gh0strat | a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2

Analysis

max time kernel
166s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
16-05-2022 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
Size

944KB
MD5

e4f4b58d13524ae7521d07274eabc0f0
SHA1

0cb88305e8e0e8a9dea1db8025caede6f6f256bb
SHA256

a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2
SHA512

8593105fa62843dd144a900ddb1ae9f4ffda76549f240166418c10b585e5c8df9397a0c3eef7215e1784d103c6a3ab578efd1aaf63b76852d310890d7d262b4d

Score

10^/10

gh0strat xmrig miner persistence rat suricata upx

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4688-133-0x0000000010000000-0x0000000010023000-memory.dmp	family_gh0strat
behavioral2/memory/4664-139-0x0000000010000000-0x0000000010023000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 7 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\IIS\CPUInfo.exe	xmrig
C:\Windows\IIS\CPUInfo.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\las.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\las.exe	xmrig
C:\Windows\rBcOd\awtqnk.exe	xmrig
C:\Windows\rBcOd\awtqnk.exe	xmrig
behavioral2/memory/2012-190-0x0000000000400000-0x0000000002054000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

84.exesysteinfo.exesysteinfo.exesysteinfo.exeCPUInfo.exe84.exelas.exeawtqnk.exe65.exe

pid process

4688 84.exe
4664 systeinfo.exe
4384 systeinfo.exe
2220 systeinfo.exe
408 CPUInfo.exe
4712 84.exe
2012 las.exe
1300 awtqnk.exe
1612 65.exe
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
4688	84.exe
4664	systeinfo.exe
4384	systeinfo.exe
2220	systeinfo.exe
408	CPUInfo.exe
4712	84.exe
2012	las.exe
1300	awtqnk.exe
1612	65.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1612-212-0x0000000010000000-0x000000001017D000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CPUInfo.exeawtqnk.exe84.exea4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	CPUInfo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	awtqnk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	84.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe

Drops file in System32 directory 8 IoCs

Processes:

svchost.exesysteinfo.exe84.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{66DF9D4D-5422-49A6-B399-109A13E0DCA6}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3886B73A-4DBF-46B1-8C37-DB5A25F7325F}.catalogItem	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	systeinfo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	systeinfo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	systeinfo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	systeinfo.exe
File created	C:\Windows\SysWOW64\systeinfo.exe	84.exe
File opened for modification	C:\Windows\SysWOW64\systeinfo.exe	84.exe

Drops file in Program Files directory 2 IoCs

Processes:

65.exe

description ioc process

File created C:\Program Files\AppPatch\mysqld.dll 65.exe
File opened for modification C:\Program Files\AppPatch\mysqld.dll 65.exe

description	ioc	process
File created	C:\Program Files\AppPatch\mysqld.dll	65.exe
File opened for modification	C:\Program Files\AppPatch\mysqld.dll	65.exe

Drops file in Windows directory 13 IoCs

Processes:

CPUInfo.exelas.exea4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exeawtqnk.exe

description	ioc	process
File created	C:\Windows\IIS\iis.reg	CPUInfo.exe
File created	C:\Windows\IME\tps.exe	las.exe
File created	C:\Windows\boy.exe	las.exe
File created	C:\Windows\SB360.BAT	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
File created	C:\Windows\SB3600.BAT	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
File created	C:\Windows\end.bat	awtqnk.exe
File opened for modification	C:\Windows\end.bat	awtqnk.exe
File created	C:\Windows\IIS\CPUInfo.exe	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
File created	C:\Windows\IIS\srvany.exe	CPUInfo.exe
File created	C:\Windows\IIS\1.BAT	CPUInfo.exe
File created	C:\Windows\rBcOd\tscl.html	las.exe
File created	C:\Windows\rBcOd\awtqnk.exe	las.exe
File opened for modification	C:\Windows\SB360.BAT	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

176 4664 WerFault.exe systeinfo.exe
4216 4664 WerFault.exe systeinfo.exe

pid	pid_target	process	target process
176	4664	WerFault.exe	systeinfo.exe
4216	4664	WerFault.exe	systeinfo.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

systeinfo.exesysteinfo.exesysteinfo.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	systeinfo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	systeinfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	systeinfo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	systeinfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	systeinfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	systeinfo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	systeinfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	systeinfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	systeinfo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	systeinfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	systeinfo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	systeinfo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	systeinfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	systeinfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	systeinfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	systeinfo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	systeinfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	systeinfo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	systeinfo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	systeinfo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	systeinfo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	systeinfo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	systeinfo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	systeinfo.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

