icedid | 6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb

Analysis

max time kernel
151s
max time network
146s
platform
windows10_x64
resource
win10-en-20211104
submitted
11-11-2021 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe
Size

344KB
MD5

93914cdc4357ac4cd42fd3f58ede5462
SHA1

6fd42c9a9b90ede234f4946f38c2df13a42e00dd
SHA256

6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb
SHA512

60f55feaa8321705dacbf7bfbbb15f6a06a68296dc319503384833fee3c103e6d3490cb23e923fd2c5de7dc3cb7feac5dc87e2f82143e864706b28ba0c1f57d9

Malware Config

Extracted

Family

smokeloader

Version

2020

http://nalirou70.top/

http://xacokuo80.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

redline

Botnet

777666777

93.115.20.139:28978

Extracted

Family

icedid

Botnet

1217670233

lakogrefop.rest

hangetilin.top

follytresh.co

zojecurf.store

Attributes

auth_var
14
url_path
/posts/

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

redline

Botnet

Test_3

94.103.9.139:80

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

2189c5f17d25883af847061b1a1ac5c6eaa79874

Attributes

url4cnc
http://91.219.236.162/roswestnewros
http://185.163.47.176/roswestnewros
http://193.38.54.238/roswestnewros
http://74.119.192.122/roswestnewros
http://91.219.236.240/roswestnewros
https://t.me/roswestnewros

rc4.plain

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes

url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

4557a7b982bafcd677193713fa5041fa32e7e61e

Attributes

url4cnc
http://91.219.236.162/agrybirdsgamerept
http://185.163.47.176/agrybirdsgamerept
http://193.38.54.238/agrybirdsgamerept
http://74.119.192.122/agrybirdsgamerept
http://91.219.236.240/agrybirdsgamerept

rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

50c313b36d3f8d7fbe6f877cfa147276293d39c6

Attributes

url4cnc
http://91.219.236.162/jdex020001112
http://185.163.47.176/jdex020001112
http://193.38.54.238/jdex020001112
http://74.119.192.122/jdex020001112
http://91.219.236.240/jdex020001112
https://t.me/jdex020001112

rc4.plain

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/816-132-0x0000000001310000-0x000000000132B000-memory.dmp	family_redline
behavioral1/memory/1220-169-0x0000000002400000-0x000000000241C000-memory.dmp	family_redline
behavioral1/memory/1220-172-0x00000000025B0000-0x00000000025CB000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\5557.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\5557.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 1552 created 2320 1552 WerFault.exe 5FC8.exe
PID 3572 created 1744 3572 WerFault.exe 3FC9.exe
suricata: ET MALWARE Known Sinkhole Response Header
suricata: ET MALWARE Known Sinkhole Response Header
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

description	pid	process	target process
PID 1552 created 2320	1552	WerFault.exe	5FC8.exe
PID 3572 created 1744	3572	WerFault.exe	3FC9.exe

Executes dropped EXE 14 IoCs

Processes:

23C0.exe299D.exe2D09.exe35C5.exe23C0.exe3FC9.exe35C5.exe513F.exe3FC9.exe5557.exe5FC8.exe6EBD.exe72A6.exe82E3.exe

pid	process
2712	23C0.exe
816	299D.exe
3384	2D09.exe
1036	35C5.exe
3868	23C0.exe
3484	3FC9.exe
1220	35C5.exe
1608	513F.exe
1744	3FC9.exe
1848	5557.exe
2320	5FC8.exe
1736	6EBD.exe
1120	72A6.exe
708	82E3.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\82E3.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\82E3.exe	vmprotect
behavioral1/memory/708-256-0x00000000009D0000-0x000000000109C000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6EBD.exe72A6.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6EBD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6EBD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	72A6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	72A6.exe

Deletes itself 1 IoCs

Processes:

pid process

3056
Loads dropped DLL 2 IoCs

Processes:

