redline | 92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9

Analysis

max time kernel
119s
max time network
127s
platform
windows10_x64
resource
win10-en-20210920
submitted
24-10-2021 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe
Size

68KB
MD5

ca9086de3f408d228e80d70078b92daa
SHA1

efb3169c11d03008d928e8b0b337a0f586abeaca
SHA256

92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9
SHA512

95e675cb0aac1087e930904000c88f2214c79f765ccfe8831b2af572a8ce0282d1d15b677fc6892ae6e6f8604db78d13833e2357d896f969a0af43c6935927e8

Score

10^/10

redline discovery infostealer persistence spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5104-195-0x0000000002BC0000-0x0000000002BED000-memory.dmp	family_redline
behavioral2/memory/5104-202-0x0000000002D70000-0x0000000002D9B000-memory.dmp	family_redline
behavioral2/memory/1076-203-0x0000000003470000-0x000000000348C000-memory.dmp	family_redline
behavioral2/memory/1076-206-0x00000000034F0000-0x000000000350B000-memory.dmp	family_redline

Executes dropped EXE 10 IoCs

Processes:

7466567.exe3113801.exe3427954.exe3898480.exe5839952.exeWinHoster.exe3427954.exe3427954.exe3113801.exe3113801.exe

pid	process
4392	7466567.exe
4468	3113801.exe
4428	3427954.exe
3192	3898480.exe
4008	5839952.exe
1812	WinHoster.exe
4824	3427954.exe
5104	3427954.exe
4376	3113801.exe
1076	3113801.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3898480.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	3898480.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

50 wtfismyip.com
51 wtfismyip.com

flow	ioc
50	wtfismyip.com
51	wtfismyip.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

3427954.exe3113801.exe

description	pid	process	target process
PID 4428 set thread context of 5104	4428	3427954.exe	3427954.exe
PID 4468 set thread context of 1076	4468	3113801.exe	3113801.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

3113801.exe3427954.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	3113801.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa25c000000010000000400000000080000200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	3427954.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	3427954.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	3427954.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	3113801.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	3113801.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	3427954.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	3427954.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	3427954.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	3427954.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	3113801.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	3113801.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	3427954.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	3427954.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	3427954.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

7466567.exe5839952.exe3427954.exe3113801.exepowershell.exe3427954.exe

pid	process
4392	7466567.exe
4008	5839952.exe
4008	5839952.exe
4392	7466567.exe
4428	3427954.exe
4428	3427954.exe
4468	3113801.exe
4468	3113801.exe
2848	powershell.exe
2848	powershell.exe
2848	powershell.exe
5104	3427954.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe7466567.exe5839952.exe3113801.exe3427954.exepowershell.exe3113801.exe3427954.exe

description	pid	process
Token: SeDebugPrivilege	3040	92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe
Token: SeDebugPrivilege	4392	7466567.exe
Token: SeDebugPrivilege	4008	5839952.exe
Token: SeDebugPrivilege	4468	3113801.exe
Token: SeDebugPrivilege	4428	3427954.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1076	3113801.exe
Token: SeDebugPrivilege	5104	3427954.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe3898480.exe3427954.exe3113801.exe

