redline | 89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
25-07-2021 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9E410393702B6902ABDE53FC8B588527.exe
Size

2.3MB
MD5

9e410393702b6902abde53fc8b588527
SHA1

0a4d2250a4d47e4e9993e0e806545d8731fe5b35
SHA256

89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2
SHA512

66353988d7a905232f1a7462397c4cc1eba7eed1a819a6f5ed22ddff050f97624a702d3780c535eef08eac0bebde1b9d4a92f08c35fcab266e6a77ab3c5f5386

Score

10^/10

redline @menvzlomali discovery evasion infostealer spyware stealer suricata themida trojan

Malware Config

Extracted

Family

redline

Botnet

@menvzlomali

xetadycami.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@menvzlomali.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\svchost\@menvzlomali.exe	family_redline

suricata: ET MALWARE Generic gate[.].php GET with minimal headers
suricata
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 15 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe@menvzlomali.exemine.execlip.exeMicrosoftApi.exeMicrosoftApi.execlip.execlip.execlip.execlip.exeScreanDriver.exe

pid	process
2080	7z.exe
3520	7z.exe
2152	7z.exe
1092	7z.exe
2948	7z.exe
1632	@menvzlomali.exe
3860	mine.exe
2008	clip.exe
620	MicrosoftApi.exe
2688	MicrosoftApi.exe
2368	clip.exe
2112	clip.exe
3896	clip.exe
3912	clip.exe
3860	ScreanDriver.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mine.exeMicrosoftApi.exeMicrosoftApi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mine.exe

Loads dropped DLL 5 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe

pid process

2080 7z.exe
3520 7z.exe
2152 7z.exe
1092 7z.exe
2948 7z.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mine.exe	themida
behavioral2/memory/3860-167-0x00007FF766C10000-0x00007FF766C11000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\mine.exe	themida
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe	themida
behavioral2/memory/620-179-0x00007FF705B90000-0x00007FF705B91000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

mine.exeMicrosoftApi.exeMicrosoftApi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mine.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftApi.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

mine.exeMicrosoftApi.exeMicrosoftApi.exe

pid process

3860 mine.exe
620 MicrosoftApi.exe
2688 MicrosoftApi.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

clip.execlip.exe

description pid process target process

PID 2008 set thread context of 2368 2008 clip.exe clip.exe
PID 2368 set thread context of 3912 2368 clip.exe clip.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2224 3912 WerFault.exe clip.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2368 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2380 timeout.exe
1424 timeout.exe

pid	process
3860	mine.exe
620	MicrosoftApi.exe
2688	MicrosoftApi.exe

description	pid	process	target process
PID 2008 set thread context of 2368	2008	clip.exe	clip.exe
PID 2368 set thread context of 3912	2368	clip.exe	clip.exe

pid	pid_target	process	target process
2224	3912	WerFault.exe	clip.exe

pid	process
2368	schtasks.exe

pid	process
2380	timeout.exe
1424	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

@menvzlomali.exepowershell.exeMicrosoftApi.exeScreanDriver.exe

pid	process
1632	@menvzlomali.exe
1632	@menvzlomali.exe
2252	powershell.exe
2252	powershell.exe
2252	powershell.exe
2688	MicrosoftApi.exe
2688	MicrosoftApi.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe
3860	ScreanDriver.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe@menvzlomali.execlip.exepowershell.exeMicrosoftApi.exeScreanDriver.exe

