raccoon | a60659139ff3a9e6a4a482e060e301c83a25a02227308f6f572d79cc95c63dce

Analysis

max time kernel
142s
max time network
144s
platform
windows10_x64
resource
win10v20210408
submitted
02-10-2021 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab444e67d59822e2db238c4eb8e99d04.exe
Size

193KB
MD5

ab444e67d59822e2db238c4eb8e99d04
SHA1

8acd24cb9543babc8e9c22f2aafd39e0430a4602
SHA256

a60659139ff3a9e6a4a482e060e301c83a25a02227308f6f572d79cc95c63dce
SHA512

fc2cd599f4ef10f0f5a1d0db8de316b07076ed8323abc2fd099a40cb97fec0a46f35d7bbb1513435738f1c6bca0fb21b6998ea7b0658124fca95262106c80e73

Score

10^/10

raccoon redline mix02.10 �u'h�y��&s҈��kcc,d�6�1�>�-�discovery evasion infostealer persistence spyware stealer suricata themida trojan

Malware Config

Extracted

Family

raccoon

Botnet

�u'h�Y��&s҈��Kcc,d�6�1�>�-�

Attributes

url4cnc
�cb{K^�WXP�۸��fB:O�٩٭w<n'�>�+�d�?�]�e?$g��k�J��6�:��$Q

rc4.plain

Extracted

Family

redline

Botnet

mix02.10

185.215.113.15:6043

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3688-147-0x00000000022E0000-0x00000000022FF000-memory.dmp	family_redline
behavioral2/memory/3688-149-0x0000000002640000-0x000000000265E000-memory.dmp	family_redline

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata
suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M1
suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M1
suricata
suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M2
suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M2
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

56 2644 WScript.exe
58 2644 WScript.exe
60 2644 WScript.exe
62 2644 WScript.exe
Downloads MZ/PE file

flow	pid	process
56	2644	WScript.exe
58	2644	WScript.exe
60	2644	WScript.exe
62	2644	WScript.exe

Executes dropped EXE 10 IoCs

Processes:

96807984957.exe97712561087.exe05511100778.exemonns.exeFile.exekelpie.exepoteye.exeGrazia.exe.comIntelRapid.exeGrazia.exe.com

pid	process
1172	96807984957.exe
1664	97712561087.exe
2368	05511100778.exe
3688	monns.exe
2644	File.exe
1304	kelpie.exe
3168	poteye.exe
664	Grazia.exe.com
2640	IntelRapid.exe
1564	Grazia.exe.com

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

poteye.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	poteye.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	poteye.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe

Drops startup file 1 IoCs

Processes:

poteye.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk poteye.exe
Loads dropped DLL 6 IoCs

Processes:

96807984957.exeFile.exe

pid process

1172 96807984957.exe
1172 96807984957.exe
1172 96807984957.exe
1172 96807984957.exe
1172 96807984957.exe
2644 File.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	poteye.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\pigpen\poteye.exe	themida
C:\Users\Admin\AppData\Local\Temp\pigpen\poteye.exe	themida
behavioral2/memory/3168-184-0x00007FF70E990000-0x00007FF70F2F6000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral2/memory/2640-199-0x00007FF647B50000-0x00007FF6484B6000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kelpie.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kelpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	kelpie.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

poteye.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	poteye.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

poteye.exeIntelRapid.exe

pid process

3168 poteye.exe
2640 IntelRapid.exe

flow	ioc
43	ip-api.com

pid	process
3168	poteye.exe
2640	IntelRapid.exe

Drops file in Program Files directory 3 IoCs

Processes:

File.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	File.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	File.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	File.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

97712561087.exe05511100778.exeGrazia.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	97712561087.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	97712561087.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	05511100778.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	05511100778.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Grazia.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Grazia.exe.com

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3012 timeout.exe
4024 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3784 taskkill.exe
Modifies registry class 1 IoCs

Processes:

