Analysis

  • max time kernel: 151s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 07-11-2022 02:48

General

  • Target: Setup.exe
  • Size: 8.6MB
  • MD5: 03437bed2c1be98cc70efda4e1028565
  • SHA1: f7980b42bf62b9bdac3e2d033d43cba7f78801a1
  • SHA256: 114ea9b07c8ace69fd226de16f2555c3fcb038696919f4941c4f07d4d800ebf5
  • SHA512: 7fd362dceb4a3ac58e4a13191ec6835bbbf178c5b0bd02c130386f5bd51f7141c23f6154b9b44db6242e04c107085ad45e907a5d0a017a3049de04f4fea01a93
  • SSDEEP: 98304:n1EqlRyB+/T6Mzg2NA6S6m2ytriL3Yj+ijoIq:niwRyB+xUwQtrijuW

Malware Config

Extracted
  • Path: C:\Users\Admin\AppData\Local\Temp\EDA4\C\Program Files\7-Zip\History.txt
  • Ransom Note

Extracted
  • Family: redline
  • Botnet: 777
  • C2: 95.217.98.127:4274
  • Attributes
    • auth_value: 58fc2772b7573b1ce3f9690fcf509049

Signatures

  • Detects Smokeloader packer 5 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
  • Modifies registry class 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2156
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      C:\Users\Admin\AppData\Local\Temp\Setup.exe
      2⤵
      PID:2024
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      C:\Users\Admin\AppData\Local\Temp\Setup.exe
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1324
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\66A9.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4336
    • C:\Windows\system32\net.exe
      NET FILE
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 FILE
        3⤵
        PID:4080
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM chrome.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3384
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM msedge.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2256
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Policies\Google\chrome" /v DownloadRestrictions /t REG_DWORD /d 3
      2⤵
      PID:4060
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Edge" /v DownloadRestrictions /t REG_DWORD /d 3
      2⤵
      PID:4108
  • C:\Users\Admin\AppData\Local\Temp\6C09.exe
    C:\Users\Admin\AppData\Local\Temp\6C09.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "Get-WmiObject Win32_PortConnector"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5096
  • C:\Users\Admin\AppData\Local\Temp\6D43.exe
    C:\Users\Admin\AppData\Local\Temp\6D43.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:112
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:93960
      • C:\Users\Admin\AppData\Local\Temp\Servan_v0.9_Servan_windows_64.exe
        "C:\Users\Admin\AppData\Local\Temp\Servan_v0.9_Servan_windows_64.exe"
        3⤵
        • Executes dropped EXE
        PID:4032
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell "" "Get-WmiObject Win32_PortConnector"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4996
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 90904
      2⤵
      • Program crash
      PID:93980
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:2460
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
    PID:28756
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:68840
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:90900
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 112 -ip 112
    1⤵
    PID:94048
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
    PID:94100
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:94156
  • C:\Users\Admin\AppData\Roaming\audwvfv
    C:\Users\Admin\AppData\Roaming\audwvfv
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:90908
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:93972
    • C:\Users\Admin\AppData\Roaming\audwvfv
      C:\Users\Admin\AppData\Roaming\audwvfv
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access
  • T1081 Credentials in Files (2)

Discovery
  • T1012 Query Registry (2)
  • T1082 System Information Discovery (3)
  • T1120 Peripheral Device Discovery (1)

Collection
  • T1005 Data from Local System (2)


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 6cf293cb4d80be23433eecf74ddb5503
    SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
    SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
    SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize: 1KB
    MD5: 4280e36a29fa31c01e4d8b2ba726a0d8
    SHA1: c485c2c9ce0a99747b18d899b71dfa9a64dabe32
    SHA256: e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
    SHA512: 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize: 53KB
    MD5: 06ad34f9739c5159b4d92d702545bd49
    SHA1: 9152a0d4f153f3f40f7e606be75f81b582ee0c17
    SHA256: 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
    SHA512: c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 16KB
    MD5: b882cc4f035925510f093b6a3b3f614d
    SHA1: 5a4d6ad03debb729ca19e8387171bcef2431bb1f
    SHA256: 5ae0f4bcb95f445a0a22d221d719a7367198c2bae4fbad9d88f786794c64fa1b
    SHA512: 4ada351452e93904b5830710c57c630cf2698c2daa390c4d254f30788a12bcc7d10d385ebcf7f8b83a5173ccdcda798fd7ba1e22189fe2494ad26a021160a81d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 15KB
    MD5: 0208e34f0f36e5a40edc6df26f4e9e93
    SHA1: 321999b2c3825e1ad1866037c392dee574be4d63
    SHA256: 6d2eddedbe8cdff54131f5466e43f938343ca527bb0d627292fecc5825b31b99
    SHA512: 4c2e398f92cf982f0aa8031fa1b618724da6a20c30227ca09ca2eeccee2382f4cf7ae9b5ea228ba0866818a103fd3be59867adedc7bd456dc252bf2d3b8221dd

  • C:\Users\Admin\AppData\Local\Temp\66A9.bat
    Filesize: 1KB
    MD5: 6635d0393df7b999cc8512d85fd6933e
    SHA1: c97312147433601d3731e06af3040f8feb1e2026
    SHA256: ad7c3766cb9d8ea560959807bfdc4aedc4ed869bffbf18a913df70368ec8cb66
    SHA512: 5452e5c230abbca713327c6428f4b609bf307fad914fcdd016947f755fca2a70387f2c6bfa2d9b4d519134f94959f7f196298cfd9c1a7ea002adbd1298afd182

  • C:\Users\Admin\AppData\Local\Temp\6C09.exe
    Filesize: 4.3MB
    MD5: f9629415f18641cfdd137fe68ef7a2e7
    SHA1: 2830137035f25aef8f6938127c18135f67a1be7c
    SHA256: d920ffcb8456910450840d048bed8994f6d8754bcd0bc785b221fc5fdd5e3569
    SHA512: 36e795539bc7718a44e8f9ad70c6c47fdc2c25838f4440d13f0f0965f6cf1ba92a725e66669d2a32fb2228b28b5a4bc4eae4240e49a263be987452f746031ea4

  • C:\Users\Admin\AppData\Local\Temp\6D43.exe
    Filesize: 349KB
    MD5: f16a2dcf1fc9ae5b34fb3bb92e867bce
    SHA1: 5420d3fa47bec8d65000502a0ac9bbc11fcb5d1a
    SHA256: ab2d690f1f00d8403b2c5f077e4566e018b582d66b9b4b9c0fa3a220fa1f973c
    SHA512: 0f3d3a951e8aebc83ca50b15012457721d51e5e609d4380275f1868ffce0d95b1bf84ed8ee0e1ad53057ba232a96daae1e877a256b42a38ed18eec526b86cd4b

                        • C:\Users\Admin\AppData\Local\Temp\Servan_v0.9_Servan_windows_64.exe
                          Filesize  4.3MB
                          MD5       45f84c5361ccb62fa77c19fa2bd65563
                          SHA1      3c5452beaf0cebb865a5079541c0eefc1e438fc6
                          SHA256    02c638ae63888638c4046f11173b4d98112b009be116cb7aa5390aa7c073d19f
                          SHA512    c72571450db392d94e58cd8c2218eff4a00555f7eae6f4dc895a6c527f4956c93299038ffaab343535828f65099c1dc23f5fee2409fca92b8a29dd57a55edb1b

                        • C:\Users\Admin\AppData\Roaming\audwvfv
                          Filesize  8.6MB
                          MD5       03437bed2c1be98cc70efda4e1028565
                          SHA1      f7980b42bf62b9bdac3e2d033d43cba7f78801a1
                          SHA256    114ea9b07c8ace69fd226de16f2555c3fcb038696919f4941c4f07d4d800ebf5
                          SHA512    7fd362dceb4a3ac58e4a13191ec6835bbbf178c5b0bd02c130386f5bd51f7141c23f6154b9b44db6242e04c107085ad45e907a5d0a017a3049de04f4fea01a93

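The dropped-file listing above is a flattened key/value table, and the report repeats several entries verbatim. The following script is an added example (not Tria.ge's code and not part of the original report): it parses a listing in exactly this layout, checks that every hash has the right length for its algorithm, collapses repeated entries into one record per SHA256 while keeping every path the file was seen at, and reports which dropped files are byte-identical to the submitted sample when given the sample's SHA256 (the value printed in the report's General section). The embedded `SAMPLE` text is constructed from three entries in this listing, and the function names are this example's own.

```python
"""Turn a Tria.ge-style "Dropped files" listing into a deduplicated IOC set."""
import re

# Hex-digit length of each hash the listing carries; used for sanity checks.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
FIELDS = ("Filesize",) + tuple(HASH_LEN)

# Constructed sample input, copied in the report's own flattened layout
# (one file listed twice, one listed once). Raw string keeps the backslashes.
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\6D43.exe
  Filesize

  349KB

  MD5

  f16a2dcf1fc9ae5b34fb3bb92e867bce

  SHA1

  5420d3fa47bec8d65000502a0ac9bbc11fcb5d1a

  SHA256

  ab2d690f1f00d8403b2c5f077e4566e018b582d66b9b4b9c0fa3a220fa1f973c

  SHA512

  0f3d3a951e8aebc83ca50b15012457721d51e5e609d4380275f1868ffce0d95b1bf84ed8ee0e1ad53057ba232a96daae1e877a256b42a38ed18eec526b86cd4b

• C:\Users\Admin\AppData\Local\Temp\6D43.exe
  Filesize

  349KB

  MD5

  f16a2dcf1fc9ae5b34fb3bb92e867bce

  SHA1

  5420d3fa47bec8d65000502a0ac9bbc11fcb5d1a

  SHA256

  ab2d690f1f00d8403b2c5f077e4566e018b582d66b9b4b9c0fa3a220fa1f973c

  SHA512

  0f3d3a951e8aebc83ca50b15012457721d51e5e609d4380275f1868ffce0d95b1bf84ed8ee0e1ad53057ba232a96daae1e877a256b42a38ed18eec526b86cd4b

• C:\Users\Admin\AppData\Roaming\audwvfv
  Filesize

  8.6MB

  MD5

  03437bed2c1be98cc70efda4e1028565

  SHA1

  f7980b42bf62b9bdac3e2d033d43cba7f78801a1

  SHA256

  114ea9b07c8ace69fd226de16f2555c3fcb038696919f4941c4f07d4d800ebf5

  SHA512

  7fd362dceb4a3ac58e4a13191ec6835bbbf178c5b0bd02c130386f5bd51f7141c23f6154b9b44db6242e04c107085ad45e907a5d0a017a3049de04f4fea01a93
"""


def parse_dropped(text):
    """Walk the listing line by line: a bullet starts a new file record, a bare
    field label marks that the next non-blank line is that field's value."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            entries.append(current)
            pending = None
        elif line in FIELDS:
            pending = line
        elif pending and current is not None:
            current[pending] = line
            pending = None
    return entries


def validate(entry):
    """Return a list of problems (empty when every hash is present and has the
    expected number of lowercase hex digits)."""
    problems = []
    for name, n in HASH_LEN.items():
        value = entry.get(name)
        if value is None:
            problems.append(f"missing {name}")
        elif not re.fullmatch(rf"[0-9a-f]{{{n}}}", value):
            problems.append(f"bad {name}")
    return problems


def unique_files(entries):
    """Collapse repeated entries into one record per SHA256, keeping the count
    of times it was listed and every path it appeared under."""
    out = {}
    for e in entries:
        rec = out.setdefault(e["SHA256"], {
            "paths": set(), "seen": 0, "Filesize": e.get("Filesize"),
            "MD5": e.get("MD5"), "SHA1": e.get("SHA1")})
        rec["paths"].add(e["path"])
        rec["seen"] += 1
    for rec in out.values():
        rec["paths"] = sorted(rec["paths"])
    return out


def matches_sample(entries, sample_sha256):
    """Paths of dropped files whose SHA256 equals the submitted sample's, i.e.
    the sample wrote a copy of itself to disk."""
    want = sample_sha256.lower()
    return sorted({e["path"] for e in entries if e.get("SHA256") == want})


if __name__ == "__main__":
    recs = parse_dropped(SAMPLE)
    for r in recs:
        print(r["path"], validate(r) or "ok")
    for sha, rec in unique_files(recs).items():
        print(sha, rec["seen"], rec["paths"])
```

Feed the script the listing text and the sample hash from the General section; a non-empty result from `matches_sample` is the self-copy to look for on infected hosts, and the deduplicated SHA256 set is what goes into a blocklist.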
                        • memory/112-158-0x0000000000000000-mapping.dmp
                        • memory/1016-212-0x0000000000000000-mapping.dmp
                        • memory/1016-215-0x0000000000400000-0x0000000000409000-memory.dmp  (36KB)
                        • memory/1016-221-0x0000000000400000-0x0000000000409000-memory.dmp  (36KB)
                        • memory/1324-146-0x0000000000400000-0x0000000000409000-memory.dmp  (36KB)
                        • memory/1324-145-0x0000000000400000-0x0000000000409000-memory.dmp  (36KB)
                        • memory/1324-144-0x0000000000400000-0x0000000000409000-memory.dmp  (36KB)
                        • memory/1324-143-0x0000000000000000-mapping.dmp
                        • memory/2024-142-0x0000000000000000-mapping.dmp
                        • memory/2112-149-0x0000000000000000-mapping.dmp
                        • memory/2156-135-0x00000000031D0000-0x0000000003206000-memory.dmp  (216KB)
                        • memory/2156-136-0x00000000059F0000-0x0000000006018000-memory.dmp  (6.2MB)
                        • memory/2156-141-0x0000000006C80000-0x0000000006C9A000-memory.dmp  (104KB)
                        • memory/2156-134-0x0000000000000000-mapping.dmp
                        • memory/2156-140-0x0000000007E30000-0x00000000084AA000-memory.dmp  (6.5MB)
                        • memory/2156-138-0x0000000006170000-0x00000000061D6000-memory.dmp  (408KB)
                        • memory/2156-137-0x0000000006090000-0x00000000060F6000-memory.dmp  (408KB)
                        • memory/2156-139-0x00000000066D0000-0x00000000066EE000-memory.dmp  (120KB)
                        • memory/2256-152-0x0000000000000000-mapping.dmp
                        • memory/2460-165-0x0000000000B60000-0x0000000000B69000-memory.dmp  (36KB)
                        • memory/2460-164-0x0000000000B70000-0x0000000000B75000-memory.dmp  (20KB)
                        • memory/2460-197-0x0000000000B70000-0x0000000000B75000-memory.dmp  (20KB)
                        • memory/2460-161-0x0000000000000000-mapping.dmp
                        • memory/2820-133-0x0000000005EE0000-0x0000000005F02000-memory.dmp  (136KB)
                        • memory/2820-132-0x0000000000D80000-0x0000000001228000-memory.dmp  (4.7MB)
                        • memory/3384-151-0x0000000000000000-mapping.dmp
                        • memory/3692-210-0x0000000000D10000-0x0000000001B2D000-memory.dmp  (14.1MB)
                        • memory/3692-196-0x0000000000D10000-0x0000000001B2D000-memory.dmp  (14.1MB)
                        • memory/3692-155-0x0000000000000000-mapping.dmp
                        • memory/3692-160-0x0000000000D10000-0x0000000001B2D000-memory.dmp  (14.1MB)
                        • memory/4032-219-0x00000000001A0000-0x0000000000FBD000-memory.dmp  (14.1MB)
                        • memory/4032-216-0x0000000000000000-mapping.dmp
                        • memory/4032-228-0x00000000001A0000-0x0000000000FBD000-memory.dmp  (14.1MB)
                        • memory/4032-222-0x00000000001A0000-0x0000000000FBD000-memory.dmp  (14.1MB)
                        • memory/4060-153-0x0000000000000000-mapping.dmp
                        • memory/4080-150-0x0000000000000000-mapping.dmp
                        • memory/4108-154-0x0000000000000000-mapping.dmp
                        • memory/4336-147-0x0000000000000000-mapping.dmp
                        • memory/4996-223-0x0000000000000000-mapping.dmp
                        • memory/4996-226-0x00007FFFDE5F0000-0x00007FFFDF0B1000-memory.dmp  (10.8MB)
                        • memory/4996-227-0x00007FFFDE5F0000-0x00007FFFDF0B1000-memory.dmp  (10.8MB)
                        • memory/5096-208-0x00000261B00C0000-0x00000261B00E2000-memory.dmp  (136KB)
                        • memory/5096-207-0x0000000000000000-mapping.dmp
                        • memory/5096-220-0x00007FFFDE5F0000-0x00007FFFDF0B1000-memory.dmp  (10.8MB)
                        • memory/5096-209-0x00007FFFDE5F0000-0x00007FFFDF0B1000-memory.dmp  (10.8MB)
                        • memory/28756-166-0x0000000000CE0000-0x0000000000CEC000-memory.dmp  (48KB)
                        • memory/28756-200-0x0000000000CF0000-0x0000000000CF6000-memory.dmp  (24KB)
                        • memory/28756-163-0x0000000000000000-mapping.dmp
                        • memory/28756-168-0x0000000000CF0000-0x0000000000CF6000-memory.dmp  (24KB)
                        • memory/68840-201-0x00000000006E0000-0x0000000000702000-memory.dmp  (136KB)
                        • memory/68840-167-0x0000000000000000-mapping.dmp
                        • memory/68840-169-0x00000000006E0000-0x0000000000702000-memory.dmp  (136KB)
                        • memory/68840-170-0x00000000006B0000-0x00000000006D7000-memory.dmp  (156KB)
                        • memory/90900-171-0x0000000000000000-mapping.dmp
                        • memory/90900-178-0x0000000000D20000-0x0000000000D26000-memory.dmp  (24KB)
                        • memory/90900-202-0x0000000000D20000-0x0000000000D26000-memory.dmp  (24KB)
                        • memory/90900-179-0x0000000000D10000-0x0000000000D1B000-memory.dmp  (44KB)
                        • memory/93960-182-0x0000000005080000-0x000000000518A000-memory.dmp  (1.0MB)
                        • memory/93960-184-0x0000000004F70000-0x0000000004FAC000-memory.dmp  (240KB)
                        • memory/93960-205-0x0000000007690000-0x0000000007852000-memory.dmp  (1.8MB)
                        • memory/93960-172-0x0000000000000000-mapping.dmp
                        • memory/93960-173-0x0000000000400000-0x0000000000428000-memory.dmp  (160KB)
                        • memory/93960-199-0x0000000005E90000-0x0000000005F22000-memory.dmp  (584KB)
                        • memory/93960-198-0x0000000006360000-0x0000000006904000-memory.dmp  (5.6MB)
                        • memory/93960-181-0x0000000005590000-0x0000000005BA8000-memory.dmp  (6.1MB)
                        • memory/93960-183-0x00000000029B0000-0x00000000029C2000-memory.dmp  (72KB)
                        • memory/93960-206-0x0000000007D90000-0x00000000082BC000-memory.dmp  (5.2MB)
                        • memory/93972-192-0x0000000000000000-mapping.dmp
                        • memory/94100-185-0x00000000007F0000-0x00000000007F7000-memory.dmp  (28KB)
                        • memory/94100-186-0x00000000007E0000-0x00000000007ED000-memory.dmp  (52KB)
                        • memory/94100-180-0x0000000000000000-mapping.dmp
                        • memory/94100-203-0x00000000007F0000-0x00000000007F7000-memory.dmp  (28KB)
                        • memory/94156-187-0x0000000000000000-mapping.dmp
                        • memory/94156-189-0x0000000000CB0000-0x0000000000CBB000-memory.dmp  (44KB)
                        • memory/94156-188-0x0000000000CC0000-0x0000000000CC8000-memory.dmp  (32KB)
                        • memory/94156-204-0x0000000000CC0000-0x0000000000CC8000-memory.dmp  (32KB)
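Each memory dump name above encodes the PID, a running index and the dumped address range, and the listed Filesize is just the range length rounded the way the report renders it. The script below is an added example (this page's editor's code, not Tria.ge's): it parses these names, recomputes the region size from the addresses and checks it against the listed value, and groups regions per PID so that repeated layouts stand out (the listing shows the same 36KB region at 0x400000 under PIDs 1016 and 1324, and a 14.1MB region under both 3692 and 4032 at different bases). The `classify` labels are this example's heuristics, not something the report states: 0x400000 is the default image base of a 32-bit PE, and addresses near 0x00007FF... are where 64-bit user-mode DLLs load. The `SAMPLE` list is constructed from names in this listing.

```python
"""Audit Tria.ge memory-dump names: recover the region, verify the listed size,
and group regions by PID."""
import re
from collections import defaultdict

# Two name layouts appear in the listing:
#   memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp   (a dumped region)
#   memory/<pid>-<n>-0x0000000000000000-mapping.dmp  (a mapping record, no range)
# The regex is this example's own reading of those names.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)


def parse_dump_name(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {
        "pid": int(m["pid"]),
        "idx": int(m["idx"]),
        "start": int(m["start"], 16),
        "end": int(m["end"], 16) if m["end"] else None,
    }


def human_size(nbytes):
    """Render a byte count the way the report does: whole KB below 1 MiB,
    one decimal of MiB at or above it."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def region_size(rec):
    return None if rec["end"] is None else rec["end"] - rec["start"]


def classify(rec):
    """Heuristic label for where a region sits (assumption of this example)."""
    if rec["end"] is None:
        return "mapping"
    if rec["start"] == 0x400000:
        return "32-bit default image base"
    if rec["start"] >= 0x7FF000000000:
        return "x64 high user-mode range"
    return "other"


def audit(entries):
    """entries: iterable of (dump_name, listed_size_or_None).
    Returns (mismatches, per_pid): names whose address range disagrees with the
    listed size, and pid -> sorted unique (start, end, size) regions."""
    mismatches = []
    per_pid = defaultdict(list)
    for name, listed in entries:
        rec = parse_dump_name(name)
        size = region_size(rec)
        if size is None:          # mapping records carry no range
            continue
        if listed is not None and human_size(size) != listed:
            mismatches.append(name)
        per_pid[rec["pid"]].append((rec["start"], rec["end"], human_size(size)))
    return mismatches, {p: sorted(set(r)) for p, r in per_pid.items()}


# Constructed sample: names and listed sizes taken from the listing above.
SAMPLE = [
    ("memory/112-158-0x0000000000000000-mapping.dmp", None),
    ("memory/1016-215-0x0000000000400000-0x0000000000409000-memory.dmp", "36KB"),
    ("memory/1324-144-0x0000000000400000-0x0000000000409000-memory.dmp", "36KB"),
    ("memory/2156-136-0x00000000059F0000-0x0000000006018000-memory.dmp", "6.2MB"),
    ("memory/3692-160-0x0000000000D10000-0x0000000001B2D000-memory.dmp", "14.1MB"),
    ("memory/4032-219-0x00000000001A0000-0x0000000000FBD000-memory.dmp", "14.1MB"),
    ("memory/4996-226-0x00007FFFDE5F0000-0x00007FFFDF0B1000-memory.dmp", "10.8MB"),
    ("memory/93960-182-0x0000000005080000-0x000000000518A000-memory.dmp", "1.0MB"),
]

if __name__ == "__main__":
    bad, by_pid = audit(SAMPLE)
    print("size mismatches:", bad or "none")
    for pid, regions in sorted(by_pid.items()):
        for start, end, size in regions:
            label = classify({"start": start, "end": end})
            print(f"pid {pid}: 0x{start:X}-0x{end:X} {size} [{label}]")
```

A non-empty mismatch list means a name was mis-transcribed or the range does not describe the dump; the per-PID view is what to read next, since a 14.1MB region sitting in two different processes at two different bases is the first thing to pull out of the dumps and compare.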