arkei | 2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb

Analysis

max time kernel
152s
max time network
153s
platform
windows10_x64
resource
win10v20210408
submitted
12-10-2021 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe
Size

175KB
MD5

16dac496ddda6108f8a0a5f5c29f777f
SHA1

9fc6750104fac8148800c9144aeee4e52a491b02
SHA256

2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb
SHA512

f67a5a40f04e76d763257567105409d06e7c08b5426f0bd24886d54e6187c9e5d35549cae80b2af81852b4da773e0e53606e4ff268edaaf034c16113a3e88638

Score

10^/10

arkei raccoon redline servhelper smokeloader xmrig 159 8d179b9e611eee525425544ee8c6d77360ab7cd9 w1 backdoor discovery evasion infostealer miner persistence spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://linavanandr11.club/

http://iselaharty12.club/

http://giovaninardo13.club/

http://zayneliann14.club/

http://zorinosali15.club/

rc4.i32

Extracted

Family

redline

Botnet

159

190.2.136.29:3279

Extracted

Family

redline

Botnet

109.234.34.165:12323

Extracted

Family

raccoon

Version

1.8.2

Botnet

8d179b9e611eee525425544ee8c6d77360ab7cd9

Attributes

url4cnc
http://teletop.top/agrybirdsgamerept

http://teleta.top/agrybirdsgamerept

https://t.me/agrybirdsgamerept

rc4.plain

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3764-150-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/3764-158-0x000000000041B222-mapping.dmp	family_redline
behavioral1/memory/3536-159-0x0000000000750000-0x0000000000781000-memory.dmp	family_redline
behavioral1/memory/3536-168-0x0000000002760000-0x000000000277C000-memory.dmp	family_redline
behavioral1/memory/3764-183-0x0000000004DD0000-0x00000000053D6000-memory.dmp	family_redline

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Arkei Stealer Payload 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1224-123-0x0000000000400000-0x0000000000B71000-memory.dmp	family_arkei
behavioral1/memory/1224-125-0x0000000000400000-0x0000000000B71000-memory.dmp	family_arkei
behavioral1/memory/1224-126-0x0000000000400000-0x0000000000B71000-memory.dmp	family_arkei
behavioral1/memory/1224-130-0x0000000000400000-0x0000000000B71000-memory.dmp	family_arkei

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 10 IoCs

Processes:

F860.exeFDFE.exe9E6.exe1224.exe1AE0.exe2F82.exe475362202.exe475362202.exefodhelper.exefodhelper.exe

pid	Process
1224	F860.exe
2980	FDFE.exe
2648	9E6.exe
952	1224.exe
3536	1AE0.exe
792	2F82.exe
1932	475362202.exe
1648	475362202.exe
1356	fodhelper.exe
3488	fodhelper.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

F860.exe9E6.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	F860.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	F860.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9E6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9E6.exe

Deletes itself 1 IoCs

Processes:

pid	Process
2428

Loads dropped DLL 3 IoCs

Processes:

F860.exe

pid	Process
1224	F860.exe
1224	F860.exe
1224	F860.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x00050000000155fd-132.dat	themida
behavioral1/memory/2648-137-0x0000000001360000-0x0000000001361000-memory.dmp	themida
behavioral1/files/0x00050000000155fd-1160.dat	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

9E6.exeF860.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9E6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	F860.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

F860.exe9E6.exe

pid	Process
1224	F860.exe
2648	9E6.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exeFDFE.exe475362202.exefodhelper.exe

description	pid	Process	procid_target
PID 632 set thread context of 2080	632	2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe	72
PID 2980 set thread context of 3764	2980	FDFE.exe	83
PID 1932 set thread context of 1648	1932	475362202.exe	92
PID 1356 set thread context of 3488	1356	fodhelper.exe	119

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
3256	1224	WerFault.exe	74

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
3556	schtasks.exe
3896	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
1220	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe

pid	Process
2080	2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe
2080	2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428
2428

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
2428

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
616

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe

pid	Process
2080	2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exe1AE0.exe9E6.exeRegSvcs.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeRestorePrivilege	3256	WerFault.exe
Token: SeBackupPrivilege	3256	WerFault.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeDebugPrivilege	3256	WerFault.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeDebugPrivilege	3536	1AE0.exe
Token: SeDebugPrivilege	2648	9E6.exe
Token: SeDebugPrivilege	3764	RegSvcs.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeShutdownPrivilege	2428
Token: SeCreatePagefilePrivilege	2428

