formbook | 3e497c13b9cc59ad2610a98d6ea189dd0600db5c9f799ed7eefbeba4fb4f2cf0

Analysis

max time kernel
301s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
02-06-2022 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e497c13b9cc59ad2610a98d6ea189dd0600db5c9f799ed7eefbeba4fb4f2cf0.exe
Size

1.2MB
MD5

bd13211d0cc71fb85df707023739a779
SHA1

af9a0b01f412c41a6412b0f73f80569b6049bd01
SHA256

3e497c13b9cc59ad2610a98d6ea189dd0600db5c9f799ed7eefbeba4fb4f2cf0
SHA512

44ad3c21462b7578b410bdd85dd05d0b5feafbbc94b76a5c6dbe04c0a2d174673f64cecb5df1d693274aff281f780d61206aa6bdd007e07f6a467367620da3da

Score

10^/10

formbook modiloader xloader n7ak uj3c loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

modischoolcbse.com

theneverwinter.com

rszkjx-vps-hosting.website

fnihil.com

1pbet.com

nnowzscorrez.com

uaotgvjl.icu

starmapsqatar.com

ekisilani.com

extradeepsheets.com

jam-nins.com

buranly.com

orixentertainment.com

rawtech.energy

myol.guru

utex.club

jiapie.com

wowig.store

wweidlyyl.com

systaskautomation.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata

Formbook Payload 12 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1740-249-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/1740-270-0x0000000010410000-0x000000001043E000-memory.dmp	formbook
behavioral2/memory/1456-278-0x0000000000A20000-0x0000000000A4E000-memory.dmp	formbook
behavioral2/memory/1456-281-0x0000000000A20000-0x0000000000A4E000-memory.dmp	formbook
behavioral2/memory/4268-327-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/4268-347-0x0000000010410000-0x000000001043E000-memory.dmp	formbook
behavioral2/memory/4268-356-0x0000000010410000-0x000000001043E000-memory.dmp	formbook
behavioral2/memory/5112-358-0x0000000000BB0000-0x0000000000BDE000-memory.dmp	formbook
behavioral2/memory/1212-401-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/1212-422-0x0000000010410000-0x000000001043E000-memory.dmp	formbook
behavioral2/memory/1188-428-0x0000000000430000-0x000000000045E000-memory.dmp	formbook
behavioral2/memory/1188-430-0x0000000000430000-0x000000000045E000-memory.dmp	formbook

ModiLoader Second Stage 56 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4732-140-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-141-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-142-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-143-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-145-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-146-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-147-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-144-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-148-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-150-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-149-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-151-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-152-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-154-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-153-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-155-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-156-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-157-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-159-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-158-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-161-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-160-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-162-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-164-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-163-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-165-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-170-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-171-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-169-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-172-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-173-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-180-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-181-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-183-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-182-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-184-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-185-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-186-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/4732-187-0x0000000003CE0000-0x0000000003D32000-memory.dmp	modiloader_stage2
behavioral2/memory/620-221-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2
behavioral2/memory/620-222-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2
behavioral2/memory/620-224-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2
behavioral2/memory/620-223-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2
behavioral2/memory/620-226-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2
behavioral2/memory/620-227-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2
behavioral2/memory/620-228-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2
behavioral2/memory/620-225-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2
behavioral2/memory/620-229-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2
behavioral2/memory/620-230-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2
behavioral2/memory/620-231-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2
behavioral2/memory/620-232-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2
behavioral2/memory/620-234-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2
behavioral2/memory/620-233-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2
behavioral2/memory/620-235-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2
behavioral2/memory/620-236-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2
behavioral2/memory/620-237-0x0000000003980000-0x00000000039D4000-memory.dmp	modiloader_stage2

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4732-167-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral2/memory/4204-168-0x0000000000000000-mapping.dmp	xloader
behavioral2/memory/4204-193-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral2/memory/5100-197-0x0000000000370000-0x000000000039B000-memory.dmp	xloader
behavioral2/memory/5100-200-0x0000000000370000-0x000000000039B000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PHXDZ4FPZD = "C:\\Program Files (x86)\\Lmzzdo\\chkdskwzfhrp.exe"	netsh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	netsh.exe

