504aba9ffc85b963c92b2725c54b2f16e8dca913b5dbe2b7d75786eee3692a38

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

©ɱ/098.exe
Size

128KB
MD5

51ce35af2290923c37c62e124ed09950
SHA1

8d5eb3e768111d6eb27d4677dd6178672b9f7b23
SHA256

70983b6aef6f0cb1e34133876f3410534756219e0c2644fe3a91fc89a47d31e6
SHA512

d39c4b1e3cab4c6ddd7a98b33b18b285b84135e8d5387abb0051d8ee21eb27c0f85a82256633c160b49ea3ecdf4304fcd2ef94470231f42800814f4a640b0f60
SSDEEP

3072:ly72UA+oBj8JUiTWGO6K5+HAa/lzimsvZcwEfmS:liY98qytO66UYw

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

098.exeyaion.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	098.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yaion.exe

Executes dropped EXE 2 IoCs

Processes:

yaion.exeyaion.exe

pid process

1372 yaion.exe
1580 yaion.exe
Loads dropped DLL 2 IoCs

Processes:

098.exe

pid process

948 098.exe
948 098.exe

pid	process
1372	yaion.exe
1580	yaion.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yaion.exe098.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /h"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /b"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /j"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /r"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /e"	yaion.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	098.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /v"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /k"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /w"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /u"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /s"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /m"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /d"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /c"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /a"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /z"	098.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /t"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /i"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /z"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /l"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /n"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /g"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /q"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /f"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /p"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /y"	yaion.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /o"	yaion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /x"	yaion.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

098.exeyaion.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	098.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	yaion.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	yaion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	098.exe

Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

yaion.exe

description ioc process

File created C:\Users\Admin\c\autorun.inf yaion.exe
File opened for modification C:\Users\Admin\c\autorun.inf yaion.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

098.exeyaion.exe

description pid process target process

PID 1048 set thread context of 948 1048 098.exe 098.exe
PID 1372 set thread context of 1580 1372 yaion.exe yaion.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\c\autorun.inf	yaion.exe
File opened for modification	C:\Users\Admin\c\autorun.inf	yaion.exe

description	pid	process	target process
PID 1048 set thread context of 948	1048	098.exe	098.exe
PID 1372 set thread context of 1580	1372	yaion.exe	yaion.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

098.exeyaion.exe

pid	process
948	098.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe
1580	yaion.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

098.exe098.exeyaion.exeyaion.exe

pid process

1048 098.exe
948 098.exe
1372 yaion.exe
1580 yaion.exe

pid	process
1048	098.exe
948	098.exe
1372	yaion.exe
1580	yaion.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