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
2428
2428

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid	Process
2428
2428

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
2428

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exeFDFE.exe2F82.exe1AE0.exe475362202.exepowershell.execsc.exe475362202.exe

description	pid	Process	procid_target
PID 632 wrote to memory of 2080	632	2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe	72
PID 632 wrote to memory of 2080	632	2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe	72
PID 632 wrote to memory of 2080	632	2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe	72
PID 632 wrote to memory of 2080	632	2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe	72
PID 632 wrote to memory of 2080	632	2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe	72
PID 632 wrote to memory of 2080	632	2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe	72
PID 2428 wrote to memory of 1224	2428		74
PID 2428 wrote to memory of 1224	2428		74
PID 2428 wrote to memory of 1224	2428		74
PID 2428 wrote to memory of 2980	2428		76
PID 2428 wrote to memory of 2980	2428		76
PID 2428 wrote to memory of 2980	2428		76
PID 2428 wrote to memory of 2648	2428		78
PID 2428 wrote to memory of 2648	2428		78
PID 2428 wrote to memory of 2648	2428		78
PID 2428 wrote to memory of 952	2428		80
PID 2428 wrote to memory of 952	2428		80
PID 2428 wrote to memory of 952	2428		80
PID 2980 wrote to memory of 3764	2980	FDFE.exe	83
PID 2980 wrote to memory of 3764	2980	FDFE.exe	83
PID 2980 wrote to memory of 3764	2980	FDFE.exe	83
PID 2980 wrote to memory of 3764	2980	FDFE.exe	83
PID 2428 wrote to memory of 3536	2428		84
PID 2428 wrote to memory of 3536	2428		84
PID 2428 wrote to memory of 3536	2428		84
PID 2980 wrote to memory of 3764	2980	FDFE.exe	83
PID 2428 wrote to memory of 792	2428		87
PID 2428 wrote to memory of 792	2428		87
PID 2428 wrote to memory of 792	2428		87
PID 792 wrote to memory of 3580	792	2F82.exe	88
PID 792 wrote to memory of 3580	792	2F82.exe	88
PID 792 wrote to memory of 3580	792	2F82.exe	88
PID 3536 wrote to memory of 1932	3536	1AE0.exe	90
PID 3536 wrote to memory of 1932	3536	1AE0.exe	90
PID 3536 wrote to memory of 1932	3536	1AE0.exe	90
PID 1932 wrote to memory of 1648	1932	475362202.exe	92
PID 1932 wrote to memory of 1648	1932	475362202.exe	92
PID 1932 wrote to memory of 1648	1932	475362202.exe	92
PID 3580 wrote to memory of 1356	3580	powershell.exe	93
PID 3580 wrote to memory of 1356	3580	powershell.exe	93
PID 3580 wrote to memory of 1356	3580	powershell.exe	93
PID 1356 wrote to memory of 1260	1356	csc.exe	94
PID 1356 wrote to memory of 1260	1356	csc.exe	94
PID 1356 wrote to memory of 1260	1356	csc.exe	94
PID 1932 wrote to memory of 1648	1932	475362202.exe	92
PID 1932 wrote to memory of 1648	1932	475362202.exe	92
PID 1932 wrote to memory of 1648	1932	475362202.exe	92
PID 1932 wrote to memory of 1648	1932	475362202.exe	92
PID 1932 wrote to memory of 1648	1932	475362202.exe	92
PID 1932 wrote to memory of 1648	1932	475362202.exe	92
PID 1648 wrote to memory of 3556	1648	475362202.exe	95
PID 1648 wrote to memory of 3556	1648	475362202.exe	95
PID 1648 wrote to memory of 3556	1648	475362202.exe	95
PID 3580 wrote to memory of 2596	3580	powershell.exe	97
PID 3580 wrote to memory of 2596	3580	powershell.exe	97
PID 3580 wrote to memory of 2596	3580	powershell.exe	97
PID 3580 wrote to memory of 1652	3580	powershell.exe	99
PID 3580 wrote to memory of 1652	3580	powershell.exe	99
PID 3580 wrote to memory of 1652	3580	powershell.exe	99
PID 3580 wrote to memory of 964	3580	powershell.exe	101
PID 3580 wrote to memory of 964	3580	powershell.exe	101
PID 3580 wrote to memory of 964	3580	powershell.exe	101
PID 3580 wrote to memory of 2068	3580	powershell.exe	103
PID 3580 wrote to memory of 2068	3580	powershell.exe	103

