raccoon | c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15

Analysis

max time kernel
150s
max time network
148s
platform
windows10_x64
resource
win10-en-20211104
submitted
04-12-2021 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe
Size

247KB
MD5

79230eab7cf29f52f36113258f1fb376
SHA1

0de5cb18e7b953c82dd5af40b0c2418dd28774e9
SHA256

c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15
SHA512

d3aeb3cc1480d0c1be498f7db9f0bd7203d26ae92e08814742482a67552bfd273ae295e201b36d708d14bf4cfdad636647eeccf082e0c1a01cec912337d9d7af

Score

10^/10

raccoon redline remcos smokeloader b620be4c85b4051a92040003edbc322be4eb082d j3j3-us backdoor discovery infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Extracted

Family

remcos

Version

3.3.2 Pro

Botnet

J3J3-US

kent0mushinec0n3t.casacam.net:32095

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Pin.exe
copy_folder
J3J3-US
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
J3J3-US
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-TFIQE4
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
J3J3-US
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

b620be4c85b4051a92040003edbc322be4eb082d

Attributes

url4cnc
http://91.219.236.207/capibar

http://185.225.19.18/capibar

http://91.219.237.227/capibar

https://t.me/capibar

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1748-144-0x00000000011C0000-0x0000000001335000-memory.dmp	family_redline
behavioral1/memory/1416-174-0x0000000000060000-0x00000000001C8000-memory.dmp	family_redline
behavioral1/memory/484-197-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	family_redline

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 2544 created 1552 2544 WerFault.exe 2567.exe
PID 3548 created 3396 3548 WerFault.exe 7D7B.exe
Downloads MZ/PE file
Executes dropped EXE 10 IoCs

Processes:

1827.exe1827.exe2567.exe7D7B.exe85B9.exe8CFE.exe7D7B.exe9943.exeAA6B.exePin.exe

pid process

1788 1827.exe
868 1827.exe
1552 2567.exe
716 7D7B.exe
1748 85B9.exe
3464 8CFE.exe
3396 7D7B.exe
1416 9943.exe
484 AA6B.exe
1060 Pin.exe
Deletes itself 1 IoCs

Processes:

pid process

3056
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 2544 created 1552	2544	WerFault.exe	2567.exe
PID 3548 created 3396	3548	WerFault.exe	7D7B.exe

pid	process
1788	1827.exe
868	1827.exe
1552	2567.exe
716	7D7B.exe
1748	85B9.exe
3464	8CFE.exe
3396	7D7B.exe
1416	9943.exe
484	AA6B.exe
1060	Pin.exe

pid	process
3056

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8CFE.exePin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\	8CFE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\J3J3-US = "\"C:\\Users\\Admin\\AppData\\Roaming\\J3J3-US\\Pin.exe\""	8CFE.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Pin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\J3J3-US = "\"C:\\Users\\Admin\\AppData\\Roaming\\J3J3-US\\Pin.exe\""	Pin.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

9943.exe

pid process

1416 9943.exe

pid	process
1416	9943.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe1827.exe7D7B.exePin.exe

description	pid	process	target process
PID 3068 set thread context of 2904	3068	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe
PID 1788 set thread context of 868	1788	1827.exe	1827.exe
PID 716 set thread context of 3396	716	7D7B.exe	7D7B.exe
PID 1060 set thread context of 1580	1060	Pin.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 34 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2544	1552	WerFault.exe	2567.exe
3204	3464	WerFault.exe	8CFE.exe
2072	3464	WerFault.exe	8CFE.exe
1360	3464	WerFault.exe	8CFE.exe
3756	3464	WerFault.exe	8CFE.exe
2572	3464	WerFault.exe	8CFE.exe
3068	3464	WerFault.exe	8CFE.exe
3308	3464	WerFault.exe	8CFE.exe
2212	1060	WerFault.exe	Pin.exe
3948	1060	WerFault.exe	Pin.exe
1120	1060	WerFault.exe	Pin.exe
948	1060	WerFault.exe	Pin.exe
2928	1060	WerFault.exe	Pin.exe
1324	1060	WerFault.exe	Pin.exe
2692	1060	WerFault.exe	Pin.exe
708	1060	WerFault.exe	Pin.exe
3980	1060	WerFault.exe	Pin.exe
3308	1060	WerFault.exe	Pin.exe
3868	1060	WerFault.exe	Pin.exe
3776	1060	WerFault.exe	Pin.exe
1788	1060	WerFault.exe	Pin.exe
2496	1060	WerFault.exe	Pin.exe
3548	3396	WerFault.exe	7D7B.exe
1388	1060	WerFault.exe	Pin.exe
3016	1060	WerFault.exe	Pin.exe
1748	1060	WerFault.exe	Pin.exe
4040	1060	WerFault.exe	Pin.exe
1196	1060	WerFault.exe	Pin.exe
484	1060	WerFault.exe	Pin.exe
3196	1060	WerFault.exe	Pin.exe
3132	1060	WerFault.exe	Pin.exe
1428	1060	WerFault.exe	Pin.exe
3404	1060	WerFault.exe	Pin.exe
1952	1060	WerFault.exe	Pin.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1827.exec292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1827.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1827.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1827.exe

