raccoon | 5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52

Analysis

max time kernel
151s
max time network
150s
platform
windows10_x64
resource
win10-en-20211014
submitted
12-11-2021 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe
Size

168KB
MD5

471b33ec8201360ea74a9bb18b9092c4
SHA1

e749ed555b6728c14b07e967feda534d3282d46a
SHA256

5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52
SHA512

1b5556d3b0323d3b9eae69f09b75b639d56c8236885295eac77bced90aa0149590408578dc9520394b72c6e3a0afbe8a10522384e5f8c176af42a95265e005e2

Score

10^/10

raccoon redline smokeloader 8dec62c1db2959619dca43e02fa46ad7bd606400 superstar zaliv kub korm backdoor discovery infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://nalirou70.top/

http://xacokuo80.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

redline

185.159.80.90:38637

91.243.32.23:12780

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

redline

Botnet

zaliv kub korm

molerreneta.xyz:80

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes

url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/688-146-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/688-147-0x0000000000418EEA-mapping.dmp	family_redline
behavioral1/memory/1724-167-0x0000000002310000-0x000000000232C000-memory.dmp	family_redline
behavioral1/memory/1724-169-0x0000000004910000-0x000000000492B000-memory.dmp	family_redline
behavioral1/memory/1376-185-0x0000000000440000-0x00000000004EE000-memory.dmp	family_redline
behavioral1/memory/3540-204-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/3540-205-0x0000000000418F12-mapping.dmp	family_redline
behavioral1/memory/3540-215-0x0000000004F70000-0x0000000005576000-memory.dmp	family_redline
behavioral1/memory/1652-247-0x00000000014A0000-0x00000000014BA000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Known Sinkhole Response Header
suricata: ET MALWARE Known Sinkhole Response Header
suricata
Downloads MZ/PE file

Executes dropped EXE 17 IoCs

Processes:

31E9.exe31E9.exeA853.exeBFC4.exeA853.exeA853.exeDFEF.exehaaisirDFEF.exehaaisirEvanishing.exeEvanishing.exeB0DC.exeB0DC.exeEED1.exeasfasf.exeMemo.exe

pid	process
700	31E9.exe
3620	31E9.exe
916	A853.exe
716	BFC4.exe
604	A853.exe
688	A853.exe
1144	DFEF.exe
1376	haaisir
1724	DFEF.exe
2940	haaisir
2360	Evanishing.exe
3540	Evanishing.exe
2836	B0DC.exe
68	B0DC.exe
1652	EED1.exe
1420	asfasf.exe
3096	Memo.exe

Deletes itself 1 IoCs

Processes:

pid process

2960
Loads dropped DLL 1 IoCs

Processes:

BFC4.exe

pid process

716 BFC4.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2960

pid	process
716	BFC4.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe31E9.exeA853.exeDFEF.exehaaisirEvanishing.exeB0DC.exe

description	pid	process	target process
PID 2480 set thread context of 3892	2480	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe
PID 700 set thread context of 3620	700	31E9.exe	31E9.exe
PID 916 set thread context of 688	916	A853.exe	A853.exe
PID 1144 set thread context of 1724	1144	DFEF.exe	DFEF.exe
PID 1376 set thread context of 2940	1376	haaisir	haaisir
PID 2360 set thread context of 3540	2360	Evanishing.exe	Evanishing.exe
PID 2836 set thread context of 68	2836	B0DC.exe	B0DC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1680 3096 WerFault.exe Memo.exe

pid	pid_target	process	target process
1680	3096	WerFault.exe	Memo.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

BFC4.exehaaisir5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe31E9.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	BFC4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	haaisir
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	31E9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	31E9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	31E9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	BFC4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	BFC4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	haaisir
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	haaisir