4324 regedit.exe

pid	process
4324	regedit.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exeCPUInfo.exe

pid	process
4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
408	CPUInfo.exe
408	CPUInfo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

84.exe

description pid process

Token: SeIncBasePriorityPrivilege 4688 84.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4688	84.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exeCPUInfo.exelas.exeawtqnk.exe

pid	process
4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
408	CPUInfo.exe
408	CPUInfo.exe
2012	las.exe
2012	las.exe
1300	awtqnk.exe
1300	awtqnk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exesysteinfo.exe84.exeCPUInfo.execmd.exelas.execmd.execmd.exeawtqnk.execmd.execmd.exe

description	pid	process	target process
PID 4468 wrote to memory of 4688	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	84.exe
PID 4468 wrote to memory of 4688	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	84.exe
PID 4468 wrote to memory of 4688	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	84.exe
PID 4664 wrote to memory of 4384	4664	systeinfo.exe	systeinfo.exe
PID 4664 wrote to memory of 4384	4664	systeinfo.exe	systeinfo.exe
PID 4664 wrote to memory of 4384	4664	systeinfo.exe	systeinfo.exe
PID 4664 wrote to memory of 2220	4664	systeinfo.exe	systeinfo.exe
PID 4664 wrote to memory of 2220	4664	systeinfo.exe	systeinfo.exe
PID 4664 wrote to memory of 2220	4664	systeinfo.exe	systeinfo.exe
PID 4688 wrote to memory of 208	4688	84.exe	cmd.exe
PID 4688 wrote to memory of 208	4688	84.exe	cmd.exe
PID 4688 wrote to memory of 208	4688	84.exe	cmd.exe
PID 4664 wrote to memory of 176	4664	systeinfo.exe	WerFault.exe
PID 4664 wrote to memory of 176	4664	systeinfo.exe	WerFault.exe
PID 4664 wrote to memory of 176	4664	systeinfo.exe	WerFault.exe
PID 4468 wrote to memory of 408	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	CPUInfo.exe
PID 4468 wrote to memory of 408	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	CPUInfo.exe
PID 4468 wrote to memory of 408	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	CPUInfo.exe
PID 408 wrote to memory of 2712	408	CPUInfo.exe	cmd.exe
PID 408 wrote to memory of 2712	408	CPUInfo.exe	cmd.exe
PID 408 wrote to memory of 2712	408	CPUInfo.exe	cmd.exe
PID 2712 wrote to memory of 4324	2712	cmd.exe	regedit.exe
PID 2712 wrote to memory of 4324	2712	cmd.exe	regedit.exe
PID 2712 wrote to memory of 4324	2712	cmd.exe	regedit.exe
PID 4468 wrote to memory of 4712	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	84.exe
PID 4468 wrote to memory of 4712	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	84.exe
PID 4468 wrote to memory of 4712	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	84.exe
PID 4468 wrote to memory of 2012	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	las.exe
PID 4468 wrote to memory of 2012	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	las.exe
PID 4468 wrote to memory of 2012	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	las.exe
PID 2012 wrote to memory of 1300	2012	las.exe	awtqnk.exe
PID 2012 wrote to memory of 1300	2012	las.exe	awtqnk.exe
PID 2012 wrote to memory of 1300	2012	las.exe	awtqnk.exe
PID 4468 wrote to memory of 3608	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	cmd.exe
PID 4468 wrote to memory of 3608	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	cmd.exe
PID 4468 wrote to memory of 3608	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	cmd.exe
PID 4468 wrote to memory of 2016	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	cmd.exe
PID 4468 wrote to memory of 2016	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	cmd.exe
PID 4468 wrote to memory of 2016	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	cmd.exe
PID 4468 wrote to memory of 1084	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	cmd.exe
PID 4468 wrote to memory of 1084	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	cmd.exe
PID 4468 wrote to memory of 1084	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	cmd.exe
PID 3608 wrote to memory of 2312	3608	cmd.exe	netsh.exe
PID 3608 wrote to memory of 2312	3608	cmd.exe	netsh.exe
PID 3608 wrote to memory of 2312	3608	cmd.exe	netsh.exe
PID 2016 wrote to memory of 3316	2016	cmd.exe	netsh.exe
PID 2016 wrote to memory of 3316	2016	cmd.exe	netsh.exe
PID 2016 wrote to memory of 3316	2016	cmd.exe	netsh.exe
PID 2012 wrote to memory of 1568	2012	las.exe	cmd.exe
PID 2012 wrote to memory of 1568	2012	las.exe	cmd.exe
PID 2012 wrote to memory of 1568	2012	las.exe	cmd.exe
PID 1300 wrote to memory of 3188	1300	awtqnk.exe	cmd.exe
PID 1300 wrote to memory of 3188	1300	awtqnk.exe	cmd.exe
PID 1300 wrote to memory of 3188	1300	awtqnk.exe	cmd.exe
PID 1084 wrote to memory of 2996	1084	cmd.exe	netsh.exe
PID 1084 wrote to memory of 2996	1084	cmd.exe	netsh.exe
PID 1084 wrote to memory of 2996	1084	cmd.exe	netsh.exe
PID 3188 wrote to memory of 4972	3188	cmd.exe	netsh.exe
PID 3188 wrote to memory of 4972	3188	cmd.exe	netsh.exe
PID 3188 wrote to memory of 4972	3188	cmd.exe	netsh.exe
PID 4468 wrote to memory of 1612	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	65.exe
PID 4468 wrote to memory of 1612	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	65.exe
PID 4468 wrote to memory of 1612	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	65.exe
PID 4468 wrote to memory of 1156	4468	a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe
"C:\Users\Admin\AppData\Local\Temp\a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468

