redline | 64287e79baab44a7bc4996b5712573de1cf3a5e279bb48abcaa79ccee9545254

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2023, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

modest-menu.exe
Size

3.0MB
MD5

77b6db60ce150f9d850805f3b344358a
SHA1

32113c537704c76d6a254bec0a6f0953b61b1414
SHA256

64287e79baab44a7bc4996b5712573de1cf3a5e279bb48abcaa79ccee9545254
SHA512

d2c04e48caf0b5b029e5be8ada02fa78b6a7d134d7781add74021a9a42caa2233b9a4f262d168d08491f78905540fe66a5a8da0792a63a1ecda40de3cfbac046
SSDEEP

24576:E/xjSOtfDDdS4SSZc0hrbUMritLd8BfoxLf4iV:E/xRfDD3JbAqexEiV

Score

10^/10

redline infostealer persistence spyware

Malware Config

Extracted

Family

redline

193.233.20.13:11552

Attributes

auth_value
9abfd72e5d4e9a093a3f555a36719c53

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
4504	update.exe
1680	SystemUpdate.exe
3732	dllhost.exe
2656	runtime.exe
1016	runtime.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\runtime.exe"	SystemUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_2 = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\config\\runtime.exe"	SystemUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\config\\runtime.exe"	SystemUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 748 set thread context of 212	748	modest-menu.exe	86