description	pid	process	target process
PID 3040 wrote to memory of 4392	3040	92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe	7466567.exe
PID 3040 wrote to memory of 4392	3040	92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe	7466567.exe
PID 3040 wrote to memory of 4392	3040	92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe	7466567.exe
PID 3040 wrote to memory of 4468	3040	92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe	3113801.exe
PID 3040 wrote to memory of 4468	3040	92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe	3113801.exe
PID 3040 wrote to memory of 4468	3040	92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe	3113801.exe
PID 3040 wrote to memory of 4428	3040	92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe	3427954.exe
PID 3040 wrote to memory of 4428	3040	92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe	3427954.exe
PID 3040 wrote to memory of 4428	3040	92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe	3427954.exe
PID 3040 wrote to memory of 3192	3040	92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe	3898480.exe
PID 3040 wrote to memory of 3192	3040	92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe	3898480.exe
PID 3040 wrote to memory of 3192	3040	92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe	3898480.exe
PID 3040 wrote to memory of 4008	3040	92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe	5839952.exe
PID 3040 wrote to memory of 4008	3040	92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe	5839952.exe
PID 3040 wrote to memory of 4008	3040	92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe	5839952.exe
PID 3192 wrote to memory of 1812	3192	3898480.exe	WinHoster.exe
PID 3192 wrote to memory of 1812	3192	3898480.exe	WinHoster.exe
PID 3192 wrote to memory of 1812	3192	3898480.exe	WinHoster.exe
PID 4428 wrote to memory of 4824	4428	3427954.exe	3427954.exe
PID 4428 wrote to memory of 4824	4428	3427954.exe	3427954.exe
PID 4428 wrote to memory of 4824	4428	3427954.exe	3427954.exe
PID 4428 wrote to memory of 5104	4428	3427954.exe	3427954.exe
PID 4428 wrote to memory of 5104	4428	3427954.exe	3427954.exe
PID 4428 wrote to memory of 5104	4428	3427954.exe	3427954.exe
PID 4428 wrote to memory of 5104	4428	3427954.exe	3427954.exe
PID 4428 wrote to memory of 5104	4428	3427954.exe	3427954.exe
PID 4428 wrote to memory of 5104	4428	3427954.exe	3427954.exe
PID 4428 wrote to memory of 5104	4428	3427954.exe	3427954.exe
PID 4428 wrote to memory of 5104	4428	3427954.exe	3427954.exe
PID 4428 wrote to memory of 5104	4428	3427954.exe	3427954.exe
PID 4468 wrote to memory of 2848	4468	3113801.exe	powershell.exe
PID 4468 wrote to memory of 2848	4468	3113801.exe	powershell.exe
PID 4468 wrote to memory of 2848	4468	3113801.exe	powershell.exe
PID 4468 wrote to memory of 4376	4468	3113801.exe	3113801.exe
PID 4468 wrote to memory of 4376	4468	3113801.exe	3113801.exe
PID 4468 wrote to memory of 4376	4468	3113801.exe	3113801.exe
PID 4468 wrote to memory of 1076	4468	3113801.exe	3113801.exe
PID 4468 wrote to memory of 1076	4468	3113801.exe	3113801.exe
PID 4468 wrote to memory of 1076	4468	3113801.exe	3113801.exe
PID 4468 wrote to memory of 1076	4468	3113801.exe	3113801.exe
PID 4468 wrote to memory of 1076	4468	3113801.exe	3113801.exe
PID 4468 wrote to memory of 1076	4468	3113801.exe	3113801.exe
PID 4468 wrote to memory of 1076	4468	3113801.exe	3113801.exe
PID 4468 wrote to memory of 1076	4468	3113801.exe	3113801.exe
PID 4468 wrote to memory of 1076	4468	3113801.exe	3113801.exe

C:\Users\Admin\AppData\Local\Temp\92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe
"C:\Users\Admin\AppData\Local\Temp\92f6a6f2bac6d00837a05c422753c4bbf525842bbb30b4e5a1878f58e4752ac9.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Roaming\7466567.exe
"C:\Users\Admin\AppData\Roaming\7466567.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Users\Admin\AppData\Roaming\3113801.exe
"C:\Users\Admin\AppData\Roaming\3113801.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\3113801.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Users\Admin\AppData\Roaming\3113801.exe
"C:\Users\Admin\AppData\Roaming\3113801.exe"
3⤵
- Executes dropped EXE
PID:4376

C:\Users\Admin\AppData\Roaming\3113801.exe
"C:\Users\Admin\AppData\Roaming\3113801.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Users\Admin\AppData\Roaming\3427954.exe
"C:\Users\Admin\AppData\Roaming\3427954.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428

C:\Users\Admin\AppData\Roaming\3427954.exe
"C:\Users\Admin\AppData\Roaming\3427954.exe"
3⤵
- Executes dropped EXE
PID:4824

C:\Users\Admin\AppData\Roaming\3427954.exe
"C:\Users\Admin\AppData\Roaming\3427954.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Users\Admin\AppData\Roaming\3898480.exe
"C:\Users\Admin\AppData\Roaming\3898480.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
3⤵
- Executes dropped EXE
PID:1812

C:\Users\Admin\AppData\Roaming\5839952.exe
"C:\Users\Admin\AppData\Roaming\5839952.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
MD5
e76686fec5c2554e4d517cea97b70ee0

SHA1
9a5e81d94c3178afae9d4cabf99b4e5159bfc02c

SHA256
4d122af86946dd3f99b7eca4af8151f420db21c627eb6883bac5f12abcdf101b

SHA512
61d8cd211e41e73be4d3c7a3966cd2e8e949f11fdd4f3bd4a42b2a476273f1680eb6c7640ecb0cec3e399c25799d150e2631e0ffb6c2b9c6b7c9961d084e7eab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_CAAD487C6DC014CC76BDDB95FED82CB0
MD5
9413c455af38f14ff664bb49b151903c