Modifies registry class 1 IoCs

Processes:

8CFE.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings 8CFE.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	8CFE.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe

pid	process
2904	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe
2904	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Pin.exe

pid process

3056
1060 Pin.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe1827.exe

pid process

2904 c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe
868 1827.exe

pid	process
3056
1060	Pin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe9943.exeAA6B.exe85B9.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeRestorePrivilege	2544	WerFault.exe
Token: SeBackupPrivilege	2544	WerFault.exe
Token: SeDebugPrivilege	2544	WerFault.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	3204	WerFault.exe
Token: SeDebugPrivilege	2072	WerFault.exe
Token: SeDebugPrivilege	1360	WerFault.exe
Token: SeDebugPrivilege	3756	WerFault.exe
Token: SeDebugPrivilege	2572	WerFault.exe
Token: SeDebugPrivilege	3068	WerFault.exe
Token: SeDebugPrivilege	3308	WerFault.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	1416	9943.exe
Token: SeDebugPrivilege	484	AA6B.exe
Token: SeDebugPrivilege	1748	85B9.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	2212	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Pin.exe

pid process

1060 Pin.exe

pid	process
1060	Pin.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe1827.exe7D7B.exe8CFE.exeWScript.execmd.exePin.exe

description	pid	process	target process
PID 3068 wrote to memory of 2904	3068	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe
PID 3068 wrote to memory of 2904	3068	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe
PID 3068 wrote to memory of 2904	3068	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe
PID 3068 wrote to memory of 2904	3068	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe
PID 3068 wrote to memory of 2904	3068	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe
PID 3068 wrote to memory of 2904	3068	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe	c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe
PID 3056 wrote to memory of 1788	3056		1827.exe
PID 3056 wrote to memory of 1788	3056		1827.exe
PID 3056 wrote to memory of 1788	3056		1827.exe
PID 1788 wrote to memory of 868	1788	1827.exe	1827.exe
PID 1788 wrote to memory of 868	1788	1827.exe	1827.exe
PID 1788 wrote to memory of 868	1788	1827.exe	1827.exe
PID 1788 wrote to memory of 868	1788	1827.exe	1827.exe
PID 1788 wrote to memory of 868	1788	1827.exe	1827.exe
PID 1788 wrote to memory of 868	1788	1827.exe	1827.exe
PID 3056 wrote to memory of 1552	3056		2567.exe
PID 3056 wrote to memory of 1552	3056		2567.exe
PID 3056 wrote to memory of 1552	3056		2567.exe
PID 3056 wrote to memory of 716	3056		7D7B.exe
PID 3056 wrote to memory of 716	3056		7D7B.exe
PID 3056 wrote to memory of 716	3056		7D7B.exe
PID 3056 wrote to memory of 1748	3056		85B9.exe
PID 3056 wrote to memory of 1748	3056		85B9.exe
PID 3056 wrote to memory of 1748	3056		85B9.exe
PID 3056 wrote to memory of 3464	3056		8CFE.exe
PID 3056 wrote to memory of 3464	3056		8CFE.exe
PID 3056 wrote to memory of 3464	3056		8CFE.exe
PID 716 wrote to memory of 3396	716	7D7B.exe	7D7B.exe
PID 716 wrote to memory of 3396	716	7D7B.exe	7D7B.exe
PID 716 wrote to memory of 3396	716	7D7B.exe	7D7B.exe
PID 716 wrote to memory of 3396	716	7D7B.exe	7D7B.exe
PID 716 wrote to memory of 3396	716	7D7B.exe	7D7B.exe
PID 716 wrote to memory of 3396	716	7D7B.exe	7D7B.exe
PID 716 wrote to memory of 3396	716	7D7B.exe	7D7B.exe