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EED1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EED1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EED1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe

pid	process
3892	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe
3892	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2960
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe31E9.exeBFC4.exehaaisir

pid process

3892 5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe
3620 31E9.exe
716 BFC4.exe
2940 haaisir

pid	process
2960

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

A853.exeEvanishing.exeEED1.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeDebugPrivilege	688	A853.exe
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeDebugPrivilege	3540	Evanishing.exe
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeDebugPrivilege	1652	EED1.exe
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeRestorePrivilege	1680	WerFault.exe
Token: SeBackupPrivilege	1680	WerFault.exe
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeShutdownPrivilege	2960
Token: SeCreatePagefilePrivilege	2960
Token: SeDebugPrivilege	1680	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe31E9.exeA853.exeDFEF.exehaaisirA853.exeEvanishing.exe

description	pid	process	target process
PID 2480 wrote to memory of 3892	2480	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe
PID 2480 wrote to memory of 3892	2480	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe
PID 2480 wrote to memory of 3892	2480	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe
PID 2480 wrote to memory of 3892	2480	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe
PID 2480 wrote to memory of 3892	2480	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe
PID 2480 wrote to memory of 3892	2480	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe	5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe
PID 2960 wrote to memory of 700	2960		31E9.exe
PID 2960 wrote to memory of 700	2960		31E9.exe
PID 2960 wrote to memory of 700	2960		31E9.exe
PID 700 wrote to memory of 3620	700	31E9.exe	31E9.exe
PID 700 wrote to memory of 3620	700	31E9.exe	31E9.exe
PID 700 wrote to memory of 3620	700	31E9.exe	31E9.exe
PID 700 wrote to memory of 3620	700	31E9.exe	31E9.exe
PID 700 wrote to memory of 3620	700	31E9.exe	31E9.exe
PID 700 wrote to memory of 3620	700	31E9.exe	31E9.exe
PID 2960 wrote to memory of 916	2960		A853.exe
PID 2960 wrote to memory of 916	2960		A853.exe
PID 2960 wrote to memory of 916	2960		A853.exe
PID 916 wrote to memory of 604	916	A853.exe	A853.exe
PID 916 wrote to memory of 604	916	A853.exe	A853.exe
PID 916 wrote to memory of 604	916	A853.exe	A853.exe
PID 2960 wrote to memory of 716	2960		BFC4.exe
PID 2960 wrote to memory of 716	2960		BFC4.exe
PID 2960 wrote to memory of 716	2960		BFC4.exe
PID 916 wrote to memory of 688	916	A853.exe	A853.exe
PID 916 wrote to memory of 688	916	A853.exe	A853.exe
PID 916 wrote to memory of 688	916	A853.exe	A853.exe
PID 916 wrote to memory of 688	916	A853.exe	A853.exe
PID 916 wrote to memory of 688	916	A853.exe	A853.exe
PID 916 wrote to memory of 688	916	A853.exe	A853.exe
PID 916 wrote to memory of 688	916	A853.exe	A853.exe
PID 916 wrote to memory of 688	916	A853.exe	A853.exe
PID 2960 wrote to memory of 1144	2960		DFEF.exe
PID 2960 wrote to memory of 1144	2960		DFEF.exe
PID 2960 wrote to memory of 1144	2960		DFEF.exe
PID 1144 wrote to memory of 1724	1144	DFEF.exe	DFEF.exe
PID 1144 wrote to memory of 1724	1144	DFEF.exe	DFEF.exe
PID 1144 wrote to memory of 1724	1144	DFEF.exe	DFEF.exe
PID 1144 wrote to memory of 1724	1144	DFEF.exe	DFEF.exe
PID 1144 wrote to memory of 1724	1144	DFEF.exe	DFEF.exe
PID 1144 wrote to memory of 1724	1144	DFEF.exe	DFEF.exe
PID 1144 wrote to memory of 1724	1144	DFEF.exe	DFEF.exe
PID 1144 wrote to memory of 1724	1144	DFEF.exe	DFEF.exe
PID 1144 wrote to memory of 1724	1144	DFEF.exe	DFEF.exe
PID 1376 wrote to memory of 2940	1376	haaisir	haaisir
PID 1376 wrote to memory of 2940	1376	haaisir	haaisir
PID 1376 wrote to memory of 2940	1376	haaisir	haaisir
PID 1376 wrote to memory of 2940	1376	haaisir	haaisir
PID 1376 wrote to memory of 2940	1376	haaisir	haaisir
PID 1376 wrote to memory of 2940	1376	haaisir	haaisir
PID 688 wrote to memory of 2360	688	A853.exe	Evanishing.exe
PID 688 wrote to memory of 2360	688	A853.exe	Evanishing.exe
PID 688 wrote to memory of 2360	688	A853.exe	Evanishing.exe
PID 2360 wrote to memory of 3540	2360	Evanishing.exe	Evanishing.exe
PID 2360 wrote to memory of 3540	2360	Evanishing.exe	Evanishing.exe
PID 2360 wrote to memory of 3540	2360	Evanishing.exe	Evanishing.exe
PID 2360 wrote to memory of 3540	2360	Evanishing.exe	Evanishing.exe
PID 2360 wrote to memory of 3540	2360	Evanishing.exe	Evanishing.exe
PID 2360 wrote to memory of 3540	2360	Evanishing.exe	Evanishing.exe
PID 2360 wrote to memory of 3540	2360	Evanishing.exe	Evanishing.exe
PID 2360 wrote to memory of 3540	2360	Evanishing.exe	Evanishing.exe
PID 2960 wrote to memory of 2836	2960		B0DC.exe
PID 2960 wrote to memory of 2836	2960		B0DC.exe
PID 2960 wrote to memory of 2836	2960		B0DC.exe

