raccoon | 299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0

Analysis

max time kernel
151s
max time network
150s
platform
windows10_x64
resource
win10-en-20211014
submitted
15-10-2021 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe
Size

292KB
MD5

daaceda09454e6699f1a24b3c12daeee
SHA1

6af1dfa0158909788ccd6a75c078dc07727a736c
SHA256

299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0
SHA512

f73102b0655edd79fae416e494b0ac847339c219ed59c0b8d8d041127d25eb548a6f9c5fc52773db8d152ad7f9f287520b49de997b04d88ca134fc021fbf498e

Score

10^/10

raccoon redline smokeloader tofsee 12 43ab0e96f8a4de7ddcfd2d8f5cf651c629a89e17 7ebf9b416b72a203df65383eec899dc689d2c3d7 fbe5e97e7d069407605ee9138022aa82166657e6 megaproliv2 backdoor discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://honawey7.top/

http://wijibui0.top/

http://hefahei6.top/

http://pipevai4.top/

http://nalirou7.top/

rc4.i32

Extracted

Family

tofsee

quadoil.ru

lakeflex.ru

Extracted

Family

raccoon

Version

1.8.2

Botnet

fbe5e97e7d069407605ee9138022aa82166657e6

Attributes

url4cnc
http://telemirror.top/stevuitreen
http://tgmirror.top/stevuitreen
http://telegatt.top/stevuitreen
http://telegka.top/stevuitreen
http://telegin.top/stevuitreen
https://t.me/stevuitreen

rc4.plain

Extracted

Family

redline

Botnet

135.181.208.162:13904

Extracted

Family

redline

Botnet

MegaProliv2

93.115.20.139:28978

Extracted

Family

raccoon

Botnet

43ab0e96f8a4de7ddcfd2d8f5cf651c629a89e17

Attributes

url4cnc
http://telegatt.top/mixmorty14
http://telegka.top/mixmorty14
http://telegin.top/mixmorty14
https://t.me/mixmorty14

rc4.plain

Extracted

Family

raccoon

Botnet

7ebf9b416b72a203df65383eec899dc689d2c3d7

Attributes

url4cnc
http://telegatt.top/agrybirdsgamerept
http://telegka.top/agrybirdsgamerept
http://telegin.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3452-176-0x0000000000690000-0x00000000006C1000-memory.dmp	family_redline
behavioral1/memory/3452-181-0x0000000004F60000-0x0000000004F7B000-memory.dmp	family_redline
behavioral1/memory/5068-192-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/5068-193-0x000000000041B252-mapping.dmp	family_redline
behavioral1/memory/332-198-0x0000000000438F0E-mapping.dmp	family_redline
behavioral1/memory/332-194-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2528 created 2680 2528 WerFault.exe 667C.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

description	pid	process	target process
PID 2528 created 2680	2528	WerFault.exe	667C.exe

Nirsoft 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ca2b0f81-32cb-4c3d-a40c-30c627582a15\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ca2b0f81-32cb-4c3d-a40c-30c627582a15\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ca2b0f81-32cb-4c3d-a40c-30c627582a15\AdvancedRun.exe	Nirsoft

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 16 IoCs

Processes:

1F0D.exe1F0D.exe29AD.exe2C00.exe33D1.exe3931.exeAdvancedRun.exeAdvancedRun.exexufkispm.exe4576.exe3931.exe2C00.exe667C.exe786F.exe81C7.exe85FE.exe

pid	process
4640	1F0D.exe
540	1F0D.exe
676	29AD.exe
316	2C00.exe
1240	33D1.exe
1424	3931.exe
3956	AdvancedRun.exe
4968	AdvancedRun.exe
4932	xufkispm.exe
3452	4576.exe
5068	3931.exe
332	2C00.exe
2680	667C.exe
1308	786F.exe
2344	81C7.exe
4252	85FE.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

pid process

3056
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3056

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

2C00.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	2C00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\2C00.exe = "0"	2C00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	2C00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	2C00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	2C00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	2C00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	2C00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	2C00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	2C00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	2C00.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