SHA1
9bc0ff597c433f911746eefeb64454e01e1cab50

SHA256
95a28fa5a61fd0dbd19799b2ea321bc9a90b56e0a1abe2020e0bbb50339b77c3

SHA512
dfcce638b4a8ea8c4c0ea7d69642673df44f18b1fe9c946b9c2e68b04a86243848590b4a444294109467f9e3f0ae71f417c7588592f022093ce441b7cf5c3878

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7
MD5
87ce0b7b2a0e4900e158719b37a89372

SHA1
0563b8630d62d75abbc8ab1e4bdfb5a899b24d43

SHA256
3e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c

SHA512
552cbdfbe33421b682ab9e42cafe274e9d6f55eb971d18d0ab9e68d1e6fb715b0580efecf84198a61a458d9f7656f4e485f2b2643d575f17269d613b95063407

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7
MD5
87ce0b7b2a0e4900e158719b37a89372

SHA1
0563b8630d62d75abbc8ab1e4bdfb5a899b24d43

SHA256
3e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c

SHA512
552cbdfbe33421b682ab9e42cafe274e9d6f55eb971d18d0ab9e68d1e6fb715b0580efecf84198a61a458d9f7656f4e485f2b2643d575f17269d613b95063407

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD
MD5
285ec909c4ab0d2d57f5086b225799aa

SHA1
d89e3bd43d5d909b47a18977aa9d5ce36cee184c

SHA256
68b9c761219a5b1f0131784474665db61bbdb109e00f05ca9f74244ee5f5f52b

SHA512
4cf305b95f94c7a9504c53c7f2dc8068e647a326d95976b7f4d80433b2284506fc5e3bb9a80a4e9a9889540bbf92908dd39ee4eb25f2566fe9ab37b4dc9a7c09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
MD5
461afca184a43d43ab5fd58fd5cef4c8

SHA1
32ad425ca44aec3ed45ab7dcc0d6d14359bde410

SHA256
50fae29ee7e14587a16adf5a4d786ea7204fedb631569100a205de4506a7a9b0

SHA512
d308ba6a857aafcb4818343132a071c578b1be4334f7dad0dd5a25543e114e33ff0d9da2db4604796a339c33dc139a9913e4bd16e35301de4a371740994c548a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_CAAD487C6DC014CC76BDDB95FED82CB0
MD5
4dabb77300a9e198786170eaf04fe09d

SHA1
29bee3156494b074c57da298ea837b5ac7829eaa

SHA256
86e1be76e58764f7eb5b9c095cff4b963a5c1dbd053dc0d6532210daff896c4a

SHA512
2f554e4ac5afa29ec5047106a9df9b51afa31399c63086cbb1dd3516c966b5c062c7f51996d619f9d2375e804e181e8f0126576211ad691784ae74c8b1b9c1b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
MD5
2563c01b20177ba19bac34a26e053fb6

SHA1
5d75e007d278f8a605ffd6d3a514f2b2590ca77f

SHA256
f4e7b2a1dae82f4d38c80c99b13d950c7899d048d1a642edd80d807d44742306

SHA512
67bd72b31e779f37ff54904cd59175fa0d8176861547f71a3b06b54f8b07b8222fd84ff201fe5f3ec4908ea6a3c55b610c34c52a56f6c3e3d760854b74ac644d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7
MD5
e031208abe8e3addd30c077747b4fe5d

SHA1
75c8abd326634f42e043e7d8775bd7869c66db78

SHA256
b86c0231d0a60663ae83cf6d1a29c4453be4bcdfacbff9fdfa7cf85ccd6c9fb0

SHA512
0ede2dfd24d4d5e29db563bab97515f371320e0aeeb38916de3f4f16b381d9f8c54113859df2875533e41a680351acbad4c8b75899155b1680693622c4921a77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7
MD5
e031208abe8e3addd30c077747b4fe5d

SHA1
75c8abd326634f42e043e7d8775bd7869c66db78

SHA256
b86c0231d0a60663ae83cf6d1a29c4453be4bcdfacbff9fdfa7cf85ccd6c9fb0

SHA512
0ede2dfd24d4d5e29db563bab97515f371320e0aeeb38916de3f4f16b381d9f8c54113859df2875533e41a680351acbad4c8b75899155b1680693622c4921a77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD
MD5
e6d16b73ea6a467150b5d3d93f9a528d