C:\Users\Admin\AppData\Local\Temp\5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe
"C:\Users\Admin\AppData\Local\Temp\5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe
"C:\Users\Admin\AppData\Local\Temp\5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3892

C:\Users\Admin\AppData\Local\Temp\31E9.exe
C:\Users\Admin\AppData\Local\Temp\31E9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:700

C:\Users\Admin\AppData\Local\Temp\31E9.exe
C:\Users\Admin\AppData\Local\Temp\31E9.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3620

C:\Users\Admin\AppData\Local\Temp\A853.exe
C:\Users\Admin\AppData\Local\Temp\A853.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Local\Temp\A853.exe
C:\Users\Admin\AppData\Local\Temp\A853.exe
2⤵
- Executes dropped EXE
PID:604

C:\Users\Admin\AppData\Local\Temp\A853.exe
C:\Users\Admin\AppData\Local\Temp\A853.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Local\Temp\Evanishing.exe
"C:\Users\Admin\AppData\Local\Temp\Evanishing.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\Evanishing.exe
C:\Users\Admin\AppData\Local\Temp\Evanishing.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Users\Admin\AppData\Local\Temp\BFC4.exe
C:\Users\Admin\AppData\Local\Temp\BFC4.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:716

C:\Users\Admin\AppData\Local\Temp\DFEF.exe
C:\Users\Admin\AppData\Local\Temp\DFEF.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Local\Temp\DFEF.exe
C:\Users\Admin\AppData\Local\Temp\DFEF.exe
2⤵
- Executes dropped EXE
PID:1724

C:\Users\Admin\AppData\Roaming\haaisir
C:\Users\Admin\AppData\Roaming\haaisir
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Roaming\haaisir
C:\Users\Admin\AppData\Roaming\haaisir
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2940

C:\Users\Admin\AppData\Local\Temp\B0DC.exe
C:\Users\Admin\AppData\Local\Temp\B0DC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2836

C:\Users\Admin\AppData\Local\Temp\B0DC.exe
C:\Users\Admin\AppData\Local\Temp\B0DC.exe
2⤵
- Executes dropped EXE
PID:68