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4612	schtasks.exe
2968	schtasks.exe
2696	schtasks.exe
4340	schtasks.exe
4788	schtasks.exe
616	schtasks.exe
2840	schtasks.exe
4936	schtasks.exe
436	schtasks.exe
2140	schtasks.exe
3016	schtasks.exe
5036	schtasks.exe
4664	schtasks.exe
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
212	MSBuild.exe
212	MSBuild.exe
4504	update.exe
3396	powershell.exe
3844	powershell.exe
3396	powershell.exe
3844	powershell.exe
768	powershell.exe
768	powershell.exe
2364	powershell.exe
2364	powershell.exe
2188	powershell.exe
2188	powershell.exe
3732	dllhost.exe
3732	dllhost.exe
4860	powershell.exe
4860	powershell.exe
4860	powershell.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe
3732	dllhost.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	modest-menu.exe
Token: SeDebugPrivilege	212	MSBuild.exe
Token: SeDebugPrivilege	4504	update.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeIncreaseQuotaPrivilege	3332	WMIC.exe
Token: SeSecurityPrivilege	3332	WMIC.exe
Token: SeTakeOwnershipPrivilege	3332	WMIC.exe
Token: SeLoadDriverPrivilege	3332	WMIC.exe
Token: SeSystemProfilePrivilege	3332	WMIC.exe
Token: SeSystemtimePrivilege	3332	WMIC.exe
Token: SeProfSingleProcessPrivilege	3332	WMIC.exe
Token: SeIncBasePriorityPrivilege	3332	WMIC.exe
Token: SeCreatePagefilePrivilege	3332	WMIC.exe
Token: SeBackupPrivilege	3332	WMIC.exe
Token: SeRestorePrivilege	3332	WMIC.exe
Token: SeShutdownPrivilege	3332	WMIC.exe
Token: SeDebugPrivilege	3332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3332	WMIC.exe
Token: SeRemoteShutdownPrivilege	3332	WMIC.exe
Token: SeUndockPrivilege	3332	WMIC.exe
Token: SeManageVolumePrivilege	3332	WMIC.exe
Token: 33	3332	WMIC.exe
Token: 34	3332	WMIC.exe
Token: 35	3332	WMIC.exe
Token: 36	3332	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3332	WMIC.exe
Token: SeSecurityPrivilege	3332	WMIC.exe
Token: SeTakeOwnershipPrivilege	3332	WMIC.exe
Token: SeLoadDriverPrivilege	3332	WMIC.exe
Token: SeSystemProfilePrivilege	3332	WMIC.exe
Token: SeSystemtimePrivilege	3332	WMIC.exe
Token: SeProfSingleProcessPrivilege	3332	WMIC.exe
Token: SeIncBasePriorityPrivilege	3332	WMIC.exe
Token: SeCreatePagefilePrivilege	3332	WMIC.exe
Token: SeBackupPrivilege	3332	WMIC.exe
Token: SeRestorePrivilege	3332	WMIC.exe
Token: SeShutdownPrivilege	3332	WMIC.exe
Token: SeDebugPrivilege	3332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3332	WMIC.exe
Token: SeRemoteShutdownPrivilege	3332	WMIC.exe
Token: SeUndockPrivilege	3332	WMIC.exe
Token: SeManageVolumePrivilege	3332	WMIC.exe
Token: 33	3332	WMIC.exe
Token: 34	3332	WMIC.exe
Token: 35	3332	WMIC.exe
Token: 36	3332	WMIC.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	3732	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 212	748	modest-menu.exe	86
PID 748 wrote to memory of 212	748	modest-menu.exe	86
PID 748 wrote to memory of 212	748	modest-menu.exe	86
PID 748 wrote to memory of 212	748	modest-menu.exe	86
PID 748 wrote to memory of 212	748	modest-menu.exe	86
PID 748 wrote to memory of 212	748	modest-menu.exe	86
PID 748 wrote to memory of 212	748	modest-menu.exe	86
PID 748 wrote to memory of 212	748	modest-menu.exe	86
PID 212 wrote to memory of 4504	212	MSBuild.exe	87
PID 212 wrote to memory of 4504	212	MSBuild.exe	87
PID 212 wrote to memory of 4504	212	MSBuild.exe	87
PID 4504 wrote to memory of 3320	4504	update.exe	88
PID 4504 wrote to memory of 3320	4504	update.exe	88
PID 4504 wrote to memory of 3320	4504	update.exe	88
PID 3320 wrote to memory of 1352	3320	cmd.exe	90
PID 3320 wrote to memory of 1352	3320	cmd.exe	90
PID 3320 wrote to memory of 1352	3320	cmd.exe	90
PID 3320 wrote to memory of 3396	3320	cmd.exe	91
PID 3320 wrote to memory of 3396	3320	cmd.exe	91
PID 3320 wrote to memory of 3396	3320	cmd.exe	91
PID 212 wrote to memory of 1680	212	MSBuild.exe	92
PID 212 wrote to memory of 1680	212	MSBuild.exe	92
PID 1680 wrote to memory of 3844	1680	SystemUpdate.exe	93
PID 1680 wrote to memory of 3844	1680	SystemUpdate.exe	93
PID 3844 wrote to memory of 3016	3844	powershell.exe	95
PID 3844 wrote to memory of 3016	3844	powershell.exe	95
PID 1680 wrote to memory of 768	1680	SystemUpdate.exe	96
PID 1680 wrote to memory of 768	1680	SystemUpdate.exe	96
PID 768 wrote to memory of 616	768	powershell.exe	98
PID 768 wrote to memory of 616	768	powershell.exe	98
PID 1680 wrote to memory of 2364	1680	SystemUpdate.exe	99
PID 1680 wrote to memory of 2364	1680	SystemUpdate.exe	99
PID 2364 wrote to memory of 5036	2364	powershell.exe	101
PID 2364 wrote to memory of 5036	2364	powershell.exe	101
PID 1680 wrote to memory of 3464	1680	SystemUpdate.exe	102
PID 1680 wrote to memory of 3464	1680	SystemUpdate.exe	102
PID 3464 wrote to memory of 3332	3464	cmd.exe	104
PID 3464 wrote to memory of 3332	3464	cmd.exe	104
PID 3320 wrote to memory of 2188	3320	cmd.exe	105
PID 3320 wrote to memory of 2188	3320	cmd.exe	105
PID 3320 wrote to memory of 2188	3320	cmd.exe	105
PID 4504 wrote to memory of 3732	4504	update.exe	106
PID 4504 wrote to memory of 3732	4504	update.exe	106
PID 4504 wrote to memory of 3732	4504	update.exe	106
PID 3320 wrote to memory of 4860	3320	cmd.exe	107
PID 3320 wrote to memory of 4860	3320	cmd.exe	107
PID 3320 wrote to memory of 4860	3320	cmd.exe	107
PID 3732 wrote to memory of 748	3732	dllhost.exe	108
PID 3732 wrote to memory of 748	3732	dllhost.exe	108
PID 3732 wrote to memory of 748	3732	dllhost.exe	108
PID 3732 wrote to memory of 780	3732	dllhost.exe	110
PID 3732 wrote to memory of 780	3732	dllhost.exe	110
PID 3732 wrote to memory of 780	3732	dllhost.exe	110
PID 3732 wrote to memory of 4320	3732	dllhost.exe	111
PID 3732 wrote to memory of 4320	3732	dllhost.exe	111
PID 3732 wrote to memory of 4320	3732	dllhost.exe	111
PID 3732 wrote to memory of 4424	3732	dllhost.exe	131
PID 3732 wrote to memory of 4424	3732	dllhost.exe	131
PID 3732 wrote to memory of 4424	3732	dllhost.exe	131
PID 3732 wrote to memory of 4356	3732	dllhost.exe	130
PID 3732 wrote to memory of 4356	3732	dllhost.exe	130
PID 3732 wrote to memory of 4356	3732	dllhost.exe	130
PID 3732 wrote to memory of 4104	3732	dllhost.exe	115
PID 3732 wrote to memory of 4104	3732	dllhost.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\modest-menu.exe
"C:\Users\Admin\AppData\Local\Temp\modest-menu.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\update.exe
    "C:\Users\Admin\AppData\Local\Temp\update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3320
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:1352
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3396
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
  - - C:\ProgramData\Dllhost\dllhost.exe
      "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:748
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4664
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:780
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:4320
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4612
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:4104
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2028" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:1980
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2028" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2968
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk9408" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:1556
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk9408" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2804
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7537" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:452
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7537" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2140
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk4077" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:2408
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk4077" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:436
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:1988
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4788
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:8
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4936
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:4356
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4340
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:4424
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2696
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:5032
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:3184
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:1540
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:64
- - C:\Users\Admin\AppData\Local\Temp\SystemUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\SystemUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
        5⤵
        Creates scheduled task(s)
        