PID 716 wrote to memory of 3396	716	7D7B.exe	7D7B.exe
PID 716 wrote to memory of 3396	716	7D7B.exe	7D7B.exe
PID 3056 wrote to memory of 1416	3056		9943.exe
PID 3056 wrote to memory of 1416	3056		9943.exe
PID 3056 wrote to memory of 1416	3056		9943.exe
PID 3056 wrote to memory of 484	3056		AA6B.exe
PID 3056 wrote to memory of 484	3056		AA6B.exe
PID 3056 wrote to memory of 484	3056		AA6B.exe
PID 3464 wrote to memory of 2004	3464	8CFE.exe	WScript.exe
PID 3464 wrote to memory of 2004	3464	8CFE.exe	WScript.exe
PID 3464 wrote to memory of 2004	3464	8CFE.exe	WScript.exe
PID 2004 wrote to memory of 1508	2004	WScript.exe	cmd.exe
PID 2004 wrote to memory of 1508	2004	WScript.exe	cmd.exe
PID 2004 wrote to memory of 1508	2004	WScript.exe	cmd.exe
PID 1508 wrote to memory of 1060	1508	cmd.exe	Pin.exe
PID 1508 wrote to memory of 1060	1508	cmd.exe	Pin.exe
PID 1508 wrote to memory of 1060	1508	cmd.exe	Pin.exe
PID 1060 wrote to memory of 1580	1060	Pin.exe	svchost.exe
PID 1060 wrote to memory of 1580	1060	Pin.exe	svchost.exe
PID 1060 wrote to memory of 1580	1060	Pin.exe	svchost.exe
PID 1060 wrote to memory of 1580	1060	Pin.exe	svchost.exe
PID 1060 wrote to memory of 1580	1060	Pin.exe	svchost.exe
PID 1060 wrote to memory of 1580	1060	Pin.exe	svchost.exe
PID 1060 wrote to memory of 1580	1060	Pin.exe	svchost.exe
PID 1060 wrote to memory of 1580	1060	Pin.exe	svchost.exe
PID 1060 wrote to memory of 1580	1060	Pin.exe	svchost.exe
PID 1060 wrote to memory of 1580	1060	Pin.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe
"C:\Users\Admin\AppData\Local\Temp\c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe
  "C:\Users\Admin\AppData\Local\Temp\c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2904

C:\Users\Admin\AppData\Local\Temp\1827.exe
C:\Users\Admin\AppData\Local\Temp\1827.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\1827.exe
  C:\Users\Admin\AppData\Local\Temp\1827.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:868

C:\Users\Admin\AppData\Local\Temp\2567.exe
C:\Users\Admin\AppData\Local\Temp\2567.exe
1⤵
- Executes dropped EXE
PID:1552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 476
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2544

C:\Users\Admin\AppData\Local\Temp\7D7B.exe
C:\Users\Admin\AppData\Local\Temp\7D7B.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:716
- C:\Users\Admin\AppData\Local\Temp\7D7B.exe
  C:\Users\Admin\AppData\Local\Temp\7D7B.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 872
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    PID:3548

C:\Users\Admin\AppData\Local\Temp\85B9.exe
C:\Users\Admin\AppData\Local\Temp\85B9.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Users\Admin\AppData\Local\Temp\8CFE.exe
C:\Users\Admin\AppData\Local\Temp\8CFE.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 628
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 980
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1060
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1100
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 960
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 976
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1104
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3308
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\J3J3-US\Pin.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Users\Admin\AppData\Roaming\J3J3-US\Pin.exe
      C:\Users\Admin\AppData\Roaming\J3J3-US\Pin.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 704
        5⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 728
        5⤵
        Program crash
        
