raccoon | 279e35fe6b36106e0423f55262f0a995413a37055f72eb360cf2c12a423a690a

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-en-20210920
submitted
30-10-2021 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc67122a55c4a852567494e159922558.exe
Size

179KB
MD5

cc67122a55c4a852567494e159922558
SHA1

cb686645fbabfacd5a44cd567fd2804751c83dc5
SHA256

279e35fe6b36106e0423f55262f0a995413a37055f72eb360cf2c12a423a690a
SHA512

452355e89ffc2964d3f7fdc4dece0d71e6f71950a281a4c0655f0a0ae80bb599ce6968843dfb184568bc4b553e2a11273d3b9dfe2426fbb52fc8e2b9500cf1f8

Score

10^/10

raccoon redline smokeloader 68e2d75238f7c69859792d206401b6bde2b2515c 999888988 d2 build2 eae58d570cc74796157b14c575bd3adc01116ca0 superstar backdoor discovery evasion infostealer spyware stealer suricata themida trojan vmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

http://honawey70.top/

http://wijibui00.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

http://193.56.146.214/

https://193.56.146.214/

rc4.i32

Extracted

Family

redline

Botnet

999888988

93.115.20.139:28978

Extracted

Family

raccoon

Botnet

68e2d75238f7c69859792d206401b6bde2b2515c

Attributes

url4cnc
http://telegalive.top/agrybirdsgamerept
http://toptelete.top/agrybirdsgamerept
http://telegraf.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

raccoon

Botnet

eae58d570cc74796157b14c575bd3adc01116ca0

Attributes

url4cnc
http://telegka.top/rino115sipsip
http://telegin.top/rino115sipsip
https://t.me/rino115sipsip

rc4.plain

Extracted

Family

redline

Botnet

D2 BUILD2

212.193.30.193:33833

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1484-123-0x0000000000710000-0x000000000072A000-memory.dmp	family_redline
behavioral1/memory/1872-156-0x0000000001E70000-0x0000000001E8C000-memory.dmp	family_redline
behavioral1/memory/1872-161-0x0000000002120000-0x000000000213B000-memory.dmp	family_redline
behavioral1/memory/1836-179-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1836-180-0x0000000000418D3E-mapping.dmp	family_redline
behavioral1/memory/1836-181-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe	Nirsoft

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

9F4B.exeA68D.exeA891.exe9F4B.exeB9E0.exeC62D.exeCAFE.exeD230.exeD923.exeAdvancedRun.exeAdvancedRun.exeE0F1.exeD923.exe

pid	process
1832	9F4B.exe
1484	A68D.exe
396	A891.exe
1032	9F4B.exe
996	B9E0.exe
2040	C62D.exe
880	CAFE.exe
1724	D230.exe
1288	D923.exe
1372	AdvancedRun.exe
1040	AdvancedRun.exe
1704	E0F1.exe
1872	D923.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\B9E0.exe	vmprotect
behavioral1/memory/996-107-0x0000000000F30000-0x0000000000F31000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

B9E0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	B9E0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	B9E0.exe

Deletes itself 1 IoCs

Processes:

pid process

1204
Loads dropped DLL 7 IoCs

Processes:

9F4B.exeA891.exeC62D.exeAdvancedRun.exeD923.exe

pid process

1832 9F4B.exe
396 A891.exe
2040 C62D.exe
2040 C62D.exe
1372 AdvancedRun.exe
1372 AdvancedRun.exe
1288 D923.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1204

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\B9E0.exe	themida
behavioral1/memory/996-107-0x0000000000F30000-0x0000000000F31000-memory.dmp	themida

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

C62D.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	C62D.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	C62D.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	C62D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	C62D.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	C62D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	C62D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	C62D.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\C62D.exe = "0"	C62D.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

B9E0.exeC62D.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	B9E0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	C62D.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	C62D.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