C:\Users\Admin\AppData\Local\Temp\84.exe
C:\Users\Admin\AppData\Local\Temp\84.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\84.exe > nul
3⤵
PID:208

C:\Windows\IIS\CPUInfo.exe
"C:\Windows\IIS\CPUInfo.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\IIS\1.BAT" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\regedit.exe
regedit.exe /s iis.reg
4⤵
- Runs .reg file with regedit
PID:4324

C:\Users\Admin\AppData\Local\Temp\84.exe
C:\Users\Admin\AppData\Local\Temp\84.exe
2⤵
- Executes dropped EXE
PID:4712

C:\Users\Admin\AppData\Local\Temp\las.exe
C:\Users\Admin\AppData\Local\Temp\las.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\rBcOd\awtqnk.exe
C:\Windows\rBcOd\awtqnk.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
5⤵
PID:4972

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
5⤵
PID:3324

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
5⤵
PID:1172

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
5⤵
PID:4360

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
5⤵
PID:1824

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
5⤵
PID:4788

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
5⤵
PID:2424

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
5⤵
PID:220

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
5⤵
PID:1704

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
5⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
4⤵
PID:1476

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
5⤵
PID:4068

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
5⤵
PID:4224

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
5⤵
PID:4544

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
5⤵
PID:3068

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
5⤵
PID:428

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
5⤵
PID:1400

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
5⤵
PID:1644

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
5⤵
PID:1184

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
5⤵
PID:1672

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
5⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
4⤵
PID:5068

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
5⤵
PID:728

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
5⤵
PID:3004

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
5⤵
PID:3328

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
5⤵
PID:3560

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
5⤵
PID:3984

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
5⤵
PID:1512

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
5⤵
PID:1044

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
5⤵
PID:3216

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
5⤵
PID:3936

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
5⤵
PID:4580

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\las.exe"
3⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\SB360.BAT" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=░▓╚½▓▀┬╘20170621
3⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\SB360.BAT" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=░▓╚½▓▀┬╘20170621
3⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\SB3600.BAT" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=qianye
3⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\65.exe
C:\Users\Admin\AppData\Local\Temp\65.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\a4a6f36b13b24e595d97d22205acadad91bda33e1ad608fb914a59b4b9c13ef2.exe"
2⤵
PID:1156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:2052