098.exe098.exeyaion.exeyaion.execmd.execmd.execonhost.exe

description	pid	process	target process
PID 1048 wrote to memory of 948	1048	098.exe	098.exe
PID 1048 wrote to memory of 948	1048	098.exe	098.exe
PID 1048 wrote to memory of 948	1048	098.exe	098.exe
PID 1048 wrote to memory of 948	1048	098.exe	098.exe
PID 1048 wrote to memory of 948	1048	098.exe	098.exe
PID 1048 wrote to memory of 948	1048	098.exe	098.exe
PID 1048 wrote to memory of 948	1048	098.exe	098.exe
PID 1048 wrote to memory of 948	1048	098.exe	098.exe
PID 1048 wrote to memory of 948	1048	098.exe	098.exe
PID 1048 wrote to memory of 948	1048	098.exe	098.exe
PID 948 wrote to memory of 1372	948	098.exe	yaion.exe
PID 948 wrote to memory of 1372	948	098.exe	yaion.exe
PID 948 wrote to memory of 1372	948	098.exe	yaion.exe
PID 948 wrote to memory of 1372	948	098.exe	yaion.exe
PID 948 wrote to memory of 2020	948	098.exe	PhotoScreensaver.scr
PID 948 wrote to memory of 2020	948	098.exe	PhotoScreensaver.scr
PID 948 wrote to memory of 2020	948	098.exe	PhotoScreensaver.scr
PID 948 wrote to memory of 2020	948	098.exe	PhotoScreensaver.scr
PID 1372 wrote to memory of 1580	1372	yaion.exe	yaion.exe
PID 1372 wrote to memory of 1580	1372	yaion.exe	yaion.exe
PID 1372 wrote to memory of 1580	1372	yaion.exe	yaion.exe
PID 1372 wrote to memory of 1580	1372	yaion.exe	yaion.exe
PID 1372 wrote to memory of 1580	1372	yaion.exe	yaion.exe
PID 1372 wrote to memory of 1580	1372	yaion.exe	yaion.exe
PID 1372 wrote to memory of 1580	1372	yaion.exe	yaion.exe
PID 1372 wrote to memory of 1580	1372	yaion.exe	yaion.exe
PID 1372 wrote to memory of 1580	1372	yaion.exe	yaion.exe
PID 1372 wrote to memory of 1580	1372	yaion.exe	yaion.exe
PID 1580 wrote to memory of 632	1580	yaion.exe	cmd.exe
PID 1580 wrote to memory of 632	1580	yaion.exe	cmd.exe
PID 1580 wrote to memory of 632	1580	yaion.exe	cmd.exe
PID 1580 wrote to memory of 632	1580	yaion.exe	cmd.exe
PID 1580 wrote to memory of 1984	1580	yaion.exe	cmd.exe
PID 1580 wrote to memory of 1984	1580	yaion.exe	cmd.exe
PID 1580 wrote to memory of 1984	1580	yaion.exe	cmd.exe
PID 1580 wrote to memory of 1984	1580	yaion.exe	cmd.exe
PID 632 wrote to memory of 1904	632	cmd.exe	cmd.exe
PID 632 wrote to memory of 1904	632	cmd.exe	cmd.exe
PID 632 wrote to memory of 1904	632	cmd.exe	cmd.exe
PID 632 wrote to memory of 1904	632	cmd.exe	cmd.exe
PID 1580 wrote to memory of 1716	1580	yaion.exe	cmd.exe
PID 1580 wrote to memory of 1716	1580	yaion.exe	cmd.exe
PID 1580 wrote to memory of 1716	1580	yaion.exe	cmd.exe
PID 1580 wrote to memory of 1716	1580	yaion.exe	cmd.exe
PID 1984 wrote to memory of 976	1984		ROUTE.EXE
PID 1984 wrote to memory of 976	1984		ROUTE.EXE
PID 1984 wrote to memory of 976	1984		ROUTE.EXE
PID 1984 wrote to memory of 976	1984		ROUTE.EXE
PID 1580 wrote to memory of 1664	1580	yaion.exe	conhost.exe
PID 1580 wrote to memory of 1664	1580	yaion.exe	conhost.exe
PID 1580 wrote to memory of 1664	1580	yaion.exe	conhost.exe
PID 1580 wrote to memory of 1664	1580	yaion.exe	conhost.exe
PID 1716 wrote to memory of 1172	1716	cmd.exe	conhost.exe
PID 1716 wrote to memory of 1172	1716	cmd.exe	conhost.exe
PID 1716 wrote to memory of 1172	1716	cmd.exe	conhost.exe
PID 1716 wrote to memory of 1172	1716	cmd.exe	conhost.exe
PID 1580 wrote to memory of 1076	1580	yaion.exe	cmd.exe
PID 1580 wrote to memory of 1076	1580	yaion.exe	cmd.exe
PID 1580 wrote to memory of 1076	1580	yaion.exe	cmd.exe
PID 1580 wrote to memory of 1076	1580	yaion.exe	cmd.exe
PID 1664 wrote to memory of 1408	1664	conhost.exe	ROUTE.EXE
PID 1664 wrote to memory of 1408	1664	conhost.exe	ROUTE.EXE
PID 1664 wrote to memory of 1408	1664	conhost.exe	ROUTE.EXE
PID 1664 wrote to memory of 1408	1664	conhost.exe	ROUTE.EXE

