d86e7de7130feaf538df2588357a91acc05f

SHA512
0ded0836a96fff9dbbf473ce09b71a711214eab98d7cb2da105f57dbc9d3ff92317286ab28bac5ce947c0835cc71116360b6fdaa79800808a612f637884b0bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA18.exe
MD5
dd283112e52bc6b6c5c37d7501291498

SHA1
ef4065201f0848a8f735203797da74a3917362c0

SHA256
eefe80bd8f09a8e4d75d1d66402bc7000f56f5f4f337b2aa84cc0c76d81435a3

SHA512
f41f6347219cf69fc308d0155e42432e209b305f47159c4e867cf666455fc3143e8b4d99bd5724d071da419aa83800e6009b1272fc2eb25dabd38fe2225b2f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\EA18.exe
MD5
dd283112e52bc6b6c5c37d7501291498

SHA1
ef4065201f0848a8f735203797da74a3917362c0

SHA256
eefe80bd8f09a8e4d75d1d66402bc7000f56f5f4f337b2aa84cc0c76d81435a3

SHA512
f41f6347219cf69fc308d0155e42432e209b305f47159c4e867cf666455fc3143e8b4d99bd5724d071da419aa83800e6009b1272fc2eb25dabd38fe2225b2f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB7E.exe
MD5
5286f944c769d5dc97b4d0d4ae83c56d

SHA1
836ac55696c0f53fcb38cd6fdeb3a2e6a2e5b06d

SHA256
717190eb4edc11546b3ee8555b6c5ad8ee8aa72d3171e0460584fb182d69641d

SHA512
95854f2d6dcaf422a9209a8476feccc73f33d94a7a515f10e2de78a52d0d371ff777584e9e443623f311fbd16bf3079ddd9c38f1e11d73a385fbd3c9923a2011

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB7E.exe
MD5
5286f944c769d5dc97b4d0d4ae83c56d

SHA1
836ac55696c0f53fcb38cd6fdeb3a2e6a2e5b06d

SHA256
717190eb4edc11546b3ee8555b6c5ad8ee8aa72d3171e0460584fb182d69641d

SHA512
95854f2d6dcaf422a9209a8476feccc73f33d94a7a515f10e2de78a52d0d371ff777584e9e443623f311fbd16bf3079ddd9c38f1e11d73a385fbd3c9923a2011

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stub.exe
MD5
c3f71954f3dfc7247052ebab10456c45

SHA1
1e90f3196660b58459f9a3f883fc02e4c5904cc4

SHA256
479684aadb70fa5e6232553bc398ae988e999920a649d7fa7d89c77b13ca4109

SHA512
7dbedb399f25539cf684060021295d3f79db5d6cb0146b28d86ae4a86f62d274471d3150b51b532381af8871e55ba3a70469871d4ddd8684d7625ec321fb136c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stub.exe
MD5
c3f71954f3dfc7247052ebab10456c45

SHA1
1e90f3196660b58459f9a3f883fc02e4c5904cc4

SHA256
479684aadb70fa5e6232553bc398ae988e999920a649d7fa7d89c77b13ca4109

SHA512
7dbedb399f25539cf684060021295d3f79db5d6cb0146b28d86ae4a86f62d274471d3150b51b532381af8871e55ba3a70469871d4ddd8684d7625ec321fb136c

Download Submit
memory/480-205-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/480-224-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/480-204-0x0000000005650000-0x0000000005C68000-memory.dmp

Filesize
6.1MB

Download
memory/480-197-0x0000000005C70000-0x0000000005C71000-memory.dmp

Filesize
4KB

Download
memory/480-198-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/480-202-0x0000000006520000-0x0000000006521000-memory.dmp

Filesize
4KB

Download
memory/480-201-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/480-203-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/480-192-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/480-221-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/480-222-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/480-199-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/480-227-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

Filesize
4KB

Download
memory/480-228-0x00000000087D0000-0x00000000087D1000-memory.dmp

Filesize
4KB

Download
memory/480-191-0x0000000000000000-mapping.dmp

Download
memory/480-200-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/664-180-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/664-182-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/664-185-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/664-184-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/664-183-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/664-177-0x0000000000000000-mapping.dmp

Download
memory/904-256-0x0000000000000000-mapping.dmp

Download
memory/1168-271-0x0000000000000000-mapping.dmp

Download
memory/1296-274-0x0000000000000000-mapping.dmp

Download
memory/1296-278-0x0000000000620000-0x0000000000633000-memory.dmp

Filesize
76KB

Download
memory/1512-210-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1512-206-0x0000000000000000-mapping.dmp

Download
memory/1512-217-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/1884-314-0x0000000000000000-mapping.dmp

Download
memory/1884-321-0x000000001B9A0000-0x000000001B9A2000-memory.dmp

Filesize
8KB

Download
memory/2012-272-0x0000000000000000-mapping.dmp

Download
memory/2468-324-0x0000000000000000-mapping.dmp

Download
memory/2572-273-0x0000000002130000-0x00000000021C0000-memory.dmp

Filesize
576KB

Download
memory/2572-268-0x0000000000000000-mapping.dmp

Download
memory/2940-331-0x0000000000000000-mapping.dmp

Download
memory/2940-335-0x0000000002130000-0x00000000021C0000-memory.dmp

Filesize
576KB

Download
memory/3036-171-0x0000000000000000-mapping.dmp

Download
memory/3100-186-0x0000000000000000-mapping.dmp

Download
memory/3100-189-0x0000000003ED0000-0x0000000003F5F000-memory.dmp

Filesize
572KB

Download
memory/3240-190-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3240-149-0x000000000BFA0000-0x000000000BFB6000-memory.dmp

Filesize
88KB

Download
memory/3240-163-0x0000000007630000-0x00000000076B0000-memory.dmp

Filesize
512KB

Download
memory/3240-155-0x00000000044E0000-0x0000000004560000-memory.dmp

Filesize
512KB

Download
memory/3288-174-0x0000000000000000-mapping.dmp

Download
memory/3728-334-0x0000000000000000-mapping.dmp

Download
memory/3808-297-0x0000000005DA0000-0x0000000005DA1000-memory.dmp

Filesize
4KB

Download
memory/3808-305-0x0000000005DA3000-0x0000000005DA5000-memory.dmp

Filesize
8KB

Download
memory/3808-279-0x0000000000000000-mapping.dmp

Download
memory/4052-237-0x0000000000000000-mapping.dmp

Download
memory/4052-250-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/4148-298-0x0000000002210000-0x0000000002240000-memory.dmp

Filesize
192KB

Download
memory/4148-294-0x0000000000000000-mapping.dmp

Download
memory/4388-152-0x00000273BD8E0000-0x00000273BD8E4000-memory.dmp

Filesize
16KB

Download
memory/4388-151-0x00000273BB2E0000-0x00000273BB2F0000-memory.dmp

Filesize
64KB

Download
memory/4388-150-0x00000273BB260000-0x00000273BB270000-memory.dmp

Filesize
64KB

Download
memory/4748-311-0x0000000002AA0000-0x0000000002AA2000-memory.dmp

Filesize
8KB

Download
memory/4748-306-0x0000000000000000-mapping.dmp

Download
memory/4860-146-0x0000000000000000-mapping.dmp

Download
memory/4860-147-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4868-148-0x0000000000620000-0x0000000000629000-memory.dmp

Filesize
36KB

Download
memory/4960-252-0x0000000000000000-mapping.dmp

Download
memory/4960-255-0x0000000000750000-0x0000000000780000-memory.dmp

Filesize
192KB

Download