redline | baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15

Target

setup_x86_x64_install.exe
Size

2.2MB
MD5

e3b3a95ef03de0de77cca7a54ea22c94
SHA1

d318d234f8f27f25de660d9881113df9d11c24ff
SHA256

baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15
SHA512

3c1c6254f14491bc2cb096d8b46d0d65e096dac331bab2df9c5b173271eef1b9a9deb831f212a0117fab16665277208d0c1b5183ea600cc2bbe6f9049c57ad0d

Score

10^/10

redline smokeloader vidar 706 aspackv2 backdoor discovery evasion infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Family

vidar

Version

40.4

Botnet

706

https://romkaxarit.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	3384	rundll32.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	3384	rundll32.exe	19

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral9/memory/3448-285-0x0000000004D30000-0x0000000004D5E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral9/memory/4368-278-0x0000000003E40000-0x0000000003F13000-memory.dmp	family_vidar
behavioral9/memory/4368-300-0x0000000000400000-0x00000000021BE000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral9/files/0x000500000001ab19-122.dat	aspack_v212_v242
behavioral9/files/0x000500000001ab19-125.dat	aspack_v212_v242
behavioral9/files/0x000600000001ab18-123.dat	aspack_v212_v242
behavioral9/files/0x000500000001ab1b-128.dat	aspack_v212_v242
behavioral9/files/0x000600000001ab18-131.dat	aspack_v212_v242
behavioral9/files/0x000600000001ab18-130.dat	aspack_v212_v242
behavioral9/files/0x000500000001ab1b-129.dat	aspack_v212_v242

Blocklisted process makes network request 1 IoCs

flow	pid	Process
19	1504	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 35 IoCs

pid	Process
5060	setup_installer.exe
2868	setup_install.exe
4368	Fri1544861ac3fe6a.exe
2776	Fri155442fc38b.exe
700	Fri15af75ee9b.exe
2668	Fri157e25afd971.exe
4424	Fri1553f0ee90.exe
4440	Fri156ec98815f89c.exe
1504	rundll32.exe
1556	LzmwAqmV.exe
1616	Chrome 5.exe
2484	PublicDwlBrowser1100.exe
2648	2.exe
1508	setup.exe
1208	5158395.exe
1212	zab2our.exe
4988	Pubdate.exe
4760	5411537.exe
1868	setup_2.exe
3448	4687479.exe
4208	3002.exe
4244	setup_2.tmp
4420	jhuuee.exe
1428	BearVpn 3.exe
196	8569861.exe
2192	setup_2.exe
3748	8098945.exe
4964	4949573.exe
4712	WinHoster.exe
3184	3501459.exe
1324	1242339.exe
3168	setup_2.tmp
1792	3816385.exe
2272	3002.exe
908	8056319.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8098945.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8098945.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3816385.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3816385.exe

Loads dropped DLL 9 IoCs

pid	Process
2868	setup_install.exe
2868	setup_install.exe
2868	setup_install.exe
2868	setup_install.exe
2868	setup_install.exe
2868	setup_install.exe
1504	rundll32.exe
4244	setup_2.tmp
3168	setup_2.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral9/files/0x000600000001ab50-279.dat	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	5411537.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8098945.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3816385.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	ip-api.com
119	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3748	8098945.exe
1792	3816385.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-48RUH.tmp	setup_2.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 25 IoCs

pid	pid_target	Process	procid_target
2724	2648	WerFault.exe	99
5112	4368	WerFault.exe	88
3160	4368	WerFault.exe	88
1224	1508	WerFault.exe	100
5108	4368	WerFault.exe	88
5156	1508	WerFault.exe	100
5224	4368	WerFault.exe	88
5296	1508	WerFault.exe	100
5412	4368	WerFault.exe	88
5452	1508	WerFault.exe	100
5628	4368	WerFault.exe	88
5748	1508	WerFault.exe	100
5940	4368	WerFault.exe	88
6000	1508	WerFault.exe	100
6120	1508	WerFault.exe	100
424	4368	WerFault.exe	88
5616	4368	WerFault.exe	88
6072	4368	WerFault.exe	88
7004	4368	WerFault.exe	88
7044	4368	WerFault.exe	88
7364	4368	WerFault.exe	88
7524	4368	WerFault.exe	88
7912	4368	WerFault.exe	88
864	1208	WerFault.exe	102
6200	4368	WerFault.exe	88