description	pid	process
Token: SeRestorePrivilege	2080	7z.exe
Token: 35	2080	7z.exe
Token: SeSecurityPrivilege	2080	7z.exe
Token: SeSecurityPrivilege	2080	7z.exe
Token: SeRestorePrivilege	3520	7z.exe
Token: 35	3520	7z.exe
Token: SeSecurityPrivilege	3520	7z.exe
Token: SeSecurityPrivilege	3520	7z.exe
Token: SeRestorePrivilege	2152	7z.exe
Token: 35	2152	7z.exe
Token: SeSecurityPrivilege	2152	7z.exe
Token: SeSecurityPrivilege	2152	7z.exe
Token: SeRestorePrivilege	1092	7z.exe
Token: 35	1092	7z.exe
Token: SeSecurityPrivilege	1092	7z.exe
Token: SeSecurityPrivilege	1092	7z.exe
Token: SeRestorePrivilege	2948	7z.exe
Token: 35	2948	7z.exe
Token: SeSecurityPrivilege	2948	7z.exe
Token: SeSecurityPrivilege	2948	7z.exe
Token: SeDebugPrivilege	1632	@menvzlomali.exe
Token: SeDebugPrivilege	2008	clip.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeIncreaseQuotaPrivilege	2252	powershell.exe
Token: SeSecurityPrivilege	2252	powershell.exe
Token: SeTakeOwnershipPrivilege	2252	powershell.exe
Token: SeLoadDriverPrivilege	2252	powershell.exe
Token: SeSystemProfilePrivilege	2252	powershell.exe
Token: SeSystemtimePrivilege	2252	powershell.exe
Token: SeProfSingleProcessPrivilege	2252	powershell.exe
Token: SeIncBasePriorityPrivilege	2252	powershell.exe
Token: SeCreatePagefilePrivilege	2252	powershell.exe
Token: SeBackupPrivilege	2252	powershell.exe
Token: SeRestorePrivilege	2252	powershell.exe
Token: SeShutdownPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeSystemEnvironmentPrivilege	2252	powershell.exe
Token: SeRemoteShutdownPrivilege	2252	powershell.exe
Token: SeUndockPrivilege	2252	powershell.exe
Token: SeManageVolumePrivilege	2252	powershell.exe
Token: 33	2252	powershell.exe
Token: 34	2252	powershell.exe
Token: 35	2252	powershell.exe
Token: 36	2252	powershell.exe
Token: SeDebugPrivilege	2688	MicrosoftApi.exe
Token: SeDebugPrivilege	3860	ScreanDriver.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

9E410393702B6902ABDE53FC8B588527.execmd.exe@menvzlomali.exemine.exeMicrosoftApi.execmd.execmd.execlip.execlip.exeMicrosoftApi.exe

