Analysis
- max time kernel: 146s
- max time network: 138s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 19-10-2021 19:55
Static task: static1
Behavioral task: behavioral1 (Sample: rdmr_3.exe; Resource: win7-en-20210920)
Behavioral task: behavioral2 (Sample: rdmr_3.exe; Resource: win10-en-20211014)
General
- Target: rdmr_3.exe
- Size: 1.8MB
- MD5: 00c227b93837e5e5f7f24509459a0216
- SHA1: 8148f3df22b82dbdf664ff5e343bb053f01830b7
- SHA256: 0d93bc5a94ff11a3221e186b6fe8ee28aed9f2f1db2413e6562f43bc7f23786f
- SHA512: 574b1fdc7505aa597b078828d7559982e4b506c49466f2600b0dfcf4ba3584581df35e5c7baa91ddda97052c6e34d146d8d1e0457269f18ac7799deb9ef069db
Malware Config
Extracted
C:\Read Me.TXT
aloop@protonmail.com
Signatures
- Clears Windows event logs (1 TTPs)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: rdmr_3.exe
  - File opened for modification: C:\Users\Admin\Pictures\PingUnpublish.tiff (rdmr_3.exe)
  - File created: C:\Users\Admin\Pictures\FormatDeny.tif.redeem (rdmr_3.exe)
  - File created: C:\Users\Admin\Pictures\LimitRemove.tiff.redeem (rdmr_3.exe)
  - File created: C:\Users\Admin\Pictures\PingUnpublish.tiff.redeem (rdmr_3.exe)
  - File created: C:\Users\Admin\Pictures\UseRequest.crw.redeem (rdmr_3.exe)
  - File opened for modification: C:\Users\Admin\Pictures\LimitRemove.tiff (rdmr_3.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (17 IoCs)
  Processes: rdmr_3.exe
  - File opened for modification: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini (rdmr_3.exe)
  - File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini (rdmr_3.exe)
- Modifies WinLogon (2 TTPs, 4 IoCs)
  Processes: rdmr_3.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Redeemer Ransomware - Your Data Is Encrypted" (rdmr_3.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "8888888b. 888 \n888 Y88b 888 \n888 888 888 \n888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 \n8888888P\" d8P Y8b d88\" 888 d8P Y8b d8P Y8b 888 \"888 \"88b d8P Y8b 888P\" \n888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 \n888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 \n888 T88b \"Y8888 \"Y88888 \"Y8888 \"Y8888 888 888 888 \"Y8888 888 \n\nMade by Cerebrate - Dread Forums TOR\n[http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/]\n\n\n\n[Q1] What happened, I cannot open my files and they have an odd extension?\n[A1] Your files have been encrypted by Redeemer, a new ransomware operation.\n\n[Q2] Is there any way to recover my files?\n[A2] Yes, you can recover your files. This will however cost you money in XMR (Monero).\n\n[Q3] Is there any any way to recover my files without paying?\n[A3] Without paying it is impossible your files.\nRedeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security.\nWithout a proper key, you will never regain access to your files.\n\n[Q4] What is XMR (Monero)?\n[A4] It is a privacy oriented cryptocurrency.\nYou can learn more about Monero on getmonero.org.\nYou can view ways to purchase it on www.monero.how/how-to-buy-monero.