Executes dropped EXE 4 IoCs

Processes:

ite4a.exechkdskwzfhrp.exe4hkd1nm.exelh9l_rkp.exe

pid process

620 ite4a.exe
3596 chkdskwzfhrp.exe
4540 4hkd1nm.exe
1884 lh9l_rkp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
620	ite4a.exe
3596	chkdskwzfhrp.exe
4540	4hkd1nm.exe
1884	lh9l_rkp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3e497c13b9cc59ad2610a98d6ea189dd0600db5c9f799ed7eefbeba4fb4f2cf0.exeite4a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nyzzgfzrql = "C:\\Users\\Public\\Libraries\\lqrzfgzzyN.url"	3e497c13b9cc59ad2610a98d6ea189dd0600db5c9f799ed7eefbeba4fb4f2cf0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eqljxmfgkm = "C:\\Users\\Public\\Libraries\\mkgfmxjlqE.url"	ite4a.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

logagent.exenetsh.exelogagent.exenetsh.exelogagent.exelogagent.exe

description	pid	process	target process
PID 4204 set thread context of 2928	4204	logagent.exe	Explorer.EXE
PID 5100 set thread context of 2928	5100	netsh.exe	Explorer.EXE
PID 1740 set thread context of 2928	1740	logagent.exe	Explorer.EXE
PID 1456 set thread context of 2928	1456	netsh.exe	Explorer.EXE
PID 4268 set thread context of 2928	4268	logagent.exe	Explorer.EXE
PID 4268 set thread context of 2928	4268	logagent.exe	Explorer.EXE
PID 1212 set thread context of 2928	1212	logagent.exe	Explorer.EXE

Drops file in Program Files directory 4 IoCs

Processes:

Explorer.EXEnetsh.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Lmzzdo	Explorer.EXE
File created	C:\Program Files (x86)\Lmzzdo\chkdskwzfhrp.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Lmzzdo\chkdskwzfhrp.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Lmzzdo\chkdskwzfhrp.exe	netsh.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

logagent.exenetsh.exelogagent.exenetsh.exe

pid	process
4204	logagent.exe
4204	logagent.exe
4204	logagent.exe
4204	logagent.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
1740	logagent.exe
1740	logagent.exe
1740	logagent.exe
1740	logagent.exe
5100	netsh.exe
5100	netsh.exe
1456	netsh.exe
1456	netsh.exe
1456	netsh.exe
1456	netsh.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
1456	netsh.exe
1456	netsh.exe
5100	netsh.exe
5100	netsh.exe
1456	netsh.exe
1456	netsh.exe
5100	netsh.exe
5100	netsh.exe
1456	netsh.exe
1456	netsh.exe
5100	netsh.exe
5100	netsh.exe
1456	netsh.exe
1456	netsh.exe
5100	netsh.exe
5100	netsh.exe
1456	netsh.exe
1456	netsh.exe
5100	netsh.exe
5100	netsh.exe
1456	netsh.exe
1456	netsh.exe
5100	netsh.exe
5100	netsh.exe
1456	netsh.exe
1456	netsh.exe
5100	netsh.exe
5100	netsh.exe
1456	netsh.exe
1456	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2928 Explorer.EXE

pid	process
2928	Explorer.EXE

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

logagent.exenetsh.exelogagent.exenetsh.exelogagent.exelogagent.exe

pid	process
4204	logagent.exe
4204	logagent.exe
4204	logagent.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
5100	netsh.exe
1740	logagent.exe
1740	logagent.exe
1740	logagent.exe
1456	netsh.exe
1456	netsh.exe
4268	logagent.exe
4268	logagent.exe
4268	logagent.exe
4268	logagent.exe
1212	logagent.exe
1212	logagent.exe
1212	logagent.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

logagent.exenetsh.exeExplorer.EXElogagent.exenetsh.exelogagent.exeWWAHost.exelogagent.execscript.exe