description	pid	process	target process
PID 3968 wrote to memory of 2168	3968	9E410393702B6902ABDE53FC8B588527.exe	cmd.exe
PID 3968 wrote to memory of 2168	3968	9E410393702B6902ABDE53FC8B588527.exe	cmd.exe
PID 2168 wrote to memory of 2452	2168	cmd.exe	mode.com
PID 2168 wrote to memory of 2452	2168	cmd.exe	mode.com
PID 2168 wrote to memory of 2080	2168	cmd.exe	7z.exe
PID 2168 wrote to memory of 2080	2168	cmd.exe	7z.exe
PID 2168 wrote to memory of 3520	2168	cmd.exe	7z.exe
PID 2168 wrote to memory of 3520	2168	cmd.exe	7z.exe
PID 2168 wrote to memory of 2152	2168	cmd.exe	7z.exe
PID 2168 wrote to memory of 2152	2168	cmd.exe	7z.exe
PID 2168 wrote to memory of 1092	2168	cmd.exe	7z.exe
PID 2168 wrote to memory of 1092	2168	cmd.exe	7z.exe
PID 2168 wrote to memory of 2948	2168	cmd.exe	7z.exe
PID 2168 wrote to memory of 2948	2168	cmd.exe	7z.exe
PID 2168 wrote to memory of 3912	2168	cmd.exe	attrib.exe
PID 2168 wrote to memory of 3912	2168	cmd.exe	attrib.exe
PID 2168 wrote to memory of 1632	2168	cmd.exe	@menvzlomali.exe
PID 2168 wrote to memory of 1632	2168	cmd.exe	@menvzlomali.exe
PID 2168 wrote to memory of 1632	2168	cmd.exe	@menvzlomali.exe
PID 1632 wrote to memory of 3860	1632	@menvzlomali.exe	mine.exe
PID 1632 wrote to memory of 3860	1632	@menvzlomali.exe	mine.exe
PID 1632 wrote to memory of 2008	1632	@menvzlomali.exe	clip.exe
PID 1632 wrote to memory of 2008	1632	@menvzlomali.exe	clip.exe
PID 1632 wrote to memory of 2008	1632	@menvzlomali.exe	clip.exe
PID 3860 wrote to memory of 620	3860	mine.exe	MicrosoftApi.exe
PID 3860 wrote to memory of 620	3860	mine.exe	MicrosoftApi.exe
PID 620 wrote to memory of 2932	620	MicrosoftApi.exe	cmd.exe
PID 620 wrote to memory of 2932	620	MicrosoftApi.exe	cmd.exe
PID 620 wrote to memory of 816	620	MicrosoftApi.exe	cmd.exe
PID 620 wrote to memory of 816	620	MicrosoftApi.exe	cmd.exe
PID 2932 wrote to memory of 2380	2932	cmd.exe	timeout.exe
PID 2932 wrote to memory of 2380	2932	cmd.exe	timeout.exe
PID 816 wrote to memory of 1424	816	cmd.exe	timeout.exe
PID 816 wrote to memory of 1424	816	cmd.exe	timeout.exe
PID 816 wrote to memory of 2368	816	cmd.exe	schtasks.exe
PID 816 wrote to memory of 2368	816	cmd.exe	schtasks.exe
PID 2932 wrote to memory of 2252	2932	cmd.exe	powershell.exe
PID 2932 wrote to memory of 2252	2932	cmd.exe	powershell.exe
PID 2008 wrote to memory of 2368	2008	clip.exe	clip.exe
PID 2008 wrote to memory of 2368	2008	clip.exe	clip.exe
PID 2008 wrote to memory of 2368	2008	clip.exe	clip.exe
PID 2008 wrote to memory of 2368	2008	clip.exe	clip.exe
PID 2008 wrote to memory of 2368	2008	clip.exe	clip.exe
PID 2008 wrote to memory of 2368	2008	clip.exe	clip.exe
PID 2008 wrote to memory of 2368	2008	clip.exe	clip.exe
PID 2008 wrote to memory of 2368	2008	clip.exe	clip.exe
PID 2368 wrote to memory of 2112	2368	clip.exe	clip.exe
PID 2368 wrote to memory of 2112	2368	clip.exe	clip.exe
PID 2368 wrote to memory of 2112	2368	clip.exe	clip.exe
PID 2368 wrote to memory of 3896	2368	clip.exe	clip.exe
PID 2368 wrote to memory of 3896	2368	clip.exe	clip.exe
PID 2368 wrote to memory of 3896	2368	clip.exe	clip.exe
PID 2368 wrote to memory of 3912	2368	clip.exe	clip.exe
PID 2368 wrote to memory of 3912	2368	clip.exe	clip.exe
PID 2368 wrote to memory of 3912	2368	clip.exe	clip.exe
PID 2368 wrote to memory of 3912	2368	clip.exe	clip.exe
PID 2368 wrote to memory of 3912	2368	clip.exe	clip.exe
PID 2368 wrote to memory of 3912	2368	clip.exe	clip.exe
PID 2368 wrote to memory of 3912	2368	clip.exe	clip.exe
PID 2368 wrote to memory of 3912	2368	clip.exe	clip.exe
PID 2368 wrote to memory of 3912	2368	clip.exe	clip.exe
PID 2688 wrote to memory of 3860	2688	MicrosoftApi.exe	ScreanDriver.exe
PID 2688 wrote to memory of 3860	2688	MicrosoftApi.exe	ScreanDriver.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3912 attrib.exe

pid	process
3912	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9E410393702B6902ABDE53FC8B588527.exe
"C:\Users\Admin\AppData\Local\Temp\9E410393702B6902ABDE53FC8B588527.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
2⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\system32\mode.com
mode 65,10
3⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e file.zip -p -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_4.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_3.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_2.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_1.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\system32\attrib.exe
attrib +H "@menvzlomali.exe"
3⤵
- Views/modifies file attributes
PID:3912