\n\n[Q5] How will I decrypt my files?\n[A5] Follow the general instructions:\n-1. Buy 32 XMR.\n-2. Contact aloop@protonmail.com and send the following key:\n\n-----BEGIN REDEEMER PUBLIC KEY-----\nOTGmo9caCtb5ZQm7jp07g54cTviSAkZNGTlKSw0bMGGNhRtyRN\nO+Z361jnoEdIyRTuuHxm/gw/Kr+oVHOGzsDFOaZQOu3VrC+Y5U\nF5JenNtKAvMNEJnggiWiCzJommGWhU4oKJZMBRsx3uT3HVD9X9\n4ZlPBXVc/khMWDpQSMSBtlfMTBsbq2bsea2erKdDslvN+RFP95\nu7wSeX0AKTfrM8+4X0p8jvADpZrYvngm0hCdmol25uf5Kg3/P2\nIRdVg45ZyG3BzTN9inBBBpgx7bXrVxMdKFNDgXUoOi7qoHwO1w\n25nbsh4OAwhDx/LyGDI1rUaw4vKwjkMITinbh8f00WfYo3WaII\nIn2VMMZdtmbbsTAnMdpx4VpjYULfWjy+Unoqfl2yL+bHJ+HPqo\n3p4M31i/jJf0eCA4QQHMoHs3GwD7OTUMiFW8pdDLRynAxp0Ft/\nhzlBpvLWQpsXzWK4kuLIin9hkZ+299qM8Jal8d2rWjjcvnPxVu\nlhNQGMzvkhaHYJDOmNxADmmeqHGriAYsQ+Gj2yyYu+sPcmzHRQ\n0GPL0oaX9FJEFY8y865yF6ttzzdUeGGvkYcWw76MS+S4hKP+JP\nlAbN685WLF7eBlVpQHYl55ctH+wCAFn7ZkFOw6kSNYrKuttDtg\nnZyNciSJZdwb8R8fTZMU/3pad6sJr+oOh9Jw==\n-----END REDEEMER PUBLIC KEY-----\n\n-3. You will receive an XMR address where you will need to pay the requested amount of Monero.\n-4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal." (rdmr_3.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Redeemer Ransomware - Your Data Is Encrypted" (rdmr_3.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = (identical to the LegalNoticeText value set under the non-Wow6432Node key above) (rdmr_3.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
  - PID 1812: vssadmin.exe
  - PID 1228: vssadmin.exe
- Modifies registry class (7 IoCs)
  Processes: cmd.exe, cmd.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer (cmd.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell (cmd.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open (cmd.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open\Command (cmd.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open\Command\ = "\"C:\\Windows\\system32\\cmd.exe\" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file." (cmd.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.redeem (cmd.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.redeem\ = "redeemer" (cmd.exe)
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: vssvc.exe, wevtutil.exe, wevtutil.exe, wevtutil.exe, wevtutil.exe, rdmr_3.exe
  - Token: SeBackupPrivilege (PID 1968, vssvc.exe)
  - Token: SeRestorePrivilege (PID 1968, vssvc.exe)
  - Token: SeAuditPrivilege (PID 1968, vssvc.exe)
  - Token: SeSecurityPrivilege (PID 1692, wevtutil.exe)
  - Token: SeBackupPrivilege (PID 1692, wevtutil.exe)
  - Token: SeSecurityPrivilege (PID 620, wevtutil.exe)
  - Token: SeBackupPrivilege (PID 620, wevtutil.exe)
  - Token: SeSecurityPrivilege (PID 1016, wevtutil.exe)
  - Token: SeBackupPrivilege (PID 1016, wevtutil.exe)
  - Token: SeSecurityPrivilege (PID 1276, wevtutil.exe)
  - Token: SeBackupPrivilege (PID 1276, wevtutil.exe)
  - Token: SeTakeOwnershipPrivilege (PID 1508, rdmr_3.exe); this entry is repeated for every remaining IoC in the list