Grazia.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings Grazia.exe.com
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3860 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

2640 IntelRapid.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

monns.exe

pid process

3688 monns.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exemonns.exe

description pid process

Token: SeDebugPrivilege 3784 taskkill.exe
Token: SeDebugPrivilege 3688 monns.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Grazia.exe.comGrazia.exe.com

pid process

664 Grazia.exe.com
664 Grazia.exe.com
664 Grazia.exe.com
1564 Grazia.exe.com
1564 Grazia.exe.com
1564 Grazia.exe.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Grazia.exe.comGrazia.exe.com

pid process

664 Grazia.exe.com
664 Grazia.exe.com
664 Grazia.exe.com
1564 Grazia.exe.com
1564 Grazia.exe.com
1564 Grazia.exe.com

pid	process
3012	timeout.exe
4024	timeout.exe

pid	process
3784	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Grazia.exe.com

pid	process
3860	PING.EXE

pid	process
2640	IntelRapid.exe

pid	process
3688	monns.exe

description	pid	process
Token: SeDebugPrivilege	3784	taskkill.exe
Token: SeDebugPrivilege	3688	monns.exe

pid	process
664	Grazia.exe.com
664	Grazia.exe.com
664	Grazia.exe.com
1564	Grazia.exe.com
1564	Grazia.exe.com
1564	Grazia.exe.com

pid	process
664	Grazia.exe.com
664	Grazia.exe.com
664	Grazia.exe.com
1564	Grazia.exe.com
1564	Grazia.exe.com
1564	Grazia.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ab444e67d59822e2db238c4eb8e99d04.execmd.execmd.execmd.execmd.exe05511100778.exe96807984957.execmd.exe97712561087.exeFile.execmd.exekelpie.execmd.execmd.exe