C:\Users\Admin\AppData\Local\Temp\svchost\@menvzlomali.exe
"@menvzlomali.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\mine.exe
"C:\Users\Admin\AppData\Local\Temp\mine.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3860

C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
"C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE228.tmp.cmd""
6⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\system32\timeout.exe
timeout 4
7⤵
- Delays execution with timeout.exe
PID:2380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE258.tmp.cmd""
6⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\system32\timeout.exe
timeout 4
7⤵
- Delays execution with timeout.exe
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /f /sc MINUTE /mo 1 /tn "MicrosoftApi" /tr "'C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"'
7⤵
- Creates scheduled task(s)
PID:2368

C:\Users\Admin\AppData\Local\Temp\clip.exe
"C:\Users\Admin\AppData\Local\Temp\clip.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\clip.exe
"C:\Users\Admin\AppData\Local\Temp\clip.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Local\Temp\clip.exe
C:\Users\Admin\AppData\Local\Temp\clip.exe
6⤵
- Executes dropped EXE
PID:2112

C:\Users\Admin\AppData\Local\Temp\clip.exe
C:\Users\Admin\AppData\Local\Temp\clip.exe
6⤵
- Executes dropped EXE
PID:3896

C:\Users\Admin\AppData\Local\Temp\clip.exe
C:\Users\Admin\AppData\Local\Temp\clip.exe
6⤵
- Executes dropped EXE
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 24
7⤵
- Program crash
PID:2224

C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688

C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe
"C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MicrosoftApi.exe.log
MD5
91da0e0d6c73120560eafe3fb0a762fa

SHA1
450b05f8ca5afb737da4312cf7d1603e695ec136

SHA256
bbb62e473ac1b24a55b9fca67848cebc87764d47a6bf60f51d85ed6de28575d1

SHA512
05fb7457b58d099581121c9afc361543a5d2d4b3444994be5cf6a36b3010a76a13310698f77452e2921dc6d1ac511240d95588030a5983eaee7899b625f4e11a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\clip.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\clip.exe
MD5
60645c8fa03001c29963e6646b89602b

SHA1
6164fca1552bfed57e8c0399a8f38ce2df165d06

SHA256
2334aab1e65fd6986d0bfc7587014a1b55235397d07a33deaedb9d9fd21cc285

SHA512
7632546e36317f9e466f52c729b9f4ddaf6eeeeb77cff09bb7bb0cb76d78cb1dfe2a2e0778e7edf3555fc398728e16b699f440fb01dd7ff855d16999b4f4a343

Download Submit
C:\Users\Admin\AppData\Local\Temp\clip.exe
MD5
60645c8fa03001c29963e6646b89602b

SHA1
6164fca1552bfed57e8c0399a8f38ce2df165d06

SHA256
2334aab1e65fd6986d0bfc7587014a1b55235397d07a33deaedb9d9fd21cc285

SHA512
7632546e36317f9e466f52c729b9f4ddaf6eeeeb77cff09bb7bb0cb76d78cb1dfe2a2e0778e7edf3555fc398728e16b699f440fb01dd7ff855d16999b4f4a343

Download Submit
C:\Users\Admin\AppData\Local\Temp\clip.exe
MD5
60645c8fa03001c29963e6646b89602b

SHA1
6164fca1552bfed57e8c0399a8f38ce2df165d06

SHA256
2334aab1e65fd6986d0bfc7587014a1b55235397d07a33deaedb9d9fd21cc285

SHA512
7632546e36317f9e466f52c729b9f4ddaf6eeeeb77cff09bb7bb0cb76d78cb1dfe2a2e0778e7edf3555fc398728e16b699f440fb01dd7ff855d16999b4f4a343