C:\Users\Admin\AppData\Local\Temp\EED1.exe
C:\Users\Admin\AppData\Local\Temp\EED1.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Users\Admin\AppData\Roaming\asfasf.exe
"C:\Users\Admin\AppData\Roaming\asfasf.exe"
2⤵
- Executes dropped EXE
PID:1420

C:\Users\Admin\AppData\Roaming\Memo.exe
"C:\Users\Admin\AppData\Roaming\Memo.exe"
2⤵
- Executes dropped EXE
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 316
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\A853.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Evanishing.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\31E9.exe
MD5
471b33ec8201360ea74a9bb18b9092c4

SHA1
e749ed555b6728c14b07e967feda534d3282d46a

SHA256
5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52

SHA512
1b5556d3b0323d3b9eae69f09b75b639d56c8236885295eac77bced90aa0149590408578dc9520394b72c6e3a0afbe8a10522384e5f8c176af42a95265e005e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\31E9.exe
MD5
471b33ec8201360ea74a9bb18b9092c4

SHA1
e749ed555b6728c14b07e967feda534d3282d46a

SHA256
5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52

SHA512
1b5556d3b0323d3b9eae69f09b75b639d56c8236885295eac77bced90aa0149590408578dc9520394b72c6e3a0afbe8a10522384e5f8c176af42a95265e005e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\31E9.exe
MD5
471b33ec8201360ea74a9bb18b9092c4

SHA1
e749ed555b6728c14b07e967feda534d3282d46a

SHA256
5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52

SHA512
1b5556d3b0323d3b9eae69f09b75b639d56c8236885295eac77bced90aa0149590408578dc9520394b72c6e3a0afbe8a10522384e5f8c176af42a95265e005e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A853.exe
MD5
e922d31d9e42823f27cb8512b3afe7ac

SHA1
c3acff8045e6ab4668894f9b0a42c274a654b2d8

SHA256
18e784c6c045e8bc45a1a2c06d6013ef712cfd63f9b5843e31911fdf1a27a872

SHA512
e9420bf7113c8be1addb736bfd8051327325256e5f03f83d6851b1f25883df39fe62bfa75b9f7ebab2002aedf1bc281f9f3cbdd44b7b7194adeb4e2789f73ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\A853.exe
MD5
e922d31d9e42823f27cb8512b3afe7ac

SHA1
c3acff8045e6ab4668894f9b0a42c274a654b2d8

SHA256
18e784c6c045e8bc45a1a2c06d6013ef712cfd63f9b5843e31911fdf1a27a872

SHA512
e9420bf7113c8be1addb736bfd8051327325256e5f03f83d6851b1f25883df39fe62bfa75b9f7ebab2002aedf1bc281f9f3cbdd44b7b7194adeb4e2789f73ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\A853.exe
MD5
e922d31d9e42823f27cb8512b3afe7ac

SHA1
c3acff8045e6ab4668894f9b0a42c274a654b2d8

SHA256
18e784c6c045e8bc45a1a2c06d6013ef712cfd63f9b5843e31911fdf1a27a872

SHA512
e9420bf7113c8be1addb736bfd8051327325256e5f03f83d6851b1f25883df39fe62bfa75b9f7ebab2002aedf1bc281f9f3cbdd44b7b7194adeb4e2789f73ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\A853.exe
MD5
e922d31d9e42823f27cb8512b3afe7ac

SHA1
c3acff8045e6ab4668894f9b0a42c274a654b2d8

SHA256
18e784c6c045e8bc45a1a2c06d6013ef712cfd63f9b5843e31911fdf1a27a872

SHA512
e9420bf7113c8be1addb736bfd8051327325256e5f03f83d6851b1f25883df39fe62bfa75b9f7ebab2002aedf1bc281f9f3cbdd44b7b7194adeb4e2789f73ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0DC.exe
MD5
84dd06d1e6237944e337d213947e1949

