fatalrat | fee4bc48a833facbde77aeb03320697fe7a1e54d633f6d9f157cf994b2a405f1

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d348b2fd315d69bb969cd00d30f1f11eeb45656e4e429e6555eebdd5a566e5b2.msi
Size

45.4MB
MD5

b548cd27d7cc4d966305c2fc5c0ee5e1
SHA1

2f116d9e09a8796c040abe8ca5f6637e1110ea8c
SHA256

d348b2fd315d69bb969cd00d30f1f11eeb45656e4e429e6555eebdd5a566e5b2
SHA512

8f5ec981769a44575f215fe53b58b4c6522efa98bfd7eb409ca166cd1dca766fc5f6f8af04ec9d3ace3ad1b54b3ad62612e8a599840161ff685c001aab32c086
SSDEEP

786432:1ELiyuxCaAPkt69LZSq5EfJ9WEH9aSeLHDKsn3MoNh2Z51JbY+R4+pjRxt7iQetk:1EiEaAW6FZSqSWs9aSeLHDWk2Z5O+fxX

Score

10^/10

fatalrat gh0strat discovery infostealer persistence privilege_escalation rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3720-453-0x0000000004220000-0x000000000436D000-memory.dmp	family_gh0strat
behavioral2/memory/3720-452-0x0000000004220000-0x000000000436D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Fatal Rat payload 2 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral2/memory/5060-275-0x0000000003060000-0x000000000308A000-memory.dmp	fatalrat
behavioral2/memory/3720-307-0x0000000002FE0000-0x000000000300A000-memory.dmp	fatalrat

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3720-449-0x0000000004220000-0x000000000436D000-memory.dmp	upx
behavioral2/memory/3720-453-0x0000000004220000-0x000000000436D000-memory.dmp	upx
behavioral2/memory/3720-452-0x0000000004220000-0x000000000436D000-memory.dmp	upx

Blocklisted process makes network request 5 IoCs

Processes:

msiexec.exeMsiExec.exe

flow	pid	Process
2	3316	msiexec.exe
4	3316	msiexec.exe
6	3316	msiexec.exe
11	3316	msiexec.exe
31	4296	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

thelper.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	thelper.exe

Drops file in Windows directory 23 IoCs

Processes:

msiexec.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI778D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI789C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI78CD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F7A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F7B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58747f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI77AE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI78CC.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI79F9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI77CF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI788B.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3AEAE5B8-91CC-4989-AD2C-33C505411950}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI79E8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A58.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F7C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7B72.tmp	msiexec.exe
File created	C:\Windows\Installer\e58747f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75F6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI77BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI78FD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 5 IoCs

Processes:

MSI7F7A.tmpMSI7F7B.tmpthelper.exeSogou.exethelper.exe

pid	Process
3596	MSI7F7A.tmp
2472	MSI7F7B.tmp
5060	thelper.exe
4380	Sogou.exe
3720	thelper.exe

Loads dropped DLL 48 IoCs

Processes:

MsiExec.exeMsiExec.exethelper.exethelper.exeSogou.exe

pid	Process
4296	MsiExec.exe
4296	MsiExec.exe
4296	MsiExec.exe
4296	MsiExec.exe
4296	MsiExec.exe
4296	MsiExec.exe
4296	MsiExec.exe
4296	MsiExec.exe
4296	MsiExec.exe
4296	MsiExec.exe
4296	MsiExec.exe
4860	MsiExec.exe
4860	MsiExec.exe
4296	MsiExec.exe
5060	thelper.exe
5060	thelper.exe
5060	thelper.exe
5060	thelper.exe
5060	thelper.exe
5060	thelper.exe
5060	thelper.exe
5060	thelper.exe
5060	thelper.exe
5060	thelper.exe
5060	thelper.exe
5060	thelper.exe
5060	thelper.exe
5060	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
4380	Sogou.exe
4380	Sogou.exe
4380	Sogou.exe
4380	Sogou.exe
4380	Sogou.exe
4380	Sogou.exe
4380	Sogou.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