C:\Users\Admin\AppData\Local\Temp\©ɱ\098.exe
"C:\Users\Admin\AppData\Local\Temp\©ɱ\098.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\©ɱ\098.exe
"C:\Users\Admin\AppData\Local\Temp\©ɱ\098.exe"78
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\yaion.exe
"C:\Users\Admin\yaion.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\yaion.exe
"C:\Users\Admin\yaion.exe" 78
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 216.239.32.21 0.0.0.0
5⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\ROUTE.EXE
route add 216.239.32.21 0.0.0.0
6⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 216.239.34.21 0.0.0.0
5⤵
PID:1984

C:\Windows\SysWOW64\ROUTE.EXE
route add 216.239.34.21 0.0.0.0
6⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 216.239.36.21 0.0.0.0
5⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\ROUTE.EXE
route add 216.239.36.21 0.0.0.0
6⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 216.239.38.21 0.0.0.0
5⤵
PID:1664

C:\Windows\SysWOW64\ROUTE.EXE
route add 216.239.38.21 0.0.0.0
6⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 74.125.34.46 0.0.0.0
5⤵
PID:1076

C:\Windows\SysWOW64\ROUTE.EXE
route add 74.125.34.46 0.0.0.0
6⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 173.194.72.121 0.0.0.0
5⤵
PID:864

C:\Windows\SysWOW64\ROUTE.EXE
route add 173.194.72.121 0.0.0.0
6⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 5.39.93.201 0.0.0.0
5⤵
PID:2024

C:\Windows\SysWOW64\ROUTE.EXE
route add 5.39.93.201 0.0.0.0
6⤵
PID:584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 207.46.0.0/16 0.0.0.0
5⤵
PID:1380

C:\Windows\SysWOW64\ROUTE.EXE
route add 207.46.0.0/16 0.0.0.0
6⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 65.52.0.0/14 0.0.0.0
5⤵
PID:1700

C:\Windows\SysWOW64\ROUTE.EXE
route add 65.52.0.0/14 0.0.0.0
6⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 157.54.0.0/15 0.0.0.0
5⤵
PID:360

C:\Windows\SysWOW64\ROUTE.EXE
route add 157.54.0.0/15 0.0.0.0
6⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 157.56.0.0/14 0.0.0.0
5⤵
PID:1256

C:\Windows\SysWOW64\ROUTE.EXE
route add 157.56.0.0/14 0.0.0.0
6⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 157.60.0.0/16 0.0.0.0
5⤵
PID:1904

C:\Windows\SysWOW64\ROUTE.EXE
route add 157.60.0.0/16 0.0.0.0
6⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 134.170.0.0/16 0.0.0.0
5⤵
PID:1988

C:\Windows\SysWOW64\ROUTE.EXE
route add 134.170.0.0/16 0.0.0.0
6⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 72.32.67.100 0.0.0.0
5⤵
PID:1536

C:\Windows\SysWOW64\ROUTE.EXE
route add 72.32.67.100 0.0.0.0
6⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 91.228.166.0/24 0.0.0.0
5⤵
PID:388

C:\Windows\SysWOW64\ROUTE.EXE
route add 91.228.166.0/24 0.0.0.0
6⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 91.228.167.0/24 0.0.0.0
5⤵
PID:960

C:\Windows\SysWOW64\ROUTE.EXE
route add 91.228.167.0/24 0.0.0.0
6⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 37.187.68.0/24 0.0.0.0
5⤵
PID:1208

C:\Windows\SysWOW64\ROUTE.EXE
route add 37.187.68.0/24 0.0.0.0
6⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 46.4.58.0/24 0.0.0.0
5⤵
PID:1784