Download Submit
C:\Users\Admin\AppData\Local\Temp\clip.exe
MD5
60645c8fa03001c29963e6646b89602b

SHA1
6164fca1552bfed57e8c0399a8f38ce2df165d06

SHA256
2334aab1e65fd6986d0bfc7587014a1b55235397d07a33deaedb9d9fd21cc285

SHA512
7632546e36317f9e466f52c729b9f4ddaf6eeeeb77cff09bb7bb0cb76d78cb1dfe2a2e0778e7edf3555fc398728e16b699f440fb01dd7ff855d16999b4f4a343

Download Submit
C:\Users\Admin\AppData\Local\Temp\clip.exe
MD5
60645c8fa03001c29963e6646b89602b

SHA1
6164fca1552bfed57e8c0399a8f38ce2df165d06

SHA256
2334aab1e65fd6986d0bfc7587014a1b55235397d07a33deaedb9d9fd21cc285

SHA512
7632546e36317f9e466f52c729b9f4ddaf6eeeeb77cff09bb7bb0cb76d78cb1dfe2a2e0778e7edf3555fc398728e16b699f440fb01dd7ff855d16999b4f4a343

Download Submit
C:\Users\Admin\AppData\Local\Temp\clip.exe
MD5
60645c8fa03001c29963e6646b89602b

SHA1
6164fca1552bfed57e8c0399a8f38ce2df165d06

SHA256
2334aab1e65fd6986d0bfc7587014a1b55235397d07a33deaedb9d9fd21cc285

SHA512
7632546e36317f9e466f52c729b9f4ddaf6eeeeb77cff09bb7bb0cb76d78cb1dfe2a2e0778e7edf3555fc398728e16b699f440fb01dd7ff855d16999b4f4a343

Download Submit
C:\Users\Admin\AppData\Local\Temp\mine.exe
MD5
b4102e57647e9bdc4003fa11198891e5

SHA1
e99cb9f6019dce929b5adfcddf002e2359ada930

SHA256
ad61311a23f5d81dd3f8f73deff2c5f40fd5cc4648f1efc44d61b66b8edb88b5

SHA512
9dd1771ebfd348f10c8ac3687caef7a5a19e9daa898619cc9b23804473a7b312dcb9b836381c2684382ef377305e53fee74368580161e294e8ff8348e51161ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mine.exe
MD5
b4102e57647e9bdc4003fa11198891e5

SHA1
e99cb9f6019dce929b5adfcddf002e2359ada930

SHA256
ad61311a23f5d81dd3f8f73deff2c5f40fd5cc4648f1efc44d61b66b8edb88b5

SHA512
9dd1771ebfd348f10c8ac3687caef7a5a19e9daa898619cc9b23804473a7b312dcb9b836381c2684382ef377305e53fee74368580161e294e8ff8348e51161ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\@menvzlomali.exe
MD5
57212d78e3f10df15da4118f3af590c3

SHA1
fd591b0771e0fb440a82c3f939443859360d55c9

SHA256
071ad7bfefd2e0f0e6e5026f8753d4c02fbc3a6dceb66788677aa027d507c283

SHA512
8fbbba63336485b32ad3b415fcf3d1b2992c9b34a5872ac12e6c5767c03be509d7b537838aa44d49f20c44ab515761f5377a89eec0d54ea237de989b2dc1607d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@menvzlomali.exe
MD5
57212d78e3f10df15da4118f3af590c3

SHA1
fd591b0771e0fb440a82c3f939443859360d55c9

SHA256
071ad7bfefd2e0f0e6e5026f8753d4c02fbc3a6dceb66788677aa027d507c283

SHA512
8fbbba63336485b32ad3b415fcf3d1b2992c9b34a5872ac12e6c5767c03be509d7b537838aa44d49f20c44ab515761f5377a89eec0d54ea237de989b2dc1607d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT
MD5
9c238b66e8e878add3c6d5ec2bb2b8ee