description	pid	process	target process
PID 664 wrote to memory of 1040	664	ab444e67d59822e2db238c4eb8e99d04.exe	cmd.exe
PID 664 wrote to memory of 1040	664	ab444e67d59822e2db238c4eb8e99d04.exe	cmd.exe
PID 664 wrote to memory of 1040	664	ab444e67d59822e2db238c4eb8e99d04.exe	cmd.exe
PID 1040 wrote to memory of 1172	1040	cmd.exe	96807984957.exe
PID 1040 wrote to memory of 1172	1040	cmd.exe	96807984957.exe
PID 1040 wrote to memory of 1172	1040	cmd.exe	96807984957.exe
PID 664 wrote to memory of 1324	664	ab444e67d59822e2db238c4eb8e99d04.exe	cmd.exe
PID 664 wrote to memory of 1324	664	ab444e67d59822e2db238c4eb8e99d04.exe	cmd.exe
PID 664 wrote to memory of 1324	664	ab444e67d59822e2db238c4eb8e99d04.exe	cmd.exe
PID 1324 wrote to memory of 1664	1324	cmd.exe	97712561087.exe
PID 1324 wrote to memory of 1664	1324	cmd.exe	97712561087.exe
PID 1324 wrote to memory of 1664	1324	cmd.exe	97712561087.exe
PID 664 wrote to memory of 2020	664	ab444e67d59822e2db238c4eb8e99d04.exe	cmd.exe
PID 664 wrote to memory of 2020	664	ab444e67d59822e2db238c4eb8e99d04.exe	cmd.exe
PID 664 wrote to memory of 2020	664	ab444e67d59822e2db238c4eb8e99d04.exe	cmd.exe
PID 2020 wrote to memory of 2368	2020	cmd.exe	05511100778.exe
PID 2020 wrote to memory of 2368	2020	cmd.exe	05511100778.exe
PID 2020 wrote to memory of 2368	2020	cmd.exe	05511100778.exe
PID 664 wrote to memory of 2528	664	ab444e67d59822e2db238c4eb8e99d04.exe	cmd.exe
PID 664 wrote to memory of 2528	664	ab444e67d59822e2db238c4eb8e99d04.exe	cmd.exe
PID 664 wrote to memory of 2528	664	ab444e67d59822e2db238c4eb8e99d04.exe	cmd.exe
PID 2528 wrote to memory of 3784	2528	cmd.exe	taskkill.exe
PID 2528 wrote to memory of 3784	2528	cmd.exe	taskkill.exe
PID 2528 wrote to memory of 3784	2528	cmd.exe	taskkill.exe
PID 2368 wrote to memory of 3688	2368	05511100778.exe	monns.exe
PID 2368 wrote to memory of 3688	2368	05511100778.exe	monns.exe
PID 2368 wrote to memory of 3688	2368	05511100778.exe	monns.exe
PID 1172 wrote to memory of 3732	1172	96807984957.exe	cmd.exe
PID 1172 wrote to memory of 3732	1172	96807984957.exe	cmd.exe
PID 1172 wrote to memory of 3732	1172	96807984957.exe	cmd.exe
PID 3732 wrote to memory of 3012	3732	cmd.exe	timeout.exe
PID 3732 wrote to memory of 3012	3732	cmd.exe	timeout.exe
PID 3732 wrote to memory of 3012	3732	cmd.exe	timeout.exe
PID 1664 wrote to memory of 2644	1664	97712561087.exe	File.exe
PID 1664 wrote to memory of 2644	1664	97712561087.exe	File.exe
PID 1664 wrote to memory of 2644	1664	97712561087.exe	File.exe
PID 1664 wrote to memory of 3756	1664	97712561087.exe	cmd.exe
PID 1664 wrote to memory of 3756	1664	97712561087.exe	cmd.exe
PID 1664 wrote to memory of 3756	1664	97712561087.exe	cmd.exe
PID 2644 wrote to memory of 1304	2644	File.exe	kelpie.exe
PID 2644 wrote to memory of 1304	2644	File.exe	kelpie.exe
PID 2644 wrote to memory of 1304	2644	File.exe	kelpie.exe
PID 2644 wrote to memory of 3168	2644	File.exe	poteye.exe
PID 2644 wrote to memory of 3168	2644	File.exe	poteye.exe
PID 3756 wrote to memory of 4024	3756	cmd.exe	timeout.exe
PID 3756 wrote to memory of 4024	3756	cmd.exe	timeout.exe
PID 3756 wrote to memory of 4024	3756	cmd.exe	timeout.exe
PID 1304 wrote to memory of 4048	1304	kelpie.exe	dllhost.exe
PID 1304 wrote to memory of 4048	1304	kelpie.exe	dllhost.exe
PID 1304 wrote to memory of 4048	1304	kelpie.exe	dllhost.exe
PID 1304 wrote to memory of 1452	1304	kelpie.exe	cmd.exe
PID 1304 wrote to memory of 1452	1304	kelpie.exe	cmd.exe
PID 1304 wrote to memory of 1452	1304	kelpie.exe	cmd.exe
PID 1452 wrote to memory of 412	1452	cmd.exe	cmd.exe
PID 1452 wrote to memory of 412	1452	cmd.exe	cmd.exe
PID 1452 wrote to memory of 412	1452	cmd.exe	cmd.exe
PID 412 wrote to memory of 2100	412	cmd.exe	findstr.exe
PID 412 wrote to memory of 2100	412	cmd.exe	findstr.exe
PID 412 wrote to memory of 2100	412	cmd.exe	findstr.exe
PID 412 wrote to memory of 664	412	cmd.exe	Grazia.exe.com
PID 412 wrote to memory of 664	412	cmd.exe	Grazia.exe.com
PID 412 wrote to memory of 664	412	cmd.exe	Grazia.exe.com
PID 412 wrote to memory of 3860	412	cmd.exe	PING.EXE
PID 412 wrote to memory of 3860	412	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\ab444e67d59822e2db238c4eb8e99d04.exe
"C:\Users\Admin\AppData\Local\Temp\ab444e67d59822e2db238c4eb8e99d04.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\96807984957.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\96807984957.exe
"C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\96807984957.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\96807984957.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:3012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\97712561087.exe" /mix
2⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\97712561087.exe
"C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\97712561087.exe" /mix
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\pigpen\kelpie.exe
"C:\Users\Admin\AppData\Local\Temp\pigpen\kelpie.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
6⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Rivederla.sldx
6⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\cmd.exe
cmd
7⤵
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^aOROvJzUjvvRrAnkxWTqxczDSakEvmxODKzodbkPMiFVEfmoYTgheyJXchWrbPbMwIgzidUWKrghPnZDSrFDk$" Prende.sldx
8⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grazia.exe.com
Grazia.exe.com B
8⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:664