2D09.exeregsvr32.exe

pid process

3384 2D09.exe
296 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3056

pid	process
3384	2D09.exe
296	regsvr32.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6EBD.exe	themida
behavioral1/memory/1736-227-0x0000000000130000-0x0000000000131000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\72A6.exe	themida
behavioral1/memory/1120-243-0x0000000000E20000-0x0000000000E21000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

72A6.exe6EBD.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	72A6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6EBD.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

6EBD.exe72A6.exe

pid process

1736 6EBD.exe
1120 72A6.exe

pid	process
1736	6EBD.exe
1120	72A6.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe23C0.exe35C5.exe3FC9.exe

description	pid	process	target process
PID 3064 set thread context of 2204	3064	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe
PID 2712 set thread context of 3868	2712	23C0.exe	23C0.exe
PID 1036 set thread context of 1220	1036	35C5.exe	35C5.exe
PID 3484 set thread context of 1744	3484	3FC9.exe	3FC9.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1552 2320 WerFault.exe 5FC8.exe
3572 1744 WerFault.exe 3FC9.exe

pid	pid_target	process	target process
1552	2320	WerFault.exe	5FC8.exe
3572	1744	WerFault.exe	3FC9.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe2D09.exe23C0.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2D09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	23C0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	23C0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	23C0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2D09.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2D09.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe

pid	process
2204	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe
2204	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3056
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe2D09.exe23C0.exe

pid process

2204 6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe
3384 2D09.exe
3868 23C0.exe

pid	process
3056

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

299D.exe5557.exeWerFault.exe72A6.exe6EBD.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	816	299D.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	1848	5557.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeRestorePrivilege	1552	WerFault.exe
Token: SeBackupPrivilege	1552	WerFault.exe
Token: SeDebugPrivilege	1552	WerFault.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	1120	72A6.exe
Token: SeDebugPrivilege	1736	6EBD.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	3572	WerFault.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe23C0.exe35C5.exe3FC9.exe