B9E0.exe

pid process

996 B9E0.exe

pid	process
996	B9E0.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

cc67122a55c4a852567494e159922558.exe9F4B.exeD923.exeC62D.exe

description	pid	process	target process
PID 1680 set thread context of 556	1680	cc67122a55c4a852567494e159922558.exe	cc67122a55c4a852567494e159922558.exe
PID 1832 set thread context of 1032	1832	9F4B.exe	9F4B.exe
PID 1288 set thread context of 1872	1288	D923.exe	D923.exe
PID 2040 set thread context of 1836	2040	C62D.exe	aspnet_regsql.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9F4B.exeA891.exeCAFE.execc67122a55c4a852567494e159922558.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9F4B.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9F4B.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A891.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CAFE.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CAFE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cc67122a55c4a852567494e159922558.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cc67122a55c4a852567494e159922558.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cc67122a55c4a852567494e159922558.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CAFE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9F4B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A891.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A891.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cc67122a55c4a852567494e159922558.exe

pid	process
556	cc67122a55c4a852567494e159922558.exe
556	cc67122a55c4a852567494e159922558.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1204
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

cc67122a55c4a852567494e159922558.exe9F4B.exeA891.exeCAFE.exe

pid process

556 cc67122a55c4a852567494e159922558.exe
1032 9F4B.exe
396 A891.exe
880 CAFE.exe

pid	process
1204

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

A68D.exeC62D.exeB9E0.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exeD923.exeaspnet_regsql.exe

description	pid	process
Token: SeDebugPrivilege	1484	A68D.exe
Token: SeDebugPrivilege	2040	C62D.exe
Token: SeDebugPrivilege	996	B9E0.exe
Token: SeDebugPrivilege	1372	AdvancedRun.exe
Token: SeImpersonatePrivilege	1372	AdvancedRun.exe
Token: SeDebugPrivilege	1040	AdvancedRun.exe
Token: SeImpersonatePrivilege	1040	AdvancedRun.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1872	D923.exe
Token: SeDebugPrivilege	1836	aspnet_regsql.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1204
1204
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1204
1204

pid	process
1204
1204

pid	process
1204
1204

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cc67122a55c4a852567494e159922558.exe9F4B.exeC62D.exeAdvancedRun.exeD923.exe