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grazia.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grazia.exe.com B
9⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1564

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qtpkiylfnmw.vbs"
10⤵
PID:1180

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hjuorknudcc.vbs"
10⤵
- Blocklisted process makes network request
PID:2644

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
8⤵
- Runs ping.exe
PID:3860

C:\Users\Admin\AppData\Local\Temp\pigpen\poteye.exe
"C:\Users\Admin\AppData\Local\Temp\pigpen\poteye.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3168

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
PID:2640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\ZfgIhAXfZr & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\97712561087.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SysWOW64\timeout.exe
timeout 4
5⤵
- Delays execution with timeout.exe
PID:4024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\05511100778.exe" /mix
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\05511100778.exe
"C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\05511100778.exe" /mix
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Roaming\sliders\monns.exe
monns.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "ab444e67d59822e2db238c4eb8e99d04.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ab444e67d59822e2db238c4eb8e99d04.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "ab444e67d59822e2db238c4eb8e99d04.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c70150d4634ccf7bb7733ebdb4072f0f

SHA1
3f7c3eaf46bf63aaa8562ebbfcea2d7aae2a495c

SHA256
d23fdbd760b506644824da200eb06eb927e1c007098b2bf356c025f7b527b5e3

SHA512
1fb77b0d40e8571cc68663bb05466fcf183a096ca0a32e11ab8ad3ca0ad2d8209c78de05e8390eb01869fad625e82996a045945ad6dcb3ad7049913a7b319adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c70150d4634ccf7bb7733ebdb4072f0f

SHA1
3f7c3eaf46bf63aaa8562ebbfcea2d7aae2a495c

SHA256
d23fdbd760b506644824da200eb06eb927e1c007098b2bf356c025f7b527b5e3

SHA512
1fb77b0d40e8571cc68663bb05466fcf183a096ca0a32e11ab8ad3ca0ad2d8209c78de05e8390eb01869fad625e82996a045945ad6dcb3ad7049913a7b319adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B
MD5
13dadc1bbc7fd49cf05d59507ec6c7f3

SHA1
4eb11c17cd38f22596556f6a0b8c651eee854a02

SHA256
9d9f8008c09e3796b8b27d130868d6f3f82da6ade4ebe997f855899f84bca55e

SHA512
05511c513749718ae6dc8417a285e572d64270a8e47aecaf7ec2276205300a98c863511fc328d2922429edaa15f08cc2f0b1ed68959980e6d29988f27659f531

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grazia.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grazia.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grazia.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hai.sldx
MD5
13dadc1bbc7fd49cf05d59507ec6c7f3

SHA1
4eb11c17cd38f22596556f6a0b8c651eee854a02

SHA256
9d9f8008c09e3796b8b27d130868d6f3f82da6ade4ebe997f855899f84bca55e

SHA512
05511c513749718ae6dc8417a285e572d64270a8e47aecaf7ec2276205300a98c863511fc328d2922429edaa15f08cc2f0b1ed68959980e6d29988f27659f531

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prende.sldx
MD5
f1b7b2303aacc91dec698dd99e89dafb