description	pid	process	target process
PID 3064 wrote to memory of 2204	3064	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe
PID 3064 wrote to memory of 2204	3064	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe
PID 3064 wrote to memory of 2204	3064	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe
PID 3064 wrote to memory of 2204	3064	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe
PID 3064 wrote to memory of 2204	3064	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe
PID 3064 wrote to memory of 2204	3064	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe	6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe
PID 3056 wrote to memory of 2712	3056		23C0.exe
PID 3056 wrote to memory of 2712	3056		23C0.exe
PID 3056 wrote to memory of 2712	3056		23C0.exe
PID 3056 wrote to memory of 816	3056		299D.exe
PID 3056 wrote to memory of 816	3056		299D.exe
PID 3056 wrote to memory of 3384	3056		2D09.exe
PID 3056 wrote to memory of 3384	3056		2D09.exe
PID 3056 wrote to memory of 3384	3056		2D09.exe
PID 3056 wrote to memory of 1036	3056		35C5.exe
PID 3056 wrote to memory of 1036	3056		35C5.exe
PID 3056 wrote to memory of 1036	3056		35C5.exe
PID 2712 wrote to memory of 3868	2712	23C0.exe	23C0.exe
PID 2712 wrote to memory of 3868	2712	23C0.exe	23C0.exe
PID 2712 wrote to memory of 3868	2712	23C0.exe	23C0.exe
PID 2712 wrote to memory of 3868	2712	23C0.exe	23C0.exe
PID 2712 wrote to memory of 3868	2712	23C0.exe	23C0.exe
PID 2712 wrote to memory of 3868	2712	23C0.exe	23C0.exe
PID 3056 wrote to memory of 296	3056		regsvr32.exe
PID 3056 wrote to memory of 296	3056		regsvr32.exe
PID 3056 wrote to memory of 3484	3056		3FC9.exe
PID 3056 wrote to memory of 3484	3056		3FC9.exe
PID 3056 wrote to memory of 3484	3056		3FC9.exe
PID 1036 wrote to memory of 1220	1036	35C5.exe	35C5.exe
PID 1036 wrote to memory of 1220	1036	35C5.exe	35C5.exe
PID 1036 wrote to memory of 1220	1036	35C5.exe	35C5.exe
PID 1036 wrote to memory of 1220	1036	35C5.exe	35C5.exe
PID 1036 wrote to memory of 1220	1036	35C5.exe	35C5.exe
PID 1036 wrote to memory of 1220	1036	35C5.exe	35C5.exe
PID 1036 wrote to memory of 1220	1036	35C5.exe	35C5.exe
PID 1036 wrote to memory of 1220	1036	35C5.exe	35C5.exe
PID 1036 wrote to memory of 1220	1036	35C5.exe	35C5.exe
PID 3056 wrote to memory of 1608	3056		513F.exe
PID 3056 wrote to memory of 1608	3056		513F.exe
PID 3056 wrote to memory of 1608	3056		513F.exe
PID 3484 wrote to memory of 1744	3484	3FC9.exe	3FC9.exe
PID 3484 wrote to memory of 1744	3484	3FC9.exe	3FC9.exe
PID 3484 wrote to memory of 1744	3484	3FC9.exe	3FC9.exe
PID 3484 wrote to memory of 1744	3484	3FC9.exe	3FC9.exe
PID 3484 wrote to memory of 1744	3484	3FC9.exe	3FC9.exe
PID 3484 wrote to memory of 1744	3484	3FC9.exe	3FC9.exe
PID 3484 wrote to memory of 1744	3484	3FC9.exe	3FC9.exe
PID 3484 wrote to memory of 1744	3484	3FC9.exe	3FC9.exe
PID 3484 wrote to memory of 1744	3484	3FC9.exe	3FC9.exe
PID 3484 wrote to memory of 1744	3484	3FC9.exe	3FC9.exe
PID 3056 wrote to memory of 1848	3056		5557.exe
PID 3056 wrote to memory of 1848	3056		5557.exe
PID 3056 wrote to memory of 1848	3056		5557.exe
PID 3056 wrote to memory of 2320	3056		5FC8.exe
PID 3056 wrote to memory of 2320	3056		5FC8.exe
PID 3056 wrote to memory of 2320	3056		5FC8.exe
PID 3056 wrote to memory of 1736	3056		6EBD.exe
PID 3056 wrote to memory of 1736	3056		6EBD.exe
PID 3056 wrote to memory of 1736	3056		6EBD.exe
PID 3056 wrote to memory of 1120	3056		72A6.exe
PID 3056 wrote to memory of 1120	3056		72A6.exe
PID 3056 wrote to memory of 1120	3056		72A6.exe
PID 3056 wrote to memory of 708	3056		82E3.exe
PID 3056 wrote to memory of 708	3056		82E3.exe

C:\Users\Admin\AppData\Local\Temp\6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe
"C:\Users\Admin\AppData\Local\Temp\6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe
"C:\Users\Admin\AppData\Local\Temp\6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2204

C:\Users\Admin\AppData\Local\Temp\23C0.exe
C:\Users\Admin\AppData\Local\Temp\23C0.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\23C0.exe
C:\Users\Admin\AppData\Local\Temp\23C0.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3868

C:\Users\Admin\AppData\Local\Temp\299D.exe
C:\Users\Admin\AppData\Local\Temp\299D.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Users\Admin\AppData\Local\Temp\2D09.exe
C:\Users\Admin\AppData\Local\Temp\2D09.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3384

C:\Users\Admin\AppData\Local\Temp\35C5.exe
C:\Users\Admin\AppData\Local\Temp\35C5.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\35C5.exe
C:\Users\Admin\AppData\Local\Temp\35C5.exe
2⤵
- Executes dropped EXE
PID:1220

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\39CD.dll
1⤵
- Loads dropped DLL
PID:296

C:\Users\Admin\AppData\Local\Temp\3FC9.exe
C:\Users\Admin\AppData\Local\Temp\3FC9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3484