2C00.exe

pid	process
316	2C00.exe
316	2C00.exe
316	2C00.exe
316	2C00.exe
316	2C00.exe
316	2C00.exe
316	2C00.exe
316	2C00.exe
316	2C00.exe
316	2C00.exe
316	2C00.exe
316	2C00.exe
316	2C00.exe
316	2C00.exe
316	2C00.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe1F0D.exe3931.exe2C00.exexufkispm.exe

description	pid	process	target process
PID 3504 set thread context of 3160	3504	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe
PID 4640 set thread context of 540	4640	1F0D.exe	1F0D.exe
PID 1424 set thread context of 5068	1424	3931.exe	3931.exe
PID 316 set thread context of 332	316	2C00.exe	2C00.exe
PID 4932 set thread context of 1980	4932	xufkispm.exe	svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2408 316 WerFault.exe 2C00.exe
2528 2680 WerFault.exe 667C.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
2408	316	WerFault.exe	2C00.exe
2528	2680	WerFault.exe	667C.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe1F0D.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1F0D.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1F0D.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1F0D.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe

pid	process
3160	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe
3160	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3056
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe1F0D.exe

pid process

3160 299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe
540 1F0D.exe

pid	process
3056

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2C00.exeAdvancedRun.exeAdvancedRun.exeWerFault.exepowershell.exe4576.exe3931.exe2C00.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	316	2C00.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	3956	AdvancedRun.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeImpersonatePrivilege	3956	AdvancedRun.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	4968	AdvancedRun.exe
Token: SeImpersonatePrivilege	4968	AdvancedRun.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeRestorePrivilege	2408	WerFault.exe
Token: SeBackupPrivilege	2408	WerFault.exe
Token: SeBackupPrivilege	2408	WerFault.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	2408	WerFault.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	3452	4576.exe
Token: SeDebugPrivilege	5068	3931.exe
Token: SeDebugPrivilege	332	2C00.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	2528	WerFault.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3056
3056
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

3056
3056
3056
3056
3056
3056

pid	process
3056
3056

pid	process
3056
3056
3056
3056
3056
3056

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe1F0D.exe29AD.exe2C00.exeAdvancedRun.exe3931.exe