SHA1
d3d12c838443268fbb99176bd8d13fb6b3530e3a

SHA256
da8bdf363607558eed7bdd6b5a46c78c99f21c011065fd71af3f4533bebeffb4

SHA512
a0bfa6c54ada29379467758a458a910bc8488f4f5aa755a83f42ba009edf5462329259055177abf595487e3119aee9b0c5465cfdbe81b56cb49c69a933f53950

Download Submit
C:\Users\Admin\AppData\Roaming\3113801.exe
MD5
5962d92df09f3a2c500af24357e15f68

SHA1
4c751b1a844e8e09de5f73b6cca20a15e10cdd8f

SHA256
6dc0458faebacdaa695d3a0a78a8b07b71141c8c2fcc0a7909acfe5975ef284e

SHA512
bbe2674bbd7d8d6fb3f04e77249db34b3ec458c13594d5508adedd73d87090184a1aee75c8c83c7c30c582253f4a4b53af9360b3704d1156639c2b0eb19a4ca9

Download Submit
C:\Users\Admin\AppData\Roaming\3113801.exe
MD5
5962d92df09f3a2c500af24357e15f68

SHA1
4c751b1a844e8e09de5f73b6cca20a15e10cdd8f

SHA256
6dc0458faebacdaa695d3a0a78a8b07b71141c8c2fcc0a7909acfe5975ef284e

SHA512
bbe2674bbd7d8d6fb3f04e77249db34b3ec458c13594d5508adedd73d87090184a1aee75c8c83c7c30c582253f4a4b53af9360b3704d1156639c2b0eb19a4ca9

Download Submit
C:\Users\Admin\AppData\Roaming\3113801.exe
MD5
5962d92df09f3a2c500af24357e15f68

SHA1
4c751b1a844e8e09de5f73b6cca20a15e10cdd8f

SHA256
6dc0458faebacdaa695d3a0a78a8b07b71141c8c2fcc0a7909acfe5975ef284e

SHA512
bbe2674bbd7d8d6fb3f04e77249db34b3ec458c13594d5508adedd73d87090184a1aee75c8c83c7c30c582253f4a4b53af9360b3704d1156639c2b0eb19a4ca9

Download Submit
C:\Users\Admin\AppData\Roaming\3113801.exe
MD5
5962d92df09f3a2c500af24357e15f68

SHA1
4c751b1a844e8e09de5f73b6cca20a15e10cdd8f

SHA256
6dc0458faebacdaa695d3a0a78a8b07b71141c8c2fcc0a7909acfe5975ef284e

SHA512
bbe2674bbd7d8d6fb3f04e77249db34b3ec458c13594d5508adedd73d87090184a1aee75c8c83c7c30c582253f4a4b53af9360b3704d1156639c2b0eb19a4ca9

Download Submit
C:\Users\Admin\AppData\Roaming\3427954.exe
MD5
f50e41bbe3484ac879b5a7646d0086df

SHA1
1ea0eadfb2791ba3c2bfe7f2e61951e769ccc0e8

SHA256
ec9a5087c5d52277f50dcd3a7383cfc38b6c793adcc6cfd685fe5ae38b8ae7aa

SHA512
4c55d8c4be76dc1e9d5f615a2d141319519eaca916e4954dc9e4947a92c2463db3c492947bf19b852fbe3fbd54285a0ab05644e2cc86b988462c1c35d3ab9c33

Download Submit
C:\Users\Admin\AppData\Roaming\3427954.exe
MD5
f50e41bbe3484ac879b5a7646d0086df

SHA1
1ea0eadfb2791ba3c2bfe7f2e61951e769ccc0e8

SHA256
ec9a5087c5d52277f50dcd3a7383cfc38b6c793adcc6cfd685fe5ae38b8ae7aa

SHA512
4c55d8c4be76dc1e9d5f615a2d141319519eaca916e4954dc9e4947a92c2463db3c492947bf19b852fbe3fbd54285a0ab05644e2cc86b988462c1c35d3ab9c33

Download Submit
C:\Users\Admin\AppData\Roaming\3427954.exe
MD5
f50e41bbe3484ac879b5a7646d0086df