        PID:3016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
        5⤵
        Creates scheduled task(s)
        
        PID:616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
        5⤵
        Creates scheduled task(s)
        
        PID:5036
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3464
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
1⤵
- Executes dropped EXE
PID:2656
- C:\Windows\system32\cmd.exe
  cmd.exe /c "wmic csproduct get uuid"
  2⤵
  PID:3428

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
1⤵
PID:4604

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
1⤵
- Executes dropped EXE
PID:1016
- C:\Windows\system32\cmd.exe
  cmd.exe /c "wmic csproduct get uuid"
  2⤵
  PID:3872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
24KB

MD5
acf4152befc5768daaf11c92fd3899b0

SHA1
f8a210a2a00876f15008f275063988e5cf534722

SHA256
64c80419e5ca81a5bfee32e223b5676aac6d47c4aa8168ceae6247f766c291d6

SHA512
15bdde54be38e7ed0828f238bd2f0bcdc1a73671118225b731760fe4beb568a72570bad9b1a97a237291b394f1d3155aa6fcac209f6ae0a3db6608e0036c56d1

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
24KB

MD5
acf4152befc5768daaf11c92fd3899b0

SHA1
f8a210a2a00876f15008f275063988e5cf534722

SHA256
64c80419e5ca81a5bfee32e223b5676aac6d47c4aa8168ceae6247f766c291d6

SHA512
15bdde54be38e7ed0828f238bd2f0bcdc1a73671118225b731760fe4beb568a72570bad9b1a97a237291b394f1d3155aa6fcac209f6ae0a3db6608e0036c56d1

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin

Filesize
1KB

MD5
44b6503a45dc94c8c9af93fbeeab1cec

SHA1
2bf63cb40380b0eebf05de7bcf2711e525dcae6f

SHA256
b74643cc427f37f508790ab1a93d3b491c082314e2595d6bd6df96e8d1a2cc7b

SHA512
3d7a87006467d65b82d814fc0c2f7d8d0c5ea43fbec3fb88368b82e9d25d01c892cd2faafbd69b194e73ab9b515d386d9dcd9b6cc6ea0bd5ab56079a355bd0f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
92583222c44d8a2a6c09631b4888faa2

SHA1
bd0b21f58b3321df1481134db76147825fcf8893

SHA256
2757b12660965dbefdd2d92f20a38f5d5e7bf350a06cfdf558167fc9dd5684a6

SHA512
16ae637ddbf47b33694d0ba41440f777408801c7dd92fb6e44b7c999a1ca2fd8fd31a23080bf42295dbda2e707d9f18d4835fa951b513e69ca954a14619961fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
92583222c44d8a2a6c09631b4888faa2