        PID:3948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 648
        5⤵
        Program crash
        
        PID:1120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 704
        5⤵
        Program crash
        
        PID:948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 820
        5⤵
        Program crash
        
        PID:2928
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 740
        5⤵
        Program crash
        
        PID:1324
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 884
        5⤵
        Program crash
        
        PID:2692
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        5⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 928
        5⤵
        Program crash
        
        PID:708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1004
        5⤵
        Program crash
        
        PID:3980
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1032
        5⤵
        Program crash
        
        PID:3308
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1084
        5⤵
        Program crash
        
        PID:3868
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1168
        5⤵
        Program crash
        
        PID:3776
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1204
        5⤵
        Program crash
        
        PID:1788
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1008
        5⤵
        Program crash
        
        PID:2496
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1120
        5⤵
        Program crash
        
        PID:1388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1372
        5⤵
        Program crash
        
        PID:3016
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1416
        5⤵
        Program crash
        
        PID:1748
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1356
        5⤵
        Program crash
        
        PID:4040
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 812
        5⤵
        Program crash
        
        PID:1196
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1392
        5⤵
        Program crash
        
        PID:484
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1500
        5⤵
        Program crash
        
        PID:3196
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1036
        5⤵
        Program crash
        
        PID:3132
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1308
        5⤵
        Program crash
        
        PID:1428
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1412
        5⤵
        Program crash
        
        PID:3404
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1320
        5⤵
        Program crash
        
        PID:1952

C:\Users\Admin\AppData\Local\Temp\9943.exe
C:\Users\Admin\AppData\Local\Temp\9943.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Users\Admin\AppData\Local\Temp\AA6B.exe
C:\Users\Admin\AppData\Local\Temp\AA6B.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1827.exe

MD5
79230eab7cf29f52f36113258f1fb376

SHA1
0de5cb18e7b953c82dd5af40b0c2418dd28774e9

SHA256
c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15

SHA512
d3aeb3cc1480d0c1be498f7db9f0bd7203d26ae92e08814742482a67552bfd273ae295e201b36d708d14bf4cfdad636647eeccf082e0c1a01cec912337d9d7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\1827.exe

MD5
79230eab7cf29f52f36113258f1fb376

SHA1
0de5cb18e7b953c82dd5af40b0c2418dd28774e9

SHA256
c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15

SHA512
d3aeb3cc1480d0c1be498f7db9f0bd7203d26ae92e08814742482a67552bfd273ae295e201b36d708d14bf4cfdad636647eeccf082e0c1a01cec912337d9d7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\1827.exe

MD5
79230eab7cf29f52f36113258f1fb376

SHA1
0de5cb18e7b953c82dd5af40b0c2418dd28774e9

SHA256
c292df0e4cbc0a1f35a3c08cf1fd0dbee10a220d1e64c9243b3006dc2516ec15

SHA512
d3aeb3cc1480d0c1be498f7db9f0bd7203d26ae92e08814742482a67552bfd273ae295e201b36d708d14bf4cfdad636647eeccf082e0c1a01cec912337d9d7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\2567.exe

MD5
df13fac0d8b182e4d8b9a02ba87a9571

SHA1
b2187debc6fde96e08d5014ce4f1af5cf568bce5

SHA256
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

SHA512
bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816

Download Submit
C:\Users\Admin\AppData\Local\Temp\2567.exe

MD5
df13fac0d8b182e4d8b9a02ba87a9571

SHA1
b2187debc6fde96e08d5014ce4f1af5cf568bce5

SHA256
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

SHA512
bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D7B.exe

MD5
61a3807e15231687f38358e3ae6b670c

SHA1
b577ef08f60b55811aa5b8b93e5b3755b899115f

SHA256
56283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1

SHA512
8dfe85f3779d08a083e6be58d8ea9638daa1fe03716e1a8a88ab9be90cd9fa03a6c05c8e7e6ab37a2d729fe422c8a280133ea4cc2820d140a71b6eb78231b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D7B.exe

MD5
61a3807e15231687f38358e3ae6b670c

SHA1
b577ef08f60b55811aa5b8b93e5b3755b899115f

SHA256
56283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1

SHA512
8dfe85f3779d08a083e6be58d8ea9638daa1fe03716e1a8a88ab9be90cd9fa03a6c05c8e7e6ab37a2d729fe422c8a280133ea4cc2820d140a71b6eb78231b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D7B.exe