C:\Windows\SysWOW64\systeinfo.exe
C:\Windows\SysWOW64\systeinfo.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\SysWOW64\systeinfo.exe
C:\Windows\SysWOW64\systeinfo.exe Win7
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4384

C:\Windows\SysWOW64\systeinfo.exe
C:\Windows\SysWOW64\systeinfo.exe Win7
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1064
2⤵
- Program crash
PID:176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1064
2⤵
- Program crash
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4664 -ip 4664
1⤵
PID:4940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\65.exe
Filesize
9KB

MD5
53259b9b3f5be124adec635b0b39019d

SHA1
6cf7e65329ac6da629c06810b7d1151aab3de8c3

SHA256
9eab2dabb750bec290bfeb7fc544ec6e00e50a0553402233508e12898b7e3180

SHA512
2a8ce2cc3e23da9b97e2f7878ab3307841cbb0229032d9b2212987aa7882fc89cc6b44ed03ac1fb5d2fb3282940de4c7c23ea50bab35eb616488283c5fa8dfbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\65.exe
Filesize
9KB

MD5
53259b9b3f5be124adec635b0b39019d

SHA1
6cf7e65329ac6da629c06810b7d1151aab3de8c3

SHA256
9eab2dabb750bec290bfeb7fc544ec6e00e50a0553402233508e12898b7e3180

SHA512
2a8ce2cc3e23da9b97e2f7878ab3307841cbb0229032d9b2212987aa7882fc89cc6b44ed03ac1fb5d2fb3282940de4c7c23ea50bab35eb616488283c5fa8dfbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\84.exe
Filesize
180KB

MD5
5ee6b001a1cc627f56b239fb33a9bb14

SHA1
5d960e316da7321802ee43d5138c15bb651eedbf

SHA256
d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66

SHA512
03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\84.exe
Filesize
180KB

MD5
5ee6b001a1cc627f56b239fb33a9bb14

SHA1
5d960e316da7321802ee43d5138c15bb651eedbf

SHA256
d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66

SHA512
03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\84.exe
Filesize
180KB

MD5
5ee6b001a1cc627f56b239fb33a9bb14

SHA1
5d960e316da7321802ee43d5138c15bb651eedbf

SHA256
d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66

SHA512
03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\las.exe
Filesize
28.1MB

MD5
f9b2e96e5044fdaa7d923d516f6206e8

SHA1
936f9c88a574fede2fd37e54189e4b69c1215163

SHA256
b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a

SHA512
c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\las.exe
Filesize
28.1MB

MD5
f9b2e96e5044fdaa7d923d516f6206e8

SHA1
936f9c88a574fede2fd37e54189e4b69c1215163

SHA256
b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a

SHA512
c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1

Download Submit
C:\Windows\IIS\1.BAT
Filesize
32B

MD5
2450c0476e1be691164e992f796c1c13

SHA1
3fe9da9ae94dab5fe732023e24c509d7471605cf

SHA256
653596cb1f474fc012624a04f6504f2f01fb4aacf1f121e653b20cf262b28164

SHA512
f23ac0f0a11b6861f0927d01d5e42261f552a975140c9c061f1da338f013475164089b9777b083d6718f0fab268a63469d5875ed7f7c9c329b22de2ebb268997

Download Submit
C:\Windows\IIS\CPUInfo.exe
Filesize
13.7MB

MD5
25db93b9c70a81bd8ab39dada7ea9691

SHA1
b3d3eccc28c99631e85db8214f750b853773b8c3

SHA256
f29842a6956eabe0989657309fe3ccc27e30f297a45fa8dd6ac04f74c4e1d8be

SHA512
6d7ac5943e214ee1120f4a7a0f5c95a9e624e9b04afd7411c52ddc73fab75f048ed74ece1f58d6ab24ef440c64df037a8d09638995a6911df1d1a0c66ceb4d6b

Download Submit
C:\Windows\IIS\CPUInfo.exe
Filesize
13.7MB

MD5
25db93b9c70a81bd8ab39dada7ea9691

SHA1
b3d3eccc28c99631e85db8214f750b853773b8c3

SHA256
f29842a6956eabe0989657309fe3ccc27e30f297a45fa8dd6ac04f74c4e1d8be

SHA512
6d7ac5943e214ee1120f4a7a0f5c95a9e624e9b04afd7411c52ddc73fab75f048ed74ece1f58d6ab24ef440c64df037a8d09638995a6911df1d1a0c66ceb4d6b