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: rdmr_3.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
  Each line below appears four times in the report (64 entries in total):
  - PID 1508 wrote to memory of 1836: rdmr_3.exe (1508) to cmd.exe (1836)
  - PID 1836 wrote to memory of 1812: cmd.exe (1836) to vssadmin.exe (1812)
  - PID 1508 wrote to memory of 1532: rdmr_3.exe (1508) to cmd.exe (1532)
  - PID 1532 wrote to memory of 1692: cmd.exe (1532) to wevtutil.exe (1692)
  - PID 1508 wrote to memory of 1476: rdmr_3.exe (1508) to cmd.exe (1476)
  - PID 1476 wrote to memory of 620: cmd.exe (1476) to wevtutil.exe (620)
  - PID 1508 wrote to memory of 1660: rdmr_3.exe (1508) to cmd.exe (1660)
  - PID 1660 wrote to memory of 1016: cmd.exe (1660) to wevtutil.exe (1016)
  - PID 1508 wrote to memory of 1604: rdmr_3.exe (1508) to cmd.exe (1604)
  - PID 1604 wrote to memory of 1276: cmd.exe (1604) to wevtutil.exe (1276)
  - PID 1508 wrote to memory of 1084: rdmr_3.exe (1508) to cmd.exe (1084)
  - PID 1508 wrote to memory of 900: rdmr_3.exe (1508) to cmd.exe (900)
  - PID 1508 wrote to memory of 864: rdmr_3.exe (1508) to cmd.exe (864)
  - PID 1508 wrote to memory of 1920: rdmr_3.exe (1508) to cmd.exe (1920)
  - PID 1508 wrote to memory of 1532: rdmr_3.exe (1508) to cmd.exe (1532)
  - PID 1532 wrote to memory of 1228: cmd.exe (1532) to vssadmin.exe (1228)
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\rdmr_3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rdmr_3.exe"
  Signatures: Modifies extensions of user files; Drops desktop.ini file(s); Modifies WinLogon; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin delete shadows /All /Quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wevtutil.exe
      Command line: wevtutil clear-log Application
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wevtutil.exe
      Command line: wevtutil clear-log Security
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wevtutil.exe
      Command line: wevtutil clear-log Setup
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wevtutil clear-log System
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wevtutil.exe
      Command line: wevtutil clear-log System
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wbadmin delete systemstatebackup -deleteoldest -quiet
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ftype redeemer="C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
    Signatures: Modifies registry class
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c assoc .redeem=redeemer
    Signatures: Modifies registry class
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\rem.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin delete shadows /All /Quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\wevtutil.exe
      Command line: wevtutil clear-log Application
    - C:\Windows\SysWOW64\wevtutil.exe
      Command line: wevtutil clear-log Security
    - C:\Windows\SysWOW64\wevtutil.exe