SHA1
01a129285a5738e6acf88d76e8861d7e4f66cf6d

SHA256
0b17daf75f88addfa5ea28e546842453b6b8e8677c81e6af5bced446a7e7cd10

SHA512
b00d7825e4da91645a3e723b0873ec98a96b40eacb4f3b070e8ddc46ecd6a3891dc62c835734e8fb3d26e82f18bd55813149f09c09f0b86d940c994f342b8092

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip
MD5
17c65e9dd39033b1498d5b7127235bdb

SHA1
3f91c363bc3ae2ccbd4bdda2b8e2a327738af446

SHA256
4899f8459fa43698d043dd55347d7afde5529222dc09a9b5b46515d4dc78dbeb

SHA512
58a64286a2964cd8ff4877f5f4895cec01ed3135568c945d2232295f33fc1b19a30dc7fd5567fa4db46ac5e55ba29bb811cf89bdb4e12e7312cf73576c01c133

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip
MD5
960172e158c04fe1a52ec200f8b603e3

SHA1
f866ab4b93f39adecf47053f9c4150c67f159d45

SHA256
b6fc5a261199c4cfbc37c61c26439a95bf2f302889e39e48b2926fd03270328d

SHA512
9d07a9d90dd87ff49087c56cb33e533d487806afbb57a41a72ac1f68cd8736aaaa2660c2449204652928a5edca3da12518701e6e1adf731b37b82267d993017d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip
MD5
b8ac7bef4565972b105784581c036b1f

SHA1
3b2e982bdfbddac1e34edc0e0e270f9280767dab

SHA256
638e31294512e587d4f5f464ae12dd9319cbf0e29b17b0f69ff06c8c12c6549f

SHA512
d3d566a5d3e731e1aed6b59086f2206b49512b1b99183dfb1e38f37f0ff1694aca66bb17c3ee2fd9fb65ebd7986479ec8af392683b3f45affe450604ba8c4c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip
MD5
6104565d86f6897d5598ca576d0cdb34

SHA1
5c6249bb6f5f4648549bebc9f6c27d27cc0cf470

SHA256
b9badec8e882abe16db8a7b85e168cd712b99bb75cee0cc5c2b66fbeda07f4d8

SHA512
b6f593d4ff0a4050b7fa907242298ec25dae653073b1a13a1ea13afaabc91d1db4a1c0857b4cccf93dc78d95156a8ca05fe1af95bab568e6720582f83607df3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\payload.data
MD5
1db985429ea59b5e0ee3bf05de444e3f

SHA1
f5a960489b8141fcf746db2e1b9cc899cc839db5

SHA256
1b7c0b233b405bf1c9534319ddce9b72e61e6701c41287684e5f4f489d5f51bd

SHA512
cf8758b04a3d924c4608df42d0eef538925bb86c26fc3918cf838f827380bbe891f28e13537fb4bdde340c020bbf347e65c5bc19efdc643ea1d3f8b87d8c5f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd
MD5
95e9d038587986bbfae1f3ff2703751c

SHA1
f755fc147be4c89a8f4a8ef8303458a9c2f384c7

SHA256
e94dc2d6675a9b0bef924a79e67e01107ac1725704c7c870939833c2e0ec7c22

SHA512
472969d8183aad603ff6063aa69b233833fe193f3f06b6fbee2c032bafe031900cbc35251219c4b850584bd4721bb132252a3bbc695056ddf92fb0416d142e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE228.tmp.cmd
MD5
0b89344862b81532417a21763b3c6769

SHA1
65d9f0a3ab993281d0d7ac6e09a43bd19c22256e

SHA256
72b2284cd05d7c5fa66d2d782ef803e6a51cd831ed5b9d8eef84f4015ced214a

SHA512
48f50f911c5e6fa1bde143036203d99c3787be80e99e98dce6690bda731ded3f947930224824ec557063da0b419a8399ea1e4810cf21b248580ef8d8c6ef7eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE258.tmp.cmd
MD5
d633feb5d84b3f4a3f79c120b9a0bad2

