azorult | 93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c

Analysis

max time kernel
145s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-03-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b23d6c569893579789695f3d05accbe1.exe
Size

1.4MB
MD5

b23d6c569893579789695f3d05accbe1
SHA1

fa6b1d998500175e122de2c264869fda667bcd26
SHA256

93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c
SHA512

e816f5121406e32178afeabece8b63c4d773e183d18f705b5a884664013f0fe082830785c2c87913101c5c504a7a7ee60b9987d064c4e5624c681a3674a2e633
SSDEEP

24576:ckJ57Lut19vrBg9qm+BZkvgt7DYOl+FbSoLCwcpN5tgLG6OI8mMe2WLPFouz:T7LG1V/dBZkY1Yo+X+tgLGPi2WLPFou

Score

10^/10

azorult raccoon zgrat 43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3 infostealer rat stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1256-164-0x0000000009F80000-0x000000000A0A4000-memory.dmp	family_zgrat_v1
behavioral1/memory/1256-165-0x0000000009F80000-0x000000000A09E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1256-166-0x0000000009F80000-0x000000000A09E000-memory.dmp	family_zgrat_v1

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2532-2465-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 7 IoCs

Processes:

Oggnfkemtibcinconsoleapp16.exeOggnfkemtibcinconsoleapp16.exeHsbvhggsqlrfmuvyptooonsoleapp5.exeOggnfkemtibcinconsoleapp16.exeHsbvhggsqlrfmuvyptooonsoleapp5.exeHsbvhggsqlrfmuvyptooonsoleapp5.exeHsbvhggsqlrfmuvyptooonsoleapp5.exe

pid	process
972	Oggnfkemtibcinconsoleapp16.exe
1892	Oggnfkemtibcinconsoleapp16.exe
2868	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
2308	Oggnfkemtibcinconsoleapp16.exe
2328	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
2952	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
1784	Hsbvhggsqlrfmuvyptooonsoleapp5.exe

Loads dropped DLL 14 IoCs

Processes:

WScript.exeOggnfkemtibcinconsoleapp16.exeWScript.exeHsbvhggsqlrfmuvyptooonsoleapp5.exeWerFault.exe

pid	process
2064	WScript.exe
972	Oggnfkemtibcinconsoleapp16.exe
972	Oggnfkemtibcinconsoleapp16.exe
2544	WScript.exe
2868	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
2868	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
2868	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

b23d6c569893579789695f3d05accbe1.exeOggnfkemtibcinconsoleapp16.exeHsbvhggsqlrfmuvyptooonsoleapp5.exe

description	pid	process	target process
PID 1256 set thread context of 2532	1256	b23d6c569893579789695f3d05accbe1.exe	b23d6c569893579789695f3d05accbe1.exe
PID 972 set thread context of 2308	972	Oggnfkemtibcinconsoleapp16.exe	Oggnfkemtibcinconsoleapp16.exe
PID 2868 set thread context of 1784	2868	Hsbvhggsqlrfmuvyptooonsoleapp5.exe	Hsbvhggsqlrfmuvyptooonsoleapp5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2052 1784 WerFault.exe Hsbvhggsqlrfmuvyptooonsoleapp5.exe

pid	pid_target	process	target process
2052	1784	WerFault.exe	Hsbvhggsqlrfmuvyptooonsoleapp5.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

b23d6c569893579789695f3d05accbe1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	b23d6c569893579789695f3d05accbe1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b23d6c569893579789695f3d05accbe1.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeb23d6c569893579789695f3d05accbe1.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeOggnfkemtibcinconsoleapp16.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeHsbvhggsqlrfmuvyptooonsoleapp5.exe