description	pid	process	target process
PID 1680 wrote to memory of 556	1680	cc67122a55c4a852567494e159922558.exe	cc67122a55c4a852567494e159922558.exe
PID 1680 wrote to memory of 556	1680	cc67122a55c4a852567494e159922558.exe	cc67122a55c4a852567494e159922558.exe
PID 1680 wrote to memory of 556	1680	cc67122a55c4a852567494e159922558.exe	cc67122a55c4a852567494e159922558.exe
PID 1680 wrote to memory of 556	1680	cc67122a55c4a852567494e159922558.exe	cc67122a55c4a852567494e159922558.exe
PID 1680 wrote to memory of 556	1680	cc67122a55c4a852567494e159922558.exe	cc67122a55c4a852567494e159922558.exe
PID 1680 wrote to memory of 556	1680	cc67122a55c4a852567494e159922558.exe	cc67122a55c4a852567494e159922558.exe
PID 1680 wrote to memory of 556	1680	cc67122a55c4a852567494e159922558.exe	cc67122a55c4a852567494e159922558.exe
PID 1204 wrote to memory of 1832	1204		9F4B.exe
PID 1204 wrote to memory of 1832	1204		9F4B.exe
PID 1204 wrote to memory of 1832	1204		9F4B.exe
PID 1204 wrote to memory of 1832	1204		9F4B.exe
PID 1204 wrote to memory of 1484	1204		A68D.exe
PID 1204 wrote to memory of 1484	1204		A68D.exe
PID 1204 wrote to memory of 1484	1204		A68D.exe
PID 1204 wrote to memory of 1484	1204		A68D.exe
PID 1204 wrote to memory of 396	1204		A891.exe
PID 1204 wrote to memory of 396	1204		A891.exe
PID 1204 wrote to memory of 396	1204		A891.exe
PID 1204 wrote to memory of 396	1204		A891.exe
PID 1832 wrote to memory of 1032	1832	9F4B.exe	9F4B.exe
PID 1832 wrote to memory of 1032	1832	9F4B.exe	9F4B.exe
PID 1832 wrote to memory of 1032	1832	9F4B.exe	9F4B.exe
PID 1832 wrote to memory of 1032	1832	9F4B.exe	9F4B.exe
PID 1832 wrote to memory of 1032	1832	9F4B.exe	9F4B.exe
PID 1832 wrote to memory of 1032	1832	9F4B.exe	9F4B.exe
PID 1832 wrote to memory of 1032	1832	9F4B.exe	9F4B.exe
PID 1204 wrote to memory of 996	1204		B9E0.exe
PID 1204 wrote to memory of 996	1204		B9E0.exe
PID 1204 wrote to memory of 996	1204		B9E0.exe
PID 1204 wrote to memory of 996	1204		B9E0.exe
PID 1204 wrote to memory of 2040	1204		C62D.exe
PID 1204 wrote to memory of 2040	1204		C62D.exe
PID 1204 wrote to memory of 2040	1204		C62D.exe
PID 1204 wrote to memory of 2040	1204		C62D.exe
PID 1204 wrote to memory of 880	1204		CAFE.exe
PID 1204 wrote to memory of 880	1204		CAFE.exe
PID 1204 wrote to memory of 880	1204		CAFE.exe
PID 1204 wrote to memory of 880	1204		CAFE.exe
PID 1204 wrote to memory of 1724	1204		D230.exe
PID 1204 wrote to memory of 1724	1204		D230.exe
PID 1204 wrote to memory of 1724	1204		D230.exe
PID 1204 wrote to memory of 1724	1204		D230.exe
PID 1204 wrote to memory of 1288	1204		D923.exe
PID 1204 wrote to memory of 1288	1204		D923.exe
PID 1204 wrote to memory of 1288	1204		D923.exe
PID 1204 wrote to memory of 1288	1204		D923.exe
PID 2040 wrote to memory of 1372	2040	C62D.exe	AdvancedRun.exe
PID 2040 wrote to memory of 1372	2040	C62D.exe	AdvancedRun.exe
PID 2040 wrote to memory of 1372	2040	C62D.exe	AdvancedRun.exe
PID 2040 wrote to memory of 1372	2040	C62D.exe	AdvancedRun.exe
PID 1372 wrote to memory of 1040	1372	AdvancedRun.exe	AdvancedRun.exe
PID 1372 wrote to memory of 1040	1372	AdvancedRun.exe	AdvancedRun.exe
PID 1372 wrote to memory of 1040	1372	AdvancedRun.exe	AdvancedRun.exe
PID 1372 wrote to memory of 1040	1372	AdvancedRun.exe	AdvancedRun.exe
PID 1204 wrote to memory of 1704	1204		E0F1.exe
PID 1204 wrote to memory of 1704	1204		E0F1.exe
PID 1204 wrote to memory of 1704	1204		E0F1.exe
PID 1204 wrote to memory of 1704	1204		E0F1.exe
PID 1288 wrote to memory of 1872	1288	D923.exe	D923.exe
PID 1288 wrote to memory of 1872	1288	D923.exe	D923.exe
PID 1288 wrote to memory of 1872	1288	D923.exe	D923.exe
PID 1288 wrote to memory of 1872	1288	D923.exe	D923.exe
PID 1288 wrote to memory of 1872	1288	D923.exe	D923.exe
PID 1288 wrote to memory of 1872	1288	D923.exe	D923.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

C62D.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C62D.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	C62D.exe