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri15af75ee9b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri15af75ee9b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri15af75ee9b.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
700	Fri15af75ee9b.exe
700	Fri15af75ee9b.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
5112	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe
3160	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
700	Fri15af75ee9b.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4712	WinHoster.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4424	Fri1553f0ee90.exe
Token: SeDebugPrivilege	2776	Fri155442fc38b.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2648	2.exe
Token: SeDebugPrivilege	2484	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	1208	5158395.exe
Token: SeDebugPrivilege	1428	BearVpn 3.exe
Token: SeDebugPrivilege	2724	WerFault.exe
Token: SeDebugPrivilege	196	8569861.exe
Token: SeDebugPrivilege	3184	3501459.exe
Token: SeRestorePrivilege	5112	WerFault.exe
Token: SeBackupPrivilege	5112	WerFault.exe
Token: SeBackupPrivilege	5112	WerFault.exe
Token: SeDebugPrivilege	5112	WerFault.exe
Token: SeDebugPrivilege	1212	zab2our.exe
Token: SeDebugPrivilege	3160	WerFault.exe
Token: SeDebugPrivilege	908	8056319.exe
Token: SeDebugPrivilege	1224	WerFault.exe
Token: SeDebugPrivilege	5108	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3168	setup_2.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 5060	4564	setup_x86_x64_install.exe	75
PID 4564 wrote to memory of 5060	4564	setup_x86_x64_install.exe	75
PID 4564 wrote to memory of 5060	4564	setup_x86_x64_install.exe	75
PID 5060 wrote to memory of 2868	5060	setup_installer.exe	77
PID 5060 wrote to memory of 2868	5060	setup_installer.exe	77
PID 5060 wrote to memory of 2868	5060	setup_installer.exe	77
PID 2868 wrote to memory of 4192	2868	setup_install.exe	80
PID 2868 wrote to memory of 4192	2868	setup_install.exe	80
PID 2868 wrote to memory of 4192	2868	setup_install.exe	80
PID 2868 wrote to memory of 4172	2868	setup_install.exe	81
PID 2868 wrote to memory of 4172	2868	setup_install.exe	81
PID 2868 wrote to memory of 4172	2868	setup_install.exe	81
PID 2868 wrote to memory of 4160	2868	setup_install.exe	82
PID 2868 wrote to memory of 4160	2868	setup_install.exe	82
PID 2868 wrote to memory of 4160	2868	setup_install.exe	82
PID 2868 wrote to memory of 4248	2868	setup_install.exe	83
PID 2868 wrote to memory of 4248	2868	setup_install.exe	83
PID 2868 wrote to memory of 4248	2868	setup_install.exe	83
PID 2868 wrote to memory of 4288	2868	setup_install.exe	84
PID 2868 wrote to memory of 4288	2868	setup_install.exe	84
PID 2868 wrote to memory of 4288	2868	setup_install.exe	84
PID 2868 wrote to memory of 4356	2868	setup_install.exe	87
PID 2868 wrote to memory of 4356	2868	setup_install.exe	87
PID 2868 wrote to memory of 4356	2868	setup_install.exe	87
PID 2868 wrote to memory of 4336	2868	setup_install.exe	85
PID 2868 wrote to memory of 4336	2868	setup_install.exe	85
PID 2868 wrote to memory of 4336	2868	setup_install.exe	85
PID 2868 wrote to memory of 4272	2868	setup_install.exe	86
PID 2868 wrote to memory of 4272	2868	setup_install.exe	86
PID 2868 wrote to memory of 4272	2868	setup_install.exe	86
PID 4172 wrote to memory of 4368	4172	cmd.exe	88
PID 4172 wrote to memory of 4368	4172	cmd.exe	88
PID 4172 wrote to memory of 4368	4172	cmd.exe	88
PID 4288 wrote to memory of 2776	4288	cmd.exe	89
PID 4288 wrote to memory of 2776	4288	cmd.exe	89
PID 4192 wrote to memory of 2820	4192	cmd.exe	90
PID 4192 wrote to memory of 2820	4192	cmd.exe	90
PID 4192 wrote to memory of 2820	4192	cmd.exe	90
PID 4356 wrote to memory of 700	4356	cmd.exe	91
PID 4356 wrote to memory of 700	4356	cmd.exe	91
PID 4356 wrote to memory of 700	4356	cmd.exe	91
PID 4248 wrote to memory of 2668	4248	cmd.exe	94
PID 4248 wrote to memory of 2668	4248	cmd.exe	94
PID 4248 wrote to memory of 2668	4248	cmd.exe	94
PID 4272 wrote to memory of 4424	4272	cmd.exe	93
PID 4272 wrote to memory of 4424	4272	cmd.exe	93
PID 4160 wrote to memory of 4440	4160	cmd.exe	92
PID 4160 wrote to memory of 4440	4160	cmd.exe	92
PID 4160 wrote to memory of 4440	4160	cmd.exe	92
PID 2668 wrote to memory of 1504	2668	Fri157e25afd971.exe	158
PID 2668 wrote to memory of 1504	2668	Fri157e25afd971.exe	158
PID 2668 wrote to memory of 1504	2668	Fri157e25afd971.exe	158
PID 4424 wrote to memory of 1556	4424	Fri1553f0ee90.exe	96
PID 4424 wrote to memory of 1556	4424	Fri1553f0ee90.exe	96
PID 4424 wrote to memory of 1556	4424	Fri1553f0ee90.exe	96
PID 1556 wrote to memory of 1616	1556	svchost.exe	97
PID 1556 wrote to memory of 1616	1556	svchost.exe	97
PID 1556 wrote to memory of 2484	1556	svchost.exe	98
PID 1556 wrote to memory of 2484	1556	svchost.exe	98
PID 1556 wrote to memory of 2648	1556	svchost.exe	99
PID 1556 wrote to memory of 2648	1556	svchost.exe	99
PID 1556 wrote to memory of 1508	1556	svchost.exe	100
PID 1556 wrote to memory of 1508	1556	svchost.exe	100
PID 1556 wrote to memory of 1508	1556	svchost.exe	100