C:\Users\Admin\AppData\Local\Temp\3FC9.exe
C:\Users\Admin\AppData\Local\Temp\3FC9.exe
2⤵
- Executes dropped EXE
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 904
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Users\Admin\AppData\Local\Temp\513F.exe
C:\Users\Admin\AppData\Local\Temp\513F.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Users\Admin\AppData\Local\Temp\5557.exe
C:\Users\Admin\AppData\Local\Temp\5557.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Users\Admin\AppData\Local\Temp\5FC8.exe
C:\Users\Admin\AppData\Local\Temp\5FC8.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 928
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Users\Admin\AppData\Local\Temp\6EBD.exe
C:\Users\Admin\AppData\Local\Temp\6EBD.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Users\Admin\AppData\Local\Temp\72A6.exe
C:\Users\Admin\AppData\Local\Temp\72A6.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Users\Admin\AppData\Local\Temp\82E3.exe
C:\Users\Admin\AppData\Local\Temp\82E3.exe
1⤵
- Executes dropped EXE
PID:708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23C0.exe
MD5
93914cdc4357ac4cd42fd3f58ede5462

SHA1
6fd42c9a9b90ede234f4946f38c2df13a42e00dd

SHA256
6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb

SHA512
60f55feaa8321705dacbf7bfbbb15f6a06a68296dc319503384833fee3c103e6d3490cb23e923fd2c5de7dc3cb7feac5dc87e2f82143e864706b28ba0c1f57d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\23C0.exe
MD5
93914cdc4357ac4cd42fd3f58ede5462

SHA1
6fd42c9a9b90ede234f4946f38c2df13a42e00dd

SHA256
6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb

SHA512
60f55feaa8321705dacbf7bfbbb15f6a06a68296dc319503384833fee3c103e6d3490cb23e923fd2c5de7dc3cb7feac5dc87e2f82143e864706b28ba0c1f57d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\23C0.exe
MD5
93914cdc4357ac4cd42fd3f58ede5462

SHA1
6fd42c9a9b90ede234f4946f38c2df13a42e00dd

SHA256
6db2d0288154b1a1e08c9a7e29e9e6e773eacc4a5bf8507f82093fa68d2385bb

SHA512
60f55feaa8321705dacbf7bfbbb15f6a06a68296dc319503384833fee3c103e6d3490cb23e923fd2c5de7dc3cb7feac5dc87e2f82143e864706b28ba0c1f57d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\299D.exe
MD5
605ade73eb76236d94daaea50024fe68

SHA1
b8f50f7fb8d667535d13c6209c4c7b0931ac910f

SHA256
b0a234a0ddd049c4ae39faf49146ae213163e1d930327b98f1521117f12e3022

SHA512
ea6611e9accf6323d6337292cbfa6edc4d08d7c0ed58b41d5a6274b2487ba34d6f80a6b931befb924cfdf22acde223a5a777142146c6001c6179e7a98bcf3926

Download Submit
C:\Users\Admin\AppData\Local\Temp\299D.exe
MD5
605ade73eb76236d94daaea50024fe68

SHA1
b8f50f7fb8d667535d13c6209c4c7b0931ac910f

SHA256
b0a234a0ddd049c4ae39faf49146ae213163e1d930327b98f1521117f12e3022

SHA512
ea6611e9accf6323d6337292cbfa6edc4d08d7c0ed58b41d5a6274b2487ba34d6f80a6b931befb924cfdf22acde223a5a777142146c6001c6179e7a98bcf3926

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D09.exe
MD5
435b9c498c170c228aaa2006c59e91d0

SHA1
49a3706be6ce2bf71fa72402243737a8c2700396

SHA256
1dd7a2de3a100eb6258ba36d8714ab63494934bea8a7ec3756ef40c6655e155a

SHA512
2b3659d67c2e6e004378d539199d10c77ed6be6dd0ab9e71f8accc975d3fbf5cf7476cda5eb5e6bbcdeeb844f5c69d3b73223e8d35d4d334ade630244e185734

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D09.exe
MD5
435b9c498c170c228aaa2006c59e91d0