C:\Windows\SysWOW64\ROUTE.EXE
route add 46.4.58.0/24 0.0.0.0
6⤵
PID:520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 46.4.62.0/24 0.0.0.0
5⤵
PID:1872

C:\Windows\SysWOW64\ROUTE.EXE
route add 46.4.62.0/24 0.0.0.0
6⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 46.4.66.0/24 0.0.0.0
5⤵
PID:1616

C:\Windows\SysWOW64\ROUTE.EXE
route add 46.4.66.0/24 0.0.0.0
6⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 46.4.67.0/24 0.0.0.0
5⤵
PID:336

C:\Windows\SysWOW64\ROUTE.EXE
route add 46.4.67.0/24 0.0.0.0
6⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 46.165.210.0/24 0.0.0.0
5⤵
PID:1792

C:\Windows\SysWOW64\ROUTE.EXE
route add 46.165.210.0/24 0.0.0.0
6⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 50.7.73.0/24 0.0.0.0
5⤵
PID:588

C:\Windows\SysWOW64\ROUTE.EXE
route add 50.7.73.0/24 0.0.0.0
6⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 50.7.100.0/24 0.0.0.0
5⤵
PID:1884

C:\Windows\SysWOW64\ROUTE.EXE
route add 50.7.100.0/24 0.0.0.0
6⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 50.115.125.0/24 0.0.0.0
5⤵
PID:1632

C:\Windows\SysWOW64\ROUTE.EXE
route add 50.115.125.0/24 0.0.0.0
6⤵
PID:324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 67.15.0.0/24 0.0.0.0
5⤵
PID:388

C:\Windows\SysWOW64\ROUTE.EXE
route add 67.15.0.0/24 0.0.0.0
6⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 67.228.112.0/24 0.0.0.0
5⤵
PID:944

C:\Windows\SysWOW64\ROUTE.EXE
route add 67.228.112.0/24 0.0.0.0
6⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 74.86.245.0/24 0.0.0.0
5⤵
PID:864

C:\Windows\SysWOW64\ROUTE.EXE
route add 74.86.245.0/24 0.0.0.0
6⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 75.126.120.0/24 0.0.0.0
5⤵
PID:2028

C:\Windows\SysWOW64\ROUTE.EXE
route add 75.126.120.0/24 0.0.0.0
6⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 77.234.41.0/24 0.0.0.0
5⤵
PID:296

C:\Windows\SysWOW64\ROUTE.EXE
route add 77.234.41.0/24 0.0.0.0
6⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 77.234.43.0/24 0.0.0.0
5⤵
PID:1640

C:\Windows\SysWOW64\ROUTE.EXE
route add 77.234.43.0/24 0.0.0.0
6⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 77.234.44.0/24 0.0.0.0
5⤵
PID:1488

C:\Windows\SysWOW64\ROUTE.EXE
route add 77.234.44.0/24 0.0.0.0
6⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 91.213.143.0/24 0.0.0.0
5⤵
PID:1720

C:\Windows\SysWOW64\ROUTE.EXE
route add 91.213.143.0/24 0.0.0.0
6⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 95.211.196.0/24 0.0.0.0
5⤵
PID:972

C:\Windows\SysWOW64\ROUTE.EXE
route add 95.211.196.0/24 0.0.0.0
6⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 109.123.114.0/24 0.0.0.0
5⤵
PID:976

C:\Windows\SysWOW64\ROUTE.EXE
route add 109.123.114.0/24 0.0.0.0
6⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 109.123.117.0/24 0.0.0.0
5⤵
PID:824

C:\Windows\SysWOW64\ROUTE.EXE
route add 109.123.117.0/24 0.0.0.0
6⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 199.115.116.0/24 0.0.0.0
5⤵
PID:996

C:\Windows\SysWOW64\ROUTE.EXE
route add 199.115.116.0/24 0.0.0.0
6⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 173.193.20.0/24 0.0.0.0
5⤵
PID:1180