SHA1
ee6f9e3a5c363d4ac4dcf449a3c1c590886fe8d5

SHA256
72f0a495127d1b3e3bbab9ab771ed6adeb94ca7663c282679b9d115e0de1af30

SHA512
13f6ff60279e089f3aefb6c57f760bc1377d0452baff33c707be5ff502df01258b5ed6527e729084549a0f50c0af95a412b583abc1779841d9c072f21bea32fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0DC.exe
MD5
84dd06d1e6237944e337d213947e1949

SHA1
ee6f9e3a5c363d4ac4dcf449a3c1c590886fe8d5

SHA256
72f0a495127d1b3e3bbab9ab771ed6adeb94ca7663c282679b9d115e0de1af30

SHA512
13f6ff60279e089f3aefb6c57f760bc1377d0452baff33c707be5ff502df01258b5ed6527e729084549a0f50c0af95a412b583abc1779841d9c072f21bea32fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0DC.exe
MD5
84dd06d1e6237944e337d213947e1949

SHA1
ee6f9e3a5c363d4ac4dcf449a3c1c590886fe8d5

SHA256
72f0a495127d1b3e3bbab9ab771ed6adeb94ca7663c282679b9d115e0de1af30

SHA512
13f6ff60279e089f3aefb6c57f760bc1377d0452baff33c707be5ff502df01258b5ed6527e729084549a0f50c0af95a412b583abc1779841d9c072f21bea32fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFC4.exe
MD5
435b9c498c170c228aaa2006c59e91d0

SHA1
49a3706be6ce2bf71fa72402243737a8c2700396

SHA256
1dd7a2de3a100eb6258ba36d8714ab63494934bea8a7ec3756ef40c6655e155a

SHA512
2b3659d67c2e6e004378d539199d10c77ed6be6dd0ab9e71f8accc975d3fbf5cf7476cda5eb5e6bbcdeeb844f5c69d3b73223e8d35d4d334ade630244e185734

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFC4.exe
MD5
435b9c498c170c228aaa2006c59e91d0

SHA1
49a3706be6ce2bf71fa72402243737a8c2700396

SHA256
1dd7a2de3a100eb6258ba36d8714ab63494934bea8a7ec3756ef40c6655e155a

SHA512
2b3659d67c2e6e004378d539199d10c77ed6be6dd0ab9e71f8accc975d3fbf5cf7476cda5eb5e6bbcdeeb844f5c69d3b73223e8d35d4d334ade630244e185734

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFEF.exe
MD5
cf9ca3fd4e0bd4d2ae6b397ee76f45bd

SHA1
8d38cd2be3d15844711b8b52e8a0f66360f2f9e8

SHA256
dcb1b47d6f410d484798e8c6eed93eff7926f5daf6980c690b5d2e8aa177b882

SHA512
d6ca29f6d767278c55b022668cb9def9a2d68c08b8cca0a5ea35b8522e9e3f0195a6e397f9af41fbb8bf01d6e6eaa75e041a974be8a1e722aa4d36c91414c805

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFEF.exe
MD5
cf9ca3fd4e0bd4d2ae6b397ee76f45bd

SHA1
8d38cd2be3d15844711b8b52e8a0f66360f2f9e8

SHA256
dcb1b47d6f410d484798e8c6eed93eff7926f5daf6980c690b5d2e8aa177b882

SHA512
d6ca29f6d767278c55b022668cb9def9a2d68c08b8cca0a5ea35b8522e9e3f0195a6e397f9af41fbb8bf01d6e6eaa75e041a974be8a1e722aa4d36c91414c805

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFEF.exe
MD5
cf9ca3fd4e0bd4d2ae6b397ee76f45bd

SHA1
8d38cd2be3d15844711b8b52e8a0f66360f2f9e8

SHA256
dcb1b47d6f410d484798e8c6eed93eff7926f5daf6980c690b5d2e8aa177b882

SHA512
d6ca29f6d767278c55b022668cb9def9a2d68c08b8cca0a5ea35b8522e9e3f0195a6e397f9af41fbb8bf01d6e6eaa75e041a974be8a1e722aa4d36c91414c805