SHA1
bd0b21f58b3321df1481134db76147825fcf8893

SHA256
2757b12660965dbefdd2d92f20a38f5d5e7bf350a06cfdf558167fc9dd5684a6

SHA512
16ae637ddbf47b33694d0ba41440f777408801c7dd92fb6e44b7c999a1ca2fd8fd31a23080bf42295dbda2e707d9f18d4835fa951b513e69ca954a14619961fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e89edddc99cfbc9d2acf1ece9609b802

SHA1
2bd8e4ca936a2f049490a3418aecc46a98802f0a

SHA256
da3fde6166a539058a6ee35af64c9c876a5722f1b20e393f1fa8c7ac9933a7ba

SHA512
3c3835b72e335d91d530c0260203a3a3c46b2166400d3615d8b15352a35e287f1de576537d9989fdc391be75e61a29e221712920211debcf4a92cb33d03465b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe

Filesize
55.4MB

MD5
832f17f93c542157771dc27260536fdc

SHA1
0bf442587858197af6d93b522e4f8d9c25319566

SHA256
fd3472696c48da61463783b3e8805b3f89b7e1ffe5056b60c870d8fb73ee3e6d

SHA512
1a76c6a3489ab4ff901c46f1f1dd10f50551b0daf67f0554e5dd98cb8b13bbd693711030c41c29079091e93b2f3e3af8685ea5793fe54cebcbb5d450b5e16626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe

Filesize
54.9MB

MD5
d481b9469ea2704180fad99e5fc7c1c9

SHA1
29440cac056837a82cb9d467dd527711f0786e73

SHA256
ead6a9a74e1977af657fd67b540907b79edb08aa41b538f30f8be9fd358fb7c5

SHA512
9b372fa76a6a136cc7ad1fcdfc3500e751f31ed1412dab3559c8163f01c3023126a815e4e60072309ed7ce7d7ba840db60b1a3ba04790b4db5127366db3b71a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemUpdate.exe

Filesize
5.4MB

MD5
e0d2634fe2b085685f0b71e66ac91ec9

SHA1
c03d6b2218ffff1957a91f64d15ee1cbb57726fd

SHA256
24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4

SHA512
48e72eccb385e282b419fe7116d6a0c7c0a6cd5ca482e57ae7b1b52440e347833d0aa9c15097bdeec8074b9a60d90843a5d4f20e4ce9d0595f3dc0a38b6fdde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemUpdate.exe

Filesize
5.4MB

MD5
e0d2634fe2b085685f0b71e66ac91ec9

SHA1
c03d6b2218ffff1957a91f64d15ee1cbb57726fd

SHA256
24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4

SHA512
48e72eccb385e282b419fe7116d6a0c7c0a6cd5ca482e57ae7b1b52440e347833d0aa9c15097bdeec8074b9a60d90843a5d4f20e4ce9d0595f3dc0a38b6fdde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemUpdate.exe

Filesize
5.4MB

MD5
e0d2634fe2b085685f0b71e66ac91ec9

SHA1
c03d6b2218ffff1957a91f64d15ee1cbb57726fd

SHA256
24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4

SHA512
48e72eccb385e282b419fe7116d6a0c7c0a6cd5ca482e57ae7b1b52440e347833d0aa9c15097bdeec8074b9a60d90843a5d4f20e4ce9d0595f3dc0a38b6fdde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gfompybo.j4c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
63KB

MD5
b7bc649a51698f067fe352cc825acf03

SHA1
6d66412367f01490a50b05168ce3f6e26fdb4a19

SHA256
758a1e1543f527cd1991894f49a4e9f66f550035875158ec34d3b3478040197e

SHA512
4df89530eb1c8b5b9e9a733f0c4baec710d562b55dae2a4bc31277f2f199b118224f1a87a803cf56260f8e4a6e22609ad9dea8c914723b008862d02e480430f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
63KB

MD5
b7bc649a51698f067fe352cc825acf03

SHA1
6d66412367f01490a50b05168ce3f6e26fdb4a19

SHA256
758a1e1543f527cd1991894f49a4e9f66f550035875158ec34d3b3478040197e

SHA512
4df89530eb1c8b5b9e9a733f0c4baec710d562b55dae2a4bc31277f2f199b118224f1a87a803cf56260f8e4a6e22609ad9dea8c914723b008862d02e480430f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
63KB