C:\Users\Admin\AppData\Local\Temp\2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe
"C:\Users\Admin\AppData\Local\Temp\2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe
  "C:\Users\Admin\AppData\Local\Temp\2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2080

C:\Users\Admin\AppData\Local\Temp\F860.exe
C:\Users\Admin\AppData\Local\Temp\F860.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1264
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3256

C:\Users\Admin\AppData\Local\Temp\FDFE.exe
C:\Users\Admin\AppData\Local\Temp\FDFE.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3764

C:\Users\Admin\AppData\Local\Temp\9E6.exe
C:\Users\Admin\AppData\Local\Temp\9E6.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Users\Admin\AppData\Local\Temp\1224.exe
C:\Users\Admin\AppData\Local\Temp\1224.exe
1⤵
- Executes dropped EXE
PID:952

C:\Users\Admin\AppData\Local\Temp\1AE0.exe
C:\Users\Admin\AppData\Local\Temp\1AE0.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\475362202.exe
  "C:\Users\Admin\AppData\Local\Temp\475362202.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\475362202.exe
    C:\Users\Admin\AppData\Local\Temp\475362202.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
      4⤵
      Creates scheduled task(s)
      PID:3556

C:\Users\Admin\AppData\Local\Temp\2F82.exe
C:\Users\Admin\AppData\Local\Temp\2F82.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rudw1t01\rudw1t01.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6571.tmp" "c:\Users\Admin\AppData\Local\Temp\rudw1t01\CSC5D483C6DF943CB8D111B916C7B4922.TMP"
      4⤵
      PID:1260
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:1220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:2532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    PID:1064
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start rdpdr
      4⤵
      PID:1344
    - - C:\Windows\SysWOW64\net.exe
        
        net start rdpdr
        5⤵
        
        PID:3064
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:2164
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:1612
    - - C:\Windows\SysWOW64\net.exe
        
        net start TermService
        5⤵
        
        PID:3068
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:380

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1356
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
f3068198b62b4b70404ec46694d632be

SHA1
7b0b31ae227cf2a78cb751573a9d07f755104ea0

SHA256
bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8

SHA512
ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795

Download Submit
C:\Users\Admin\AppData\Local\Temp\1224.exe

MD5
fca0bfc8b0d37eab0b75c773882c8c0c

SHA1
5791c1090645b42575d0100e97c56d444406c194

SHA256
e8dfe564f572301aa67110c28d0d6850133705a72f6ada7e96c16a65aa3d8da2

SHA512
d6a91a7223ffa99cdf0ed8a56dda350ffd5982f2b1da521ade028ccb097e4014ef0ac2a8546896f5ecb7be23346a8add5e61e0dc0ecc8a9471596045ee8b7b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1224.exe

MD5
fca0bfc8b0d37eab0b75c773882c8c0c

SHA1
5791c1090645b42575d0100e97c56d444406c194

SHA256
e8dfe564f572301aa67110c28d0d6850133705a72f6ada7e96c16a65aa3d8da2

SHA512
d6a91a7223ffa99cdf0ed8a56dda350ffd5982f2b1da521ade028ccb097e4014ef0ac2a8546896f5ecb7be23346a8add5e61e0dc0ecc8a9471596045ee8b7b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AE0.exe

MD5
f5c4d463115dc020d5ec1756da0258a0

SHA1
b66eb6992d7c0191d1255ae0ada35b6403221425

SHA256
fa0bcd10cdc9df5fe9806e16a933d71d49c93fb6b21e75e2215bb728212b570e

SHA512
854bbe52abf339b75e68c20aef0b905fb29c4c2580a44b957b6d6b02889b78a44f6605a2e45f61f358b7b63d3530b61f6bad513f0672bcef06268d9ea1c55350