Download Submit
C:\Users\Admin\AppData\Local\Temp\EED1.exe
MD5
eff97931b2bd6469d430815b81429f8e

SHA1
7432c71e90d587025588f2c003deeaf456934084

SHA256
1f74714cf4d280da5fc9d5adccf5c782ec0a9d3a0cb9a6b83edf50725ef64701

SHA512
0a5a8b615d6412a6e3caebfc1acfffb62792bbded6e9f6b0f089e4468745c2cc0232cba17ea6da6f88e9bbed7b64c73ca964a126640ed764d1e8526f408f5349

Download Submit
C:\Users\Admin\AppData\Local\Temp\EED1.exe
MD5
eff97931b2bd6469d430815b81429f8e

SHA1
7432c71e90d587025588f2c003deeaf456934084

SHA256
1f74714cf4d280da5fc9d5adccf5c782ec0a9d3a0cb9a6b83edf50725ef64701

SHA512
0a5a8b615d6412a6e3caebfc1acfffb62792bbded6e9f6b0f089e4468745c2cc0232cba17ea6da6f88e9bbed7b64c73ca964a126640ed764d1e8526f408f5349

Download Submit
C:\Users\Admin\AppData\Local\Temp\Evanishing.exe
MD5
c1a0b9015537157439f3da34b2443fd0

SHA1
fccb7d31fc724ce0c84e89acd9fed75cefcac08a

SHA256
e6e7a94cb41a672102bf178d6a967044c5380bb70cbcd1d91a6fc46d9608be25

SHA512
53a8b6a72382202fa5429c698019b2be10af22a540a5b30bfde1e4567beb046094e15e5dc2473f1f88bff8c98abf551df071233603244f2644ea530a2a5f5109

Download Submit
C:\Users\Admin\AppData\Local\Temp\Evanishing.exe
MD5
c1a0b9015537157439f3da34b2443fd0

SHA1
fccb7d31fc724ce0c84e89acd9fed75cefcac08a

SHA256
e6e7a94cb41a672102bf178d6a967044c5380bb70cbcd1d91a6fc46d9608be25

SHA512
53a8b6a72382202fa5429c698019b2be10af22a540a5b30bfde1e4567beb046094e15e5dc2473f1f88bff8c98abf551df071233603244f2644ea530a2a5f5109

Download Submit
C:\Users\Admin\AppData\Local\Temp\Evanishing.exe
MD5
c1a0b9015537157439f3da34b2443fd0

SHA1
fccb7d31fc724ce0c84e89acd9fed75cefcac08a

SHA256
e6e7a94cb41a672102bf178d6a967044c5380bb70cbcd1d91a6fc46d9608be25

SHA512
53a8b6a72382202fa5429c698019b2be10af22a540a5b30bfde1e4567beb046094e15e5dc2473f1f88bff8c98abf551df071233603244f2644ea530a2a5f5109

Download Submit
C:\Users\Admin\AppData\Roaming\Memo.exe
MD5
5988b5e6bc658eadcdd1318c0c3c0d91

SHA1
b554f12f68b63c0277b88f34453110822e169446

SHA256
b8a97e6bc7f8fd4a3c3f1cdc4183cbae2a48262b8e352e5169c2b647696ab1b8

SHA512
95555775ab0db4e9f787ccea9bcad66c3d43627516ea2bd524a0cc85666c6bb56b976c6c4630b6c16bc1e9cedda65de22b8db52f8d81ed7de7fabd1fe5ac05f8

Download Submit
C:\Users\Admin\AppData\Roaming\Memo.exe
MD5
5988b5e6bc658eadcdd1318c0c3c0d91

SHA1
b554f12f68b63c0277b88f34453110822e169446

SHA256
b8a97e6bc7f8fd4a3c3f1cdc4183cbae2a48262b8e352e5169c2b647696ab1b8

SHA512
95555775ab0db4e9f787ccea9bcad66c3d43627516ea2bd524a0cc85666c6bb56b976c6c4630b6c16bc1e9cedda65de22b8db52f8d81ed7de7fabd1fe5ac05f8