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\7zS4C3BCB24\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4C3BCB24\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4192
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1544861ac3fe6a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Users\Admin\AppData\Local\Temp\7zS4C3BCB24\Fri1544861ac3fe6a.exe
        
        Fri1544861ac3fe6a.exe
        5⤵
        Executes dropped EXE
        
        PID:4368
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 764
        6⤵
        Drops file in Windows directory
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 800
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3160
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 804
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:5108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 828
        6⤵
        Program crash
        
        PID:5224
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 960
        6⤵
        Program crash
        
        PID:5412
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 996
        6⤵
        Program crash
        
        PID:5628
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1068
        6⤵
        Program crash
        
        PID:5940
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1420
        6⤵
        Program crash
        
        PID:424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1604
        6⤵
        Program crash
        
        PID:5616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1404
        6⤵
        Program crash
        
        PID:6072
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1672
        6⤵
        Program crash
        
        PID:7004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1392
        6⤵
        Program crash
        
        PID:7044
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1772
        6⤵
        Program crash
        
        PID:7364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1708
        6⤵
        Program crash
        
        PID:7524
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1720
        6⤵
        Program crash
        
        PID:7912
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1848
        6⤵
        Program crash
        
        PID:6200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri156ec98815f89c.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4160
    - - C:\Users\Admin\AppData\Local\Temp\7zS4C3BCB24\Fri156ec98815f89c.exe
        
        Fri156ec98815f89c.exe
        5⤵
        Executes dropped EXE
        
        PID:4440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri157e25afd971.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Users\Admin\AppData\Local\Temp\7zS4C3BCB24\Fri157e25afd971.exe
        