Processes:

msiexec.exe

pid	Process
3316	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MsiExec.exeMsiExec.exeMSI7F7A.tmpMSI7F7B.tmpthelper.exeSogou.exethelper.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI7F7A.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI7F7B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	thelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sogou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	thelper.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005d98d1691ddd1b040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005d98d1690000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005d98d169000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5d98d169000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005d98d16900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

thelper.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	thelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	thelper.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MsiExec.exemsiexec.exeSogou.exethelper.exe

pid	Process
4296	MsiExec.exe
4296	MsiExec.exe
3744	msiexec.exe
3744	msiexec.exe
4380	Sogou.exe
4380	Sogou.exe
4380	Sogou.exe
4380	Sogou.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe
3720	thelper.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	Process
Token: SeShutdownPrivilege	3316	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3316	msiexec.exe
Token: SeSecurityPrivilege	3744	msiexec.exe
Token: SeCreateTokenPrivilege	3316	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3316	msiexec.exe
Token: SeLockMemoryPrivilege	3316	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3316	msiexec.exe
Token: SeMachineAccountPrivilege	3316	msiexec.exe
Token: SeTcbPrivilege	3316	msiexec.exe
Token: SeSecurityPrivilege	3316	msiexec.exe
Token: SeTakeOwnershipPrivilege	3316	msiexec.exe
Token: SeLoadDriverPrivilege	3316	msiexec.exe
Token: SeSystemProfilePrivilege	3316	msiexec.exe
Token: SeSystemtimePrivilege	3316	msiexec.exe
Token: SeProfSingleProcessPrivilege	3316	msiexec.exe
Token: SeIncBasePriorityPrivilege	3316	msiexec.exe
Token: SeCreatePagefilePrivilege	3316	msiexec.exe
Token: SeCreatePermanentPrivilege	3316	msiexec.exe
Token: SeBackupPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeShutdownPrivilege	3316	msiexec.exe
Token: SeDebugPrivilege	3316	msiexec.exe
Token: SeAuditPrivilege	3316	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3316	msiexec.exe
Token: SeChangeNotifyPrivilege	3316	msiexec.exe
Token: SeRemoteShutdownPrivilege	3316	msiexec.exe
Token: SeUndockPrivilege	3316	msiexec.exe
Token: SeSyncAgentPrivilege	3316	msiexec.exe
Token: SeEnableDelegationPrivilege	3316	msiexec.exe
Token: SeManageVolumePrivilege	3316	msiexec.exe
Token: SeImpersonatePrivilege	3316	msiexec.exe
Token: SeCreateGlobalPrivilege	3316	msiexec.exe
Token: SeBackupPrivilege	264	vssvc.exe
Token: SeRestorePrivilege	264	vssvc.exe
Token: SeAuditPrivilege	264	vssvc.exe
Token: SeBackupPrivilege	3744	msiexec.exe
Token: SeRestorePrivilege	3744	msiexec.exe
Token: SeRestorePrivilege	3744	msiexec.exe
Token: SeTakeOwnershipPrivilege	3744	msiexec.exe
Token: SeRestorePrivilege	3744	msiexec.exe
Token: SeTakeOwnershipPrivilege	3744	msiexec.exe
Token: SeBackupPrivilege	3504	srtasks.exe
Token: SeRestorePrivilege	3504	srtasks.exe
Token: SeSecurityPrivilege	3504	srtasks.exe
Token: SeTakeOwnershipPrivilege	3504	srtasks.exe
Token: SeRestorePrivilege	3744	msiexec.exe
Token: SeTakeOwnershipPrivilege	3744	msiexec.exe
Token: SeRestorePrivilege	3744	msiexec.exe
Token: SeTakeOwnershipPrivilege	3744	msiexec.exe
Token: SeRestorePrivilege	3744	msiexec.exe
Token: SeTakeOwnershipPrivilege	3744	msiexec.exe
Token: SeRestorePrivilege	3744	msiexec.exe
Token: SeTakeOwnershipPrivilege	3744	msiexec.exe
Token: SeRestorePrivilege	3744	msiexec.exe
Token: SeTakeOwnershipPrivilege	3744	msiexec.exe
Token: SeRestorePrivilege	3744	msiexec.exe
Token: SeTakeOwnershipPrivilege	3744	msiexec.exe
Token: SeRestorePrivilege	3744	msiexec.exe
Token: SeTakeOwnershipPrivilege	3744	msiexec.exe
Token: SeRestorePrivilege	3744	msiexec.exe
Token: SeTakeOwnershipPrivilege	3744	msiexec.exe
Token: SeRestorePrivilege	3744	msiexec.exe
Token: SeTakeOwnershipPrivilege	3744	msiexec.exe
Token: SeRestorePrivilege	3744	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid	Process
3316	msiexec.exe
3316	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Sogou.exe