Download Submit
C:\Users\Admin\AppData\Roaming\asfasf.exe
MD5
9a9120e7087d20b64a15693c53c4a9a4

SHA1
190ace4b886f2d5de5526234b40e7186952d771d

SHA256
b30a0a7e75cca6ec22a4628567fb057dfc22bfd04381bc97b1a1da6f05769ea2

SHA512
2a62e17df72e9ef31a68231ba8b949e02ca4b518c5f5836878203f8c46ce689bfa7de700b6eba38a309b2c30cf862621907e9ab2cf1e7b2d31039a64465db5fe

Download Submit
C:\Users\Admin\AppData\Roaming\asfasf.exe
MD5
9a9120e7087d20b64a15693c53c4a9a4

SHA1
190ace4b886f2d5de5526234b40e7186952d771d

SHA256
b30a0a7e75cca6ec22a4628567fb057dfc22bfd04381bc97b1a1da6f05769ea2

SHA512
2a62e17df72e9ef31a68231ba8b949e02ca4b518c5f5836878203f8c46ce689bfa7de700b6eba38a309b2c30cf862621907e9ab2cf1e7b2d31039a64465db5fe

Download Submit
C:\Users\Admin\AppData\Roaming\haaisir
MD5
471b33ec8201360ea74a9bb18b9092c4

SHA1
e749ed555b6728c14b07e967feda534d3282d46a

SHA256
5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52

SHA512
1b5556d3b0323d3b9eae69f09b75b639d56c8236885295eac77bced90aa0149590408578dc9520394b72c6e3a0afbe8a10522384e5f8c176af42a95265e005e2

Download Submit
C:\Users\Admin\AppData\Roaming\haaisir
MD5
471b33ec8201360ea74a9bb18b9092c4

SHA1
e749ed555b6728c14b07e967feda534d3282d46a

SHA256
5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52

SHA512
1b5556d3b0323d3b9eae69f09b75b639d56c8236885295eac77bced90aa0149590408578dc9520394b72c6e3a0afbe8a10522384e5f8c176af42a95265e005e2

Download Submit
C:\Users\Admin\AppData\Roaming\haaisir
MD5
471b33ec8201360ea74a9bb18b9092c4

SHA1
e749ed555b6728c14b07e967feda534d3282d46a

SHA256
5bfa05d8712936528207fda795373b4f9bfe42f23be739a7ca81eac1d15e7f52

SHA512
1b5556d3b0323d3b9eae69f09b75b639d56c8236885295eac77bced90aa0149590408578dc9520394b72c6e3a0afbe8a10522384e5f8c176af42a95265e005e2

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/68-230-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/68-238-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/68-236-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/68-235-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/68-231-0x0000000000402998-mapping.dmp

Download
memory/68-239-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/68-237-0x00000000004A0000-0x000000000054E000-memory.dmp

Filesize
696KB

Download
memory/688-152-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/688-157-0x0000000004F10000-0x0000000005516000-memory.dmp

Filesize
6.0MB

Download
memory/688-156-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/688-155-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/688-154-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/688-153-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/688-147-0x0000000000418EEA-mapping.dmp

Download
memory/688-146-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/688-193-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/688-192-0x0000000006A20000-0x0000000006A21000-memory.dmp

Filesize
4KB

Download
memory/688-191-0x0000000005F50000-0x0000000005F51000-memory.dmp

Filesize
4KB

Download
memory/688-188-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/700-126-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/700-127-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/700-120-0x0000000000000000-mapping.dmp

Download
memory/716-138-0x0000000000000000-mapping.dmp

Download
memory/716-144-0x0000000000530000-0x0000000000539000-memory.dmp

Filesize
36KB

Download
memory/716-143-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/716-145-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/916-136-0x0000000002580000-0x00000000025F6000-memory.dmp