Download Submit
C:\Windows\IIS\iis.reg
Filesize
1KB

MD5
77226e89c32d86ac341cdce4884b03a1

SHA1
bc78bef2aaa2a4699a85d78c9a76304a812885ab

SHA256
1fee5453d046a348fe795039210519ff94846bab0980e583b32255726d035607

SHA512
e9e380b22b3cfff23c778ad106071c8420f8aca6634ce1e5ea9973ec42a66f188bb6dd5b3404d3baccf84a738464bcfe9318441c516dd60453fed02ae398b286

Download Submit
C:\Windows\SB360.BAT
Filesize
1KB

MD5
f02639a78f77c2ed3cc63f8fe7c682c6

SHA1
d9869ab965a112d5a04a4e4bc388990f7a9ad008

SHA256
d75ed958202259cb627ab2b3b31d4e02c7246018eff2df0e6f0d62f397a9224b

SHA512
9a7d473f30275745bac6ec60e6780d0b2f9d895f009713613e8d024e25224243f6d244ffbb1c2fa42d2d9b3593e451a45c48e33bfdcff3ca1b33c324a0ec8c58

Download Submit
C:\Windows\SB3600.BAT
Filesize
1KB

MD5
c3e7708b9cc0a4477c87056814839075

SHA1
4f2aefbf6e4336e35bb0ddc26e6c4fe743622fbb

SHA256
dd0609f6b28782689eca7df267a5065a2fa1953b4f458dc9f10305bdb339aa81

SHA512
7d68f1401eacf83a80443aeeb5fca7c982ee92b6d2165fdc77ebb5cfc6fe506f8458181fb0e48f1294fdcb61b9bd612c184b98fdb3b21e22e78ed28514543742

Download Submit
C:\Windows\SysWOW64\systeinfo.exe
Filesize
180KB

MD5
5ee6b001a1cc627f56b239fb33a9bb14

SHA1
5d960e316da7321802ee43d5138c15bb651eedbf

SHA256
d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66

SHA512
03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a

Download Submit
C:\Windows\SysWOW64\systeinfo.exe
Filesize
180KB

MD5
5ee6b001a1cc627f56b239fb33a9bb14

SHA1
5d960e316da7321802ee43d5138c15bb651eedbf

SHA256
d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66

SHA512
03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a

Download Submit
C:\Windows\SysWOW64\systeinfo.exe
Filesize
180KB

MD5
5ee6b001a1cc627f56b239fb33a9bb14

SHA1
5d960e316da7321802ee43d5138c15bb651eedbf

SHA256
d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66

SHA512
03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a

Download Submit
C:\Windows\SysWOW64\systeinfo.exe
Filesize
180KB

MD5
5ee6b001a1cc627f56b239fb33a9bb14

SHA1
5d960e316da7321802ee43d5138c15bb651eedbf

SHA256
d214e4ca9d19d90b15ccccc03b54eef032f38abc9c7e3e85a14b39c5f3673e66

SHA512
03a95c30b9e52484a6759ca8ab32cc6f04c1b140fb027e560f47f6949110ad417cdccd103fefd227801d0b6cc43042c78351c8b9221c100cff78d4d8486b7d1a