C:\Users\Admin\AppData\Local\Temp\cc67122a55c4a852567494e159922558.exe
"C:\Users\Admin\AppData\Local\Temp\cc67122a55c4a852567494e159922558.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\cc67122a55c4a852567494e159922558.exe
"C:\Users\Admin\AppData\Local\Temp\cc67122a55c4a852567494e159922558.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:556

C:\Users\Admin\AppData\Local\Temp\9F4B.exe
C:\Users\Admin\AppData\Local\Temp\9F4B.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\9F4B.exe
C:\Users\Admin\AppData\Local\Temp\9F4B.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1032

C:\Users\Admin\AppData\Local\Temp\A68D.exe
C:\Users\Admin\AppData\Local\Temp\A68D.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Users\Admin\AppData\Local\Temp\A891.exe
C:\Users\Admin\AppData\Local\Temp\A891.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:396

C:\Users\Admin\AppData\Local\Temp\B9E0.exe
C:\Users\Admin\AppData\Local\Temp\B9E0.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Users\Admin\AppData\Local\Temp\C62D.exe
C:\Users\Admin\AppData\Local\Temp\C62D.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2040

C:\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe" /SpecialRun 4101d8 1372
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\C62D.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\C62D.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe
2⤵
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe
2⤵
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
2⤵
PID:940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
2⤵
PID:432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
2⤵
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
2⤵
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
2⤵
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Users\Admin\AppData\Local\Temp\CAFE.exe
C:\Users\Admin\AppData\Local\Temp\CAFE.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:880

C:\Users\Admin\AppData\Local\Temp\D230.exe
C:\Users\Admin\AppData\Local\Temp\D230.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Users\Admin\AppData\Local\Temp\D923.exe
C:\Users\Admin\AppData\Local\Temp\D923.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\D923.exe
C:\Users\Admin\AppData\Local\Temp\D923.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Users\Admin\AppData\Local\Temp\E0F1.exe
C:\Users\Admin\AppData\Local\Temp\E0F1.exe
1⤵
- Executes dropped EXE
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9F4B.exe
MD5
cc67122a55c4a852567494e159922558

SHA1
cb686645fbabfacd5a44cd567fd2804751c83dc5

SHA256
279e35fe6b36106e0423f55262f0a995413a37055f72eb360cf2c12a423a690a

SHA512
452355e89ffc2964d3f7fdc4dece0d71e6f71950a281a4c0655f0a0ae80bb599ce6968843dfb184568bc4b553e2a11273d3b9dfe2426fbb52fc8e2b9500cf1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F4B.exe
MD5
cc67122a55c4a852567494e159922558

SHA1
cb686645fbabfacd5a44cd567fd2804751c83dc5

SHA256
279e35fe6b36106e0423f55262f0a995413a37055f72eb360cf2c12a423a690a

SHA512
452355e89ffc2964d3f7fdc4dece0d71e6f71950a281a4c0655f0a0ae80bb599ce6968843dfb184568bc4b553e2a11273d3b9dfe2426fbb52fc8e2b9500cf1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F4B.exe
MD5
cc67122a55c4a852567494e159922558

SHA1
cb686645fbabfacd5a44cd567fd2804751c83dc5

SHA256
279e35fe6b36106e0423f55262f0a995413a37055f72eb360cf2c12a423a690a

SHA512
452355e89ffc2964d3f7fdc4dece0d71e6f71950a281a4c0655f0a0ae80bb599ce6968843dfb184568bc4b553e2a11273d3b9dfe2426fbb52fc8e2b9500cf1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\A68D.exe
MD5
42758e2569239a774becdb12698b124c

SHA1
4ab353c4177a69fc9a6f3844852762809591dd2f

SHA256
e3380dfdd6297ac134bb22c7c1603782f198a5b2164855bf66a95bae47ab472d

SHA512
959a6d4e39bc949f8c92c4213a7dd424eff46aaccbce6553d42863f4341b934ceb14997f67fdc2013d064a09c6134b9a113438347b7dedf65e3a7e2ada5def18