description	pid	process	target process
PID 3504 wrote to memory of 3160	3504	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe
PID 3504 wrote to memory of 3160	3504	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe
PID 3504 wrote to memory of 3160	3504	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe
PID 3504 wrote to memory of 3160	3504	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe
PID 3504 wrote to memory of 3160	3504	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe
PID 3504 wrote to memory of 3160	3504	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe	299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe
PID 3056 wrote to memory of 4640	3056		1F0D.exe
PID 3056 wrote to memory of 4640	3056		1F0D.exe
PID 3056 wrote to memory of 4640	3056		1F0D.exe
PID 4640 wrote to memory of 540	4640	1F0D.exe	1F0D.exe
PID 4640 wrote to memory of 540	4640	1F0D.exe	1F0D.exe
PID 4640 wrote to memory of 540	4640	1F0D.exe	1F0D.exe
PID 4640 wrote to memory of 540	4640	1F0D.exe	1F0D.exe
PID 4640 wrote to memory of 540	4640	1F0D.exe	1F0D.exe
PID 4640 wrote to memory of 540	4640	1F0D.exe	1F0D.exe
PID 3056 wrote to memory of 676	3056		29AD.exe
PID 3056 wrote to memory of 676	3056		29AD.exe
PID 3056 wrote to memory of 676	3056		29AD.exe
PID 3056 wrote to memory of 316	3056		2C00.exe
PID 3056 wrote to memory of 316	3056		2C00.exe
PID 3056 wrote to memory of 316	3056		2C00.exe
PID 3056 wrote to memory of 1240	3056		33D1.exe
PID 3056 wrote to memory of 1240	3056		33D1.exe
PID 3056 wrote to memory of 1240	3056		33D1.exe
PID 676 wrote to memory of 1660	676	29AD.exe	cmd.exe
PID 676 wrote to memory of 1660	676	29AD.exe	cmd.exe
PID 676 wrote to memory of 1660	676	29AD.exe	cmd.exe
PID 3056 wrote to memory of 1424	3056		3931.exe
PID 3056 wrote to memory of 1424	3056		3931.exe
PID 3056 wrote to memory of 1424	3056		3931.exe
PID 676 wrote to memory of 2220	676	29AD.exe	cmd.exe
PID 676 wrote to memory of 2220	676	29AD.exe	cmd.exe
PID 676 wrote to memory of 2220	676	29AD.exe	cmd.exe
PID 316 wrote to memory of 3956	316	2C00.exe	AdvancedRun.exe
PID 316 wrote to memory of 3956	316	2C00.exe	AdvancedRun.exe
PID 316 wrote to memory of 3956	316	2C00.exe	AdvancedRun.exe
PID 676 wrote to memory of 1688	676	29AD.exe	sc.exe
PID 676 wrote to memory of 1688	676	29AD.exe	sc.exe
PID 676 wrote to memory of 1688	676	29AD.exe	sc.exe
PID 3956 wrote to memory of 4968	3956	AdvancedRun.exe	AdvancedRun.exe
PID 3956 wrote to memory of 4968	3956	AdvancedRun.exe	AdvancedRun.exe
PID 3956 wrote to memory of 4968	3956	AdvancedRun.exe	AdvancedRun.exe
PID 676 wrote to memory of 1368	676	29AD.exe	sc.exe
PID 676 wrote to memory of 1368	676	29AD.exe	sc.exe
PID 676 wrote to memory of 1368	676	29AD.exe	sc.exe
PID 676 wrote to memory of 5044	676	29AD.exe	sc.exe
PID 676 wrote to memory of 5044	676	29AD.exe	sc.exe
PID 676 wrote to memory of 5044	676	29AD.exe	sc.exe
PID 1424 wrote to memory of 5068	1424	3931.exe	3931.exe
PID 1424 wrote to memory of 5068	1424	3931.exe	3931.exe
PID 1424 wrote to memory of 5068	1424	3931.exe	3931.exe
PID 676 wrote to memory of 4420	676	29AD.exe	netsh.exe
PID 676 wrote to memory of 4420	676	29AD.exe	netsh.exe
PID 676 wrote to memory of 4420	676	29AD.exe	netsh.exe
PID 3056 wrote to memory of 3452	3056		4576.exe
PID 3056 wrote to memory of 3452	3056		4576.exe
PID 3056 wrote to memory of 3452	3056		4576.exe
PID 316 wrote to memory of 728	316	2C00.exe	powershell.exe
PID 316 wrote to memory of 728	316	2C00.exe	powershell.exe
PID 316 wrote to memory of 728	316	2C00.exe	powershell.exe
PID 1424 wrote to memory of 5068	1424	3931.exe	3931.exe
PID 1424 wrote to memory of 5068	1424	3931.exe	3931.exe
PID 1424 wrote to memory of 5068	1424	3931.exe	3931.exe
PID 1424 wrote to memory of 5068	1424	3931.exe	3931.exe

C:\Users\Admin\AppData\Local\Temp\299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe
"C:\Users\Admin\AppData\Local\Temp\299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3504

C:\Users\Admin\AppData\Local\Temp\299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe
"C:\Users\Admin\AppData\Local\Temp\299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3160

C:\Users\Admin\AppData\Local\Temp\1F0D.exe
C:\Users\Admin\AppData\Local\Temp\1F0D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4640

C:\Users\Admin\AppData\Local\Temp\1F0D.exe
C:\Users\Admin\AppData\Local\Temp\1F0D.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:540

C:\Users\Admin\AppData\Local\Temp\29AD.exe
C:\Users\Admin\AppData\Local\Temp\29AD.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zlowlhdt\
2⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xufkispm.exe" C:\Windows\SysWOW64\zlowlhdt\
2⤵
PID:2220

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create zlowlhdt binPath= "C:\Windows\SysWOW64\zlowlhdt\xufkispm.exe /d\"C:\Users\Admin\AppData\Local\Temp\29AD.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1688

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description zlowlhdt "wifi internet conection"
2⤵
PID:1368