SHA1
4ed4b23ca6c5716b868252b06529901f5402671e

SHA256
c4299f690a3f25f3635727de6686055378481e9b2cf306fe568ed3c117f7e654

SHA512
dc129ea101f4a202d90cfb68a1a4ae8253e97acb5b803514d691d903fa95c2e077b1c717c408ef7a4c5ee4ffe8af86179904a391d531a71a3dd969c54aab096e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rivederla.sldx
MD5
ab53f0c081651dc7e3f8b06f614243dd

SHA1
deba5728d0a03342d36a67a4aea7397a55fca2fa

SHA256
19c5ff96f3c60e406faf60193addd84954557fdc65274d4e107023d2d2bd72a2

SHA512
82fc950783fd7736679200fdfb483a8229760dc541515e82483a93cec81743da2cf921344892fedb850894aa79efe698ec566f9dd27eb4d54a482d679cf76ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfgIhAXfZr\JMDDHB~1.ZIP
MD5
4c85b17ee95b178e3965f03918215864

SHA1
4586efd0aa1a140c2b55d6505f38b608e5ad2593

SHA256
a6afe8737af6d7334e89eacc20e5f721acd89ab9871e4131fb6a3c10832fffc0

SHA512
f90b5e46f0b9699a38ecc6c3ad2f11125a01b2340ac950fd4f58838cc15cb504c6a2f8569a7d72df27928290456f05c02f5365ce80aa95e039e788c131bb179d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfgIhAXfZr\TLCPXU~1.ZIP
MD5
7a569f5b352255a1fa4b0b2cacc5b621

SHA1
4aea7044ea8a489874987d138bb438f7be5c1a5e

SHA256
ab30224e14df2e505a6861e75c0458fca0a8598cd58ea1b838ad1adadfac88b7

SHA512
df2a282037941ca4de159548fdf82ba075caf14e89c2f7245e8a9cfd5fe18a8214407e444a270882e564654ac9dbd44d15e3d49617ed981992fcd75fedff20a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfgIhAXfZr\_Files\_INFOR~1.TXT
MD5
36f8bfe1f02ff155094a9a72ccccb5de

SHA1
5890e8bba68f4cf14871b11ea70f2d2210c119c9

SHA256
b924bda98bf2c4fa4ca61a77015ac6f2fa296b907938b5435bd278cc46277ec0

SHA512
2a39ac87c0cac664714cd13ce146081b0dc313ff1715f1f84a1d7030dd11c0045c9f649d4c94034b893105a9273218d434840578e97da73bb056fa7a71f80c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfgIhAXfZr\_Files\_SCREE~1.JPE
MD5
cac07341e2ce6adb46c6706825d6a532

SHA1
19aacdb107547191298648dae1f5f156a07d4893

SHA256
4b613a430eb97f8638844cf7c40bd5c97b5a1b07b67d4ac53fff1388942a3e73

SHA512
f7417571d7414fdd639a17e4dda8b170f3b6c5052cdb27ddd6928b5fc38c9cd50eb02040b238b590178affa9c56e415814976cc81652760d7ce48c7a640f8574

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfgIhAXfZr\files_\SCREEN~1.JPG
MD5
cac07341e2ce6adb46c6706825d6a532

SHA1
19aacdb107547191298648dae1f5f156a07d4893

SHA256
4b613a430eb97f8638844cf7c40bd5c97b5a1b07b67d4ac53fff1388942a3e73

SHA512
f7417571d7414fdd639a17e4dda8b170f3b6c5052cdb27ddd6928b5fc38c9cd50eb02040b238b590178affa9c56e415814976cc81652760d7ce48c7a640f8574

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfgIhAXfZr\files_\SYSTEM~1.TXT
MD5
36f8bfe1f02ff155094a9a72ccccb5de