SHA1
49a3706be6ce2bf71fa72402243737a8c2700396

SHA256
1dd7a2de3a100eb6258ba36d8714ab63494934bea8a7ec3756ef40c6655e155a

SHA512
2b3659d67c2e6e004378d539199d10c77ed6be6dd0ab9e71f8accc975d3fbf5cf7476cda5eb5e6bbcdeeb844f5c69d3b73223e8d35d4d334ade630244e185734

Download Submit
C:\Users\Admin\AppData\Local\Temp\35C5.exe
MD5
fc1495a398b700f64e03437b41d0accf

SHA1
23b0383b4430b7f769b8a4e9458b0b48da424771

SHA256
2bde1af6dc15f77aab6baa152542eabce4ea0d5b86e0d67b73e375dabcdffb33

SHA512
486ae78b72f8675fbba12ef6c0a42d9c1a19642df67f1701af4bba9e8770e842aad27544aab173e233e0b39d28d3303d7e376d1cd5b1384e4b0496b5533148c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\35C5.exe
MD5
fc1495a398b700f64e03437b41d0accf

SHA1
23b0383b4430b7f769b8a4e9458b0b48da424771

SHA256
2bde1af6dc15f77aab6baa152542eabce4ea0d5b86e0d67b73e375dabcdffb33

SHA512
486ae78b72f8675fbba12ef6c0a42d9c1a19642df67f1701af4bba9e8770e842aad27544aab173e233e0b39d28d3303d7e376d1cd5b1384e4b0496b5533148c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\35C5.exe
MD5
fc1495a398b700f64e03437b41d0accf

SHA1
23b0383b4430b7f769b8a4e9458b0b48da424771

SHA256
2bde1af6dc15f77aab6baa152542eabce4ea0d5b86e0d67b73e375dabcdffb33

SHA512
486ae78b72f8675fbba12ef6c0a42d9c1a19642df67f1701af4bba9e8770e842aad27544aab173e233e0b39d28d3303d7e376d1cd5b1384e4b0496b5533148c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\39CD.dll
MD5
3766ceff9fad0d5ccd13b060ca5269bb

SHA1
8fc8b51db082bc0a34c6088322a070578fb4fb21

SHA256
d0ca2f465d8e620742682dbcc955e7a52e20d71333483d31379d776e1ef0be58

SHA512
e132814c710195b9993331e9108b08aefe1e0a68572128509329e6747c3c948ebb8d52903b113ebb82a5868d66a0f282c116e05a61fd5c57c09447a8f235a105

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FC9.exe
MD5
bde1dbafbe609f7da66db66356d8f9e3

SHA1
a82f4a80f7f0849ecc021855fcbfbf3220982d06

SHA256
d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86

SHA512
fa4bc50784e84e1466a055e1a14a46b54903dfe0e3c557bed19f2c003486a9196bf4917c73fac087b471669dd42eebcb7550b0fb18cb8ee3baa2763d4e94c4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FC9.exe
MD5
bde1dbafbe609f7da66db66356d8f9e3

SHA1
a82f4a80f7f0849ecc021855fcbfbf3220982d06

SHA256
d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86

SHA512
fa4bc50784e84e1466a055e1a14a46b54903dfe0e3c557bed19f2c003486a9196bf4917c73fac087b471669dd42eebcb7550b0fb18cb8ee3baa2763d4e94c4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FC9.exe
MD5
bde1dbafbe609f7da66db66356d8f9e3

SHA1
a82f4a80f7f0849ecc021855fcbfbf3220982d06

SHA256
d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86

SHA512
fa4bc50784e84e1466a055e1a14a46b54903dfe0e3c557bed19f2c003486a9196bf4917c73fac087b471669dd42eebcb7550b0fb18cb8ee3baa2763d4e94c4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\513F.exe
MD5
57fba5338be01bebfcf7f40adf5252d5

SHA1
0221fdb15ff3bd10da01ee8b10b2675ebf414dc9

SHA256
fbce68aed0ad10f718aa052df50bbc6008cb8767098b9acf2bef040282f6b937

SHA512
86c4f29390f74579e1af97966a515cd3da303baeb4efd788c4aacb6e837ca55e6f391231d827065a3cb034dfeff76af183e41759f3780209867f71d17db3565b