      Command line: wevtutil clear-log Setup
    - C:\Windows\SysWOW64\wevtutil.exe
      Command line: wevtutil clear-log System
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 5 127.0.0.1
      Signatures: Runs ping.exe
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h -r -s *.*
      Signatures: Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\0c1919a0-44c8-4fae-925e-48a839f4156c.tmp.redeem
  MD5: 0c7e678bff2b4b47da14b9714de39b86
  SHA1: 57da27dea61264431928dce479944f05be441437
  SHA256: 6e472704068c1a04e178a08e94723de9ff62447acb171982eae5c402422bc12a
  SHA512: cb3e0a9c7ff55d213384d8a79f8b9816d8cdc03c0533e5e5b44d151855d039fc04aee6208b0793bedc2a484bd66f9eefdc797646beb821fed9341110551194cf
- C:\Users\Admin\AppData\Local\Temp\1b3ed5da-7a5f-4f4e-bdaf-7e40401ba0c7.tmp.redeem
  MD5: de48aad377804ccd4724f39c376749b6
  SHA1: d8aeed479ec7a71b4528deada34e625b8be30768
  SHA256: 2b8de0c59d331b0decf6bea3a4da3e559c59d7c30f8a9b1cdf029eb839a94c06
  SHA512: eb9b93ef20b046cb33b5d2facf97a9c03f30fb4d9ea4dd1162a66fb2bd9eeab80b68f71fc9ea76ab4407a6e593c413b9266e7b92531da40c0aac8ad62ba071cc
- C:\Users\Admin\AppData\Local\Temp\2ba67d42-8a01-4556-b51e-6d2a52d9fd26.tmp.redeem
  MD5: 4ffad08ef9b804dd852e86a15a9343a7
  SHA1: 01fa0139cb0fbc8892abf590400136022309120b
  SHA256: 00c69adc8f996e27a4afdd3273de1981c3b680d9c020bf2d14efc8163194596c
  SHA512: 82050aaf09b928f2f2e27bf282502d38fbd0fa565bd8d7e6f4415f47c0bfe28e922919cc35eace8ad55c862e41d192a6f05d3c43221d6c38f516c0efc7b9a75c
- C:\Users\Admin\AppData\Local\Temp\6b72f755-a2e9-49ad-92c7-f6b2676f7a82.tmp.redeem
  MD5: e9a0591f6f6cc8a67800a3d72774aca3
  SHA1: 5479eaf074838f5e59c2ee5f4adaf8a64dff61e0
  SHA256: 4026b72ecef9967d8823dc07d7b13e899e3b7f549e714cefa34a57e9d075f821
  SHA512: 5e8cba6103b3ac1977a5e72dd18dff07421c36e4d51df110706b1dfb45e93a2022f12f67291088615b709e6abf79ba6e691cc22962c49a82f434132b5c88c0cb
- C:\Users\Admin\AppData\Local\Temp\8ff4d7b2-c0c7-4c01-a745-1de4db285eeb.tmp.redeem
  MD5: cf16d1291633d53e7bd3647ea60843df
  SHA1: 21e7af5f6e32d2df5850dd142ae437e1f80c7712
  SHA256: ad8953cc412a7f6fcb98ea7950df9a4260405f00411c79cda7e34e5428c09249
  SHA512: 514fd1a81bdd4d3d29a1305e624826b3f1465606d2ca3de5736cd402b9488780e4081340cf5408af2b2fb82b1ee1e5e6fb68eacc9811e4dd4504117764d396b7
- C:\Users\Admin\AppData\Local\Temp\9a80f130-1150-4939-9893-99021df73ea0.tmp.redeem
  MD5: 11059b1a61425de8ec71572df1040bc7
  SHA1: 2aa275973840506b2b8f23470d3054912dcb6124
  SHA256: 9308b5c95f928c32487daa4e864b710fa1918af97bdb727e0901e398b9beb358
  SHA512: 44ce3e9e70cae573e2188654dbbee992893a6ad9c0b2dfa8bbeb968dc690082e778e0ac3d084cbc5a814811b5d6d54222c8f40f645976b3f18f88f63f7455215
- C:\Users\Admin\AppData\Local\Temp\9f24dec6-69fc-4aa5-a967-c61157822192.tmp.redeem
  MD5: 52ca694197c52933edb5c4402a185a47
  SHA1: 8d94afa918b9abcaa9855d15106b510990a523dd
  SHA256: e0ea6e4d04647bbee4424c8ccc5368658b6e61a4f58ab2af8d5ed44846385023
  SHA512: fa94a737e2a32668eedd7436e9cdd99db4b3ebdbe5366c4081cf98c931aeeaf7d8ed90f4ab3e8a7d8997c09d32a1362d1e13ac59aa34b79b2dfc2bdd05a20b48