description	pid	process
Token: SeDebugPrivilege	4204	logagent.exe
Token: SeDebugPrivilege	5100	netsh.exe
Token: SeShutdownPrivilege	2928	Explorer.EXE
Token: SeCreatePagefilePrivilege	2928	Explorer.EXE
Token: SeDebugPrivilege	1740	logagent.exe
Token: SeDebugPrivilege	1456	netsh.exe
Token: SeShutdownPrivilege	2928	Explorer.EXE
Token: SeCreatePagefilePrivilege	2928	Explorer.EXE
Token: SeDebugPrivilege	4268	logagent.exe
Token: SeDebugPrivilege	5112	WWAHost.exe
Token: SeShutdownPrivilege	2928	Explorer.EXE
Token: SeCreatePagefilePrivilege	2928	Explorer.EXE
Token: SeShutdownPrivilege	2928	Explorer.EXE
Token: SeCreatePagefilePrivilege	2928	Explorer.EXE
Token: SeDebugPrivilege	1212	logagent.exe
Token: SeDebugPrivilege	1188	cscript.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

3e497c13b9cc59ad2610a98d6ea189dd0600db5c9f799ed7eefbeba4fb4f2cf0.exeExplorer.EXEnetsh.exeite4a.exenetsh.exe4hkd1nm.exelh9l_rkp.exe