C:\Windows\SysWOW64\ROUTE.EXE
route add 173.193.20.0/24 0.0.0.0
6⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 173.193.138.0/24 0.0.0.0
5⤵
PID:1600

C:\Windows\SysWOW64\ROUTE.EXE
route add 173.193.138.0/24 0.0.0.0
6⤵
PID:584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 173.193.216.0/24 0.0.0.0
5⤵
PID:924

C:\Windows\SysWOW64\ROUTE.EXE
route add 173.193.216.0/24 0.0.0.0
6⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 174.37.222.0/24 0.0.0.0
5⤵
PID:2024

C:\Windows\SysWOW64\ROUTE.EXE
route add 174.37.222.0/24 0.0.0.0
6⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 174.36.55.0/24 0.0.0.0
5⤵
PID:1380

C:\Windows\SysWOW64\ROUTE.EXE
route add 174.36.55.0/24 0.0.0.0
6⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 174.36.237.0/24 0.0.0.0
5⤵
PID:1816

C:\Windows\SysWOW64\ROUTE.EXE
route add 174.36.237.0/24 0.0.0.0
6⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 199.115.116.0/24 0.0.0.0
5⤵
PID:1564

C:\Windows\SysWOW64\ROUTE.EXE
route add 199.115.116.0/24 0.0.0.0
6⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 208.43.71.0/24 0.0.0.0
5⤵
PID:1616

C:\Windows\SysWOW64\ROUTE.EXE
route add 208.43.71.0/24 0.0.0.0
6⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 208.53.149.0/24 0.0.0.0
5⤵
PID:1792

C:\Windows\SysWOW64\ROUTE.EXE
route add 208.53.149.0/24 0.0.0.0
6⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 216.185.103.0/24 0.0.0.0
5⤵
PID:1964

C:\Windows\SysWOW64\ROUTE.EXE
route add 216.185.103.0/24 0.0.0.0
6⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 4.28.136.0/24 0.0.0.0
5⤵
PID:644

C:\Windows\SysWOW64\ROUTE.EXE
route add 4.28.136.0/24 0.0.0.0
6⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 38.124.168.0/24 0.0.0.0
5⤵
PID:1984

C:\Windows\SysWOW64\ROUTE.EXE
route add 38.124.168.0/24 0.0.0.0
6⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 38.117.98.0/24 0.0.0.0
5⤵
PID:1076

C:\Windows\SysWOW64\ROUTE.EXE
route add 38.117.98.0/24 0.0.0.0
6⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 77.74.183.0/24 0.0.0.0
5⤵
PID:1120

C:\Windows\SysWOW64\ROUTE.EXE
route add 77.74.183.0/24 0.0.0.0
6⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 80.239.169.0/24 0.0.0.0
5⤵
PID:992

C:\Windows\SysWOW64\ROUTE.EXE
route add 80.239.169.0/24 0.0.0.0
6⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 80.239.174.0/24 0.0.0.0
5⤵
PID:864

C:\Windows\SysWOW64\ROUTE.EXE
route add 80.239.174.0/24 0.0.0.0
6⤵
PID:980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 80.239.197.0/24 0.0.0.0
5⤵
PID:1700

C:\Windows\SysWOW64\ROUTE.EXE
route add 80.239.197.0/24 0.0.0.0
6⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 85.12.58.0/24 0.0.0.0
5⤵
PID:360

C:\Windows\SysWOW64\ROUTE.EXE
route add 85.12.58.0/24 0.0.0.0
6⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 85.17.72.0/24 0.0.0.0
5⤵
PID:336

C:\Windows\SysWOW64\ROUTE.EXE
route add 85.17.72.0/24 0.0.0.0
6⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 93.159.230.0/24 0.0.0.0
5⤵
PID:1980

C:\Windows\SysWOW64\ROUTE.EXE
route add 93.159.230.0/24 0.0.0.0
6⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 94.75.236.0/24 0.0.0.0
5⤵
PID:832