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start zlowlhdt
2⤵
PID:5044

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\2C00.exe
C:\Users\Admin\AppData\Local\Temp\2C00.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\Temp\ca2b0f81-32cb-4c3d-a40c-30c627582a15\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\ca2b0f81-32cb-4c3d-a40c-30c627582a15\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ca2b0f81-32cb-4c3d-a40c-30c627582a15\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Local\Temp\ca2b0f81-32cb-4c3d-a40c-30c627582a15\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\ca2b0f81-32cb-4c3d-a40c-30c627582a15\AdvancedRun.exe" /SpecialRun 4101d8 3956
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2C00.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Users\Admin\AppData\Local\Temp\2C00.exe
"C:\Users\Admin\AppData\Local\Temp\2C00.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 2236
2⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Users\Admin\AppData\Local\Temp\33D1.exe
C:\Users\Admin\AppData\Local\Temp\33D1.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Users\Admin\AppData\Local\Temp\3931.exe
C:\Users\Admin\AppData\Local\Temp\3931.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\3931.exe
C:\Users\Admin\AppData\Local\Temp\3931.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\SysWOW64\zlowlhdt\xufkispm.exe
C:\Windows\SysWOW64\zlowlhdt\xufkispm.exe /d"C:\Users\Admin\AppData\Local\Temp\29AD.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4932

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\4576.exe
C:\Users\Admin\AppData\Local\Temp\4576.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Users\Admin\AppData\Local\Temp\667C.exe
C:\Users\Admin\AppData\Local\Temp\667C.exe
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 952
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Users\Admin\AppData\Local\Temp\786F.exe
C:\Users\Admin\AppData\Local\Temp\786F.exe
1⤵
- Executes dropped EXE
PID:1308

C:\Users\Admin\AppData\Local\Temp\81C7.exe
C:\Users\Admin\AppData\Local\Temp\81C7.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Users\Admin\AppData\Local\Temp\85FE.exe
C:\Users\Admin\AppData\Local\Temp\85FE.exe
1⤵
- Executes dropped EXE
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3931.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F0D.exe
MD5
daaceda09454e6699f1a24b3c12daeee

SHA1
6af1dfa0158909788ccd6a75c078dc07727a736c

SHA256
299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0

SHA512
f73102b0655edd79fae416e494b0ac847339c219ed59c0b8d8d041127d25eb548a6f9c5fc52773db8d152ad7f9f287520b49de997b04d88ca134fc021fbf498e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F0D.exe
MD5
daaceda09454e6699f1a24b3c12daeee

SHA1
6af1dfa0158909788ccd6a75c078dc07727a736c

SHA256
299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0

SHA512
f73102b0655edd79fae416e494b0ac847339c219ed59c0b8d8d041127d25eb548a6f9c5fc52773db8d152ad7f9f287520b49de997b04d88ca134fc021fbf498e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F0D.exe
MD5
daaceda09454e6699f1a24b3c12daeee

SHA1
6af1dfa0158909788ccd6a75c078dc07727a736c

SHA256
299e05dba7415219f7b47eb4e17df2f65a2a0e06c54d66a489b41f03334012b0

SHA512
f73102b0655edd79fae416e494b0ac847339c219ed59c0b8d8d041127d25eb548a6f9c5fc52773db8d152ad7f9f287520b49de997b04d88ca134fc021fbf498e

Download Submit
C:\Users\Admin\AppData\Local\Temp\29AD.exe
MD5
90763f4caa16787e592f0c398e7b5c28

SHA1
341a8947d47981b6e9f70a73d2b9adc91e1e6faa

SHA256
11525cc8879e069640733d3123697bc34dd9caef08405fcd37bdc37429897968

SHA512
8d914892290c22ee323b75e78400155cf9573e4ae3084397c9e25282250cd81c51771bb7aa1d52a207a370da73d67b30ca4d87c61876c60376e31df40bfbf476

Download Submit
C:\Users\Admin\AppData\Local\Temp\29AD.exe
MD5
90763f4caa16787e592f0c398e7b5c28

SHA1
341a8947d47981b6e9f70a73d2b9adc91e1e6faa

SHA256
11525cc8879e069640733d3123697bc34dd9caef08405fcd37bdc37429897968

SHA512
8d914892290c22ee323b75e78400155cf9573e4ae3084397c9e25282250cd81c51771bb7aa1d52a207a370da73d67b30ca4d87c61876c60376e31df40bfbf476

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C00.exe
MD5
c7e76d26f5a8e5bf57ebe9de6cc6bc13