Download Submit
C:\Users\Admin\AppData\Local\Temp\513F.exe
MD5
57fba5338be01bebfcf7f40adf5252d5

SHA1
0221fdb15ff3bd10da01ee8b10b2675ebf414dc9

SHA256
fbce68aed0ad10f718aa052df50bbc6008cb8767098b9acf2bef040282f6b937

SHA512
86c4f29390f74579e1af97966a515cd3da303baeb4efd788c4aacb6e837ca55e6f391231d827065a3cb034dfeff76af183e41759f3780209867f71d17db3565b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5557.exe
MD5
17b57e346f1b5eecc8a37dd405eb5b76

SHA1
f120c1acd341ceff5e35c8891c007406ff8986bc

SHA256
2da5e33b3e0a7bf86bbd2e28d6214b10c835d98ebebd0eb1e0f35c195613dc94

SHA512
79c39cad1ca5aad3d568a0e1665ffeea02e546dacbde42132e26944d99caf87dc6f9e5b0db98c9077911d3cb210607a43e12d0b242aec77b2a3755bb588b9208

Download Submit
C:\Users\Admin\AppData\Local\Temp\5557.exe
MD5
17b57e346f1b5eecc8a37dd405eb5b76

SHA1
f120c1acd341ceff5e35c8891c007406ff8986bc

SHA256
2da5e33b3e0a7bf86bbd2e28d6214b10c835d98ebebd0eb1e0f35c195613dc94

SHA512
79c39cad1ca5aad3d568a0e1665ffeea02e546dacbde42132e26944d99caf87dc6f9e5b0db98c9077911d3cb210607a43e12d0b242aec77b2a3755bb588b9208

Download Submit
C:\Users\Admin\AppData\Local\Temp\5FC8.exe
MD5
d38f72f91b415e8ee3f88052b82233b3

SHA1
51dfe99bd3b0c341e697028e9feeb3385f2f3d7d

SHA256
d65b11b26599c30b502424c096e78eaaf7556a7623451993e941a9d31e019b19

SHA512
c4048cc3f5edde0b6a3ad7b39f35625c1eb25a4d46130df7b002161bbc571ebdec65f1b7b8b1477fcb899fb71d66503d6051802241d6b646813405055d27a8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\5FC8.exe
MD5
d38f72f91b415e8ee3f88052b82233b3

SHA1
51dfe99bd3b0c341e697028e9feeb3385f2f3d7d

SHA256
d65b11b26599c30b502424c096e78eaaf7556a7623451993e941a9d31e019b19

SHA512
c4048cc3f5edde0b6a3ad7b39f35625c1eb25a4d46130df7b002161bbc571ebdec65f1b7b8b1477fcb899fb71d66503d6051802241d6b646813405055d27a8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EBD.exe
MD5
111aab07ae0688808d82d2e5c443e380

SHA1
3481527a64a6654c6a8ee0019defd927c002c9e0

SHA256
0bb050f16b1b30fbafeba5a3ecaf9985f7c0043391d5eb26c1f90e6c05f8a5b3

SHA512
433b170d90a5965e45a9eaac69a346951baabb5082fb20991513a442d7c55ab1c469938c537261d8f5dc1afa956a34f3c43e12d740218a9117937a2cca7c836d

Download Submit
C:\Users\Admin\AppData\Local\Temp\72A6.exe
MD5
111aab07ae0688808d82d2e5c443e380

SHA1
3481527a64a6654c6a8ee0019defd927c002c9e0

SHA256
0bb050f16b1b30fbafeba5a3ecaf9985f7c0043391d5eb26c1f90e6c05f8a5b3

SHA512
433b170d90a5965e45a9eaac69a346951baabb5082fb20991513a442d7c55ab1c469938c537261d8f5dc1afa956a34f3c43e12d740218a9117937a2cca7c836d

Download Submit
C:\Users\Admin\AppData\Local\Temp\82E3.exe
MD5
57e55c2ba8f873895163f5972afe2ad1