- C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00000.log.redeem
  MD5: d00f9cc0d037cb771423f45a8c43f320
  SHA1: 8cacf7e0b3618ae9670b0c420e2d56563476a0c1
  SHA256: 11bcc34f15924f13a6e79efeceb267d8c2fd04f5d725c9a5e5733417cf5df7c0
  SHA512: f40363b6f522086d94fc67076e6c4effdae0ca13aaae1d853ee3d659f5e814c88b5072f22cbc8ae7861cc4921b30fcc96162fdaa8e6fa21e5140df8ba41ee3b7
- C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log.redeem
  MD5: 8d10b56e079ab764041079852f7b92fb
  SHA1: b855f16d440da519b3e7073474b9851fa2f7ad17
  SHA256: ed1f7e0955277dabd2ad9ae3278a80d544d3138032b533ad58571c7ca873feaa
  SHA512: a2e6e4038da384d642807360cdd093f96ac5b6d5ff91876281787ce9ce90060cef0b49547969a5324fa7ddaaa63e9276e04a7a8808cd119298455aa065c2435c
- C:\Users\Admin\AppData\Local\Temp\Admin.bmp.redeem
  MD5: 983110444bb1e2e3367f7d1bec91a199
  SHA1: 4e367b885988fae3e8b9df93ef85f98aed8ec717
  SHA256: 1795dfa6d6691cc76185d7d90a117980a7277b08a1476a77d812b53016e10f51
  SHA512: 7b1d251398e42b8745eee98990d7bad8017d92b283f588fd6a427ec32b36e9e642f2742311d12653591faa3a219ae28ced992e63a70454ff50ea1f3149d362b7
- C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log.redeem
  MD5: 4a78b0fae960a233950c06bf75e5ac02
  SHA1: ee39eb7ef831c59143bb31f16de9c4e73e861002
  SHA256: b5b4f27581541c674896d5b5ed845a521c20607bf97e85590703bfaa27e7ca08
  SHA512: 846e12a996ebfe83ff3454dc8a7614fd676d2832050cda2b0a547888cd6c4418858b81f4f6042ebb5aff4c38e56aaf9292a4d6b29995d9100b5bff8c5567ff08
- C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20210920_131035753-MSI_netfx_Full_x64.msi.txt.redeem
  MD5: 3f7661e740a6458c125d8706d7f8d516
  SHA1: 59cf26ad1e8347efaae8bff993929407669cdaa2
  SHA256: c2af58a280b46efabf5424b434de714cc503ac07eababc15aa038635e3582c35
  SHA512: ac9770a7bae6f0812e0c28b39e8132341b8d93a3ac586e596b84464eb9a01305ba5256da24c3b1474b373e7dff3768646d794a7f5d1ac9d411cb52532784a88c
- C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20210920_131035753.html.redeem
  MD5: 8f1df694ace567ff50226f7ddc1dea54
  SHA1: a990e7ecde898f0ce436418308efb323c5bedeab
  SHA256: 80252ebe761d24d306fa78b2d86ebaa043649c8d90d06b909f251cbe61a399ce
  SHA512: 90d024113f693fb01461387255a6852cb9a835abe33fbbb2fcc9e1a3afd772b573966ffbdb82dbddd0eb9e4a5263f55d471472e47165ed6a6a566f87ed6ab303
- C:\Users\Admin\AppData\Local\Temp\RD6F36.tmp.redeem
  MD5: 690eb88f7a4490be373b3b68c61e6093
  SHA1: d6dff9943ff77f30981dd11972a6b7653fc9ad55
  SHA256: dc2fbfd16da3006ff18fd27028e966d3f9bafbe9791adac84cf2a302aa127712
  SHA512: 48929a4dd7ea9ba97a6c79f35783e4d08f9f364037ceaebe4eb58540cb9e31e5ca67359410632276ae59a971d922b27052bf1dabe21875a3f47794b431b079f8
- C:\Users\Admin\AppData\Local\Temp\RGI1871.tmp-tmp.redeem
  MD5: 162d854357803eb78723b8ce1ae4fad5
  SHA1: 48ecf31a3824ec94caf2c759da05809f1d1b0a8c
  SHA256: 406aefd8b59944042facfbc5887fccf958c2363959144870fc1b5c48e4cf6689
  SHA512: 6e8349161857e01fcd3e29bbbdb16a7d0049c309ce7b489797efafefba16fe86c24c7d4ceefd0ebdb33d20cee46cd7084dc40b80a761e4b428d672b2632063f8