Filesize
472KB

Download
memory/916-135-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/916-134-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/916-132-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/916-129-0x0000000000000000-mapping.dmp

Download
memory/916-137-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/1144-174-0x00000000005A0000-0x00000000006EA000-memory.dmp

Filesize
1.3MB

Download
memory/1144-175-0x00000000005A0000-0x00000000006EA000-memory.dmp

Filesize
1.3MB

Download
memory/1144-159-0x0000000000000000-mapping.dmp

Download
memory/1376-186-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/1376-185-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/1420-257-0x000000001B5C0000-0x000000001B5C2000-memory.dmp

Filesize
8KB

Download
memory/1420-252-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1420-249-0x0000000000000000-mapping.dmp

Download
memory/1652-246-0x000000001B950000-0x000000001B951000-memory.dmp

Filesize
4KB

Download
memory/1652-240-0x0000000000000000-mapping.dmp

Download
memory/1652-243-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/1652-248-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/1652-245-0x0000000001490000-0x0000000001492000-memory.dmp

Filesize
8KB

Download
memory/1652-247-0x00000000014A0000-0x00000000014BA000-memory.dmp

Filesize
104KB

Download
memory/1724-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-178-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/1724-181-0x0000000004AA4000-0x0000000004AA6000-memory.dmp

Filesize
8KB

Download
memory/1724-180-0x0000000004AA3000-0x0000000004AA4000-memory.dmp

Filesize
4KB

Download
memory/1724-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-179-0x0000000004AA2000-0x0000000004AA3000-memory.dmp

Filesize
4KB

Download
memory/1724-169-0x0000000004910000-0x000000000492B000-memory.dmp

Filesize
108KB

Download
memory/1724-165-0x000000000040CD2F-mapping.dmp

Download
memory/1724-167-0x0000000002310000-0x000000000232C000-memory.dmp

Filesize
112KB

Download
memory/2360-195-0x0000000000000000-mapping.dmp

Download
memory/2360-203-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/2360-198-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/2480-116-0x00000000004A0000-0x00000000005EA000-memory.dmp

Filesize
1.3MB

Download
memory/2480-115-0x00000000004A0000-0x00000000005EA000-memory.dmp

Filesize
1.3MB

Download
memory/2836-234-0x0000000004910000-0x0000000004980000-memory.dmp

Filesize
448KB

Download
memory/2836-233-0x00000000048A0000-0x0000000004903000-memory.dmp

Filesize
396KB

Download
memory/2836-224-0x0000000000000000-mapping.dmp

Download
memory/2836-227-0x0000000002CE6000-0x0000000002D5E000-memory.dmp

Filesize
480KB

Download
memory/2836-229-0x0000000000400000-0x0000000002BB3000-memory.dmp

Filesize
39.7MB

Download
memory/2836-228-0x00000000047D0000-0x0000000004853000-memory.dmp

Filesize
524KB

Download
memory/2940-183-0x0000000000402DC6-mapping.dmp

Download
memory/2960-194-0x0000000005020000-0x0000000005036000-memory.dmp

Filesize
88KB

Download
memory/2960-158-0x0000000003570000-0x0000000003586000-memory.dmp

Filesize
88KB

Download
memory/2960-128-0x0000000001520000-0x0000000001536000-memory.dmp

Filesize
88KB

Download
memory/2960-119-0x0000000001330000-0x0000000001346000-memory.dmp

Filesize
88KB

Download
memory/3096-254-0x0000000000000000-mapping.dmp

Download
memory/3540-223-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/3540-215-0x0000000004F70000-0x0000000005576000-memory.dmp

Filesize
6.0MB

Download
memory/3540-205-0x0000000000418F12-mapping.dmp

Download
memory/3540-204-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3620-124-0x0000000000402DC6-mapping.dmp

Download
memory/3892-117-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3892-118-0x0000000000402DC6-mapping.dmp

Download