pid	Process
4380	Sogou.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

msiexec.exethelper.exe

description	pid	Process	procid_target
PID 3744 wrote to memory of 3504	3744	msiexec.exe	91
PID 3744 wrote to memory of 3504	3744	msiexec.exe	91
PID 3744 wrote to memory of 4296	3744	msiexec.exe	93
PID 3744 wrote to memory of 4296	3744	msiexec.exe	93
PID 3744 wrote to memory of 4296	3744	msiexec.exe	93
PID 3744 wrote to memory of 4860	3744	msiexec.exe	94
PID 3744 wrote to memory of 4860	3744	msiexec.exe	94
PID 3744 wrote to memory of 4860	3744	msiexec.exe	94
PID 3744 wrote to memory of 3596	3744	msiexec.exe	95
PID 3744 wrote to memory of 3596	3744	msiexec.exe	95
PID 3744 wrote to memory of 3596	3744	msiexec.exe	95
PID 3744 wrote to memory of 2472	3744	msiexec.exe	96
PID 3744 wrote to memory of 2472	3744	msiexec.exe	96
PID 3744 wrote to memory of 2472	3744	msiexec.exe	96
PID 5060 wrote to memory of 3720	5060	thelper.exe	99
PID 5060 wrote to memory of 3720	5060	thelper.exe	99
PID 5060 wrote to memory of 3720	5060	thelper.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d348b2fd315d69bb969cd00d30f1f11eeb45656e4e429e6555eebdd5a566e5b2.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3316

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3504
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6B8CDED353A06569963FEFC8F5975767
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4296
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BAFDF2344B793BD39FC8A8E210A4C922 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4860
- C:\Windows\Installer\MSI7F7A.tmp
  "C:\Windows\Installer\MSI7F7A.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\Sogou.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3596
- C:\Windows\Installer\MSI7F7B.tmp
  "C:\Windows\Installer\MSI7F7B.tmp" /DontWait "C:\ProgramData\Microsoft\MF\thelper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:264

C:\ProgramData\Microsoft\MF\thelper.exe
"C:\ProgramData\Microsoft\MF\thelper.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\thelper.exe
  "C:\Users\Admin\AppData\Local\thelper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3720

C:\Users\Admin\AppData\Roaming\Sogou.exe
"C:\Users\Admin\AppData\Roaming\Sogou.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e587482.rbs

Filesize
377KB

MD5
c380593737c4a8585c04d64dc57ad939

SHA1
4e99188a7ce157d0b3b6f677e76ac11b3d2ce409

SHA256
f6e96a53aab0b29cfe7e88b07b553616191483ac1e1e5e88c9fce0b709544522

SHA512
8598d572da6c8677eadb26c3d161dc87c8d013b7f9cd6b9cbba46e8758c09dfe2efa3eb6390a796c16964e7e5543d4e4a47d387f2d5855afa3b20f49806c6c3c

Download Submit
C:\ProgramData\Microsoft\MF\Mi.jpg

Filesize
199KB

MD5
6623c712226ec7da02b7a6d2e636f93b

SHA1
ca7cc067795d66d9592f40e7b7f7be2fb8d2381a

SHA256
27550491d63f83141fa86cd048434c4c3990dc215a1d77d2ae6395cea3b0d996

SHA512
b5503e7af6d094a4c5741d621e1ea99eef8bf2a6d77cc994975c2629ebab2b0317a1ad51ce7ddcd44dafaa7461f032ae5d45d79e4537504846989e1b9bb0170b

Download Submit
C:\ProgramData\Microsoft\MF\XLFSIO.dll

Filesize
900KB

MD5
a06090c5f2d3df2cedc51cc99e19e821

SHA1
701ac97c2fd140464b234f666a0453d058c9fabf

SHA256
64ffdffb82fc649e6847b3c4f8678d9cca0d5117fa54c9abbb746625d3feef89

SHA512
541804db74a25fc5f50801f23b4d9f2be788d3c95d3d23dd8098f4c8888d1fc808e6eb6959c458965c639ea28b594a87dff7f3a89c4750c109b29b573c4535cf