pid	process
2580	powershell.exe
2880	powershell.exe
2436	powershell.exe
2476	powershell.exe
2852	powershell.exe
840	powershell.exe
1344	powershell.exe
1836	powershell.exe
3016	powershell.exe
1100	powershell.exe
1256	b23d6c569893579789695f3d05accbe1.exe
1256	b23d6c569893579789695f3d05accbe1.exe
1256	b23d6c569893579789695f3d05accbe1.exe
1256	b23d6c569893579789695f3d05accbe1.exe
1256	b23d6c569893579789695f3d05accbe1.exe
1256	b23d6c569893579789695f3d05accbe1.exe
1640	powershell.exe
1276	powershell.exe
400	powershell.exe
1628	powershell.exe
1100	powershell.exe
2196	powershell.exe
1576	powershell.exe
2572	powershell.exe
2964	powershell.exe
1964	powershell.exe
972	Oggnfkemtibcinconsoleapp16.exe
972	Oggnfkemtibcinconsoleapp16.exe
972	Oggnfkemtibcinconsoleapp16.exe
972	Oggnfkemtibcinconsoleapp16.exe
972	Oggnfkemtibcinconsoleapp16.exe
972	Oggnfkemtibcinconsoleapp16.exe
2448	powershell.exe
2572	powershell.exe
2108	powershell.exe
2332	powershell.exe
1772	powershell.exe
944	powershell.exe
2856	powershell.exe
2932	powershell.exe
2292	powershell.exe
1572	powershell.exe
2868	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
2868	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
2868	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
2868	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
2868	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
2868	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
2868	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
2868	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
2868	Hsbvhggsqlrfmuvyptooonsoleapp5.exe
2868	Hsbvhggsqlrfmuvyptooonsoleapp5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeIncreaseQuotaPrivilege	840	powershell.exe
Token: SeSecurityPrivilege	840	powershell.exe
Token: SeTakeOwnershipPrivilege	840	powershell.exe
Token: SeLoadDriverPrivilege	840	powershell.exe
Token: SeSystemProfilePrivilege	840	powershell.exe
Token: SeSystemtimePrivilege	840	powershell.exe
Token: SeProfSingleProcessPrivilege	840	powershell.exe
Token: SeIncBasePriorityPrivilege	840	powershell.exe
Token: SeCreatePagefilePrivilege	840	powershell.exe
Token: SeBackupPrivilege	840	powershell.exe
Token: SeRestorePrivilege	840	powershell.exe
Token: SeShutdownPrivilege	840	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeSystemEnvironmentPrivilege	840	powershell.exe
Token: SeRemoteShutdownPrivilege	840	powershell.exe
Token: SeUndockPrivilege	840	powershell.exe
Token: SeManageVolumePrivilege	840	powershell.exe
Token: 33	840	powershell.exe
Token: 34	840	powershell.exe
Token: 35	840	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeIncreaseQuotaPrivilege	1344	powershell.exe
Token: SeSecurityPrivilege	1344	powershell.exe
Token: SeTakeOwnershipPrivilege	1344	powershell.exe
Token: SeLoadDriverPrivilege	1344	powershell.exe
Token: SeSystemProfilePrivilege	1344	powershell.exe
Token: SeSystemtimePrivilege	1344	powershell.exe
Token: SeProfSingleProcessPrivilege	1344	powershell.exe
Token: SeIncBasePriorityPrivilege	1344	powershell.exe
Token: SeCreatePagefilePrivilege	1344	powershell.exe
Token: SeBackupPrivilege	1344	powershell.exe
Token: SeRestorePrivilege	1344	powershell.exe
Token: SeShutdownPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeSystemEnvironmentPrivilege	1344	powershell.exe
Token: SeRemoteShutdownPrivilege	1344	powershell.exe
Token: SeUndockPrivilege	1344	powershell.exe
Token: SeManageVolumePrivilege	1344	powershell.exe
Token: 33	1344	powershell.exe
Token: 34	1344	powershell.exe
Token: 35	1344	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeIncreaseQuotaPrivilege	1836	powershell.exe
Token: SeSecurityPrivilege	1836	powershell.exe
Token: SeTakeOwnershipPrivilege	1836	powershell.exe
Token: SeLoadDriverPrivilege	1836	powershell.exe
Token: SeSystemProfilePrivilege	1836	powershell.exe
Token: SeSystemtimePrivilege	1836	powershell.exe
Token: SeProfSingleProcessPrivilege	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: SeCreatePagefilePrivilege	1836	powershell.exe
Token: SeBackupPrivilege	1836	powershell.exe
Token: SeRestorePrivilege	1836	powershell.exe
Token: SeShutdownPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeSystemEnvironmentPrivilege	1836	powershell.exe
Token: SeRemoteShutdownPrivilege	1836	powershell.exe
Token: SeUndockPrivilege	1836	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b23d6c569893579789695f3d05accbe1.exeWScript.exeOggnfkemtibcinconsoleapp16.exe