description	pid	process	target process
PID 4732 wrote to memory of 4204	4732	3e497c13b9cc59ad2610a98d6ea189dd0600db5c9f799ed7eefbeba4fb4f2cf0.exe	logagent.exe
PID 4732 wrote to memory of 4204	4732	3e497c13b9cc59ad2610a98d6ea189dd0600db5c9f799ed7eefbeba4fb4f2cf0.exe	logagent.exe
PID 4732 wrote to memory of 4204	4732	3e497c13b9cc59ad2610a98d6ea189dd0600db5c9f799ed7eefbeba4fb4f2cf0.exe	logagent.exe
PID 4732 wrote to memory of 4204	4732	3e497c13b9cc59ad2610a98d6ea189dd0600db5c9f799ed7eefbeba4fb4f2cf0.exe	logagent.exe
PID 4732 wrote to memory of 4204	4732	3e497c13b9cc59ad2610a98d6ea189dd0600db5c9f799ed7eefbeba4fb4f2cf0.exe	logagent.exe
PID 4732 wrote to memory of 4204	4732	3e497c13b9cc59ad2610a98d6ea189dd0600db5c9f799ed7eefbeba4fb4f2cf0.exe	logagent.exe
PID 2928 wrote to memory of 5100	2928	Explorer.EXE	netsh.exe
PID 2928 wrote to memory of 5100	2928	Explorer.EXE	netsh.exe
PID 2928 wrote to memory of 5100	2928	Explorer.EXE	netsh.exe
PID 5100 wrote to memory of 2168	5100	netsh.exe	cmd.exe
PID 5100 wrote to memory of 2168	5100	netsh.exe	cmd.exe
PID 5100 wrote to memory of 2168	5100	netsh.exe	cmd.exe
PID 5100 wrote to memory of 5044	5100	netsh.exe	cmd.exe
PID 5100 wrote to memory of 5044	5100	netsh.exe	cmd.exe
PID 5100 wrote to memory of 5044	5100	netsh.exe	cmd.exe
PID 5100 wrote to memory of 3396	5100	netsh.exe	cmd.exe
PID 5100 wrote to memory of 3396	5100	netsh.exe	cmd.exe
PID 5100 wrote to memory of 3396	5100	netsh.exe	cmd.exe
PID 5100 wrote to memory of 1748	5100	netsh.exe	Firefox.exe
PID 5100 wrote to memory of 1748	5100	netsh.exe	Firefox.exe
PID 5100 wrote to memory of 1748	5100	netsh.exe	Firefox.exe
PID 5100 wrote to memory of 620	5100	netsh.exe	ite4a.exe
PID 5100 wrote to memory of 620	5100	netsh.exe	ite4a.exe
PID 5100 wrote to memory of 620	5100	netsh.exe	ite4a.exe
PID 620 wrote to memory of 1740	620	ite4a.exe	logagent.exe
PID 620 wrote to memory of 1740	620	ite4a.exe	logagent.exe
PID 620 wrote to memory of 1740	620	ite4a.exe	logagent.exe
PID 620 wrote to memory of 1740	620	ite4a.exe	logagent.exe
PID 620 wrote to memory of 1740	620	ite4a.exe	logagent.exe
PID 620 wrote to memory of 1740	620	ite4a.exe	logagent.exe
PID 2928 wrote to memory of 1456	2928	Explorer.EXE	netsh.exe
PID 2928 wrote to memory of 1456	2928	Explorer.EXE	netsh.exe
PID 2928 wrote to memory of 1456	2928	Explorer.EXE	netsh.exe
PID 1456 wrote to memory of 4928	1456	netsh.exe	cmd.exe
PID 1456 wrote to memory of 4928	1456	netsh.exe	cmd.exe
PID 1456 wrote to memory of 4928	1456	netsh.exe	cmd.exe
PID 2928 wrote to memory of 3596	2928	Explorer.EXE	chkdskwzfhrp.exe
PID 2928 wrote to memory of 3596	2928	Explorer.EXE	chkdskwzfhrp.exe
PID 2928 wrote to memory of 3596	2928	Explorer.EXE	chkdskwzfhrp.exe
PID 5100 wrote to memory of 4540	5100	netsh.exe	4hkd1nm.exe
PID 5100 wrote to memory of 4540	5100	netsh.exe	4hkd1nm.exe
PID 5100 wrote to memory of 4540	5100	netsh.exe	4hkd1nm.exe
PID 4540 wrote to memory of 4268	4540	4hkd1nm.exe	logagent.exe
PID 4540 wrote to memory of 4268	4540	4hkd1nm.exe	logagent.exe
PID 4540 wrote to memory of 4268	4540	4hkd1nm.exe	logagent.exe
PID 4540 wrote to memory of 4268	4540	4hkd1nm.exe	logagent.exe
PID 4540 wrote to memory of 4268	4540	4hkd1nm.exe	logagent.exe
PID 4540 wrote to memory of 4268	4540	4hkd1nm.exe	logagent.exe
PID 2928 wrote to memory of 5112	2928	Explorer.EXE	WWAHost.exe
PID 2928 wrote to memory of 5112	2928	Explorer.EXE	WWAHost.exe
PID 2928 wrote to memory of 5112	2928	Explorer.EXE	WWAHost.exe
PID 5100 wrote to memory of 1884	5100	netsh.exe	lh9l_rkp.exe
PID 5100 wrote to memory of 1884	5100	netsh.exe	lh9l_rkp.exe
PID 5100 wrote to memory of 1884	5100	netsh.exe	lh9l_rkp.exe
PID 1884 wrote to memory of 1212	1884	lh9l_rkp.exe	logagent.exe
PID 1884 wrote to memory of 1212	1884	lh9l_rkp.exe	logagent.exe
PID 1884 wrote to memory of 1212	1884	lh9l_rkp.exe	logagent.exe
PID 1884 wrote to memory of 1212	1884	lh9l_rkp.exe	logagent.exe
PID 1884 wrote to memory of 1212	1884	lh9l_rkp.exe	logagent.exe
PID 1884 wrote to memory of 1212	1884	lh9l_rkp.exe	logagent.exe
PID 2928 wrote to memory of 1188	2928	Explorer.EXE	cscript.exe
PID 2928 wrote to memory of 1188	2928	Explorer.EXE	cscript.exe
PID 2928 wrote to memory of 1188	2928	Explorer.EXE	cscript.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Local\Temp\3e497c13b9cc59ad2610a98d6ea189dd0600db5c9f799ed7eefbeba4fb4f2cf0.exe
"C:\Users\Admin\AppData\Local\Temp\3e497c13b9cc59ad2610a98d6ea189dd0600db5c9f799ed7eefbeba4fb4f2cf0.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\logagent.exe"
3⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3396

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\ite4a.exe
"C:\Users\Admin\AppData\Local\Temp\ite4a.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Users\Admin\AppData\Local\Temp\4hkd1nm.exe
"C:\Users\Admin\AppData\Local\Temp\4hkd1nm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Users\Admin\AppData\Local\Temp\lh9l_rkp.exe
"C:\Users\Admin\AppData\Local\Temp\lh9l_rkp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\logagent.exe"
3⤵
PID:4928

C:\Program Files (x86)\Lmzzdo\chkdskwzfhrp.exe
"C:\Program Files (x86)\Lmzzdo\chkdskwzfhrp.exe"
2⤵
- Executes dropped EXE
PID:3596