SHA1
359bd89bcb3b8c5b1598ce9adc26d7c4d9df7cad

SHA256
3716c5a488794753afce8bdc6bb0d6faf03537babcf9be83a172b98915ab80f4

SHA512
1e454a7f3b5c0a49d31ce758754a0254470a52b0d0df1722ed0d36c0c6d230dd8b65f85169e0ba75fa6860d4a82d5570724960344cf12234a8a9346f9f0b8207

Download Submit
C:\Users\Admin\AppData\Local\Temp\82E3.exe
MD5
57e55c2ba8f873895163f5972afe2ad1

SHA1
359bd89bcb3b8c5b1598ce9adc26d7c4d9df7cad

SHA256
3716c5a488794753afce8bdc6bb0d6faf03537babcf9be83a172b98915ab80f4

SHA512
1e454a7f3b5c0a49d31ce758754a0254470a52b0d0df1722ed0d36c0c6d230dd8b65f85169e0ba75fa6860d4a82d5570724960344cf12234a8a9346f9f0b8207

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\39CD.dll
MD5
3766ceff9fad0d5ccd13b060ca5269bb

SHA1
8fc8b51db082bc0a34c6088322a070578fb4fb21

SHA256
d0ca2f465d8e620742682dbcc955e7a52e20d71333483d31379d776e1ef0be58

SHA512
e132814c710195b9993331e9108b08aefe1e0a68572128509329e6747c3c948ebb8d52903b113ebb82a5868d66a0f282c116e05a61fd5c57c09447a8f235a105

Download Submit
memory/296-151-0x0000000000000000-mapping.dmp

Download
memory/296-155-0x0000000000FA0000-0x0000000000FD7000-memory.dmp

Filesize
220KB

Download
memory/708-252-0x0000000000000000-mapping.dmp

Download
memory/708-256-0x00000000009D0000-0x000000000109C000-memory.dmp

Filesize
6.8MB

Download
memory/816-204-0x000000001F100000-0x000000001F101000-memory.dmp

Filesize
4KB

Download
memory/816-135-0x000000001D960000-0x000000001D961000-memory.dmp

Filesize
4KB

Download
memory/816-129-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/816-132-0x0000000001310000-0x000000000132B000-memory.dmp

Filesize
108KB

Download
memory/816-126-0x0000000000000000-mapping.dmp

Download
memory/816-131-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download
memory/816-133-0x000000001DA70000-0x000000001DA71000-memory.dmp

Filesize
4KB

Download
memory/816-139-0x0000000001340000-0x0000000001342000-memory.dmp

Filesize
8KB

Download
memory/816-134-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/816-205-0x000000001F800000-0x000000001F801000-memory.dmp

Filesize
4KB

Download
memory/816-170-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/816-168-0x000000001EBD0000-0x000000001EBD1000-memory.dmp

Filesize
4KB

Download
memory/1036-162-0x0000000002B60000-0x0000000002CAA000-memory.dmp

Filesize
1.3MB

Download
memory/1036-159-0x0000000002E06000-0x0000000002E29000-memory.dmp

Filesize
140KB

Download
memory/1036-144-0x0000000000000000-mapping.dmp

Download
memory/1120-243-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/1120-245-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/1120-226-0x0000000000000000-mapping.dmp

Download
memory/1120-251-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/1220-178-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1220-180-0x0000000002813000-0x0000000002814000-memory.dmp

Filesize
4KB

Download
memory/1220-166-0x000000000040CD2F-mapping.dmp

Download
memory/1220-172-0x00000000025B0000-0x00000000025CB000-memory.dmp

Filesize
108KB

Download
memory/1220-173-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/1220-174-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/1220-175-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1220-176-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1220-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-179-0x0000000002812000-0x0000000002813000-memory.dmp

Filesize
4KB

Download
memory/1220-171-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1220-169-0x0000000002400000-0x000000000241C000-memory.dmp