SHA1
8c88865c2f8ecc54b9f740c6ca04643cbec6930b

SHA256
8f3ae8ee949ba4ec41b49da468f33c958388a927d80cd6843253a65fe416bcbf

SHA512
c280c41b76f67e8dec4dd5b30ae1bfaf84ae5bfd14e17dbd1a4676dc01cd373406bcc93f57930fee249128f9f1a83b827c0d296a8e6a643998ded8a5437fdaad

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ICSharpCode.SharpZipLib.dll
MD5
5a5ab6c6bf9a23d07bc72cc19c37a432

SHA1
12fd67b780088a9d95eecd06c59658447e42f65c

SHA256
85ff339d1e0b853b0f544530fb022a30254f398d8cecfcdfa9e3c0310c3f4791

SHA512
16f5d6af94daa0833d4a95fcf261273f7610a6aaba01b775a358bee6c4ff25d90ad93abfcaf917256038d0abd272502c10e4e8933a062d456db3db077a7221bd

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
MD5
b4102e57647e9bdc4003fa11198891e5

SHA1
e99cb9f6019dce929b5adfcddf002e2359ada930

SHA256
ad61311a23f5d81dd3f8f73deff2c5f40fd5cc4648f1efc44d61b66b8edb88b5

SHA512
9dd1771ebfd348f10c8ac3687caef7a5a19e9daa898619cc9b23804473a7b312dcb9b836381c2684382ef377305e53fee74368580161e294e8ff8348e51161ca

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
MD5
b4102e57647e9bdc4003fa11198891e5

SHA1
e99cb9f6019dce929b5adfcddf002e2359ada930

SHA256
ad61311a23f5d81dd3f8f73deff2c5f40fd5cc4648f1efc44d61b66b8edb88b5

SHA512
9dd1771ebfd348f10c8ac3687caef7a5a19e9daa898619cc9b23804473a7b312dcb9b836381c2684382ef377305e53fee74368580161e294e8ff8348e51161ca

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe
MD5
7d5dce7315ef85297c70b1cc5dfe90fc

SHA1
cd782852ecb85cbc4355003e265d5caa7003da20

SHA256
4c2d0c1ffd5db4f4f6027f801dee59a0c38cc9cfb55ae60280a7e4aad2b5e370

SHA512
aba0deb7ffd417772329489092752f6ad72edf003186baf4eabdbf30b6202c1e13d290a1bc63c9696d7fb5790e0afb250caa4ed840b158d31721e3497662550f

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe
MD5
7d5dce7315ef85297c70b1cc5dfe90fc

SHA1
cd782852ecb85cbc4355003e265d5caa7003da20

SHA256
4c2d0c1ffd5db4f4f6027f801dee59a0c38cc9cfb55ae60280a7e4aad2b5e370

SHA512
aba0deb7ffd417772329489092752f6ad72edf003186baf4eabdbf30b6202c1e13d290a1bc63c9696d7fb5790e0afb250caa4ed840b158d31721e3497662550f

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
memory/620-182-0x00007FFD80030000-0x00007FFD80031000-memory.dmp

Filesize
4KB

Download
memory/620-181-0x00007FFD80000000-0x00007FFD80002000-memory.dmp

Filesize
8KB

Download
memory/620-179-0x00007FF705B90000-0x00007FF705B91000-memory.dmp

Filesize
4KB

Download
memory/620-176-0x0000000000000000-mapping.dmp

Download
memory/816-184-0x0000000000000000-mapping.dmp

Download
memory/1092-130-0x0000000000000000-mapping.dmp

Download
memory/1424-188-0x0000000000000000-mapping.dmp

Download
memory/1632-145-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/1632-155-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/1632-154-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/1632-153-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/1632-152-0x0000000006860000-0x0000000006861000-memory.dmp

Filesize
4KB

Download
memory/1632-151-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/1632-150-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/1632-149-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/1632-148-0x0000000004BD0000-0x00000000051D6000-memory.dmp