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AE0.exe

MD5
f5c4d463115dc020d5ec1756da0258a0

SHA1
b66eb6992d7c0191d1255ae0ada35b6403221425

SHA256
fa0bcd10cdc9df5fe9806e16a933d71d49c93fb6b21e75e2215bb728212b570e

SHA512
854bbe52abf339b75e68c20aef0b905fb29c4c2580a44b957b6d6b02889b78a44f6605a2e45f61f358b7b63d3530b61f6bad513f0672bcef06268d9ea1c55350

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F82.exe

MD5
2686d02fd6a82432c2bbfccdf7f334de

SHA1
75c80a6877c6e0724d19de0f5149bed186760e27

SHA256
35270b20b568beb5f844e1b8c9bfe53498cfbac02633a9cb3ca5927a2cba4e4d

SHA512
22333918e2fed9e39c967313f77844b6bc4f3a2dbfe97223c08def7b80057b7c89f5b75460575172e99c11ee2b824c66e4417588a12ae6a314968c2a34d01698

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F82.exe

MD5
2686d02fd6a82432c2bbfccdf7f334de

SHA1
75c80a6877c6e0724d19de0f5149bed186760e27

SHA256
35270b20b568beb5f844e1b8c9bfe53498cfbac02633a9cb3ca5927a2cba4e4d

SHA512
22333918e2fed9e39c967313f77844b6bc4f3a2dbfe97223c08def7b80057b7c89f5b75460575172e99c11ee2b824c66e4417588a12ae6a314968c2a34d01698

Download Submit
C:\Users\Admin\AppData\Local\Temp\475362202.exe

MD5
db70c7f42b07a25fd11e7d0e43816a9f

SHA1
1a0bea42f1ee93890edb81b45a6e96398348fe0e

SHA256
de340912baa570a143d025279595ce8cc66ca7d43a24ba6e2ebdb729649b06f0

SHA512
4af3c634444f6337471c57a843384c5eb08b6ef2d0e8850d61df46ce441d4e6789fd3b2bf4c6d048284e143a212530eb9833d8bd123ab7f48d506702f35bc119

Download Submit
C:\Users\Admin\AppData\Local\Temp\475362202.exe

MD5
db70c7f42b07a25fd11e7d0e43816a9f

SHA1
1a0bea42f1ee93890edb81b45a6e96398348fe0e

SHA256
de340912baa570a143d025279595ce8cc66ca7d43a24ba6e2ebdb729649b06f0

SHA512
4af3c634444f6337471c57a843384c5eb08b6ef2d0e8850d61df46ce441d4e6789fd3b2bf4c6d048284e143a212530eb9833d8bd123ab7f48d506702f35bc119

Download Submit
C:\Users\Admin\AppData\Local\Temp\475362202.exe

MD5
db70c7f42b07a25fd11e7d0e43816a9f

SHA1
1a0bea42f1ee93890edb81b45a6e96398348fe0e

SHA256
de340912baa570a143d025279595ce8cc66ca7d43a24ba6e2ebdb729649b06f0

SHA512
4af3c634444f6337471c57a843384c5eb08b6ef2d0e8850d61df46ce441d4e6789fd3b2bf4c6d048284e143a212530eb9833d8bd123ab7f48d506702f35bc119

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E6.exe

MD5
e76fbeba883358d5b660b3aacbc59836

SHA1
1d7049647a7b1bf008c12fa17e2c27832b215bd8

SHA256
7f061b78c4b3cba6950bbb540a6c1595c45a1318f662d196647e77c01d027e2d

SHA512
eb983832a6fdd98a7829439934e087aee69dfdfcca7f22104b69061399033bc73c0a363ffaf303fba81bebef03087ba8500dbed2fea265f8973d9358aa6103cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E6.exe

MD5
e76fbeba883358d5b660b3aacbc59836

SHA1
1d7049647a7b1bf008c12fa17e2c27832b215bd8

SHA256
7f061b78c4b3cba6950bbb540a6c1595c45a1318f662d196647e77c01d027e2d

SHA512
eb983832a6fdd98a7829439934e087aee69dfdfcca7f22104b69061399033bc73c0a363ffaf303fba81bebef03087ba8500dbed2fea265f8973d9358aa6103cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\F860.exe