description	pid	process	target process
PID 1256 wrote to memory of 2580	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2580	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2580	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2580	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2880	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2880	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2880	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2880	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2436	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2436	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2436	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2436	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2476	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2476	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2476	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2476	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2852	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2852	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2852	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2852	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 840	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 840	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 840	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 840	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 1344	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 1344	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 1344	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 1344	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 1836	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 1836	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 1836	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 1836	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 3016	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 3016	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 3016	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 3016	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 1100	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 1100	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 1100	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 1100	1256	b23d6c569893579789695f3d05accbe1.exe	powershell.exe
PID 1256 wrote to memory of 2064	1256	b23d6c569893579789695f3d05accbe1.exe	WScript.exe
PID 1256 wrote to memory of 2064	1256	b23d6c569893579789695f3d05accbe1.exe	WScript.exe
PID 1256 wrote to memory of 2064	1256	b23d6c569893579789695f3d05accbe1.exe	WScript.exe
PID 1256 wrote to memory of 2064	1256	b23d6c569893579789695f3d05accbe1.exe	WScript.exe
PID 1256 wrote to memory of 3068	1256	b23d6c569893579789695f3d05accbe1.exe	b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 3068	1256	b23d6c569893579789695f3d05accbe1.exe	b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 3068	1256	b23d6c569893579789695f3d05accbe1.exe	b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 3068	1256	b23d6c569893579789695f3d05accbe1.exe	b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532	1256	b23d6c569893579789695f3d05accbe1.exe	b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532	1256	b23d6c569893579789695f3d05accbe1.exe	b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532	1256	b23d6c569893579789695f3d05accbe1.exe	b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532	1256	b23d6c569893579789695f3d05accbe1.exe	b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532	1256	b23d6c569893579789695f3d05accbe1.exe	b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532	1256	b23d6c569893579789695f3d05accbe1.exe	b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532	1256	b23d6c569893579789695f3d05accbe1.exe	b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532	1256	b23d6c569893579789695f3d05accbe1.exe	b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532	1256	b23d6c569893579789695f3d05accbe1.exe	b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532	1256	b23d6c569893579789695f3d05accbe1.exe	b23d6c569893579789695f3d05accbe1.exe
PID 2064 wrote to memory of 972	2064	WScript.exe	Oggnfkemtibcinconsoleapp16.exe
PID 2064 wrote to memory of 972	2064	WScript.exe	Oggnfkemtibcinconsoleapp16.exe
PID 2064 wrote to memory of 972	2064	WScript.exe	Oggnfkemtibcinconsoleapp16.exe
PID 2064 wrote to memory of 972	2064	WScript.exe	Oggnfkemtibcinconsoleapp16.exe
PID 972 wrote to memory of 1640	972	Oggnfkemtibcinconsoleapp16.exe	powershell.exe
PID 972 wrote to memory of 1640	972	Oggnfkemtibcinconsoleapp16.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
"C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
"C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1964

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ddmmvlnwvosotwcisp.vbs"
4⤵
- Loads dropped DLL
PID:2544

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
"C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1572

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
6⤵
- Executes dropped EXE
PID:2328

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
6⤵
- Executes dropped EXE
PID:2952

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
6⤵
- Executes dropped EXE
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 112
7⤵
- Loads dropped DLL
- Program crash
PID:2052

C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
4⤵
- Executes dropped EXE
PID:1892

C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
4⤵
- Executes dropped EXE
PID:2308

C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
2⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
2⤵
- Modifies system certificate store
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ddmmvlnwvosotwcisp.vbs
Filesize
118B

MD5
8e6ed0e063f11f70636a3f17f2a6ff0a

SHA1
4eb2da6280255683781c4b2e3e2e77de09d7d3ba

SHA256
bfd0eeb6d76e800e9fc6ffc2924ed0f8a4562bd2446ec503362ed325094e7561

SHA512
061a55f826961a96609717eb173b3f4bade372e4e26f9eae6b84f45b2bcdb97687e7d79b6d450f6a92a9805c799f623a04c7bb59550e2027ba3cf5d172a34e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs
Filesize
114B

MD5
eedf5b01d8c6919df80fb4eeef481b96

SHA1
c2f13824ede4e9781aa1d231c3bfe65ee57a5202

SHA256
c470d243098a7051aa0914fcda227fa4ae3b752556a5de16da5d73a169005aa4

SHA512
c9db4dff46d7517270dda041eca132368edc87bac7d0926b5179d7c385696a7b648c2b99bb444a08c60c95fd4dbd01700f17a8c9cb678bef680a8f681d248822