Download Submit
C:\Users\Admin\AppData\Local\Temp\A68D.exe
MD5
42758e2569239a774becdb12698b124c

SHA1
4ab353c4177a69fc9a6f3844852762809591dd2f

SHA256
e3380dfdd6297ac134bb22c7c1603782f198a5b2164855bf66a95bae47ab472d

SHA512
959a6d4e39bc949f8c92c4213a7dd424eff46aaccbce6553d42863f4341b934ceb14997f67fdc2013d064a09c6134b9a113438347b7dedf65e3a7e2ada5def18

Download Submit
C:\Users\Admin\AppData\Local\Temp\A891.exe
MD5
73252acb344040ddc5d9ce78a5d3a4c2

SHA1
3a16c3698ccf7940adfb2b2a9cc8c20b1ba1d015

SHA256
b8ac77c37de98099dcdc5924418d445f4b11ecf326edd41a2d49ed6efd2a07eb

SHA512
1541e3d7bd163a4c348c6e5c7098c6f3add62b1121296ca28934a69ad308c2e51ca6b841359010da96e71fa42fd6e09f7591448433dc3b01104007808427c3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9E0.exe
MD5
c867133282ff9b4135a5fd45d653f4c5

SHA1
19a61dc2119be735ae0f9f4431fb5519abaf891f

SHA256
f28941680bc616b67aa6f8c03e4ae9ac23280918784ba3595e550e8acdb567ea

SHA512
1026ab9147e771405819e3de1016e622a5de0f1ac719347d493ba673273a2f40f2bcf73e7dc6594d2f59ac0989936b14db167596b61364ece62c97d7498f1ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\C62D.exe
MD5
0bd9ddde07455acc3e62f1dbbbdeea64

SHA1
5ce810c7bbbff3360d3e4b6c63a7ddc83b91aeb1

SHA256
a28665934ac932f780cd3c0d84cf0f94de8cf9abfb6864c0a842764be504858e

SHA512
c8328b2b712aeb1630161d01cf1d4d84b23b895d350839e8a091f71b254f6775d70101e9ff7c4f6a10b12c856b6a59d9138fd7249d1322d6c9ced92cf55adf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C62D.exe
MD5
0bd9ddde07455acc3e62f1dbbbdeea64

SHA1
5ce810c7bbbff3360d3e4b6c63a7ddc83b91aeb1

SHA256
a28665934ac932f780cd3c0d84cf0f94de8cf9abfb6864c0a842764be504858e

SHA512
c8328b2b712aeb1630161d01cf1d4d84b23b895d350839e8a091f71b254f6775d70101e9ff7c4f6a10b12c856b6a59d9138fd7249d1322d6c9ced92cf55adf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAFE.exe
MD5
85dfff49cadc568cee03beba836e1c04

SHA1
75e3f7d23b9fe3241255fd19ae5e5900df20646b

SHA256
c9b672a24c3222bbf1ea9a9ec6c888af63a4249744acb4060550275ccd1aa536

SHA512
aca32a9f599e95fba70a87e1232fe6b6855d9c7ece4782c9248bdab1d2d4051f0a466f69844165157cc3562b9c8a8d5ad5edba26beee937fb51d647c2726d98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D230.exe
MD5
52f3e62962acea73f7da19d953fd5cc2

SHA1
85ae10e3105c20f8ce9bf135d6d483faeba2eced

SHA256
3b3ed014278f3a386d0f1918032ec6017597d3a8cfe934f8c86dc79ee58fa747

SHA512
7ad201822be5f5afec50493c68a628972c8ac26dfbf5e3e6722c90edd8090a6d46331d0d1427830833e69436f667743b2a4f1a966ca13feee474e39b0c93825d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D923.exe
MD5
d6b2ce6502e744ce813ebe0c81601b87