MD5
86f28c786f513a1d3c770dfea2aee499

SHA1
2666a98deab2188f1ea43c02f2cdcc7cf29eb3a3

SHA256
5f839b5ecfb8b2a57eb7023a640bba23ed8c95791be439ab3f121a6ced0bb6cf

SHA512
e8affa29834e1e660e0e0ab6c67c301040e1b9e026355cf5b8a71551440a19950d32b7bf70cfdf7e11aae21e9fc902f9673938179abd1d891461c7631af62caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\F860.exe

MD5
86f28c786f513a1d3c770dfea2aee499

SHA1
2666a98deab2188f1ea43c02f2cdcc7cf29eb3a3

SHA256
5f839b5ecfb8b2a57eb7023a640bba23ed8c95791be439ab3f121a6ced0bb6cf

SHA512
e8affa29834e1e660e0e0ab6c67c301040e1b9e026355cf5b8a71551440a19950d32b7bf70cfdf7e11aae21e9fc902f9673938179abd1d891461c7631af62caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDFE.exe

MD5
1eba0d5807acd00840d7f0a897d3d00e

SHA1
fd06e6d1fd068ba5a6a40c5a4324d0a4192c847f

SHA256
c17316ca6d248f467b2aa44bc67d2ca32040a35864ef0c0c10446d5bd5c6ff18

SHA512
a9a2111a6355a2794a02ec7eebb302ece4e56802d5abc357f0ae6e30c9422786102511db7da4481cc4781bda6469a1d14cc67b3646a04c242755b1bda1c51740

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDFE.exe

MD5
1eba0d5807acd00840d7f0a897d3d00e

SHA1
fd06e6d1fd068ba5a6a40c5a4324d0a4192c847f

SHA256
c17316ca6d248f467b2aa44bc67d2ca32040a35864ef0c0c10446d5bd5c6ff18

SHA512
a9a2111a6355a2794a02ec7eebb302ece4e56802d5abc357f0ae6e30c9422786102511db7da4481cc4781bda6469a1d14cc67b3646a04c242755b1bda1c51740

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6571.tmp

MD5
e25ddaedd61d9aa1b4bf9960db86105a

SHA1
98eea302a5573a220fb6472d822101ff9251672f

SHA256
06b910ec98505eace68c708de8453d02df41e3b760b90f7b8a4e452c18bbc087

SHA512
747a5540767a706cfae90226f653376010b3485e1a404b08558af40192c4f7766aefd9e5d4d8568b6402bbe0faadc679bcc9e6fb265f39719219ab8dda99409d

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5
794bf0ae26a7efb0c516cf4a7692c501

SHA1
c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2

SHA256
97753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825

SHA512
20c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\rudw1t01\rudw1t01.dll

MD5
6213cf02c9bffbfafb6a202f793f1c2d

SHA1
d0de4935259ec18b09a718ce7eec81db46b33e09

SHA256
e8ef7d876af1c96d132336df90c545c47de119b22e0330678b966138fb36b3e1

SHA512
a8f83eb3051aa9846cd7a8950f4f22c17ed4d2b3ca0dfe0c467da7b81640fc1f63fa2c1eaa248d7bb10c12b8d7071be93279193818184ec1a323356e94e273f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

MD5
db70c7f42b07a25fd11e7d0e43816a9f

SHA1
1a0bea42f1ee93890edb81b45a6e96398348fe0e

SHA256
de340912baa570a143d025279595ce8cc66ca7d43a24ba6e2ebdb729649b06f0

SHA512
4af3c634444f6337471c57a843384c5eb08b6ef2d0e8850d61df46ce441d4e6789fd3b2bf4c6d048284e143a212530eb9833d8bd123ab7f48d506702f35bc119

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

MD5
db70c7f42b07a25fd11e7d0e43816a9f

SHA1
1a0bea42f1ee93890edb81b45a6e96398348fe0e

SHA256
de340912baa570a143d025279595ce8cc66ca7d43a24ba6e2ebdb729649b06f0

SHA512
4af3c634444f6337471c57a843384c5eb08b6ef2d0e8850d61df46ce441d4e6789fd3b2bf4c6d048284e143a212530eb9833d8bd123ab7f48d506702f35bc119