Filesize
112KB

Download
memory/1220-182-0x0000000002814000-0x0000000002816000-memory.dmp

Filesize
8KB

Download
memory/1220-183-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/1608-184-0x0000000000000000-mapping.dmp

Download
memory/1608-216-0x0000000002D96000-0x0000000002DE6000-memory.dmp

Filesize
320KB

Download
memory/1608-217-0x0000000002C90000-0x0000000002DDA000-memory.dmp

Filesize
1.3MB

Download
memory/1608-218-0x0000000000400000-0x0000000002B8C000-memory.dmp

Filesize
39.5MB

Download
memory/1736-227-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1736-242-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/1736-219-0x0000000000000000-mapping.dmp

Download
memory/1736-225-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/1744-192-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1744-209-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1744-188-0x0000000000402998-mapping.dmp

Download
memory/1744-215-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1744-214-0x00000000006F0000-0x000000000077E000-memory.dmp

Filesize
568KB

Download
memory/1744-213-0x00000000004A0000-0x000000000054E000-memory.dmp

Filesize
696KB

Download
memory/1744-187-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1848-260-0x00000000083F0000-0x00000000083F1000-memory.dmp

Filesize
4KB

Download
memory/1848-221-0x0000000005FC0000-0x0000000005FC1000-memory.dmp

Filesize
4KB

Download
memory/1848-193-0x0000000000000000-mapping.dmp

Download
memory/1848-232-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/1848-235-0x0000000006410000-0x0000000006411000-memory.dmp

Filesize
4KB

Download
memory/1848-203-0x0000000004C80000-0x0000000005286000-memory.dmp

Filesize
6.0MB

Download
memory/1848-238-0x00000000066C0000-0x00000000066C1000-memory.dmp

Filesize
4KB

Download
memory/1848-257-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/1848-196-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/1848-255-0x0000000006F20000-0x0000000006F21000-memory.dmp

Filesize
4KB

Download
memory/2204-120-0x0000000000402DC6-mapping.dmp

Download
memory/2204-119-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2320-210-0x0000000001FC0000-0x000000000200F000-memory.dmp

Filesize
316KB

Download
memory/2320-211-0x0000000002010000-0x000000000209F000-memory.dmp

Filesize
572KB

Download
memory/2320-206-0x0000000000000000-mapping.dmp

Download
memory/2320-212-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2712-154-0x0000000002B50000-0x0000000002C9A000-memory.dmp

Filesize
1.3MB

Download
memory/2712-123-0x0000000000000000-mapping.dmp

Download
memory/2712-147-0x0000000002DD6000-0x0000000002DE7000-memory.dmp

Filesize
68KB

Download
memory/3056-122-0x0000000000890000-0x00000000008A6000-memory.dmp

Filesize
88KB

Download
memory/3056-181-0x00000000028F0000-0x0000000002906000-memory.dmp

Filesize
88KB

Download
memory/3056-160-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3064-118-0x0000000002BF6000-0x0000000002C07000-memory.dmp

Filesize
68KB

Download
memory/3064-121-0x0000000002B50000-0x0000000002BFE000-memory.dmp

Filesize
696KB

Download
memory/3384-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3384-142-0x0000000000440000-0x000000000058A000-memory.dmp

Filesize
1.3MB

Download
memory/3384-141-0x0000000000440000-0x000000000058A000-memory.dmp

Filesize
1.3MB

Download
memory/3384-136-0x0000000000000000-mapping.dmp

Download
memory/3484-156-0x0000000000000000-mapping.dmp

Download
memory/3484-161-0x0000000000650000-0x00000000006C7000-memory.dmp

Filesize
476KB

Download
memory/3484-163-0x0000000002220000-0x00000000022A3000-memory.dmp

Filesize
524KB

Download
memory/3484-164-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3484-190-0x00000000006D0000-0x0000000000733000-memory.dmp

Filesize
396KB

Download
memory/3484-191-0x00000000022B0000-0x0000000002320000-memory.dmp

Filesize
448KB

Download
memory/3868-149-0x0000000000402DC6-mapping.dmp

Download