SHA1
5890e8bba68f4cf14871b11ea70f2d2210c119c9

SHA256
b924bda98bf2c4fa4ca61a77015ac6f2fa296b907938b5435bd278cc46277ec0

SHA512
2a39ac87c0cac664714cd13ce146081b0dc313ff1715f1f84a1d7030dd11c0045c9f649d4c94034b893105a9273218d434840578e97da73bb056fa7a71f80c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjuorknudcc.vbs
MD5
d82e668d10b4502a911074b80aed9a18

SHA1
7ab8b0872428d08c3cd6a677b10cb2b68ade1f8a

SHA256
e27c2839a3073a324c7cfa64ec99a62475918715a0642c84213a475ebfeed351

SHA512
8442b2e69c8440dbf98cb27159c1ccd56ecf72fb1240dfae5abfc82518d5aca7ed402d70aec62b84286f473dce693b782ccc3fec9744fec590f4bbd7cb193e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\pigpen\kelpie.exe
MD5
0714921b3968a977be00e12d70c6c5a9

SHA1
acc84ae5775e26a8b8c885ced2cdc9868ac58aea

SHA256
9a9c345460f7741e3ddffdc093d1c70338232d82142605c86326a48492c66e5a

SHA512
e205a3e883d6108ec7a0b65f4aaa4bfa55c3e023eff1047f3bd1ffe6740a73385c9cb58fb17b6524ff8fc161a6e7982718ca9f251f1ab847077af0e2455be9b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pigpen\poteye.exe
MD5
1f31a1eb55a532e737ec5cacfcc373a9

SHA1
8bac46ed886b331c32c097899f03835fd1b7cca2

SHA256
74be7559fd36d07b55efab58a63ca29eef7b7044d86b2e064c7b05b88264e315

SHA512
8f2ad0ab3d94935f0cf6b099b6f76227080bf26d27b35b09c74f7b17f0b8f09086c0da52c9e6098cd75dd0b5cd4d7d743fefefee03fb7fa05a97163c310a73dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pigpen\poteye.exe
MD5
1f31a1eb55a532e737ec5cacfcc373a9

SHA1
8bac46ed886b331c32c097899f03835fd1b7cca2

SHA256
74be7559fd36d07b55efab58a63ca29eef7b7044d86b2e064c7b05b88264e315

SHA512
8f2ad0ab3d94935f0cf6b099b6f76227080bf26d27b35b09c74f7b17f0b8f09086c0da52c9e6098cd75dd0b5cd4d7d743fefefee03fb7fa05a97163c310a73dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtpkiylfnmw.vbs
MD5
400af9d5195befc63b590cc2c7186b4c

SHA1
167cd191fed9f3ac735c3549e000a62d776e4e77

SHA256
27593eb654670d69d59c2e8d476b40a96eb82b05069bd3c0682f31a703936479

SHA512
044d121928cc7ae2a1829e6336a42a7f149ea45cb00c5437776a03df1fceef75728fe3ad67752e6a4265f7783c5f869a9fdd29c647ceacc48a731e8f46cc3bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\05511100778.exe
MD5
5d9cad4c941eb45397dbcd597559a253

SHA1
a4549b4c2afe2cecaa1ed65ed319af9dbc09e571

SHA256
97e446bfcdbbb95194cc7ad82d37caa9ffb358c2e3cf17d181959c4fe1edcfe9

SHA512
212b6d2512837bbbbd49e1fa7bef4eee27fe573f052768e5002b2b623db8c25300df5c93012ce3f599dd3eb7296ed82aae4e9b80792a5a548f5a60bf72967253

Download Submit
C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\96807984957.exe
MD5
0f64ddd766bc02d60538e1c0fe754b40

SHA1
602601fb918e937f3d0cde16a9bd0259401c8dd8

SHA256
63d9d211e1fae3e169ecd91e81e7ce5f10c43c35a2194340cbd85341dc323c4f

SHA512
9e2b0e7cc6a867eb84783f0a4424ff5fdb276e87c598436c7afe23111421414a0c4f775dba4c48885f93ebd2ea84a77194b526e0972f048b5243d2496a2653de