Download Submit
C:\ProgramData\Microsoft\MF\XLFSIO2.dll

Filesize
209KB

MD5
1bc7af7a8512cf79d4f0efc5cb138ce3

SHA1
68fd202d9380cacd2f8e0ce06d8df1c03c791c5b

SHA256
ef474b18f89310c067a859d55abd4e4f42fdac732e49eafe4246545e36872a62

SHA512
84de4d193d22a305be2ba28fc67bd1cccf83616cead721e57347f1b2e0736d351fef1abf168f7914caa1bcc7a72db43769991016673cd4646def544802ee8960

Download Submit
C:\ProgramData\Microsoft\MF\XLGraphic.dll

Filesize
730KB

MD5
74c75ae5b97ad708dbe6f69d3a602430

SHA1
a02764d99b44ce4b1d199ef0f8ce73431d094a6a

SHA256
89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2

SHA512
52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

Download Submit
C:\ProgramData\Microsoft\MF\XLLuaRuntime.dll

Filesize
249KB

MD5
5362cb2efe55c6d6e9b51849ec0706b2

SHA1
d91acbe95dedc3bcac7ec0051c04ddddd5652778

SHA256
1d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40

SHA512
dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5

Download Submit
C:\ProgramData\Microsoft\MF\XLUE.dll

Filesize
2.4MB

MD5
0abbe96e1f7a254e23a80f06a1018c69

SHA1
0b83322fd5e18c9da8c013a0ed952cffa34381ae

SHA256
10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4

SHA512
2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

Download Submit
C:\ProgramData\Microsoft\MF\ic.dll

Filesize
1.6MB

MD5
bb1197bea58b158554fa3fa25866d1ea

SHA1
cae7f395ed42fa2dd3362f4c816fb678072feb49

SHA256
20a04729fdd8e02e2fb5be79af130c364d0f3ce85e49478a6819a0a2020ae844

SHA512
f80b7669da861400a5b5add8148b85cc62994819e3a3a2220475d7ec2fc31f70bc3c683d5a5d6043b319b428a0ac47b9b41201aee7aba5d5cc927a8556dd7b73

Download Submit
C:\ProgramData\Microsoft\MF\libexpat.dll

Filesize
668KB

MD5
5ff790879aab8078884eaac71affeb4a

SHA1
59352663fdcf24bb01c1f219410e49c15b51d5c5

SHA256
cceca70f34bbcec861a02c3700de79ea17d80c0a7b9f33d7edd1357a714e0f2f

SHA512
34fbaffc48912e3d3fa2d224e001121e8b36f5be7284a33eb31d306b9a5c00de6e23a9fdc1a17a61fb1371768f0b0e30b9c6e899a08c735fc70482d5aa8ea824

Download Submit
C:\ProgramData\Microsoft\MF\libpng13.dll

Filesize
157KB

MD5
bb1922dfbdd99e0b89bec66c30c31b73

SHA1
f7a561619c101ba9b335c0b3d318f965b8fc1dfb

SHA256
76457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99

SHA512
3054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a

Download Submit
C:\ProgramData\Microsoft\MF\mt.dll

Filesize
1.5MB

MD5
9ded3fdffb0ff7f62e6a0a7f996c0caf

SHA1
fcc959b28a32923ccdb1ca4e304c74a31dede929

SHA256
87aab1db611adb132f503c08c32dc4efc23c9216d97e918f7279f86920701c93

SHA512
a7e7cb96a78827b01e71c595ca0d106eaf7afe35d4a548e5beccf0b009cc02d33274822958dca4998a427d8b4027eaefe99b40b3648e24730c81df34eab32ba0

Download Submit
C:\ProgramData\Microsoft\MF\thelper.exe

Filesize
226KB

MD5
17749f66292f190ef93652eb512c5ab7

SHA1
e2f651aa9d37404063ffc79e920787c9d3e71fdb

SHA256
0aa17ee66b8dae520e82a94388b1a1d603ec2aed20c464d6cac9a521d4167f24

SHA512
2ef192a191dc40a16c9b8768e749175c1a57319ab896809691effcc5de61c4a38fd8a8388b8907a1985e505907a8529f4d10990e362831092c75dafb8900b13e