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

MD5
db70c7f42b07a25fd11e7d0e43816a9f

SHA1
1a0bea42f1ee93890edb81b45a6e96398348fe0e

SHA256
de340912baa570a143d025279595ce8cc66ca7d43a24ba6e2ebdb729649b06f0

SHA512
4af3c634444f6337471c57a843384c5eb08b6ef2d0e8850d61df46ce441d4e6789fd3b2bf4c6d048284e143a212530eb9833d8bd123ab7f48d506702f35bc119

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rudw1t01\CSC5D483C6DF943CB8D111B916C7B4922.TMP

MD5
6ddb2643bcce7d17da5a2d87379bd4f0

SHA1
3d7fccbc1fe6c1c469afd014bbfacb546acf2024

SHA256
b973a3f5eae71cf88246161bd668e7d3d4e2db3cc41639e90f194d4952dd5c1c

SHA512
49bf7303922830e87441025d098092684c8ce91f9973ea61f4ffc8bdd2980add06cadd91d145b0cc35ff2de3206a40ea796b2b545acb0b3ccbc119df2764b0b5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rudw1t01\rudw1t01.0.cs

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rudw1t01\rudw1t01.cmdline

MD5
712f07658a5b415a43fbabc4026809ae

SHA1
26ff5e0e506719ae7cc684e4fd8564b6cf3e9629

SHA256
21ae4c698d26d5d07552999dcc891dd9e550f16356472c3c7b9577137a32dbd3

SHA512
1917f4045ad72751aa8bd1c7ff2cf03f22b157745419982e183b7179d2f924b173ed24242bc1adc4b5105c55bef9bbc73e7667bfc8fb74694026e17efdae6b2b

Download Submit
\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/340-1115-0x0000000000000000-mapping.dmp

Download
memory/380-1168-0x0000000000000000-mapping.dmp

Download
memory/632-114-0x0000000000611000-0x000000000061A000-memory.dmp

Filesize
36KB

Download
memory/632-115-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/648-1121-0x0000000000000000-mapping.dmp

Download
memory/792-197-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/792-195-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/792-201-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/792-194-0x0000000005602000-0x0000000005603000-memory.dmp

Filesize
4KB

Download
memory/792-205-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/792-186-0x0000000000000000-mapping.dmp

Download
memory/792-196-0x0000000005603000-0x0000000005604000-memory.dmp

Filesize
4KB

Download
memory/792-189-0x0000000000A43000-0x0000000000E49000-memory.dmp

Filesize
4.0MB

Download
memory/792-193-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/792-206-0x0000000005604000-0x0000000005605000-memory.dmp

Filesize
4KB

Download
memory/792-192-0x0000000000E50000-0x0000000001252000-memory.dmp

Filesize
4.0MB

Download
memory/792-190-0x0000000005A10000-0x0000000005E0F000-memory.dmp

Filesize
4.0MB

Download
memory/952-142-0x0000000000841000-0x0000000000890000-memory.dmp

Filesize
316KB

Download
memory/952-139-0x0000000000000000-mapping.dmp

Download
memory/952-180-0x00000000004A0000-0x00000000005EA000-memory.dmp

Filesize
1.3MB

Download
memory/952-184-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/964-905-0x000000007F130000-0x000000007F131000-memory.dmp

Filesize
4KB

Download
memory/964-811-0x0000000004462000-0x0000000004463000-memory.dmp

Filesize
4KB

Download
memory/964-810-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/964-801-0x0000000000000000-mapping.dmp