        Fri157e25afd971.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Users\Admin\AppData\Local\Temp\is-0FEHP.tmp\Fri157e25afd971.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-0FEHP.tmp\Fri157e25afd971.tmp" /SL5="$60048,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4C3BCB24\Fri157e25afd971.exe"
        6⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\is-LIINF.tmp\zab2our.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-LIINF.tmp\zab2our.exe" /S /UID=burnerch2
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Program Files\Windows Portable Devices\LUSUFWZJOG\ultramediaburner.exe
        
        "C:\Program Files\Windows Portable Devices\LUSUFWZJOG\ultramediaburner.exe" /VERYSILENT
        8⤵
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\Temp\is-NOFCC.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NOFCC.tmp\ultramediaburner.tmp" /SL5="$102D0,281924,62464,C:\Program Files\Windows Portable Devices\LUSUFWZJOG\ultramediaburner.exe" /VERYSILENT
        9⤵
        
        PID:5432
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\55-45b7e-65b-99981-498449890e889\Tobaebolozhy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55-45b7e-65b-99981-498449890e889\Tobaebolozhy.exe"
        8⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\9a-82530-1d1-88d82-0f9bf80654499\Ralinogego.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9a-82530-1d1-88d82-0f9bf80654499\Ralinogego.exe"
        8⤵
        
        PID:5664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tdt4zikj.u3u\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:6824
        
        C:\Users\Admin\AppData\Local\Temp\tdt4zikj.u3u\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\tdt4zikj.u3u\GcleanerEU.exe /eufive
        10⤵
        
        PID:7184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yx0h43cq.lzr\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:7132
        
        C:\Users\Admin\AppData\Local\Temp\yx0h43cq.lzr\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\yx0h43cq.lzr\installer.exe /qn CAMPAIGN="654"
        10⤵
        
        PID:7424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1w50v4n3.p2i\anyname.exe & exit
        9⤵
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\1w50v4n3.p2i\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\1w50v4n3.p2i\anyname.exe
        10⤵
        
        PID:7592
        
        C:\Users\Admin\AppData\Local\Temp\1w50v4n3.p2i\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1w50v4n3.p2i\anyname.exe" -u
        11⤵
        
        PID:7768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri155442fc38b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4288
    - - C:\Users\Admin\AppData\Local\Temp\7zS4C3BCB24\Fri155442fc38b.exe
        
        Fri155442fc38b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
      - C:\Users\Admin\AppData\Roaming\5158395.exe
        
        "C:\Users\Admin\AppData\Roaming\5158395.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1208 -s 1936
        7⤵
        Program crash
        
        PID:864
      - C:\Users\Admin\AppData\Roaming\4687479.exe
        
        "C:\Users\Admin\AppData\Roaming\4687479.exe"
        6⤵
        Executes dropped EXE
        
        PID:3448
      - C:\Users\Admin\AppData\Roaming\8098945.exe
        
        "C:\Users\Admin\AppData\Roaming\8098945.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3748
      - C:\Users\Admin\AppData\Roaming\3501459.exe
        
        "C:\Users\Admin\AppData\Roaming\3501459.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3184
      - C:\Users\Admin\AppData\Roaming\5411537.exe
        
        "C:\Users\Admin\AppData\Roaming\5411537.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c APPNAME7.exe
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1553f0ee90.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4272
    - - C:\Users\Admin\AppData\Local\Temp\7zS4C3BCB24\Fri1553f0ee90.exe
        
        Fri1553f0ee90.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4424
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:5628
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:4404
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\1242339.exe
        
        "C:\Users\Admin\AppData\Roaming\1242339.exe"
        8⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Users\Admin\AppData\Roaming\4949573.exe
        
        "C:\Users\Admin\AppData\Roaming\4949573.exe"
        8⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Users\Admin\AppData\Roaming\8569861.exe
        
        "C:\Users\Admin\AppData\Roaming\8569861.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:196
        
        C:\Users\Admin\AppData\Roaming\3816385.exe
        
        "C:\Users\Admin\AppData\Roaming\3816385.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\8056319.exe
        