SHA1
3bcea569bdf15f8066167f283b2ec1519378d3fa

SHA256
ae5820d934c3fd799c7b50e62beec5e71c20e25a140b28a48720914ad1f5c591

SHA512
c8887f26f2578ea8dd50e26f473fa0d6d818282d8df0d18092dee9a7f5156bd3de90b0eb62079b33d997a521ab9ea91c632593cb48808a4551f7e51bb2814f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\D923.exe
MD5
d6b2ce6502e744ce813ebe0c81601b87

SHA1
3bcea569bdf15f8066167f283b2ec1519378d3fa

SHA256
ae5820d934c3fd799c7b50e62beec5e71c20e25a140b28a48720914ad1f5c591

SHA512
c8887f26f2578ea8dd50e26f473fa0d6d818282d8df0d18092dee9a7f5156bd3de90b0eb62079b33d997a521ab9ea91c632593cb48808a4551f7e51bb2814f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\D923.exe
MD5
d6b2ce6502e744ce813ebe0c81601b87

SHA1
3bcea569bdf15f8066167f283b2ec1519378d3fa

SHA256
ae5820d934c3fd799c7b50e62beec5e71c20e25a140b28a48720914ad1f5c591

SHA512
c8887f26f2578ea8dd50e26f473fa0d6d818282d8df0d18092dee9a7f5156bd3de90b0eb62079b33d997a521ab9ea91c632593cb48808a4551f7e51bb2814f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0F1.exe
MD5
9f5e1cb2ca03c12a46669715d8a41d75

SHA1
de77873de3fd394a0434de854fe5b074ac0b5b70

SHA256
52dcd73cd4d1205e9bd8909d3961a30a3c9ad81ead28572d0557f835b3f913cb

SHA512
7264358f1fbf20c1e92115ecccea23c0a18b62f9db0afc16ca2f110310ed1b11c4f2ecf691248bbac505b2f2407224b0718ae67dfb1812ab3972bff82ac39ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e78eabd0de4f5fe47883952460372a67

SHA1
f609cdd939d80131806c8e52eab1de0d2b10c9af

SHA256
f4055995f9e64889877ff6b7ec7e2d3a2cf87957087a7115c4ca58c1c73c4f4d

SHA512
0d4a95fda8c4f243a642c133fc55de9b1709df7f719554140fe5333581523b56724c73a53c61ac5dd375778baae6954314b76d80823d9d1e7c81dc337921e308

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\9F4B.exe
MD5
cc67122a55c4a852567494e159922558

SHA1
cb686645fbabfacd5a44cd567fd2804751c83dc5

SHA256
279e35fe6b36106e0423f55262f0a995413a37055f72eb360cf2c12a423a690a

SHA512
452355e89ffc2964d3f7fdc4dece0d71e6f71950a281a4c0655f0a0ae80bb599ce6968843dfb184568bc4b553e2a11273d3b9dfe2426fbb52fc8e2b9500cf1f8

Download Submit
\Users\Admin\AppData\Local\Temp\D923.exe
MD5
d6b2ce6502e744ce813ebe0c81601b87

SHA1
3bcea569bdf15f8066167f283b2ec1519378d3fa

SHA256
ae5820d934c3fd799c7b50e62beec5e71c20e25a140b28a48720914ad1f5c591

SHA512
c8887f26f2578ea8dd50e26f473fa0d6d818282d8df0d18092dee9a7f5156bd3de90b0eb62079b33d997a521ab9ea91c632593cb48808a4551f7e51bb2814f02

Download Submit
\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\a39a9246-24d8-4357-80bb-ac5ec8845c28\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/396-81-0x0000000000400000-0x0000000002EFA000-memory.dmp

Filesize
43.0MB

Download
memory/396-79-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/396-78-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/396-65-0x0000000000000000-mapping.dmp

Download
memory/556-55-0x0000000000402DF8-mapping.dmp

Download
memory/556-56-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/556-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/880-129-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/880-130-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/880-119-0x0000000000000000-mapping.dmp