SHA1
545718169d24dd7f1a188e6ceb5097246837b5a0

SHA256
83e479b43300d0d042158032a321a8e9853af0436aa691ee9b8dd8b02fe4f13c

SHA512
60ec1655ec50b5426111cec13c438c59afcc998c7bc18c56b83c158a705a05d8b66f746b99fa8c3db6786af7d4624a1529f32f4c5c04917dab680bff06d42bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C00.exe
MD5
c7e76d26f5a8e5bf57ebe9de6cc6bc13

SHA1
545718169d24dd7f1a188e6ceb5097246837b5a0

SHA256
83e479b43300d0d042158032a321a8e9853af0436aa691ee9b8dd8b02fe4f13c

SHA512
60ec1655ec50b5426111cec13c438c59afcc998c7bc18c56b83c158a705a05d8b66f746b99fa8c3db6786af7d4624a1529f32f4c5c04917dab680bff06d42bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C00.exe
MD5
c7e76d26f5a8e5bf57ebe9de6cc6bc13

SHA1
545718169d24dd7f1a188e6ceb5097246837b5a0

SHA256
83e479b43300d0d042158032a321a8e9853af0436aa691ee9b8dd8b02fe4f13c

SHA512
60ec1655ec50b5426111cec13c438c59afcc998c7bc18c56b83c158a705a05d8b66f746b99fa8c3db6786af7d4624a1529f32f4c5c04917dab680bff06d42bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\33D1.exe
MD5
b580d9723dadf243bb7a12f9da4bf0f8

SHA1
0ede899718106b4dab1570eabec79802d31ac593

SHA256
dc727099d3858b71798e4bc041531575d66e846e6fec21b8812185e34bb18b4e

SHA512
0278150e532b0c8d6b65fd48398027ff633f4b1e1bd7d28823c7f24ff05655f5ec86183cb37faf5d20497ba18615fc14a651696eb5ed26c05487440a75febd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\33D1.exe
MD5
b580d9723dadf243bb7a12f9da4bf0f8

SHA1
0ede899718106b4dab1570eabec79802d31ac593

SHA256
dc727099d3858b71798e4bc041531575d66e846e6fec21b8812185e34bb18b4e

SHA512
0278150e532b0c8d6b65fd48398027ff633f4b1e1bd7d28823c7f24ff05655f5ec86183cb37faf5d20497ba18615fc14a651696eb5ed26c05487440a75febd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\3931.exe
MD5
6f1a319fb002c4b62511ce54eeb9d017

SHA1
2a1d57f27737725e6a004735d787d2297b594b76

SHA256
bafd80aced58bd4a594122d242fda0705c0ef8b3f01ab26c5d1c40c995c36956

SHA512
ac02d51a6f374f87c34fa8dfed714018de8a72b97900a6c7f05c6e73fb7bc509f0931f9f3bd76edfc80c3840bfbc2e1237ad0375788b2e55f1ded62514f3b645

Download Submit
C:\Users\Admin\AppData\Local\Temp\3931.exe
MD5
6f1a319fb002c4b62511ce54eeb9d017

SHA1
2a1d57f27737725e6a004735d787d2297b594b76

SHA256
bafd80aced58bd4a594122d242fda0705c0ef8b3f01ab26c5d1c40c995c36956

SHA512
ac02d51a6f374f87c34fa8dfed714018de8a72b97900a6c7f05c6e73fb7bc509f0931f9f3bd76edfc80c3840bfbc2e1237ad0375788b2e55f1ded62514f3b645

Download Submit
C:\Users\Admin\AppData\Local\Temp\3931.exe
MD5
6f1a319fb002c4b62511ce54eeb9d017

SHA1
2a1d57f27737725e6a004735d787d2297b594b76

SHA256
bafd80aced58bd4a594122d242fda0705c0ef8b3f01ab26c5d1c40c995c36956

SHA512
ac02d51a6f374f87c34fa8dfed714018de8a72b97900a6c7f05c6e73fb7bc509f0931f9f3bd76edfc80c3840bfbc2e1237ad0375788b2e55f1ded62514f3b645

Download Submit
C:\Users\Admin\AppData\Local\Temp\4576.exe
MD5
e25557ed33bbd8fe028a730e029ed278

SHA1
a65927ba3be994bf6195d39da52305921ef090f5

SHA256
952663f4e7afda1350b0cb7047601a9da3bfd9ae77bdf469a03f9b08f3039371

SHA512
de90a30bc02e09737c3c1bec5739d3a0274463a164e2963965a453335b46dfe0979823efb7c2f24458ffa2f1f972626dd918d559757d70643791068772982026