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:5036

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:5064

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2868

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3556

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Lmzzdo\chkdskwzfhrp.exe
Filesize
86KB

MD5
523a40703dd9e7da957aa92a204cb1c4

SHA1
2a069bff58a87f7d2b405fdf87634fb2ce213b21

SHA256
058e1a4389ae837fafc6a7bdfca2abf33ceb6915410edbc4b2ebca052e4f13a6

SHA512
ca5002ebddb39acd0dbbeb77297ffb719a36bc8288ad6f2732247a28cbf1a6fe7cd238ef126f6b1cca3f259cab55a5c01e3bfcd9bda3d25097233093bdb940bf

Download Submit
C:\Program Files (x86)\Lmzzdo\chkdskwzfhrp.exe
Filesize
86KB

MD5
523a40703dd9e7da957aa92a204cb1c4

SHA1
2a069bff58a87f7d2b405fdf87634fb2ce213b21

SHA256
058e1a4389ae837fafc6a7bdfca2abf33ceb6915410edbc4b2ebca052e4f13a6

SHA512
ca5002ebddb39acd0dbbeb77297ffb719a36bc8288ad6f2732247a28cbf1a6fe7cd238ef126f6b1cca3f259cab55a5c01e3bfcd9bda3d25097233093bdb940bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
1KB

MD5
05acc35d417bf3a08bcd07006ce6e3ef

SHA1
c5299ec3e159ef9ad46385d42d5785478361fd71

SHA256
42e50af3886c9b7ca500d0fad4e929c97b42ef36f8d44b219e8a9ceac3602f97

SHA512
3d7ecf8a1b2184a1fa67a6a21bb924ff3e085fcbd859dfd06bf633bf9d0f27c1c2b98b89aea01a9bc492f5231aa7ec7bd27ecbc7ce40737f0704b807151189c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
446B

MD5
a12ec4f67395d3f24bba92b7c1923c12

SHA1
86795f66daaeaecb3c8fb7e8643f79f5e1d84dc4

SHA256
d7d642ec297db9c3496d08244a93e0ea4b3a856fd815a6df88ca7372f0b036ea

SHA512
535efe511e26d499c273ecfcb55ee44987e561fbeb60cd2cf3418d5ff1d41e93f355595cf6090176dd507670dcff58223fd16ef1ddfbb66347bf56c717feefb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4hkd1nm.exe
Filesize
929KB

MD5
04872b3e742c4d2c1eb2602d6fd80f39

SHA1
7cafc184b3c334dbef530642a3ed7242f1a3f85a

SHA256
702dbed7fdd9d13a29ca6282c907d6544dc08898635e1354cd01f43542f5ccf4

SHA512
f2cece3eefe2d871e78645f2efcf26d8d6141b760b0b2fc6c0d4511290be451c9fed715d87ff7ceb409581276645ad505a831fda50b3de3496026c66ece64778

Download Submit
C:\Users\Admin\AppData\Local\Temp\4hkd1nm.exe
Filesize
929KB

MD5
04872b3e742c4d2c1eb2602d6fd80f39

SHA1
7cafc184b3c334dbef530642a3ed7242f1a3f85a

SHA256
702dbed7fdd9d13a29ca6282c907d6544dc08898635e1354cd01f43542f5ccf4

SHA512
f2cece3eefe2d871e78645f2efcf26d8d6141b760b0b2fc6c0d4511290be451c9fed715d87ff7ceb409581276645ad505a831fda50b3de3496026c66ece64778

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\ite4a.exe
Filesize
929KB

MD5
04872b3e742c4d2c1eb2602d6fd80f39

SHA1
7cafc184b3c334dbef530642a3ed7242f1a3f85a

SHA256
702dbed7fdd9d13a29ca6282c907d6544dc08898635e1354cd01f43542f5ccf4

SHA512
f2cece3eefe2d871e78645f2efcf26d8d6141b760b0b2fc6c0d4511290be451c9fed715d87ff7ceb409581276645ad505a831fda50b3de3496026c66ece64778