- C:\Users\Admin\AppData\Local\Temp\RGI1871.tmp.redeem
  MD5: 5c0124cbfbbeb54394eda5b698564b5f
  SHA1: 0bf509ce6b6ade7333eaf787b57b34a03ab183e3
  SHA256: edcc3ffdc3daea7a094e78350f95eb218bb01dd84cfafe2df5a3c19dbea0c70b
  SHA512: 83daebf10aea47e19e29346fad90ddc22094cb27e94f18d2217dac73e731afa73da1c2a6a71ca3e695fab88260b9cee776fa4173c53bdc2ea20a6d9044182ad0
- C:\Users\Admin\AppData\Local\Temp\Read Me.TXT
  MD5: f52cd750015318b7b57ba5d7fe166f23
  SHA1: 6bdfdb224fe0b077d658f4e4471980ee243d3fc3
  SHA256: 63c935290037541a1a5f85508c0135974516aaaca778a2dd3354121fab768ef0
  SHA512: 1477f371d5e10f1c515b01e588a7949bd6adefaed5566bcce857b05dbd27e8dc4c01413df2659721b7fcfcd9c1d12122a5f5138815dd00346cebbf12a0a5fe26
- C:\Users\Admin\AppData\Local\Temp\SetupExe(202109201319267F8).log.redeem
  MD5: e82cd1a2d7a986adcd366b107e122851
  SHA1: ef374e0ce495fe171d4e645ed92662e78fe4bb1b
  SHA256: 252995a40cbf4518a9b31e0f901602c51ccb9e9525f44b19662720e06fb6d0cc
  SHA512: 042c0c0d24f0cceec81a2735e4d988b38772950788d7d69c3b908c5f9992f32c38b9cf392b0904f80a89e055d63fa27474de99a11da925d74216d0678fefe5ba
- C:\Users\Admin\AppData\Local\Temp\c60bcdcc-1e5c-4b98-8712-bd44cf4c7af8.tmp.redeem
  MD5: 967a5a140c04841edb69ebf990ecbd33
  SHA1: 5d9acd1d7b11af4c3e89a39349b8a4fa2fb8f0b1
  SHA256: 834eafbc6831d0f0b768d7f3bb9109d81de5b800112cf476596bef27a779e7eb
  SHA512: 7e854c3407c788a88cdc3a32b049fe5fb5134691b7de121c9d1e03a86cc3a2a0f72c358bcc353fa550f0fee9de2ef46b1e7f03b02cef75ac2ebe6521c46087a1
- C:\Users\Admin\AppData\Local\Temp\cbd69d6e-a4b2-445e-b5cb-61393562b8ad.tmp.redeem
  MD5: edfcc21874024f15e0486549450f24dc
  SHA1: 5158a51595d5d7fdbb2e204bbf170948800da5a0
  SHA256: c42ebb34788653d935288caa6c5a6699f62e5d1c61619fbe4944c7fda835e694
  SHA512: 246443815a2a695c606be13449eebf04aa42cf854455d0e53be269f7cd188d6e0708dc7f3d084f09b040199436ada1377a2d95eaf8ba02ff88a9cd466aa85926
- C:\Users\Admin\AppData\Local\Temp\chrome_installer.log.redeem
  MD5: f9d9baac2cfbea1f1f1fcd8df9893876
  SHA1: f7b536ebd167e960c1c8d7817329e2013c1c49ba
  SHA256: 90be2bc43841bc7151d68b8342e33fadc04914233bd87fa32ed66177bdd667e8
  SHA512: 5e3a5e87f8b741995a35e589487b477193f6ed0bcd9883cf75579dd5b4feb1fcd283b3130fea0aa97632f0c9d7e322fd8bdab054b7678954091b54e9b628fecd
- C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.redeem
  MD5: b53a4f1fa39e9f1a2ab6609db8ec2884
  SHA1: 9fe8026f9ca70a92e4c2e20ca9e05cfce60632c6
  SHA256: ad83f0c3217f4c982439551ab39c0b979d9996e260176a03442369c97500b9c5
  SHA512: fd77addbc5e56f3808e07ddcec566c8fb2ebd8371b4f71aeb1e8f8bda6e57f98a166c77b6b785f7b1aacecbc686ac1ded56dd308cf0822cec0908492707a5875
- C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt.redeem
  MD5: 014233fe16188887a6eac08084527dde
  SHA1: 5c407bf80340beb6774ceb04f6ef4163b76e9323
  SHA256: 3261f48a24979bc4d1e0100801be8ef6f8050a9d15f6868d874c4cbf9ae4872b
  SHA512: 4936e4c609edd714fe0d9d6c7bb4dda9182558b322255db496a85a5e30ed9afa648ef902b0a123dfa2d1568c72feee3f4ed41d38061a108bdc150af23bba9baa