        "C:\Users\Admin\AppData\Roaming\8056319.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2648 -s 1528
        8⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 796
        8⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 840
        8⤵
        Program crash
        
        PID:5156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 904
        8⤵
        Program crash
        
        PID:5296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 884
        8⤵
        Program crash
        
        PID:5452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1092
        8⤵
        Program crash
        
        PID:5748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1144
        8⤵
        Program crash
        
        PID:6000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 788
        8⤵
        Program crash
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\Pubdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Pubdate.exe"
        7⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\is-EQQUI.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-EQQUI.tmp\setup_2.tmp" /SL5="$101F8,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri15af75ee9b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Users\Admin\AppData\Local\Temp\7zS4C3BCB24\Fri15af75ee9b.exe
        
        Fri15af75ee9b.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:700

C:\Users\Admin\AppData\Local\Temp\is-35SKK.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-35SKK.tmp\setup_2.tmp" /SL5="$10220,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:3168

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:4712

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2268
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4044

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2672
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Blocklisted process makes network request
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4976

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7196

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7312

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:8004
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B4C1A8A9BBF331B79D054C8E030E0E78 C
  2⤵
  PID:2756

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ada855 /state1:0x41c64e6d
1⤵
PID:6212

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6664

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6592

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:3904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:7564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-312-0x000000001ADE0000-0x000000001ADE2000-memory.dmp

Filesize
8KB

Download
memory/196-297-0x0000000000880000-0x00000000008CA000-memory.dmp

Filesize
296KB

Download
memory/196-283-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/348-538-0x000001A3680A0000-0x000001A368114000-memory.dmp

Filesize
464KB

Download
memory/700-302-0x0000000002280000-0x0000000002289000-memory.dmp

Filesize
36KB

Download
memory/700-315-0x0000000000400000-0x0000000002152000-memory.dmp

Filesize
29.3MB

Download
memory/908-377-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/1208-240-0x00000000014F0000-0x000000000152E000-memory.dmp

Filesize
248KB

Download
memory/1208-221-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/1208-250-0x000000001BCA0000-0x000000001BCA2000-memory.dmp

Filesize
8KB

Download
memory/1212-231-0x0000000000700000-0x0000000000702000-memory.dmp

Filesize
8KB

Download
memory/1324-344-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/1428-271-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/1428-264-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1504-184-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1508-350-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/1508-379-0x0000000000400000-0x0000000002167000-memory.dmp

Filesize
29.4MB

Download
memory/1556-187-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1616-514-0x000000001D0F0000-0x000000001D0F2000-memory.dmp

Filesize
8KB

Download
memory/1616-197-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1792-368-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/1792-352-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/1868-236-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2192-280-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2484-202-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2484-209-0x0000000000900000-0x0000000000917000-memory.dmp

Filesize
92KB

Download
memory/2484-211-0x000000001B390000-0x000000001B392000-memory.dmp

Filesize
8KB

Download
memory/2640-531-0x000001F019400000-0x000001F019474000-memory.dmp

Filesize
464KB

Download
memory/2640-542-0x000001F0197C0000-0x000001F019834000-memory.dmp

Filesize
464KB

Download
memory/2648-210-0x0000000002DF0000-0x0000000002DF2000-memory.dmp

Filesize
8KB

Download
memory/2648-207-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/2668-172-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2776-183-0x000000001B3E0000-0x000000001B3E2000-memory.dmp

Filesize
8KB

Download
memory/2776-162-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2776-174-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/2820-256-0x00000000088D0000-0x00000000088D1000-memory.dmp

Filesize
4KB

Download
memory/2820-192-0x00000000080E0000-0x00000000080E1000-memory.dmp

Filesize
4KB

Download
memory/2820-176-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/2820-194-0x0000000008150000-0x0000000008151000-memory.dmp

Filesize
4KB

Download
memory/2820-180-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/2820-400-0x0000000007123000-0x0000000007124000-memory.dmp