Download
memory/880-128-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/996-99-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/996-98-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/996-107-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/996-102-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/996-90-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/996-88-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/996-101-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/996-86-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/996-87-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/996-109-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/996-92-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/996-96-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/996-89-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/996-85-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/996-95-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/996-83-0x0000000000000000-mapping.dmp

Download
memory/996-93-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1032-70-0x0000000000402DF8-mapping.dmp

Download
memory/1040-143-0x0000000000000000-mapping.dmp

Download
memory/1204-120-0x0000000003D80000-0x0000000003D96000-memory.dmp

Filesize
88KB

Download
memory/1204-165-0x0000000004390000-0x00000000043A6000-memory.dmp

Filesize
88KB

Download
memory/1204-110-0x0000000003B80000-0x0000000003B96000-memory.dmp

Filesize
88KB

Download
memory/1204-59-0x0000000001D90000-0x0000000001DA6000-memory.dmp

Filesize
88KB

Download
memory/1288-157-0x0000000000220000-0x0000000000242000-memory.dmp

Filesize
136KB

Download
memory/1288-158-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/1288-132-0x0000000000000000-mapping.dmp

Download
memory/1300-185-0x0000000002370000-0x0000000002FBA000-memory.dmp

Filesize
12.3MB

Download
memory/1300-178-0x0000000002370000-0x0000000002FBA000-memory.dmp

Filesize
12.3MB

Download
memory/1300-167-0x0000000000000000-mapping.dmp

Download
memory/1300-175-0x0000000002370000-0x0000000002FBA000-memory.dmp

Filesize
12.3MB

Download
memory/1372-137-0x0000000000000000-mapping.dmp

Download
memory/1404-166-0x0000000000000000-mapping.dmp

Download
memory/1404-184-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/1404-174-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/1404-177-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/1484-122-0x0000000000560000-0x000000000057F000-memory.dmp

Filesize
124KB

Download
memory/1484-123-0x0000000000710000-0x000000000072A000-memory.dmp

Filesize
104KB

Download
memory/1484-77-0x0000000000530000-0x0000000000533000-memory.dmp

Filesize
12KB

Download
memory/1484-62-0x0000000000000000-mapping.dmp

Download
memory/1484-73-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1484-76-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1680-58-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1680-57-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/1704-176-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1704-146-0x0000000000000000-mapping.dmp

Download
memory/1704-172-0x00000000002C0000-0x000000000030E000-memory.dmp

Filesize
312KB

Download
memory/1704-173-0x0000000000330000-0x00000000003BE000-memory.dmp

Filesize
568KB

Download
memory/1724-148-0x00000000002C0000-0x000000000030E000-memory.dmp

Filesize
312KB

Download
memory/1724-125-0x0000000000000000-mapping.dmp

Download
memory/1724-150-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1724-149-0x0000000000340000-0x00000000003CE000-memory.dmp

Filesize
568KB

Download
memory/1832-60-0x0000000000000000-mapping.dmp

Download
memory/1836-181-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1836-180-0x0000000000418D3E-mapping.dmp

Download
memory/1836-179-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1836-183-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/1872-156-0x0000000001E70000-0x0000000001E8C000-memory.dmp

Filesize
112KB

Download
memory/1872-161-0x0000000002120000-0x000000000213B000-memory.dmp

Filesize
108KB

Download
memory/1872-154-0x000000000040CD2F-mapping.dmp

Download
memory/1872-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-164-0x0000000004624000-0x0000000004626000-memory.dmp

Filesize
8KB

Download
memory/1872-163-0x0000000004623000-0x0000000004624000-memory.dmp

Filesize
4KB

Download
memory/1872-162-0x0000000004622000-0x0000000004623000-memory.dmp

Filesize
4KB

Download
memory/1872-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-160-0x0000000004621000-0x0000000004622000-memory.dmp

Filesize
4KB

Download
memory/2040-111-0x0000000000000000-mapping.dmp

Download
memory/2040-117-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2040-116-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/2040-114-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2040-131-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download