Download Submit
C:\ProgramData\Microsoft\MF\zlib1.dll

Filesize
62KB

MD5
37163aacc5534fbab012fb505be8d647

SHA1
73de6343e52180a24c74f4629e38a62ed8ad5f81

SHA256
0a6357a8852daaafe7aed300e2f7e69d993cac4156e882baa8a3a56b583255ba

SHA512
c3bed1c9bc58652ed16b162ed16a93cf7479a0492db7e6ea577001dbe859affc0b20387d93d23e06e73f49f395e4c9a5a07680f000ebb82d32269742c16a5242

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5

Filesize
1KB

MD5
3d640ee6ac8b5855df5f6cae6f0c2ab5

SHA1
8048c98b890b6baa5b09c6ec8e3ab805fb2e3ff3

SHA256
826ee51625aca602c13e753a3d88811a9cc1f4416c529480db8f4bf2567c9b22

SHA512
3c7d57c2c06b6a72e18c0105a1fc19b09345c8212737fe6fcd49d07423135f6081286295971f84dab627c8641852a142f19d665bbf27db86c6f46d0ed337dada

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B03113490075047F519A3F760F0FF379_F891537EEBBDBB955ED6C40DCF761C31

Filesize
2KB

MD5
9b7a46275e7095ce102f4a528d998404

SHA1
cb080163caab8be2c16e522b65bd759792ac1035

SHA256
c57a6d779565c08eb1fff650035d83ba0bf2f739fb2e51fe649175b3172ec4be

SHA512
785612a40fe5ce1979251cb95f264082e58dc93f7176623b681c305c807ef7c9400d617018288360ce93395199b4f4621556aa5ff4be7c6a561d03469de09117

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5

Filesize
412B

MD5
835caab0de545ba536fcb96e1585fc3d

SHA1
52d44ad171c3c11679e17f38a159673ac295db36

SHA256
5b569205be72092b239942d226854d1fe1888d404c8ee61ed56623b616d42b30

SHA512
82d5eaca79b16f70cf9c0c64049574406277ece57103f33ea66bfea0e689138d7db5660e9672b3215fe0dab09f88830963776ec1b2022b24ec38085f6489c63e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B03113490075047F519A3F760F0FF379_F891537EEBBDBB955ED6C40DCF761C31

Filesize
428B

MD5
0a513d6140b688892e9b764b57ff575c

SHA1
a5283522aa94191035c41231b2a7afb39ac29591

SHA256
61135aa3992b1d169b5c313cab81e535ad8e743ff58ddaf4f399d4f94c42301a

SHA512
3ecfbb59f0d8e45d67b9b29e95bb678dbfa397d1cc5468ae0983d957019783f7b57d2c37d50965dc0a535265ce6f5217e600a516bdffd16e9c5876f67fddbf3c

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6696c89e2ff508bfba81eedd\74.24.63\tracking.ini

Filesize
84B

MD5
5301ca3f1494bc5307773cc0b003c78e

SHA1
3089d199c8bedd766dc06009459bab72352dd4b1

SHA256
3b446147fa359b5f71276e4240f83d00cea1aeb903042d57a6a664a1e56ead83

SHA512
0b04e578fc48b3b6dadfbcde0e82c24b94abc563560665c673e08ce7bd385cbe785fa7bb207b04936c6b38dc5d81f0737f93a1d9f486cd9ff9ff27e63b198e2d

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6696c89e2ff508bfba81eedd\74.24.63\tracking.ini

Filesize
84B

MD5
d92144e53e4f8706e979e529a55a7c42

SHA1
e802db24efef1c28d1681304690eaa61c42a4efb

SHA256
eaaf03d8af8d73533174d37d6a901fb54dac1ca23e36bade8e6192d4ecb90909

SHA512
e5aa32cb690986390ffa630ab990b8ae3520ccaf52fa4eb8898189baee4729b3eb92dbd4b303ebc4c4fe576073c6252168a0882c847e76e127d96fba2305c273

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6696c89e2ff508bfba81eedd\74.24.63\{7DF54D76-9449-47D3-8414-F9283BA58B6C}.session