C:\Windows\SysWOW64\ROUTE.EXE
route add 94.75.236.0/24 0.0.0.0
6⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 93.191.13.0/24 0.0.0.0
5⤵
PID:588

C:\Windows\SysWOW64\ROUTE.EXE
route add 93.191.13.0/24 0.0.0.0
6⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 95.167.139.0/24 0.0.0.0
5⤵
PID:2004

C:\Windows\SysWOW64\ROUTE.EXE
route add 95.167.139.0/24 0.0.0.0
6⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 95.211.85.0/24 0.0.0.0
5⤵
PID:1920

C:\Windows\SysWOW64\ROUTE.EXE
route add 95.211.85.0/24 0.0.0.0
6⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 195.16.117.0/24 0.0.0.0
5⤵
PID:1056

C:\Windows\SysWOW64\ROUTE.EXE
route add 195.16.117.0/24 0.0.0.0
6⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 195.122.169.0/24 0.0.0.0
5⤵
PID:1476

C:\Windows\SysWOW64\ROUTE.EXE
route add 195.122.169.0/24 0.0.0.0
6⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 130.117.190.0/24 0.0.0.0
5⤵
PID:984

C:\Windows\SysWOW64\ROUTE.EXE
route add 130.117.190.0/24 0.0.0.0
6⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 144.140.113.0/24 0.0.0.0
5⤵
PID:1724

C:\Windows\SysWOW64\ROUTE.EXE
route add 144.140.113.0/24 0.0.0.0
6⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 212.73.221.0/24 0.0.0.0
5⤵
PID:1936

C:\Windows\SysWOW64\ROUTE.EXE
route add 212.73.221.0/24 0.0.0.0
6⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c route add 125.39.66.0/24 0.0.0.0
5⤵
PID:468

C:\Windows\SysWOW64\ROUTE.EXE
route add 125.39.66.0/24 0.0.0.0
6⤵
PID:2024

C:\Windows\SysWOW64\PhotoScreensaver.scr
"C:\Windows\System32\PhotoScreensaver.scr" /S
3⤵
PID:2020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1111028288-1003725932-21153933021176003123120903443-12254546912355766991204771885"
1⤵
PID:1172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "935409602-1062993595765765045186243836131917711453302811940641879-1399143573"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-658610594-393362563317211575-115776618185517064218965395131765499291160031657"
1⤵
PID:1256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-297723372-1651597770-1545184869709863409782730801980336030-1915247331-463676031"
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1601498860-623956559-210387562513741168551730133061500702790890409680-505625190"
1⤵
PID:520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17083414041151175402262144520-93880553-569111863371579694-1613988875-590101883"
1⤵
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "651931000-907699476-9397025666587385402102796354108523411812131837031475630465"
1⤵
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1508095783-19067322451848632655-497700163-1972635833-642224708-689440232-1982896676"
1⤵
PID:1408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1198182482-956718880-474440032444924235-1776691426-1868763321406917062-79092440"
1⤵
PID:1536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "92905872667447991-2037231086-1109753181-2107628755-56936870196319083505857537"
1⤵
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-138609520911717181011081603345-1264305789-1076757288-950028986-1467282769762748954"
1⤵
PID:1524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-88455588883978169-316763198-1885913931144265900-477790916778295073367566698"
1⤵
PID:1528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15640989691493183488-15255021316268758581090068621-1373780970-965259993-1926992433"
1⤵
PID:388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-632278528-1566745464252869424-19263293211033301442-19326789341326333425-1954337874"
1⤵
PID:584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-328677624-1614038537391706709-546654150-1532414805-51096830354829005-660293883"
1⤵
PID:1816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2088071804-1402297946162454832621131668741523179006-1063289818592124805-2051484077"
1⤵
PID:1884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "143764575813703810621285860842-1774038897-1321798512-535179037251380097-1234389868"
1⤵
PID:1984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1651646863-683047381158215659-756157064-1311845175276218895171105777590346077"
1⤵
PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\yaion.exe
Filesize
128KB