Download Submit
C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\96807984957.exe
MD5
0f64ddd766bc02d60538e1c0fe754b40

SHA1
602601fb918e937f3d0cde16a9bd0259401c8dd8

SHA256
63d9d211e1fae3e169ecd91e81e7ce5f10c43c35a2194340cbd85341dc323c4f

SHA512
9e2b0e7cc6a867eb84783f0a4424ff5fdb276e87c598436c7afe23111421414a0c4f775dba4c48885f93ebd2ea84a77194b526e0972f048b5243d2496a2653de

Download Submit
C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\97712561087.exe
MD5
5a0ea4aab5f283b5c7d234322e04c6ce

SHA1
33509a78863b9bd7385054aa5bc92b8ce4f1ab5f

SHA256
2d090e48369efcdbebf9df5aed96857cd442509bb5f59e171f2b1b3cf1a56361

SHA512
8f150303c90231188c72dacb873fc5b71c42f0730f75bfe61a388457329bae8985c86b83e5088e2a6813fcda0a383fb1e96cec49b8510d1700412c585438aaec

Download Submit
C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\97712561087.exe
MD5
5a0ea4aab5f283b5c7d234322e04c6ce

SHA1
33509a78863b9bd7385054aa5bc92b8ce4f1ab5f

SHA256
2d090e48369efcdbebf9df5aed96857cd442509bb5f59e171f2b1b3cf1a56361

SHA512
8f150303c90231188c72dacb873fc5b71c42f0730f75bfe61a388457329bae8985c86b83e5088e2a6813fcda0a383fb1e96cec49b8510d1700412c585438aaec

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
1f31a1eb55a532e737ec5cacfcc373a9

SHA1
8bac46ed886b331c32c097899f03835fd1b7cca2

SHA256
74be7559fd36d07b55efab58a63ca29eef7b7044d86b2e064c7b05b88264e315

SHA512
8f2ad0ab3d94935f0cf6b099b6f76227080bf26d27b35b09c74f7b17f0b8f09086c0da52c9e6098cd75dd0b5cd4d7d743fefefee03fb7fa05a97163c310a73dd

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
1f31a1eb55a532e737ec5cacfcc373a9

SHA1
8bac46ed886b331c32c097899f03835fd1b7cca2

SHA256
74be7559fd36d07b55efab58a63ca29eef7b7044d86b2e064c7b05b88264e315

SHA512
8f2ad0ab3d94935f0cf6b099b6f76227080bf26d27b35b09c74f7b17f0b8f09086c0da52c9e6098cd75dd0b5cd4d7d743fefefee03fb7fa05a97163c310a73dd

Download Submit
C:\Users\Admin\AppData\Roaming\sliders\monns.exe
MD5
296c65cf3f705fcbf5fa32e68b235254

SHA1
5fb360cf5969c11f973e0a92032b3db654db27dd

SHA256
9b8f03568ef32309cb28cf14f59480810da80fb9545edb107dddfb7a48f9a3bc

SHA512
6b94bfb141c4d01cb8baa62dc6c8a6031fd14388cb3d07889de4a5305678645916fa4229c28d5a282b544b2bd225a91b29b34240ded8735f960133d6decdd395

Download Submit
C:\Users\Admin\AppData\Roaming\sliders\monns.exe
MD5
296c65cf3f705fcbf5fa32e68b235254

SHA1
5fb360cf5969c11f973e0a92032b3db654db27dd

SHA256
9b8f03568ef32309cb28cf14f59480810da80fb9545edb107dddfb7a48f9a3bc

SHA512
6b94bfb141c4d01cb8baa62dc6c8a6031fd14388cb3d07889de4a5305678645916fa4229c28d5a282b544b2bd225a91b29b34240ded8735f960133d6decdd395

Download Submit
\Users\Admin\AppData\LocalLow\nU9pY0gT8d\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\nU9pY0gT8d\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\nU9pY0gT8d\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\nU9pY0gT8d\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Local\Temp\nsk3A9F.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/412-186-0x0000000000000000-mapping.dmp