Download Submit
C:\Users\Admin\AppData\Local\Temp\4576.exe
MD5
e25557ed33bbd8fe028a730e029ed278

SHA1
a65927ba3be994bf6195d39da52305921ef090f5

SHA256
952663f4e7afda1350b0cb7047601a9da3bfd9ae77bdf469a03f9b08f3039371

SHA512
de90a30bc02e09737c3c1bec5739d3a0274463a164e2963965a453335b46dfe0979823efb7c2f24458ffa2f1f972626dd918d559757d70643791068772982026

Download Submit
C:\Users\Admin\AppData\Local\Temp\667C.exe
MD5
fc7e8b01fd172277c1c9c41e424b6365

SHA1
74b96323cb619d8ad243ec6b63ac52c3f18b2cec

SHA256
e4665b06462cdd2d5fd1a839432dcf7f37b6bc77d60636f909a92fa55c371111

SHA512
0b981631f7d9eef1304e82db1e424303ecfc83e18a43be8d8298072f099d1fd860357c25df6d63364d100f2030308eb2d69ecd8313e05e9067b9f5500ac8ba17

Download Submit
C:\Users\Admin\AppData\Local\Temp\667C.exe
MD5
fc7e8b01fd172277c1c9c41e424b6365

SHA1
74b96323cb619d8ad243ec6b63ac52c3f18b2cec

SHA256
e4665b06462cdd2d5fd1a839432dcf7f37b6bc77d60636f909a92fa55c371111

SHA512
0b981631f7d9eef1304e82db1e424303ecfc83e18a43be8d8298072f099d1fd860357c25df6d63364d100f2030308eb2d69ecd8313e05e9067b9f5500ac8ba17

Download Submit
C:\Users\Admin\AppData\Local\Temp\786F.exe
MD5
8fbb3cf89668f6abe21991a4007096b4

SHA1
15c84e26b3ca571236961068fe051b96247499d2

SHA256
d4a83fcae0bcdcf43c4016e6891ced32829f012d34274f4a1fa616d6b52dc2af

SHA512
de53f5d210bc6f3ed259b49646743ab8407ad88c979e753dbec72e47fd4246ce7fd8d1ae49439e75d0f98a8438cd325a2bb2d10c080d16862a379d4dee97d2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\786F.exe
MD5
8fbb3cf89668f6abe21991a4007096b4

SHA1
15c84e26b3ca571236961068fe051b96247499d2

SHA256
d4a83fcae0bcdcf43c4016e6891ced32829f012d34274f4a1fa616d6b52dc2af

SHA512
de53f5d210bc6f3ed259b49646743ab8407ad88c979e753dbec72e47fd4246ce7fd8d1ae49439e75d0f98a8438cd325a2bb2d10c080d16862a379d4dee97d2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\81C7.exe
MD5
39c020f11f4252a0e98d7491332f838e

SHA1
c8bcad6b6375fa22f8ac013e85ce961dc95e8e20

SHA256
93714ca1f1549a92737504e006336785ecdc50d4ba51951929b2168c9db51b68

SHA512
393b3002db394b3db61741a02234baee19cb6934cb61edff571f2ea6440d88878d3a1c43fa2faa0c3abc8fb8853019fdf18cd9669c362ce719758287f907550f

Download Submit
C:\Users\Admin\AppData\Local\Temp\81C7.exe
MD5
39c020f11f4252a0e98d7491332f838e

SHA1
c8bcad6b6375fa22f8ac013e85ce961dc95e8e20

SHA256
93714ca1f1549a92737504e006336785ecdc50d4ba51951929b2168c9db51b68

SHA512
393b3002db394b3db61741a02234baee19cb6934cb61edff571f2ea6440d88878d3a1c43fa2faa0c3abc8fb8853019fdf18cd9669c362ce719758287f907550f

Download Submit
C:\Users\Admin\AppData\Local\Temp\85FE.exe
MD5
3f5ea089ae77da105c6615f8dd6fae06