Download Submit
C:\Users\Admin\AppData\Local\Temp\ite4a.exe
Filesize
929KB

MD5
04872b3e742c4d2c1eb2602d6fd80f39

SHA1
7cafc184b3c334dbef530642a3ed7242f1a3f85a

SHA256
702dbed7fdd9d13a29ca6282c907d6544dc08898635e1354cd01f43542f5ccf4

SHA512
f2cece3eefe2d871e78645f2efcf26d8d6141b760b0b2fc6c0d4511290be451c9fed715d87ff7ceb409581276645ad505a831fda50b3de3496026c66ece64778

Download Submit
C:\Users\Admin\AppData\Local\Temp\lh9l_rkp.exe
Filesize
929KB

MD5
04872b3e742c4d2c1eb2602d6fd80f39

SHA1
7cafc184b3c334dbef530642a3ed7242f1a3f85a

SHA256
702dbed7fdd9d13a29ca6282c907d6544dc08898635e1354cd01f43542f5ccf4

SHA512
f2cece3eefe2d871e78645f2efcf26d8d6141b760b0b2fc6c0d4511290be451c9fed715d87ff7ceb409581276645ad505a831fda50b3de3496026c66ece64778

Download Submit
C:\Users\Admin\AppData\Local\Temp\lh9l_rkp.exe
Filesize
929KB

MD5
04872b3e742c4d2c1eb2602d6fd80f39

SHA1
7cafc184b3c334dbef530642a3ed7242f1a3f85a

SHA256
702dbed7fdd9d13a29ca6282c907d6544dc08898635e1354cd01f43542f5ccf4

SHA512
f2cece3eefe2d871e78645f2efcf26d8d6141b760b0b2fc6c0d4511290be451c9fed715d87ff7ceb409581276645ad505a831fda50b3de3496026c66ece64778

Download Submit
memory/620-225-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/620-223-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/620-206-0x0000000000000000-mapping.dmp

Download
memory/620-221-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/620-222-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/620-224-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/620-226-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/620-227-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/620-228-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/620-229-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/620-230-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/620-231-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/620-232-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/620-234-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/620-233-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/620-237-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/620-236-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/620-235-0x0000000003980000-0x00000000039D4000-memory.dmp