- C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI37BF.txt.redeem
  MD5: 38020ecbc9d03c6be200304ba73e93e5
  SHA1: 843c6c9b3e7c41821583c9be1297a05813b7b787
  SHA256: 0d540529e93c6139c475e3db34326322670dcaf44607595adcb3004ef69ef051
  SHA512: dbb68de1bfffdf5a4640406f4df9d8146023d8ee13c974544313218099337c2ba8064195c6643eaa2c37520cc1a06d97ba2bf32184b7e32169879efd7f76993e
- C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI37BF.txt.redeem
  MD5: 3bc5dc384e52109f55436f81b43a82f5
  SHA1: 5a8745c059e699f96d0c665e949feae3240d52c4
  SHA256: 141b28ba2475d7a7a21c43f49ed1b22efd6480abea686d7f58519c52c6ede495
  SHA512: ed1b5d754a94212e045be7de7539a797339b10c6e03124d6724b07cbbfb4779fa714b01df43e9155388835db77b81ecdad133bcbd966937e1c7c2102ff9338b3
- C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20210920_131101_805.txt.redeem
  MD5: 1856169476e78f44bbe2d708451b71d4
  SHA1: b671797351a67f55f1763617612061294e561108
  SHA256: 51d01e3bf410527b1dd96c71760c32fe43cb10149d4bed8d7f738fe54c27ef37
  SHA512: 797a1fc951cde587c2798b37f78fddf5e97d430f8000a1aa26912495e54b5ccbee1fa788a8d18718ca154007c8586b9dc4871c385e95207ebd8691e40051ad61
- C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20210920_131103_412.txt.redeem
  MD5: 2375527ea3538d9598ea1a57ca9621e5
  SHA1: f85814f23e2f68528a5dd91a0cca7db646840068
  SHA256: d0ce3e7f61a5071d3f64f55b08c5ed255e8fdc4740233f447ee9b6dc2a65582b
  SHA512: 7370599ecd280b1a7577abbbb7c67834ad165b6280719f4455ec558775c260268bb21b921074ff41781f0bbc255d355d49352395dfa8a0df95931f674f8827d0
- C:\Users\Admin\AppData\Local\Temp\java_install.log.redeem
  MD5: c8bfba3899ea9f8a57def232e97e5cb9
  SHA1: 280b45f4dbc5eb16f63005a6482bd6c612365aed
  SHA256: f5db611bf129c39e47650d46b1df51f4c0140bcd3428136f0312ef24b1786cd6
  SHA512: cae670659674d214907655cc37c8f0ff794fb9c9c2599e96b156f67bcaf8e7398fd26269850dbea14891a07682bc8432063162f72e8ae76a199dd95b67e643ac
- C:\Users\Admin\AppData\Local\Temp\java_install_reg.log.redeem
  MD5: eb017720064d2c187fdfd6c0598f3979
  SHA1: 6a3783d7c0a0326a44971c9052ff625331e3431d
  SHA256: 131a01d3548ad1aa66e054e57eb7d92fc33a369a0f3a679fd728ae9bcee53e04
  SHA512: 59f979c1cde579f9a2b651a60ba015ab0b1ea7ff53cdfbd4ddd8a617b796ea04845476fbe203f9e8bad1396b6505d57d765a6683e6f6abf088d29bfd35150ca5
- C:\Users\Admin\AppData\Local\Temp\jawshtml.html.redeem
  MD5: fa7e24ad0011f369703acc3f4dac8c62
  SHA1: dd1895049781d7b9c441ade7c0134f3996f34cc3
  SHA256: 4d91cd8ae2fd7454404bcb03104f3bb117ed5ecfb8e7821d38b1ec315938c6ad
  SHA512: 55aa8d5d31858a437ebcf90d0485eb2b2c642190682c10038996f803e6c79d4c2bc144399de2837ef8c1091685484216fb59e5f57ff751f34974d72ccfc3ec2d
- C:\Users\Admin\AppData\Local\Temp\jusched.log.redeem
  MD5: eb4be91db59b23ddbb3633df87c87dad
  SHA1: 8a933d9ccb00825a85f5563a3049696dbb59a28c
  SHA256: 9945370823d4d1f21b4616b9792fb2f9073d4268022aba8d710961f2b051fd84
  SHA512: bc493b7c3be1919e6a609085a2953567cdf0663f441247d4c3d3145c59674a05b1cfd254aecb5e2624390b5882bfbef25957f4dcba8ac3d8f0b96ddc8c67b70f