Download Submit
C:\Windows\end.bat
Filesize
1KB

MD5
c017d5f762ae5d67efb7d099b53cca58

SHA1
ab7f8553de7614251d76ce54aaee52f1a35e7ae6

SHA256
d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b

SHA512
856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78

Download Submit
C:\Windows\end.bat
Filesize
1KB

MD5
c017d5f762ae5d67efb7d099b53cca58

SHA1
ab7f8553de7614251d76ce54aaee52f1a35e7ae6

SHA256
d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b

SHA512
856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78

Download Submit
C:\Windows\rBcOd\awtqnk.exe
Filesize
28.1MB

MD5
f9b2e96e5044fdaa7d923d516f6206e8

SHA1
936f9c88a574fede2fd37e54189e4b69c1215163

SHA256
b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a

SHA512
c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1

Download Submit
C:\Windows\rBcOd\awtqnk.exe
Filesize
28.1MB

MD5
f9b2e96e5044fdaa7d923d516f6206e8

SHA1
936f9c88a574fede2fd37e54189e4b69c1215163

SHA256
b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a

SHA512
c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1

Download Submit
memory/176-155-0x0000000000000000-mapping.dmp

Download
memory/208-156-0x0000000000000000-mapping.dmp

Download
memory/220-224-0x0000000000000000-mapping.dmp

Download
memory/408-158-0x0000000000000000-mapping.dmp

Download
memory/428-210-0x0000000000000000-mapping.dmp

Download
memory/728-197-0x0000000000000000-mapping.dmp

Download
memory/1044-216-0x0000000000000000-mapping.dmp

Download
memory/1084-179-0x0000000000000000-mapping.dmp

Download
memory/1156-193-0x0000000000000000-mapping.dmp

Download
memory/1172-204-0x0000000000000000-mapping.dmp

Download
memory/1184-222-0x0000000000000000-mapping.dmp

Download
memory/1300-174-0x0000000000000000-mapping.dmp

Download
memory/1384-227-0x0000000000000000-mapping.dmp

Download
memory/1400-217-0x0000000000000000-mapping.dmp

Download
memory/1476-194-0x0000000000000000-mapping.dmp

Download
memory/1512-211-0x0000000000000000-mapping.dmp

Download
memory/1568-184-0x0000000000000000-mapping.dmp

Download
memory/1612-212-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/1612-189-0x0000000000000000-mapping.dmp

Download
memory/1644-219-0x0000000000000000-mapping.dmp

Download
memory/1672-226-0x0000000000000000-mapping.dmp

Download
memory/1704-225-0x0000000000000000-mapping.dmp

Download
memory/1824-209-0x0000000000000000-mapping.dmp

Download
memory/2012-171-0x0000000000000000-mapping.dmp

Download
memory/2012-190-0x0000000000400000-0x0000000002054000-memory.dmp

Filesize
28.3MB

Download
memory/2016-178-0x0000000000000000-mapping.dmp

Download
memory/2220-145-0x0000000000000000-mapping.dmp

Download
memory/2312-181-0x0000000000000000-mapping.dmp

Download
memory/2424-221-0x0000000000000000-mapping.dmp

Download
memory/2712-161-0x0000000000000000-mapping.dmp

Download
memory/2996-186-0x0000000000000000-mapping.dmp

Download
memory/3004-199-0x0000000000000000-mapping.dmp

Download
memory/3068-206-0x0000000000000000-mapping.dmp

Download
memory/3084-228-0x0000000000000000-mapping.dmp

Download
memory/3188-185-0x0000000000000000-mapping.dmp

Download
memory/3216-218-0x0000000000000000-mapping.dmp

Download
memory/3316-183-0x0000000000000000-mapping.dmp

Download
memory/3324-201-0x0000000000000000-mapping.dmp

Download
memory/3328-203-0x0000000000000000-mapping.dmp

Download
memory/3560-205-0x0000000000000000-mapping.dmp

Download
memory/3608-177-0x0000000000000000-mapping.dmp

Download
memory/3936-220-0x0000000000000000-mapping.dmp

Download
memory/3984-208-0x0000000000000000-mapping.dmp

Download
memory/4068-198-0x0000000000000000-mapping.dmp

Download
memory/4224-200-0x0000000000000000-mapping.dmp

Download
memory/4324-163-0x0000000000000000-mapping.dmp

Download
memory/4360-207-0x0000000000000000-mapping.dmp

Download
memory/4384-143-0x0000000000000000-mapping.dmp

Download
memory/4468-157-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4544-202-0x0000000000000000-mapping.dmp

Download
memory/4580-223-0x0000000000000000-mapping.dmp

Download
memory/4664-139-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/4688-133-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/4688-130-0x0000000000000000-mapping.dmp

Download
memory/4712-165-0x0000000000000000-mapping.dmp

Download
memory/4788-215-0x0000000000000000-mapping.dmp

Download
memory/4972-188-0x0000000000000000-mapping.dmp

Download
memory/5068-195-0x0000000000000000-mapping.dmp

Download