Filesize
4KB

Download
memory/2820-381-0x000000007EB90000-0x000000007EB91000-memory.dmp

Filesize
4KB

Download
memory/2820-179-0x0000000007760000-0x0000000007761000-memory.dmp

Filesize
4KB

Download
memory/2820-191-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/2820-238-0x0000000008880000-0x0000000008881000-memory.dmp

Filesize
4KB

Download
memory/2820-190-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/2820-181-0x0000000007122000-0x0000000007123000-memory.dmp

Filesize
4KB

Download
memory/2820-228-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/2868-134-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2868-137-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2868-133-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2868-135-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2868-138-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2868-136-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2868-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3052-365-0x0000000001010000-0x0000000001025000-memory.dmp

Filesize
84KB

Download
memory/3168-307-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3184-332-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/3184-304-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/3184-292-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3448-266-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/3448-309-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3448-303-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/3448-296-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/3448-290-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/3448-293-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/3448-285-0x0000000004D30000-0x0000000004D5E000-memory.dmp

Filesize
184KB

Download
memory/3748-346-0x0000000005E40000-0x0000000005E41000-memory.dmp

Filesize
4KB

Download
memory/3748-331-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4044-540-0x00000000042A0000-0x00000000042FF000-memory.dmp

Filesize
380KB

Download
memory/4044-529-0x0000000004194000-0x0000000004295000-memory.dmp

Filesize
1.0MB

Download
memory/4244-260-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4368-300-0x0000000000400000-0x00000000021BE000-memory.dmp

Filesize
29.7MB

Download
memory/4368-278-0x0000000003E40000-0x0000000003F13000-memory.dmp

Filesize
844KB

Download
memory/4424-175-0x000000001B790000-0x000000001B792000-memory.dmp

Filesize
8KB

Download
memory/4424-168-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/4636-545-0x0000023F47250000-0x0000023F4729D000-memory.dmp

Filesize
308KB

Download
memory/4712-333-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/4760-244-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/4760-235-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/4760-254-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/4760-258-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/4760-253-0x0000000009B70000-0x0000000009B71000-memory.dmp

Filesize
4KB

Download
memory/4760-249-0x0000000002A10000-0x0000000002A1C000-memory.dmp

Filesize
48KB

Download
memory/4964-316-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/4976-533-0x0000028B8A440000-0x0000028B8A4B4000-memory.dmp

Filesize
464KB

Download
memory/4988-387-0x0000000003E33000-0x0000000003E34000-memory.dmp

Filesize
4KB

Download
memory/4988-374-0x0000000003E30000-0x0000000003E31000-memory.dmp

Filesize
4KB

Download
memory/4988-398-0x0000000003E34000-0x0000000003E36000-memory.dmp

Filesize
8KB

Download
memory/4988-371-0x0000000003D70000-0x0000000003DA0000-memory.dmp

Filesize
192KB

Download
memory/4988-389-0x0000000000400000-0x000000000216E000-memory.dmp

Filesize
29.4MB

Download
memory/4988-384-0x0000000003E32000-0x0000000003E33000-memory.dmp

Filesize
4KB

Download
memory/5348-407-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5432-420-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5500-419-0x00000000025B0000-0x00000000025B2000-memory.dmp

Filesize
8KB

Download
memory/5664-458-0x0000000000742000-0x0000000000744000-memory.dmp

Filesize
8KB

Download
memory/5664-536-0x0000000000745000-0x0000000000746000-memory.dmp

Filesize
4KB

Download
memory/5664-463-0x0000000000744000-0x0000000000745000-memory.dmp

Filesize
4KB

Download
memory/5664-434-0x0000000000740000-0x0000000000742000-memory.dmp

Filesize
8KB

Download
memory/5724-485-0x0000000000F35000-0x0000000000F37000-memory.dmp

Filesize
8KB

Download
memory/5724-466-0x0000000000F34000-0x0000000000F35000-memory.dmp

Filesize
4KB

Download
memory/5724-436-0x0000000000F30000-0x0000000000F32000-memory.dmp

Filesize
8KB

Download
memory/5724-461-0x0000000000F32000-0x0000000000F34000-memory.dmp

Filesize
8KB

Download