- C:\Users\Admin\AppData\Local\Temp\lpksetup-20210920-132802-0.log.redeem
  MD5: 1fff0a29afd2e7f5cecb433365493a51
  SHA1: ac2f17eb563378993580e4bdee54c45cdede1ea6
  SHA256: 4601510dffb7e761501981dc0621c0f4680fc1a7f94d17a81eb82cd56f30e3e2
  SHA512: 61a83dabae85e3a99ef6ea69c4e04917658b0f9d578c9ac0a826fdf8bc1140e4b05b30a2afcd1443d254d286f266300d458dcd719c0dbb493d94b6a1d5901b29
- C:\Users\Admin\AppData\Local\Temp\lpksetup-20210920-133137-0.log.redeem
  MD5: 7d4551e4c04c3ce97dbd2d2e19aa4fc6
  SHA1: b2fcbd49ca11f435c001a088fbaa79234a0c95e9
  SHA256: 818b27ee94485fc32f3ed61ea6701d55ac50572c4d1eb936a2dc79bc821aaf24
  SHA512: 91290f867dd781a7e21f25d08a2f7a55beb79ed43ddbc351c84972c7e75c385b5da24140c7228d48029f32700d66039f80ebb7f4175f99d692232b6ebb51be19
- C:\Users\Admin\AppData\Local\Temp\lpksetup-20210920-133450-0.log.redeem
  MD5: b6c47924f5069f712eba8d1a4f3011a8
  SHA1: 8d3811ff6c76cb74f3b256d83140733768a6061c
  SHA256: b882075e22744d9258bcc99736255759d2dfbc5549d168671161bf222e84c5e2
  SHA512: 78175e019a88b95ab051fd42faed693413d20435cfb6dcb6409c6c93e4bd0a22d62471bac9ebbec0fa99756f620c1e43f581ce53caf3a79d77973c6aee2c9008
- C:\Users\Admin\AppData\Local\Temp\rem.bat
  MD5: 6881b34456863e9f8fa0a66fb60bb21a
  SHA1: ccc31f6057c273c774a36b1ac76b2e2e0faf9d6f
  SHA256: a932f4eb13c4c7bc0ca0152ff3fdbd58c8ec8d218350b439837fd3f7242cf64b
  SHA512: 5ce597dc94a8af0d315aa2fa2b6bd84a65666f4bc0cb297fe3768acc0a4f1a918bac80a9fb571991854aa3d8e058c4aa954cc95c67ad613d0d0a12d165c39551
- C:\Users\Admin\AppData\Local\Temp\wmsetup.log.redeem
  MD5: 9271178a34227276e9e3d2fe61fb73b9
  SHA1: d62e0cbcf198f39cbcf0188490af9d7150c44890
  SHA256: b68f99e134d9ac2605938daaac846230657a731eabc7ef7ef6de01905f8a46fd
  SHA512: f0f5e9a2ab132c0e6e85e68cbb355067d7207ba5ebbd0952bcfde515decf9decaf5fa861cbce042ac43a59000e56b89d78f000a8b98a543e85967c379b23c834
- memory/620-59-0x0000000000000000-mapping.dmp
- memory/864-66-0x0000000000000000-mapping.dmp
- memory/900-65-0x0000000000000000-mapping.dmp
- memory/1016-61-0x0000000000000000-mapping.dmp
- memory/1084-64-0x0000000000000000-mapping.dmp
- memory/1228-71-0x0000000000000000-mapping.dmp
- memory/1276-74-0x0000000000000000-mapping.dmp
- memory/1276-63-0x0000000000000000-mapping.dmp
- memory/1440-72-0x0000000000000000-mapping.dmp
- memory/1476-58-0x0000000000000000-mapping.dmp
- memory/1508-53-0x0000000076B61000-0x0000000076B63000-memory.dmp (Filesize: 8KB)
- memory/1532-69-0x0000000000000000-mapping.dmp
- memory/1532-56-0x0000000000000000-mapping.dmp
- memory/1564-77-0x0000000000000000-mapping.dmp
- memory/1604-62-0x0000000000000000-mapping.dmp
- memory/1660-73-0x0000000000000000-mapping.dmp
- memory/1660-60-0x0000000000000000-mapping.dmp
- memory/1692-57-0x0000000000000000-mapping.dmp
- memory/1724-76-0x0000000000000000-mapping.dmp
- memory/1812-55-0x0000000000000000-mapping.dmp
- memory/1836-54-0x0000000000000000-mapping.dmp
- memory/1920-67-0x0000000000000000-mapping.dmp
- memory/1936-75-0x0000000000000000-mapping.dmp