Filesize
6.0MB

Download
memory/1632-147-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/1632-146-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/1632-143-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1632-141-0x0000000000000000-mapping.dmp

Download
memory/2008-170-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/2008-163-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/2008-173-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/2008-158-0x0000000000000000-mapping.dmp

Download
memory/2008-236-0x0000000001360000-0x0000000001374000-memory.dmp

Filesize
80KB

Download
memory/2008-169-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/2008-235-0x00000000012F0000-0x0000000001345000-memory.dmp

Filesize
340KB

Download
memory/2008-189-0x0000000002E40000-0x0000000002E6D000-memory.dmp

Filesize
180KB

Download
memory/2008-161-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/2008-174-0x0000000008F60000-0x0000000008FAE000-memory.dmp

Filesize
312KB

Download
memory/2080-118-0x0000000000000000-mapping.dmp

Download
memory/2152-126-0x0000000000000000-mapping.dmp

Download
memory/2168-114-0x0000000000000000-mapping.dmp

Download
memory/2252-191-0x0000000000000000-mapping.dmp

Download
memory/2252-200-0x0000021EE9F60000-0x0000021EE9F61000-memory.dmp

Filesize
4KB

Download
memory/2252-224-0x0000021EE9493000-0x0000021EE9495000-memory.dmp

Filesize
8KB

Download
memory/2252-223-0x0000021EE9490000-0x0000021EE9492000-memory.dmp

Filesize
8KB

Download
memory/2252-225-0x0000021EE9496000-0x0000021EE9498000-memory.dmp

Filesize
8KB

Download
memory/2252-229-0x0000021EE9498000-0x0000021EE9499000-memory.dmp

Filesize
4KB

Download
memory/2252-196-0x0000021EE9440000-0x0000021EE9441000-memory.dmp

Filesize
4KB

Download
memory/2368-190-0x0000000000000000-mapping.dmp

Download
memory/2368-237-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2368-238-0x000000000040E80E-mapping.dmp

Download
memory/2368-244-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2368-245-0x0000000002FF0000-0x0000000003066000-memory.dmp

Filesize
472KB

Download
memory/2368-243-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/2380-186-0x0000000000000000-mapping.dmp

Download
memory/2452-116-0x0000000000000000-mapping.dmp

Download
memory/2688-251-0x0000023443990000-0x0000023443992000-memory.dmp

Filesize
8KB

Download
memory/2688-253-0x00000234438F0000-0x00000234438F1000-memory.dmp

Filesize
4KB

Download
memory/2932-183-0x0000000000000000-mapping.dmp

Download
memory/2948-134-0x0000000000000000-mapping.dmp

Download
memory/3520-122-0x0000000000000000-mapping.dmp

Download
memory/3860-257-0x000001F1CDEA0000-0x000001F1CDEA1000-memory.dmp

Filesize
4KB

Download
memory/3860-172-0x00007FFD80030000-0x00007FFD80031000-memory.dmp

Filesize
4KB

Download
memory/3860-254-0x0000000000000000-mapping.dmp

Download
memory/3860-171-0x00007FFD80000000-0x00007FFD80002000-memory.dmp

Filesize
8KB

Download
memory/3860-167-0x00007FF766C10000-0x00007FF766C11000-memory.dmp

Filesize
4KB

Download
memory/3860-156-0x0000000000000000-mapping.dmp

Download
memory/3860-259-0x000001F1E84A0000-0x000001F1E84A2000-memory.dmp

Filesize
8KB

Download
memory/3860-260-0x000001F1E84A2000-0x000001F1E84A4000-memory.dmp

Filesize
8KB

Download
memory/3860-261-0x000001F1E84A4000-0x000001F1E84A6000-memory.dmp

Filesize
8KB

Download
memory/3912-249-0x0000000000401949-mapping.dmp

Download
memory/3912-248-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3912-140-0x0000000000000000-mapping.dmp

Download