SHA1
1ea0eadfb2791ba3c2bfe7f2e61951e769ccc0e8

SHA256
ec9a5087c5d52277f50dcd3a7383cfc38b6c793adcc6cfd685fe5ae38b8ae7aa

SHA512
4c55d8c4be76dc1e9d5f615a2d141319519eaca916e4954dc9e4947a92c2463db3c492947bf19b852fbe3fbd54285a0ab05644e2cc86b988462c1c35d3ab9c33

Download Submit
C:\Users\Admin\AppData\Roaming\3427954.exe
MD5
f50e41bbe3484ac879b5a7646d0086df

SHA1
1ea0eadfb2791ba3c2bfe7f2e61951e769ccc0e8

SHA256
ec9a5087c5d52277f50dcd3a7383cfc38b6c793adcc6cfd685fe5ae38b8ae7aa

SHA512
4c55d8c4be76dc1e9d5f615a2d141319519eaca916e4954dc9e4947a92c2463db3c492947bf19b852fbe3fbd54285a0ab05644e2cc86b988462c1c35d3ab9c33

Download Submit
C:\Users\Admin\AppData\Roaming\3898480.exe
MD5
a20e32791806c7b29070b95226b0e480

SHA1
8f2bac75ffabbe45770076047ded99f243622e5f

SHA256
df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

SHA512
6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

Download Submit
C:\Users\Admin\AppData\Roaming\3898480.exe
MD5
a20e32791806c7b29070b95226b0e480

SHA1
8f2bac75ffabbe45770076047ded99f243622e5f

SHA256
df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

SHA512
6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

Download Submit
C:\Users\Admin\AppData\Roaming\5839952.exe
MD5
d4afd6e583d54a75f39bf4934b99c684

SHA1
c9262e240a4a503d426b47b90c7b6fe6ed8bed9e

SHA256
0dca699c7d1729954372be2fe70f5da34521de4aa0e5b504a0f6a1c27b12c3f9

SHA512
87a29ea404583acf4eef5b4fe2feab8f16483af0cbe8cdfbc3e96ee41836f48e2e9456d54db734c150e6003d42596f8760e3500ec7ffefb50015b44c854a528f

Download Submit
C:\Users\Admin\AppData\Roaming\5839952.exe
MD5
d4afd6e583d54a75f39bf4934b99c684

SHA1
c9262e240a4a503d426b47b90c7b6fe6ed8bed9e

SHA256
0dca699c7d1729954372be2fe70f5da34521de4aa0e5b504a0f6a1c27b12c3f9

SHA512
87a29ea404583acf4eef5b4fe2feab8f16483af0cbe8cdfbc3e96ee41836f48e2e9456d54db734c150e6003d42596f8760e3500ec7ffefb50015b44c854a528f

Download Submit
C:\Users\Admin\AppData\Roaming\7466567.exe
MD5
665db314ea52d4331c8f0dd49cc0c9e5

SHA1
65fc408b35d057bad6c55ea7d06edbd5001bdcc1

SHA256
dd43e6de713f9b199855a8d101069560121223bd5c5cea999a80a96bd84f4b4a

SHA512
6b1d41db7e50c32f01c2b4d5b3851adc37816fcf8d8b3cbcb0f2602d3a10652a82a9376379bb437439d29292d6a48e6c0ae785a7fda93d2b604c84d3293068fc

Download Submit
C:\Users\Admin\AppData\Roaming\7466567.exe
MD5
665db314ea52d4331c8f0dd49cc0c9e5

SHA1
65fc408b35d057bad6c55ea7d06edbd5001bdcc1

SHA256
dd43e6de713f9b199855a8d101069560121223bd5c5cea999a80a96bd84f4b4a

SHA512
6b1d41db7e50c32f01c2b4d5b3851adc37816fcf8d8b3cbcb0f2602d3a10652a82a9376379bb437439d29292d6a48e6c0ae785a7fda93d2b604c84d3293068fc

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
a20e32791806c7b29070b95226b0e480

SHA1
8f2bac75ffabbe45770076047ded99f243622e5f

SHA256
df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

SHA512
6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
a20e32791806c7b29070b95226b0e480

SHA1
8f2bac75ffabbe45770076047ded99f243622e5f

SHA256
df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

SHA512
6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

Download Submit
memory/1076-228-0x0000000005AE2000-0x0000000005AE3000-memory.dmp

Filesize
4KB

Download
memory/1076-223-0x0000000005AE4000-0x0000000005AE6000-memory.dmp

Filesize
8KB

Download
memory/1076-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-199-0x000000000040CD2F-mapping.dmp