SHA1
5ee265ae04b7d03549dca1f7ff1cd662a8d8abfe

SHA256
715c5ede2c76bfcb690fa7686ef07bf19564df85e2f0b194082983d4b2b37d31

SHA512
4ed373e6de2624a5a9dc2f45daa9cf5249e3ec3be207fe5b07ffef4bf2f63e8401f2b86cd67427dac07e7ed3e5c7138dc7b18dfe7086aa23954565824d2b0198

Download Submit
C:\Users\Admin\AppData\Local\Temp\85FE.exe
MD5
3f5ea089ae77da105c6615f8dd6fae06

SHA1
5ee265ae04b7d03549dca1f7ff1cd662a8d8abfe

SHA256
715c5ede2c76bfcb690fa7686ef07bf19564df85e2f0b194082983d4b2b37d31

SHA512
4ed373e6de2624a5a9dc2f45daa9cf5249e3ec3be207fe5b07ffef4bf2f63e8401f2b86cd67427dac07e7ed3e5c7138dc7b18dfe7086aa23954565824d2b0198

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca2b0f81-32cb-4c3d-a40c-30c627582a15\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca2b0f81-32cb-4c3d-a40c-30c627582a15\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca2b0f81-32cb-4c3d-a40c-30c627582a15\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xufkispm.exe
MD5
1aec4107d86cd0c5cccd8435a55a5e19

SHA1
484e25f8eae0c5d943aa7571abb386de216a75d8

SHA256
5d38e8902c25dce5340fe6b6f7a0a2762e90765967d59fb31545ec23d8b6399d

SHA512
94cb1c58361fcc70227ceab7661ef4527d7f1773d701077f3022d07e4e5b4ccb4e6f8c915933dd87e47d2178fa0c6907efec1187b78054bc5db0cf7029a78d82

Download Submit
C:\Windows\SysWOW64\zlowlhdt\xufkispm.exe
MD5
1aec4107d86cd0c5cccd8435a55a5e19

SHA1
484e25f8eae0c5d943aa7571abb386de216a75d8

SHA256
5d38e8902c25dce5340fe6b6f7a0a2762e90765967d59fb31545ec23d8b6399d

SHA512
94cb1c58361fcc70227ceab7661ef4527d7f1773d701077f3022d07e4e5b4ccb4e6f8c915933dd87e47d2178fa0c6907efec1187b78054bc5db0cf7029a78d82

Download Submit
memory/316-145-0x0000000002D10000-0x0000000002DAE000-memory.dmp

Filesize
632KB

Download
memory/316-141-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/316-132-0x0000000000000000-mapping.dmp

Download
memory/316-147-0x0000000008130000-0x0000000008131000-memory.dmp

Filesize
4KB

Download
memory/316-146-0x0000000008630000-0x0000000008631000-memory.dmp

Filesize
4KB

Download
memory/316-135-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/332-213-0x00000000014B0000-0x00000000014B1000-memory.dmp

Filesize
4KB

Download
memory/332-221-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/332-194-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/332-198-0x0000000000438F0E-mapping.dmp

Download
memory/540-125-0x0000000000402E86-mapping.dmp

Download
memory/676-143-0x0000000000400000-0x00000000016BC000-memory.dmp

Filesize
18.7MB

Download
memory/676-142-0x00000000016C0000-0x000000000176E000-memory.dmp

Filesize
696KB

Download
memory/676-127-0x0000000000000000-mapping.dmp

Download
memory/728-277-0x0000000004153000-0x0000000004154000-memory.dmp

Filesize
4KB

Download
memory/728-230-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/728-228-0x0000000006B00000-0x0000000006B01000-memory.dmp

Filesize
4KB

Download
memory/728-207-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/728-190-0x0000000000000000-mapping.dmp

Download
memory/728-219-0x0000000004152000-0x0000000004153000-memory.dmp

Filesize
4KB

Download
memory/728-218-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/728-229-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/728-239-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/728-231-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/728-233-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/728-262-0x000000007EDC0000-0x000000007EDC1000-memory.dmp

Filesize
4KB

Download
memory/728-209-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/728-204-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/728-206-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1240-140-0x00000000006D8000-0x0000000000727000-memory.dmp

Filesize
316KB

Download
memory/1240-170-0x00000000021F0000-0x000000000227E000-memory.dmp

Filesize
568KB

Download
memory/1240-172-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1240-137-0x0000000000000000-mapping.dmp