MD5
51ce35af2290923c37c62e124ed09950

SHA1
8d5eb3e768111d6eb27d4677dd6178672b9f7b23

SHA256
70983b6aef6f0cb1e34133876f3410534756219e0c2644fe3a91fc89a47d31e6

SHA512
d39c4b1e3cab4c6ddd7a98b33b18b285b84135e8d5387abb0051d8ee21eb27c0f85a82256633c160b49ea3ecdf4304fcd2ef94470231f42800814f4a640b0f60

Download Submit
C:\Users\Admin\yaion.exe
Filesize
128KB

MD5
51ce35af2290923c37c62e124ed09950

SHA1
8d5eb3e768111d6eb27d4677dd6178672b9f7b23

SHA256
70983b6aef6f0cb1e34133876f3410534756219e0c2644fe3a91fc89a47d31e6

SHA512
d39c4b1e3cab4c6ddd7a98b33b18b285b84135e8d5387abb0051d8ee21eb27c0f85a82256633c160b49ea3ecdf4304fcd2ef94470231f42800814f4a640b0f60

Download Submit
C:\Users\Admin\yaion.exe
Filesize
128KB

MD5
51ce35af2290923c37c62e124ed09950

SHA1
8d5eb3e768111d6eb27d4677dd6178672b9f7b23

SHA256
70983b6aef6f0cb1e34133876f3410534756219e0c2644fe3a91fc89a47d31e6

SHA512
d39c4b1e3cab4c6ddd7a98b33b18b285b84135e8d5387abb0051d8ee21eb27c0f85a82256633c160b49ea3ecdf4304fcd2ef94470231f42800814f4a640b0f60

Download Submit
\Users\Admin\yaion.exe
Filesize
128KB

MD5
51ce35af2290923c37c62e124ed09950

SHA1
8d5eb3e768111d6eb27d4677dd6178672b9f7b23

SHA256
70983b6aef6f0cb1e34133876f3410534756219e0c2644fe3a91fc89a47d31e6

SHA512
d39c4b1e3cab4c6ddd7a98b33b18b285b84135e8d5387abb0051d8ee21eb27c0f85a82256633c160b49ea3ecdf4304fcd2ef94470231f42800814f4a640b0f60

Download Submit
\Users\Admin\yaion.exe
Filesize
128KB

MD5
51ce35af2290923c37c62e124ed09950

SHA1
8d5eb3e768111d6eb27d4677dd6178672b9f7b23

SHA256
70983b6aef6f0cb1e34133876f3410534756219e0c2644fe3a91fc89a47d31e6

SHA512
d39c4b1e3cab4c6ddd7a98b33b18b285b84135e8d5387abb0051d8ee21eb27c0f85a82256633c160b49ea3ecdf4304fcd2ef94470231f42800814f4a640b0f60

Download Submit
memory/296-171-0x0000000000000000-mapping.dmp

Download
memory/324-159-0x0000000000000000-mapping.dmp

Download
memory/336-144-0x0000000000000000-mapping.dmp

Download
memory/360-112-0x0000000000000000-mapping.dmp

Download
memory/388-160-0x0000000000000000-mapping.dmp

Download
memory/388-126-0x0000000000000000-mapping.dmp

Download
memory/520-138-0x0000000000000000-mapping.dmp

Download
memory/584-105-0x0000000000000000-mapping.dmp

Download
memory/588-151-0x0000000000000000-mapping.dmp

Download
memory/632-86-0x0000000000000000-mapping.dmp

Download
memory/864-166-0x0000000000000000-mapping.dmp

Download
memory/864-101-0x0000000000000000-mapping.dmp

Download
memory/944-163-0x0000000000000000-mapping.dmp

Download
memory/948-56-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/948-83-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/948-63-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/948-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/948-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/948-57-0x00000000004010E0-mapping.dmp