MD5
61a3807e15231687f38358e3ae6b670c

SHA1
b577ef08f60b55811aa5b8b93e5b3755b899115f

SHA256
56283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1

SHA512
8dfe85f3779d08a083e6be58d8ea9638daa1fe03716e1a8a88ab9be90cd9fa03a6c05c8e7e6ab37a2d729fe422c8a280133ea4cc2820d140a71b6eb78231b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\85B9.exe

MD5
4df0d4be3b3abb5ca237d11013411885

SHA1
7b9376e633769eb52a70ec887143826f924f6fee

SHA256
2cf6a392704eb1ede9545577028283a714d4abd1b53318ca11b3075dee799813

SHA512
14e1543c4f8a5c331ef1de493c7aaf8e2ade61b6a4cc9e15e2e3ce988be4cd5c72a2558c78e39ebe8f71de592945192df7cb2093ce71d62d5a417f5cf6858db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\85B9.exe

MD5
4df0d4be3b3abb5ca237d11013411885

SHA1
7b9376e633769eb52a70ec887143826f924f6fee

SHA256
2cf6a392704eb1ede9545577028283a714d4abd1b53318ca11b3075dee799813

SHA512
14e1543c4f8a5c331ef1de493c7aaf8e2ade61b6a4cc9e15e2e3ce988be4cd5c72a2558c78e39ebe8f71de592945192df7cb2093ce71d62d5a417f5cf6858db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8CFE.exe

MD5
6f78f5cf377470fc449263eaf2231dac

SHA1
067211e73b880a6a7c9c01ac2c309ea49579ad1f

SHA256
2fae5c7782b7c0cf7e205c1cf79400ef3c88c261b51882fb7f5dadab37013cf9

SHA512
cc4c07d4b7072391e8c3d182f6a0f85f6994a40b0e0f4d8d2158cd9c6f112e58e2f45f3fff3205c9e7c2e18940f24f713e558aa608683fb897346953d05e758c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8CFE.exe

MD5
6f78f5cf377470fc449263eaf2231dac

SHA1
067211e73b880a6a7c9c01ac2c309ea49579ad1f

SHA256
2fae5c7782b7c0cf7e205c1cf79400ef3c88c261b51882fb7f5dadab37013cf9

SHA512
cc4c07d4b7072391e8c3d182f6a0f85f6994a40b0e0f4d8d2158cd9c6f112e58e2f45f3fff3205c9e7c2e18940f24f713e558aa608683fb897346953d05e758c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9943.exe

MD5
4d96f213bfbba34ffba4986724d3a99c

SHA1
b7dfe9e3a186bf0d0a0e3793c84cd83d23b4c526

SHA256
f901c29eb448ec4288c6215ba6af0ce804009b69e6505ab35f1037f23851f5b7

SHA512
4e333f8fd1fca9784deb59c12645be1b68e12771dbc77f48419365df7da46638b40bb0a00f0640225a1ee652096c0f3cf7ebd12ed3463afb24f7df27c3717937

Download Submit
C:\Users\Admin\AppData\Local\Temp\9943.exe

MD5
4d96f213bfbba34ffba4986724d3a99c

SHA1
b7dfe9e3a186bf0d0a0e3793c84cd83d23b4c526

SHA256
f901c29eb448ec4288c6215ba6af0ce804009b69e6505ab35f1037f23851f5b7

SHA512
4e333f8fd1fca9784deb59c12645be1b68e12771dbc77f48419365df7da46638b40bb0a00f0640225a1ee652096c0f3cf7ebd12ed3463afb24f7df27c3717937

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA6B.exe

MD5
40f480638f2e8462929a662217a64c5b

SHA1
e72a9399e1ba8d61f26ba9a6e300e92d8bcd656e

SHA256
4602413ecd189f0a449f0ae14ba743d35a1b179bb6d2dc227dec2dd048611f60

SHA512
da9a5d796821f9fc648e2a8b0ccda133f1f276b2c55cc06b5cf158da805b1c6147348fc2e5f8177a96c78d9b178bb1321fd693dcf615f10584d2ae90a689c365