Download
memory/664-190-0x0000000000000000-mapping.dmp

Download
memory/664-114-0x0000000000830000-0x000000000085F000-memory.dmp

Filesize
188KB

Download
memory/664-115-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1040-116-0x0000000000000000-mapping.dmp

Download
memory/1172-117-0x0000000000000000-mapping.dmp

Download
memory/1172-124-0x0000000000AF0000-0x0000000000B7E000-memory.dmp

Filesize
568KB

Download
memory/1172-125-0x0000000000400000-0x00000000008B0000-memory.dmp

Filesize
4.7MB

Download
memory/1180-201-0x0000000000000000-mapping.dmp

Download
memory/1304-170-0x0000000000000000-mapping.dmp

Download
memory/1324-120-0x0000000000000000-mapping.dmp

Download
memory/1452-183-0x0000000000000000-mapping.dmp

Download
memory/1564-197-0x0000000000000000-mapping.dmp

Download
memory/1664-132-0x0000000000B20000-0x0000000000B66000-memory.dmp

Filesize
280KB

Download
memory/1664-133-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/1664-121-0x0000000000000000-mapping.dmp

Download
memory/2020-126-0x0000000000000000-mapping.dmp

Download
memory/2100-187-0x0000000000000000-mapping.dmp

Download
memory/2368-127-0x0000000000000000-mapping.dmp

Download
memory/2368-134-0x0000000000B30000-0x0000000000BFF000-memory.dmp

Filesize
828KB

Download
memory/2368-135-0x0000000000400000-0x00000000008CD000-memory.dmp

Filesize
4.8MB

Download
memory/2528-129-0x0000000000000000-mapping.dmp

Download
memory/2640-199-0x00007FF647B50000-0x00007FF6484B6000-memory.dmp

Filesize
9.4MB

Download
memory/2640-194-0x0000000000000000-mapping.dmp

Download
memory/2644-203-0x0000000000000000-mapping.dmp

Download
memory/2644-165-0x0000000000000000-mapping.dmp

Download
memory/3012-144-0x0000000000000000-mapping.dmp

Download
memory/3168-178-0x0000000000000000-mapping.dmp

Download
memory/3168-184-0x00007FF70E990000-0x00007FF70F2F6000-memory.dmp

Filesize
9.4MB

Download
memory/3688-159-0x0000000006A80000-0x0000000006A81000-memory.dmp

Filesize
4KB

Download
memory/3688-152-0x0000000002812000-0x0000000002813000-memory.dmp

Filesize
4KB

Download
memory/3688-147-0x00000000022E0000-0x00000000022FF000-memory.dmp

Filesize
124KB

Download
memory/3688-161-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/3688-148-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3688-160-0x0000000006C50000-0x0000000006C51000-memory.dmp

Filesize
4KB

Download
memory/3688-163-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/3688-149-0x0000000002640000-0x000000000265E000-memory.dmp

Filesize
120KB

Download
memory/3688-164-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/3688-158-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/3688-140-0x0000000000000000-mapping.dmp

Download
memory/3688-145-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/3688-157-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/3688-156-0x0000000002814000-0x0000000002816000-memory.dmp

Filesize
8KB

Download
memory/3688-155-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/3688-154-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3688-150-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/3688-146-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3688-151-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/3688-162-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/3688-153-0x0000000002813000-0x0000000002814000-memory.dmp

Filesize
4KB

Download
memory/3732-143-0x0000000000000000-mapping.dmp

Download
memory/3756-167-0x0000000000000000-mapping.dmp

Download
memory/3784-130-0x0000000000000000-mapping.dmp

Download
memory/3860-193-0x0000000000000000-mapping.dmp

Download
memory/4024-179-0x0000000000000000-mapping.dmp

Download
memory/4048-182-0x0000000000000000-mapping.dmp

Download