Download
memory/960-130-0x0000000000000000-mapping.dmp

Download
memory/972-121-0x0000000000000000-mapping.dmp

Download
memory/976-92-0x0000000000000000-mapping.dmp

Download
memory/992-133-0x0000000000000000-mapping.dmp

Download
memory/1076-97-0x0000000000000000-mapping.dmp

Download
memory/1112-115-0x0000000000000000-mapping.dmp

Download
memory/1172-95-0x0000000000000000-mapping.dmp

Download
memory/1176-117-0x0000000000000000-mapping.dmp

Download
memory/1180-100-0x0000000000000000-mapping.dmp

Download
memory/1208-132-0x0000000000000000-mapping.dmp

Download
memory/1256-114-0x0000000000000000-mapping.dmp

Download
memory/1372-66-0x0000000000000000-mapping.dmp

Download
memory/1380-106-0x0000000000000000-mapping.dmp

Download
memory/1408-98-0x0000000000000000-mapping.dmp

Download
memory/1408-158-0x0000000000000000-mapping.dmp

Download
memory/1408-127-0x0000000000000000-mapping.dmp

Download
memory/1488-176-0x0000000000000000-mapping.dmp

Download
memory/1524-154-0x0000000000000000-mapping.dmp

Download
memory/1536-123-0x0000000000000000-mapping.dmp

Download
memory/1564-145-0x0000000000000000-mapping.dmp

Download
memory/1568-165-0x0000000000000000-mapping.dmp

Download
memory/1580-84-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1580-124-0x0000000003E10000-0x00000000048CA000-memory.dmp

Filesize
10.7MB

Download
memory/1580-81-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1580-75-0x00000000004010E0-mapping.dmp

Download
memory/1580-85-0x0000000003250000-0x0000000003D0A000-memory.dmp

Filesize
10.7MB

Download
memory/1616-141-0x0000000000000000-mapping.dmp

Download
memory/1620-135-0x0000000000000000-mapping.dmp

Download
memory/1632-125-0x0000000000000000-mapping.dmp

Download
memory/1632-156-0x0000000000000000-mapping.dmp

Download
memory/1640-111-0x0000000000000000-mapping.dmp

Download
memory/1640-173-0x0000000000000000-mapping.dmp

Download
memory/1664-94-0x0000000000000000-mapping.dmp

Download
memory/1684-170-0x0000000000000000-mapping.dmp

Download
memory/1700-108-0x0000000000000000-mapping.dmp

Download
memory/1704-162-0x0000000000000000-mapping.dmp

Download
memory/1716-91-0x0000000000000000-mapping.dmp

Download
memory/1724-109-0x0000000000000000-mapping.dmp

Download
memory/1784-136-0x0000000000000000-mapping.dmp

Download
memory/1792-148-0x0000000000000000-mapping.dmp

Download
memory/1816-174-0x0000000000000000-mapping.dmp

Download
memory/1872-139-0x0000000000000000-mapping.dmp

Download
memory/1884-153-0x0000000000000000-mapping.dmp

Download
memory/1904-89-0x0000000000000000-mapping.dmp

Download
memory/1904-118-0x0000000000000000-mapping.dmp

Download
memory/1960-150-0x0000000000000000-mapping.dmp

Download
memory/1984-88-0x0000000000000000-mapping.dmp

Download
memory/1988-120-0x0000000000000000-mapping.dmp

Download
memory/1992-147-0x0000000000000000-mapping.dmp

Download
memory/1996-129-0x0000000000000000-mapping.dmp

Download
memory/2000-143-0x0000000000000000-mapping.dmp

Download
memory/2020-71-0x0000000000000000-mapping.dmp

Download
memory/2024-103-0x0000000000000000-mapping.dmp

Download
memory/2028-168-0x0000000000000000-mapping.dmp

Download