Download
memory/1308-314-0x0000000000000000-mapping.dmp

Download
memory/1368-161-0x0000000000000000-mapping.dmp

Download
memory/1424-148-0x0000000000000000-mapping.dmp

Download
memory/1424-152-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1424-160-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/1424-157-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/1424-167-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/1660-144-0x0000000000000000-mapping.dmp

Download
memory/1688-156-0x0000000000000000-mapping.dmp

Download
memory/1980-227-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1980-225-0x0000000000119A6B-mapping.dmp

Download
memory/1980-224-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/1980-226-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2220-150-0x0000000000000000-mapping.dmp

Download
memory/2344-363-0x0000000000000000-mapping.dmp

Download
memory/2344-402-0x0000000003320000-0x00000000033AE000-memory.dmp

Filesize
568KB

Download
memory/2344-404-0x0000000000400000-0x00000000016FA000-memory.dmp

Filesize
19.0MB

Download
memory/2680-241-0x0000000000FD0000-0x00000000015B1000-memory.dmp

Filesize
5.9MB

Download
memory/2680-236-0x0000000000000000-mapping.dmp

Download
memory/3056-119-0x0000000000720000-0x0000000000736000-memory.dmp

Filesize
88KB

Download
memory/3056-166-0x0000000002870000-0x0000000002886000-memory.dmp

Filesize
88KB

Download
memory/3160-118-0x0000000000402E86-mapping.dmp

Download
memory/3160-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3452-171-0x0000000000000000-mapping.dmp

Download
memory/3452-205-0x0000000005154000-0x0000000005155000-memory.dmp

Filesize
4KB

Download
memory/3452-191-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/3452-189-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/3452-188-0x0000000005153000-0x0000000005154000-memory.dmp

Filesize
4KB

Download
memory/3452-187-0x0000000005152000-0x0000000005153000-memory.dmp

Filesize
4KB

Download
memory/3452-186-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/3452-185-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/3452-176-0x0000000000690000-0x00000000006C1000-memory.dmp

Filesize
196KB

Download
memory/3452-181-0x0000000004F60000-0x0000000004F7B000-memory.dmp

Filesize
108KB

Download
memory/3452-245-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

Filesize
4KB

Download
memory/3452-183-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/3452-184-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3452-243-0x00000000068E0000-0x00000000068E1000-memory.dmp

Filesize
4KB

Download
memory/3504-115-0x0000000001909000-0x000000000191A000-memory.dmp

Filesize
68KB

Download
memory/3504-116-0x0000000001760000-0x00000000018AA000-memory.dmp

Filesize
1.3MB

Download
memory/3956-154-0x0000000000000000-mapping.dmp

Download
memory/4252-464-0x0000000005E92000-0x0000000005E93000-memory.dmp

Filesize
4KB

Download
memory/4252-467-0x0000000005E94000-0x0000000005E96000-memory.dmp

Filesize
8KB

Download
memory/4252-466-0x0000000005E93000-0x0000000005E94000-memory.dmp

Filesize
4KB

Download
memory/4252-462-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/4252-457-0x0000000001720000-0x0000000001750000-memory.dmp

Filesize
192KB

Download
memory/4252-460-0x0000000000400000-0x00000000016CF000-memory.dmp

Filesize
18.8MB

Download
memory/4252-369-0x0000000000000000-mapping.dmp

Download
memory/4420-168-0x0000000000000000-mapping.dmp

Download
memory/4640-120-0x0000000000000000-mapping.dmp

Download
memory/4640-131-0x00000000016D0000-0x00000000016D9000-memory.dmp

Filesize
36KB

Download
memory/4932-232-0x0000000000400000-0x00000000016BC000-memory.dmp

Filesize
18.7MB

Download
memory/4932-222-0x00000000017A0000-0x00000000017B3000-memory.dmp

Filesize
76KB

Download
memory/4968-162-0x0000000000000000-mapping.dmp

Download
memory/5044-165-0x0000000000000000-mapping.dmp

Download
memory/5068-193-0x000000000041B252-mapping.dmp

Download
memory/5068-192-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5068-216-0x0000000004D80000-0x0000000005386000-memory.dmp

Filesize
6.0MB

Download