Download
memory/1076-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-203-0x0000000003470000-0x000000000348C000-memory.dmp

Filesize
112KB

Download
memory/1076-224-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/1076-206-0x00000000034F0000-0x000000000350B000-memory.dmp

Filesize
108KB

Download
memory/1076-229-0x0000000005AE3000-0x0000000005AE4000-memory.dmp

Filesize
4KB

Download
memory/1076-227-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/1812-188-0x000000000AFF0000-0x000000000AFF1000-memory.dmp

Filesize
4KB

Download
memory/1812-187-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/1812-171-0x0000000000000000-mapping.dmp

Download
memory/2848-233-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/2848-213-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/2848-196-0x0000000000000000-mapping.dmp

Download
memory/2848-232-0x0000000006FB0000-0x0000000006FB1000-memory.dmp

Filesize
4KB

Download
memory/2848-329-0x00000000069C3000-0x00000000069C4000-memory.dmp

Filesize
4KB

Download
memory/2848-235-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/2848-236-0x0000000007D20000-0x0000000007D21000-memory.dmp

Filesize
4KB

Download
memory/2848-225-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/2848-238-0x0000000008020000-0x0000000008021000-memory.dmp

Filesize
4KB

Download
memory/2848-215-0x00000000069C0000-0x00000000069C1000-memory.dmp

Filesize
4KB

Download
memory/2848-246-0x000000007E7C0000-0x000000007E7C1000-memory.dmp

Filesize
4KB

Download
memory/2848-222-0x00000000069C2000-0x00000000069C3000-memory.dmp

Filesize
4KB

Download
memory/2848-220-0x0000000006880000-0x0000000006881000-memory.dmp

Filesize
4KB

Download
memory/2848-210-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/3040-121-0x0000000000A20000-0x0000000000A22000-memory.dmp

Filesize
8KB

Download
memory/3040-115-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/3040-117-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/3192-153-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/3192-137-0x0000000000000000-mapping.dmp

Download
memory/3192-142-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/3192-148-0x000000000B350000-0x000000000B351000-memory.dmp

Filesize
4KB

Download
memory/3192-140-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/4008-144-0x0000000000000000-mapping.dmp

Download
memory/4008-183-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/4008-147-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/4008-150-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/4008-152-0x0000000005180000-0x00000000051C8000-memory.dmp

Filesize
288KB

Download
memory/4008-154-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/4008-174-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/4008-177-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/4392-132-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4392-129-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/4392-133-0x0000000006DB0000-0x0000000006DB1000-memory.dmp

Filesize
4KB

Download
memory/4392-118-0x0000000000000000-mapping.dmp

Download
memory/4392-122-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/4392-143-0x0000000006880000-0x0000000006881000-memory.dmp

Filesize
4KB

Download
memory/4392-127-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/4392-130-0x00000000066B0000-0x00000000066B1000-memory.dmp

Filesize
4KB

Download
memory/4392-128-0x0000000001010000-0x0000000001059000-memory.dmp

Filesize
292KB

Download
memory/4428-189-0x0000000000A21000-0x0000000000A22000-memory.dmp

Filesize
4KB

Download
memory/4428-151-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/4428-186-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/4428-134-0x0000000000000000-mapping.dmp

Download
memory/4468-190-0x0000000002A81000-0x0000000002A82000-memory.dmp

Filesize
4KB

Download
memory/4468-124-0x0000000000000000-mapping.dmp

Download
memory/4468-131-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/4468-184-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/5104-192-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5104-193-0x000000000040CD2F-mapping.dmp

Download
memory/5104-204-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/5104-195-0x0000000002BC0000-0x0000000002BED000-memory.dmp

Filesize
180KB

Download
memory/5104-221-0x0000000002BB4000-0x0000000002BB6000-memory.dmp

Filesize
8KB

Download
memory/5104-230-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/5104-218-0x0000000002BB3000-0x0000000002BB4000-memory.dmp

Filesize
4KB

Download
memory/5104-217-0x0000000002BB2000-0x0000000002BB3000-memory.dmp

Filesize
4KB

Download
memory/5104-216-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/5104-214-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5104-211-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/5104-202-0x0000000002D70000-0x0000000002D9B000-memory.dmp

Filesize
172KB

Download
memory/5104-208-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download