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
Filesize
367KB

MD5
81b52a797709cd2b43a567beb918f288

SHA1
91f7feded933ff4861dd2c00f971595d7dd89513

SHA256
ce7db669ec00c7169451964b79a5b3ac018e87c5dfd2ed0c89482c30f74d4bae

SHA512
70cfe54f9bf63e5d639b377efbb530b0983dcaaf6f09b0ac74b349ab1640a5eeeb98d9f22f4241a5e2da28868f183574393ffd6823bdfab00c5b102ae9443123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e3599a94c6e4e54fcbf3339214de3a0e

SHA1
785d8d88dd40e328d17210a8c2fa2065095b1e2e

SHA256
8a426d48850befa06b361a5f8ab5b9424fab84d53230f11d02441116ae29e1c8

SHA512
115f35e6c2bdf284749876fad76a41086731b00a075db1a995e07ec4c88ef204b6289fd546188f6361dd92913571e79267fc68b3b46c02f236695ee5de1a82a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
8e5e13ff63e461fe8dbdc7dbec80b298

SHA1
b2f1a32e316af60fd047893fadb4aa442dc5ef73

SHA256
a737a3cfac5f0620d5d27bae694b502d4b5b69b918dd42ea5483e7dd2578bb47

SHA512
89633023d236a244cdb50186e423427771c30b18a3f9f9177b959d26561555876c52f1bcfb7b868f007c5789c14a7268bc1ef931aa7c53507c5f0f86109ac0b2

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
Filesize
754KB

MD5
bff1438036ccf8be218ec89f2e92230b

SHA1
805cabda5796988cdf0b624585fc4fcc514f141d

SHA256
493aa6892b773d1e49a1f861eb163134759fa1a9f44708bfdf1148231606b4be

SHA512
f9f3b256998e157d5140c0d3e8f1aa103a8d361c6cafb745e22bc1f805cad0f3d4599880534c50443ec1fd9ae907e2e6d6643c89e503e71df8e4769bc02034ff

Download Submit
\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
Filesize
704KB

MD5
533e3640e395a9ee9c48b3e58e3c8792

SHA1
3a349edcdf0ff6d78fafee9b55e57dbde0c060cf

SHA256
a16541270099eaee1c8bc1a3463a31623956af8341ef4f52f5d980672538e203

SHA512
29a5f2ece551b0a81df4f856411a6f6643f8a51e14df6717ce1b214322de8124ab3b1827666606ae35291d32fd58e64d1c06991c2f13bf67aa933db91b25f909

Download Submit
memory/840-54-0x000000006F4F0000-0x000000006FA9B000-memory.dmp

Filesize
5.7MB

Download
memory/840-49-0x000000006F4F0000-0x000000006FA9B000-memory.dmp

Filesize
5.7MB

Download
memory/840-53-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/840-51-0x000000006F4F0000-0x000000006FA9B000-memory.dmp

Filesize
5.7MB

Download
memory/840-52-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/840-50-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/972-2462-0x0000000000190000-0x0000000000252000-memory.dmp

Filesize
776KB

Download
memory/972-2463-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/972-2464-0x0000000004C50000-0x0000000004C90000-memory.dmp

Filesize
256KB

Download
memory/1100-99-0x00000000025F0000-0x0000000002630000-memory.dmp

Filesize
256KB

Download
memory/1100-95-0x000000006F1A0000-0x000000006F74B000-memory.dmp

Filesize
5.7MB

Download
memory/1100-100-0x000000006F1A0000-0x000000006F74B000-memory.dmp

Filesize
5.7MB

Download
memory/1100-98-0x00000000025F0000-0x0000000002630000-memory.dmp

Filesize
256KB

Download
memory/1100-97-0x000000006F1A0000-0x000000006F74B000-memory.dmp

Filesize
5.7MB

Download
memory/1100-96-0x00000000025F0000-0x0000000002630000-memory.dmp

Filesize
256KB

Download
memory/1256-159-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-161-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-0-0x0000000000260000-0x00000000003CC000-memory.dmp

Filesize
1.4MB

Download
memory/1256-1-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/1256-2-0x0000000004EF0000-0x0000000004F30000-memory.dmp

Filesize
256KB

Download
memory/1256-121-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-2458-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/1256-166-0x0000000009F80000-0x000000000A09E000-memory.dmp

Filesize
1.1MB

Download
memory/1256-165-0x0000000009F80000-0x000000000A09E000-memory.dmp

Filesize
1.1MB

Download
memory/1256-164-0x0000000009F80000-0x000000000A0A4000-memory.dmp

Filesize
1.1MB

Download
memory/1256-163-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-38-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/1256-157-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-155-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-153-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-151-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-117-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-147-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-145-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-143-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-141-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-139-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-137-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-135-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-133-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-131-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-129-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-127-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-125-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-123-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-119-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-101-0x0000000007FA0000-0x00000000080F8000-memory.dmp