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA6B.exe

MD5
40f480638f2e8462929a662217a64c5b

SHA1
e72a9399e1ba8d61f26ba9a6e300e92d8bcd656e

SHA256
4602413ecd189f0a449f0ae14ba743d35a1b179bb6d2dc227dec2dd048611f60

SHA512
da9a5d796821f9fc648e2a8b0ccda133f1f276b2c55cc06b5cf158da805b1c6147348fc2e5f8177a96c78d9b178bb1321fd693dcf615f10584d2ae90a689c365

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
4dfb330bb0127158bf08c5cb987ec765

SHA1
7357c3ba13c1c3c8676a89cb07d23bc098884c0c

SHA256
54a5f2b8e939ae1f0a15629a8e458e0fce4df5dc8500680701d96e4cd20bb440

SHA512
bf314caa427233632b092441ada2d9ce42b98305716d5c8f6e8cc8604dbca657822588e066b65620cf8553fea3306949ac6651ee24cf0b7dc8ede811be1fc2a2

Download Submit
C:\Users\Admin\AppData\Roaming\J3J3-US\Pin.exe

MD5
6f78f5cf377470fc449263eaf2231dac

SHA1
067211e73b880a6a7c9c01ac2c309ea49579ad1f

SHA256
2fae5c7782b7c0cf7e205c1cf79400ef3c88c261b51882fb7f5dadab37013cf9

SHA512
cc4c07d4b7072391e8c3d182f6a0f85f6994a40b0e0f4d8d2158cd9c6f112e58e2f45f3fff3205c9e7c2e18940f24f713e558aa608683fb897346953d05e758c

Download Submit
C:\Users\Admin\AppData\Roaming\J3J3-US\Pin.exe

MD5
6f78f5cf377470fc449263eaf2231dac

SHA1
067211e73b880a6a7c9c01ac2c309ea49579ad1f

SHA256
2fae5c7782b7c0cf7e205c1cf79400ef3c88c261b51882fb7f5dadab37013cf9

SHA512
cc4c07d4b7072391e8c3d182f6a0f85f6994a40b0e0f4d8d2158cd9c6f112e58e2f45f3fff3205c9e7c2e18940f24f713e558aa608683fb897346953d05e758c

Download Submit
memory/484-198-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/484-197-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/484-203-0x00000000712A0000-0x0000000071320000-memory.dmp

Filesize
512KB

Download
memory/484-210-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/484-212-0x0000000002350000-0x0000000002393000-memory.dmp

Filesize
268KB

Download
memory/484-201-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/484-199-0x0000000074840000-0x0000000074A02000-memory.dmp

Filesize
1.8MB

Download
memory/484-200-0x0000000076470000-0x0000000076561000-memory.dmp

Filesize
964KB

Download
memory/484-213-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/484-219-0x000000006F560000-0x000000006F5AB000-memory.dmp

Filesize
300KB

Download
memory/484-211-0x00000000742B0000-0x0000000074834000-memory.dmp

Filesize
5.5MB

Download
memory/484-214-0x0000000075060000-0x00000000763A8000-memory.dmp

Filesize
19.3MB

Download
memory/484-194-0x0000000000000000-mapping.dmp

Download
memory/716-138-0x0000000000000000-mapping.dmp

Download
memory/716-169-0x0000000000530000-0x00000000005DE000-memory.dmp

Filesize
696KB

Download
memory/716-165-0x00000000007E1000-0x0000000000847000-memory.dmp

Filesize
408KB

Download
memory/868-128-0x0000000000402F47-mapping.dmp

Download
memory/1060-236-0x0000000000000000-mapping.dmp

Download
memory/1060-251-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1416-175-0x0000000002510000-0x0000000002557000-memory.dmp

Filesize
284KB

Download
memory/1416-174-0x0000000000060000-0x00000000001C8000-memory.dmp

Filesize
1.4MB

Download
memory/1416-187-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/1416-181-0x00000000712A0000-0x0000000071320000-memory.dmp

Filesize
512KB

Download
memory/1416-179-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1416-178-0x0000000076470000-0x0000000076561000-memory.dmp