Download
memory/1064-1118-0x0000000000000000-mapping.dmp

Download
memory/1220-1076-0x0000000000000000-mapping.dmp

Download
memory/1224-124-0x00000000779F0000-0x0000000077B7E000-memory.dmp

Filesize
1.6MB

Download
memory/1224-130-0x0000000000400000-0x0000000000B71000-memory.dmp

Filesize
7.4MB

Download
memory/1224-119-0x0000000000000000-mapping.dmp

Download
memory/1224-122-0x0000000000400000-0x0000000000B71000-memory.dmp

Filesize
7.4MB

Download
memory/1224-123-0x0000000000400000-0x0000000000B71000-memory.dmp

Filesize
7.4MB

Download
memory/1224-125-0x0000000000400000-0x0000000000B71000-memory.dmp

Filesize
7.4MB

Download
memory/1224-126-0x0000000000400000-0x0000000000B71000-memory.dmp

Filesize
7.4MB

Download
memory/1260-257-0x0000000000000000-mapping.dmp

Download
memory/1344-1119-0x0000000000000000-mapping.dmp

Download
memory/1356-1133-0x0000000002C60000-0x0000000002CD6000-memory.dmp

Filesize
472KB

Download
memory/1356-254-0x0000000000000000-mapping.dmp

Download
memory/1540-1077-0x0000000000000000-mapping.dmp

Download
memory/1612-1123-0x0000000000000000-mapping.dmp

Download
memory/1648-289-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1648-265-0x000000000040202B-mapping.dmp

Download
memory/1652-545-0x0000000000000000-mapping.dmp

Download
memory/1652-556-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/1652-557-0x0000000007052000-0x0000000007053000-memory.dmp

Filesize
4KB

Download
memory/1652-582-0x000000007F020000-0x000000007F021000-memory.dmp

Filesize
4KB

Download
memory/1772-1125-0x0000000000000000-mapping.dmp

Download
memory/1932-238-0x0000000000000000-mapping.dmp

Download
memory/1932-253-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/2068-1075-0x0000000000000000-mapping.dmp

Download
memory/2080-117-0x0000000000402DF8-mapping.dmp

Download
memory/2080-116-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2164-1122-0x0000000000000000-mapping.dmp

Download
memory/2428-118-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/2532-1114-0x0000000000000000-mapping.dmp

Download
memory/2596-301-0x0000000006BE2000-0x0000000006BE3000-memory.dmp

Filesize
4KB

Download
memory/2596-300-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/2596-326-0x000000007ED90000-0x000000007ED91000-memory.dmp

Filesize
4KB

Download
memory/2596-290-0x0000000000000000-mapping.dmp

Download
memory/2648-148-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/2648-163-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/2648-131-0x0000000000000000-mapping.dmp

Download
memory/2648-134-0x00000000779F0000-0x0000000077B7E000-memory.dmp

Filesize
1.6MB

Download
memory/2648-137-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/2648-145-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/2648-146-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/2648-147-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/2648-200-0x0000000006B00000-0x0000000006B01000-memory.dmp

Filesize
4KB

Download
memory/2648-198-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/2648-149-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/2980-127-0x0000000000000000-mapping.dmp

Download
memory/3064-1120-0x0000000000000000-mapping.dmp

Download
memory/3068-1124-0x0000000000000000-mapping.dmp

Download
memory/3488-1135-0x000000000040202B-mapping.dmp

Download
memory/3536-185-0x00000000051C4000-0x00000000051C5000-memory.dmp

Filesize
4KB

Download
memory/3536-159-0x0000000000750000-0x0000000000781000-memory.dmp

Filesize
196KB

Download
memory/3536-212-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/3536-203-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/3536-168-0x0000000002760000-0x000000000277C000-memory.dmp

Filesize
112KB

Download
memory/3536-179-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/3536-153-0x0000000000000000-mapping.dmp

Download
memory/3536-220-0x0000000007FD0000-0x0000000007FD1000-memory.dmp

Filesize
4KB

Download
memory/3536-181-0x00000000051C2000-0x00000000051C3000-memory.dmp

Filesize
4KB

Download
memory/3536-182-0x00000000051C3000-0x00000000051C4000-memory.dmp

Filesize
4KB

Download
memory/3556-267-0x0000000000000000-mapping.dmp

Download
memory/3580-228-0x0000000006740000-0x0000000006741000-memory.dmp

Filesize
4KB

Download
memory/3580-223-0x0000000000000000-mapping.dmp

Download
memory/3580-229-0x0000000006742000-0x0000000006743000-memory.dmp

Filesize
4KB

Download
memory/3580-263-0x0000000006743000-0x0000000006744000-memory.dmp

Filesize
4KB

Download
memory/3764-165-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/3764-150-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3764-183-0x0000000004DD0000-0x00000000053D6000-memory.dmp

Filesize
6.0MB

Download
memory/3764-158-0x000000000041B222-mapping.dmp

Download
memory/3808-1167-0x0000000000000000-mapping.dmp

Download
memory/3896-1137-0x0000000000000000-mapping.dmp

Download