Filesize
1.3MB

Download
memory/1256-102-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-103-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-105-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-107-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-109-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-111-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-113-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-115-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1256-149-0x0000000007FA0000-0x00000000080F3000-memory.dmp

Filesize
1.3MB

Download
memory/1344-63-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/1344-62-0x000000006F1D0000-0x000000006F77B000-memory.dmp

Filesize
5.7MB

Download
memory/1344-60-0x000000006F1D0000-0x000000006F77B000-memory.dmp

Filesize
5.7MB

Download
memory/1344-61-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/1344-65-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/1344-64-0x000000006F1D0000-0x000000006F77B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-2475-0x0000000002860000-0x00000000028A0000-memory.dmp

Filesize
256KB

Download
memory/1640-2474-0x0000000002860000-0x00000000028A0000-memory.dmp

Filesize
256KB

Download
memory/1640-2473-0x000000006EED0000-0x000000006F47B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-2472-0x0000000002860000-0x00000000028A0000-memory.dmp

Filesize
256KB

Download
memory/1640-2471-0x000000006EED0000-0x000000006F47B000-memory.dmp

Filesize
5.7MB

Download
memory/1836-71-0x000000006F420000-0x000000006F9CB000-memory.dmp

Filesize
5.7MB

Download
memory/1836-73-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/1836-72-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/1836-76-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/1836-75-0x000000006F420000-0x000000006F9CB000-memory.dmp

Filesize
5.7MB

Download
memory/1836-74-0x000000006F420000-0x000000006F9CB000-memory.dmp

Filesize
5.7MB

Download
memory/2436-21-0x000000006F450000-0x000000006F9FB000-memory.dmp

Filesize
5.7MB

Download
memory/2436-22-0x000000006F450000-0x000000006F9FB000-memory.dmp

Filesize
5.7MB

Download
memory/2436-23-0x000000006F450000-0x000000006F9FB000-memory.dmp

Filesize
5.7MB

Download
memory/2476-31-0x000000006F450000-0x000000006F9FB000-memory.dmp

Filesize
5.7MB

Download
memory/2476-30-0x000000006F450000-0x000000006F9FB000-memory.dmp

Filesize
5.7MB

Download
memory/2476-32-0x000000006F450000-0x000000006F9FB000-memory.dmp

Filesize
5.7MB

Download
memory/2532-2465-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2580-7-0x000000006F480000-0x000000006FA2B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-6-0x000000006F480000-0x000000006FA2B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-5-0x000000006F480000-0x000000006FA2B000-memory.dmp

Filesize
5.7MB

Download
memory/2852-39-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/2852-42-0x000000006F1C0000-0x000000006F76B000-memory.dmp

Filesize
5.7MB

Download
memory/2852-40-0x000000006F1C0000-0x000000006F76B000-memory.dmp

Filesize
5.7MB

Download
memory/2852-43-0x000000006F1C0000-0x000000006F76B000-memory.dmp

Filesize
5.7MB

Download
memory/2852-41-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/2880-15-0x000000006F1D0000-0x000000006F77B000-memory.dmp

Filesize
5.7MB

Download
memory/2880-13-0x000000006F1D0000-0x000000006F77B000-memory.dmp

Filesize
5.7MB

Download
memory/2880-14-0x000000006F1D0000-0x000000006F77B000-memory.dmp

Filesize
5.7MB

Download
memory/3016-85-0x000000006F450000-0x000000006F9FB000-memory.dmp

Filesize
5.7MB

Download
memory/3016-83-0x000000006F450000-0x000000006F9FB000-memory.dmp

Filesize
5.7MB

Download
memory/3016-84-0x0000000002810000-0x0000000002850000-memory.dmp

Filesize
256KB

Download
memory/3016-89-0x000000006F450000-0x000000006F9FB000-memory.dmp

Filesize
5.7MB

Download
memory/3016-88-0x0000000002810000-0x0000000002850000-memory.dmp

Filesize
256KB

Download
memory/3016-87-0x0000000002810000-0x0000000002850000-memory.dmp

Filesize
256KB

Download
memory/3016-86-0x0000000002810000-0x0000000002850000-memory.dmp

Filesize
256KB

Download