Filesize
336KB

Download
memory/1188-430-0x0000000000430000-0x000000000045E000-memory.dmp

Filesize
184KB

Download
memory/1188-429-0x0000000002550000-0x000000000289A000-memory.dmp

Filesize
3.3MB

Download
memory/1188-427-0x0000000000040000-0x0000000000067000-memory.dmp

Filesize
156KB

Download
memory/1188-428-0x0000000000430000-0x000000000045E000-memory.dmp

Filesize
184KB

Download
memory/1188-426-0x0000000000000000-mapping.dmp

Download
memory/1212-423-0x0000000003040000-0x000000000338A000-memory.dmp

Filesize
3.3MB

Download
memory/1212-401-0x0000000000000000-mapping.dmp

Download
memory/1212-424-0x0000000002DF0000-0x0000000002E04000-memory.dmp

Filesize
80KB

Download
memory/1212-422-0x0000000010410000-0x000000001043E000-memory.dmp

Filesize
184KB

Download
memory/1456-277-0x00000000016C0000-0x0000000001A0A000-memory.dmp

Filesize
3.3MB

Download
memory/1456-281-0x0000000000A20000-0x0000000000A4E000-memory.dmp

Filesize
184KB

Download
memory/1456-279-0x0000000001400000-0x0000000001493000-memory.dmp

Filesize
588KB

Download
memory/1456-278-0x0000000000A20000-0x0000000000A4E000-memory.dmp

Filesize
184KB

Download
memory/1456-276-0x0000000000B30000-0x0000000000B4E000-memory.dmp

Filesize
120KB

Download
memory/1456-274-0x0000000000000000-mapping.dmp

Download
memory/1740-249-0x0000000000000000-mapping.dmp

Download
memory/1740-272-0x0000000002AB0000-0x0000000002AC4000-memory.dmp

Filesize
80KB

Download
memory/1740-271-0x0000000002C90000-0x0000000002FDA000-memory.dmp

Filesize
3.3MB

Download
memory/1740-270-0x0000000010410000-0x000000001043E000-memory.dmp

Filesize
184KB

Download
memory/1884-360-0x0000000000000000-mapping.dmp

Download
memory/2168-194-0x0000000000000000-mapping.dmp

Download
memory/2928-282-0x0000000008810000-0x000000000893F000-memory.dmp

Filesize
1.2MB

Download
memory/2928-354-0x000000000A1C0000-0x000000000A2C7000-memory.dmp

Filesize
1.0MB

Download
memory/2928-201-0x0000000008300000-0x00000000083CC000-memory.dmp

Filesize
816KB

Download
memory/2928-425-0x000000000AB90000-0x000000000ACA0000-memory.dmp

Filesize
1.1MB

Download
memory/2928-199-0x0000000008300000-0x00000000083CC000-memory.dmp

Filesize
816KB

Download
memory/2928-191-0x00000000081A0000-0x00000000082F7000-memory.dmp

Filesize
1.3MB

Download
memory/2928-273-0x0000000008590000-0x00000000086AE000-memory.dmp

Filesize
1.1MB

Download
memory/2928-351-0x0000000008940000-0x0000000008A71000-memory.dmp

Filesize
1.2MB

Download
memory/2928-280-0x0000000008810000-0x000000000893F000-memory.dmp

Filesize
1.2MB

Download
memory/3396-204-0x0000000000000000-mapping.dmp

Download
memory/3596-283-0x0000000000000000-mapping.dmp

Download
memory/4204-193-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/4204-168-0x0000000000000000-mapping.dmp

Download
memory/4204-190-0x0000000001400000-0x0000000001411000-memory.dmp

Filesize
68KB

Download
memory/4204-189-0x0000000002F90000-0x00000000032DA000-memory.dmp

Filesize
3.3MB

Download
memory/4268-350-0x0000000000DD0000-0x0000000000DE4000-memory.dmp

Filesize
80KB

Download
memory/4268-347-0x0000000010410000-0x000000001043E000-memory.dmp

Filesize
184KB

Download
memory/4268-327-0x0000000000000000-mapping.dmp

Download
memory/4268-349-0x0000000002A20000-0x0000000002D6A000-memory.dmp

Filesize
3.3MB

Download
memory/4268-353-0x0000000002D90000-0x0000000002DA4000-memory.dmp

Filesize
80KB

Download
memory/4268-356-0x0000000010410000-0x000000001043E000-memory.dmp

Filesize
184KB

Download
memory/4540-286-0x0000000000000000-mapping.dmp

Download
memory/4732-182-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-153-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-172-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-169-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-171-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-170-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-180-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-167-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/4732-165-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-163-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-164-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-181-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-162-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-141-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-160-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-161-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-158-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-159-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-183-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-157-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-140-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-142-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-156-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-155-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-184-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-173-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-154-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-185-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-186-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-187-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-143-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-145-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-146-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-147-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-144-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-148-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-150-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-149-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-151-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4732-152-0x0000000003CE0000-0x0000000003D32000-memory.dmp

Filesize
328KB

Download
memory/4928-275-0x0000000000000000-mapping.dmp

Download
memory/5044-202-0x0000000000000000-mapping.dmp

Download
memory/5100-198-0x0000000000DE0000-0x0000000000E70000-memory.dmp

Filesize
576KB

Download
memory/5100-196-0x0000000000B30000-0x0000000000B4E000-memory.dmp

Filesize
120KB

Download
memory/5100-197-0x0000000000370000-0x000000000039B000-memory.dmp

Filesize
172KB

Download
memory/5100-195-0x0000000000FB0000-0x00000000012FA000-memory.dmp

Filesize
3.3MB

Download
memory/5100-192-0x0000000000000000-mapping.dmp

Download
memory/5100-200-0x0000000000370000-0x000000000039B000-memory.dmp

Filesize
172KB

Download
memory/5112-359-0x0000000001B60000-0x0000000001EAA000-memory.dmp

Filesize
3.3MB

Download
memory/5112-358-0x0000000000BB0000-0x0000000000BDE000-memory.dmp

Filesize
184KB

Download
memory/5112-357-0x0000000000F50000-0x000000000102C000-memory.dmp

Filesize
880KB

Download
memory/5112-355-0x0000000000000000-mapping.dmp

Download