Filesize
13KB

MD5
02729a4a14d25476407e20833126c350

SHA1
8934c9dab77378e577bf364e0854fd36d559bd1c

SHA256
6ff91788a9b11d74c65524e5bb3028ac50507cdbd09d7e0eee275c2dc85ccbe7

SHA512
20d54a69aefdc8820cf465d8bea656872ad34738377552fc3efce89678fa1e3902c0b0bd9643d4094f9a913a065b39200f16ec5066c76a0d4be5820d3f4794d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa8412.tmp\HWSignature.dll

Filesize
82KB

MD5
0c4dd80545d113d33edcd16cfe92c44a

SHA1
7dabdd84e24f0b8947f9e83339d21ca0cfa8dbe9

SHA256
1fd6c12b48a08dd19af04f763f27786e55a58747968bea17ae51198f49c02478

SHA512
20dd4ad7682264f35416413edaef953a8a5cbd4a0920ec790bbda06147cdd2faa0ab1702e93ee12cf4fe5fb525576a13e5307c3882fbc71de92e9a5fba2952fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa8412.tmp\InstallOptions.dll

Filesize
15KB

MD5
67d8f4d5acdb722e9cb7a99570b3ded1

SHA1
f4a729ba77332325ea4dbdeea98b579f501fd26f

SHA256
fa8de036b1d9bb06be383a82041966c73473fc8382d041fb5c1758f991afeae7

SHA512
03999cc26a76b0de6f7e4e8a45137ee4d9c250366ac5a458110f00f7962158311eea5f22d3ee4f32f85aa6969eb143bdb8f03ca989568764ed2bc488c89b4b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa8412.tmp\SetupLib.dll

Filesize
2.5MB

MD5
96e5de7481ab4c69be46bc2055b8c0b3

SHA1
26854a0b1a0e4c08d0fda1fbb2b430c7a5aa1183

SHA256
c9cb61c290140cf63e8fcfcecb4bc6edd43d9d9b5ff0df93f8f71b26c5cd21dc

SHA512
e419b2d4f751b8dbb8c4e9ffcb3bf6ec0bbf69e488e144ea7188d8b1d3574567c559346d941068fa341286342c8ce75f57d074db6cd959d0fdb1d96eb9b4719e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa8412.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa8412.tmp\ioSpecial.ini

Filesize
954B

MD5
fe1997fe60d019f2b10599ee088b112f

SHA1
4ef398046adfa091bd0b8e51c3688cd1e013e94b

SHA256
a9c34926ae358a8e97b12f60b4affe25cc260a9a68f5ccc2fa5396df7ab31d33

SHA512
ef847e453bc0ec51c3b4f6e58ebf9905d02bdc1c5c966360e8c97b171df2bef3c1653c8acc40b3304767b361b30a112537397837d58179c8a10d2a3efa764372

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa8412.tmp\validate.ini

Filesize
111B

MD5
6f833a68105fa15445fd02a71f5f6b70

SHA1
65bf80d5978ad1d5f505577e086f476976ee08fd

SHA256
b3134f47d62c3551b288d0b1e64e3643622ee0c9ba7c78a113e78fd372c92356

SHA512
51a080c93183f36ea53acc5a148486441176ee7122cbf3bdb1cb4f7bf3ae25bba190d5be617160a201b032de51d2dfec2eedb2197c30a12f07f95a7e4212dce6

Download Submit
C:\Users\Admin\AppData\Roaming\Sogou.exe

Filesize
38.4MB

MD5
166da5372ada91e8c0ede06ca3db2096

SHA1
9c86e5640b341519c1dba0548c25b732e8164ec2

SHA256
e9cc52087141132cb6026a3cbf5519f621f321adf8c5406f794bad8d7c7cc8af

SHA512
c1dc98dd6b649c439306b09bae9c4304e9832533fb6695408d76f3a550afcb7a226a14815e73edd90f99870157054bec124459d5580b9db77dacbe5f06d5b789

Download Submit
C:\Windows\Installer\MSI75F6.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
C:\Windows\Installer\MSI778D.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI77CF.tmp

Filesize
897KB

MD5
6189cdcb92ab9ddbffd95facd0b631fa

SHA1
b74c72cefcb5808e2c9ae4ba976fa916ba57190d

SHA256
519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783

SHA512
ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf

Download Submit
C:\Windows\Installer\MSI79F9.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
C:\Windows\Installer\MSI7F7A.tmp

Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
de7df04988a79194b3821d99fb7ce261

SHA1
9bbfbb3940b6b97fa3dfd37ff4725a9fe58d6c86

SHA256
66d1df070a234a83c00be69ece0479f6d049af24ce128fce7581cf4ffb0a4408

SHA512
56553a167256d06c6e3599f681ae760a44571e54972f0217bfbe20e25302104d7b2f12354aa5518d155a4e89b5eb32374d2668a81830cced5ae20229ea024668

Download Submit
\??\Volume{69d1985d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8fcf855b-7c49-4e95-8930-ce10b715b716}_OnDiskSnapshotProp

Filesize
6KB

MD5
aa2b13fa86a8d69876f92df6585d7077

SHA1
61531869fcb661fb447c71b8c63dd761f51ee3c9

SHA256
c459ada59f8707e2dc75aa36aa5783c4c643dc02d0a2d215c5e91e973a05a6c5

SHA512
9acf0749f9836ee3f507f81d340b9d4471c7e3468622d6d2cd09dcabe8271b53d31dfde06eb4304e6bcacdad49261ed31c109809b7bc7aff2dcbf5a4ab1d82ba

Download Submit
memory/3720-303-0x00000000030A0000-0x00000000030D1000-memory.dmp

Filesize
196KB

Download
memory/3720-431-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/3720-452-0x0000000004220000-0x000000000436D000-memory.dmp

Filesize
1.3MB

Download
memory/3720-293-0x00000000015D0000-0x000000000160F000-memory.dmp

Filesize
252KB

Download
memory/3720-291-0x00000000014C0000-0x00000000015C8000-memory.dmp

Filesize
1.0MB

Download
memory/3720-453-0x0000000004220000-0x000000000436D000-memory.dmp

Filesize
1.3MB

Download
memory/3720-449-0x0000000004220000-0x000000000436D000-memory.dmp

Filesize
1.3MB

Download
memory/3720-432-0x0000000074960000-0x0000000074B77000-memory.dmp

Filesize
2.1MB

Download
memory/3720-433-0x0000000074720000-0x0000000074954000-memory.dmp

Filesize
2.2MB

Download
memory/3720-296-0x0000000001610000-0x0000000001645000-memory.dmp

Filesize
212KB

Download
memory/3720-307-0x0000000002FE0000-0x000000000300A000-memory.dmp

Filesize
168KB

Download
memory/3720-300-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/3720-301-0x0000000074960000-0x0000000074B77000-memory.dmp

Filesize
2.1MB

Download
memory/3720-302-0x0000000074720000-0x0000000074954000-memory.dmp

Filesize
2.2MB

Download
memory/4380-429-0x00000000755B0000-0x000000007564F000-memory.dmp

Filesize
636KB

Download
memory/4380-328-0x0000000003450000-0x0000000003469000-memory.dmp

Filesize
100KB

Download
memory/4380-430-0x0000000073120000-0x0000000073570000-memory.dmp

Filesize
4.3MB

Download
memory/4380-320-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5060-263-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/5060-271-0x0000000003020000-0x0000000003051000-memory.dmp

Filesize
196KB

Download
memory/5060-251-0x0000000001180000-0x00000000011BF000-memory.dmp

Filesize
252KB

Download
memory/5060-275-0x0000000003060000-0x000000000308A000-memory.dmp

Filesize
168KB

Download
memory/5060-248-0x0000000001530000-0x0000000001638000-memory.dmp

Filesize
1.0MB

Download
memory/5060-298-0x0000000074960000-0x0000000074B77000-memory.dmp

Filesize
2.1MB

Download
memory/5060-268-0x0000000074960000-0x0000000074B77000-memory.dmp

Filesize
2.1MB

Download
memory/5060-261-0x00000000011F0000-0x0000000001225000-memory.dmp

Filesize
212KB

Download
memory/5060-269-0x0000000074720000-0x0000000074954000-memory.dmp

Filesize
2.2MB

Download
memory/5060-299-0x0000000074720000-0x0000000074954000-memory.dmp

Filesize
2.2MB

Download
memory/5060-297-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download