Filesize
964KB

Download
memory/1416-177-0x0000000074840000-0x0000000074A02000-memory.dmp

Filesize
1.8MB

Download
memory/1416-176-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/1416-189-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/1416-186-0x00000000742B0000-0x0000000074834000-memory.dmp

Filesize
5.5MB

Download
memory/1416-188-0x0000000075060000-0x00000000763A8000-memory.dmp

Filesize
19.3MB

Download
memory/1416-170-0x0000000000000000-mapping.dmp

Download
memory/1416-191-0x000000006F560000-0x000000006F5AB000-memory.dmp

Filesize
300KB

Download
memory/1508-234-0x0000000000000000-mapping.dmp

Download
memory/1552-135-0x0000000002B70000-0x0000000002C1E000-memory.dmp

Filesize
696KB

Download
memory/1552-136-0x0000000000400000-0x0000000002B64000-memory.dmp

Filesize
39.4MB

Download
memory/1552-134-0x0000000002B70000-0x0000000002C1E000-memory.dmp

Filesize
696KB

Download
memory/1552-131-0x0000000000000000-mapping.dmp

Download
memory/1580-253-0x000000000044D470-mapping.dmp

Download
memory/1580-256-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1580-261-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1580-260-0x0000000002D30000-0x0000000002DDE000-memory.dmp

Filesize
696KB

Download
memory/1580-259-0x0000000003313000-0x0000000003357000-memory.dmp

Filesize
272KB

Download
memory/1748-147-0x0000000076470000-0x0000000076561000-memory.dmp

Filesize
964KB

Download
memory/1748-215-0x0000000005F70000-0x0000000005F71000-memory.dmp

Filesize
4KB

Download
memory/1748-162-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/1748-153-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1748-192-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/1748-163-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/1748-152-0x00000000029E0000-0x0000000002A23000-memory.dmp

Filesize
268KB

Download
memory/1748-151-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/1748-150-0x00000000712A0000-0x0000000071320000-memory.dmp

Filesize
512KB

Download
memory/1748-148-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/1748-158-0x0000000075060000-0x00000000763A8000-memory.dmp

Filesize
19.3MB

Download
memory/1748-146-0x0000000074840000-0x0000000074A02000-memory.dmp

Filesize
1.8MB

Download
memory/1748-145-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1748-144-0x00000000011C0000-0x0000000001335000-memory.dmp

Filesize
1.5MB

Download
memory/1748-141-0x0000000000000000-mapping.dmp

Download
memory/1748-164-0x000000006F560000-0x000000006F5AB000-memory.dmp

Filesize
300KB

Download
memory/1748-157-0x00000000742B0000-0x0000000074834000-memory.dmp

Filesize
5.5MB

Download
memory/1748-221-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/1748-154-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/1748-155-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/1748-156-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/1748-220-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/1748-216-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/1748-218-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/1788-130-0x0000000000450000-0x00000000004FE000-memory.dmp

Filesize
696KB

Download
memory/1788-123-0x0000000000000000-mapping.dmp

Download
memory/2004-228-0x0000000000000000-mapping.dmp

Download
memory/2904-120-0x0000000000402F47-mapping.dmp

Download
memory/2904-119-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3056-122-0x0000000000890000-0x00000000008A6000-memory.dmp

Filesize
88KB

Download
memory/3056-137-0x0000000000A20000-0x0000000000A36000-memory.dmp

Filesize
88KB

Download
memory/3068-118-0x0000000000649000-0x0000000000652000-memory.dmp

Filesize
36KB

Download
memory/3068-121-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/3396-166-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/3396-167-0x0000000000456A80-mapping.dmp

Download
memory/3396-232-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/3396-226-0x0000000004E90000-0x0000000004F1F000-memory.dmp

Filesize
572KB

Download
memory/3396-223-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/3396-222-0x00000000034FC000-0x000000000354B000-memory.dmp

Filesize
316KB

Download
memory/3396-173-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/3464-207-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/3464-206-0x0000000000750000-0x00000000007C5000-memory.dmp

Filesize
468KB

Download
memory/3464-159-0x0000000000000000-mapping.dmp

Download
memory/3464-193-0x0000000000591000-0x00000000005D6000-memory.dmp

Filesize
276KB

Download