MD5
b7bc649a51698f067fe352cc825acf03

SHA1
6d66412367f01490a50b05168ce3f6e26fdb4a19

SHA256
758a1e1543f527cd1991894f49a4e9f66f550035875158ec34d3b3478040197e

SHA512
4df89530eb1c8b5b9e9a733f0c4baec710d562b55dae2a4bc31277f2f199b118224f1a87a803cf56260f8e4a6e22609ad9dea8c914723b008862d02e480430f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe

Filesize
56.2MB

MD5
b906a9f36fe28acf8e542cf43c55f533

SHA1
725b4b1973c8c9b42693cfccf2757e9677d246d4

SHA256
95ebeb9f7f03b2d4b4a6b2425ebca12a1799fc0bca40e34958380587eb5d289f

SHA512
7cd4a57437803e0eabf845035c7aa5689c88e2100368c803672cbc4dc461a63781689fbcb7cd931f7a0ec21116332a5c1bba4de6fb86cb62cb012f8df1458bff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe

Filesize
54.4MB

MD5
75faf7527d9fb14fb5039759eb822bf4

SHA1
95d217452358511e4ba148d03345afcb8fe2d78d

SHA256
4e1799a0c32c466f5afe7628c02d606b0e77a493e4bc2b1e79ab3e00c645aaa9

SHA512
61c9c44d4768aab12c80310d436f2b563d55bef8cd801e89998f8a4a3d52e149a023e8f928b294a1112cd65ecb10a4f1f4605d0c4a2aa2759e26546f79909439

Download Submit
memory/212-141-0x0000000004FA0000-0x00000000050AA000-memory.dmp

Filesize
1.0MB

Download
memory/212-137-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/212-148-0x0000000008740000-0x0000000008C6C000-memory.dmp

Filesize
5.2MB

Download
memory/212-140-0x00000000054B0000-0x0000000005AC8000-memory.dmp

Filesize
6.1MB

Download
memory/212-146-0x0000000005200000-0x0000000005276000-memory.dmp

Filesize
472KB

Download
memory/212-144-0x0000000004EF0000-0x0000000004F2C000-memory.dmp

Filesize
240KB

Download
memory/212-143-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/212-142-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/212-149-0x0000000006300000-0x0000000006350000-memory.dmp

Filesize
320KB

Download
memory/212-150-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/212-147-0x00000000063C0000-0x0000000006582000-memory.dmp

Filesize
1.8MB

Download
memory/748-138-0x0000000007350000-0x00000000078F4000-memory.dmp

Filesize
5.6MB

Download
memory/748-133-0x0000000000CD0000-0x0000000000FE2000-memory.dmp

Filesize
3.1MB

Download
memory/748-139-0x00000000069F0000-0x0000000006A82000-memory.dmp

Filesize
584KB

Download
memory/748-136-0x0000000005F90000-0x0000000005FA0000-memory.dmp

Filesize
64KB

Download
memory/748-135-0x0000000005F90000-0x0000000005FA0000-memory.dmp

Filesize
64KB

Download
memory/748-134-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/768-209-0x000001FC63C20000-0x000001FC63C30000-memory.dmp

Filesize
64KB

Download
memory/768-210-0x000001FC63C20000-0x000001FC63C30000-memory.dmp

Filesize
64KB

Download
memory/2188-268-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/2188-280-0x0000000070020000-0x000000007006C000-memory.dmp

Filesize
304KB

Download
memory/2188-291-0x000000007F040000-0x000000007F050000-memory.dmp

Filesize
64KB

Download
memory/2188-290-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/2364-239-0x0000014A8C3A0000-0x0000014A8C3B0000-memory.dmp

Filesize
64KB

Download
memory/2364-241-0x0000014A8C3A0000-0x0000014A8C3B0000-memory.dmp

Filesize
64KB

Download
memory/2364-240-0x0000014A8C3A0000-0x0000014A8C3B0000-memory.dmp

Filesize
64KB

Download
memory/3396-260-0x0000000007280000-0x0000000007316000-memory.dmp

Filesize
600KB

Download
memory/3396-201-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

Filesize
120KB

Download
memory/3396-256-0x0000000007000000-0x000000000701A000-memory.dmp

Filesize
104KB

Download
memory/3396-257-0x0000000007050000-0x000000000705A000-memory.dmp

Filesize
40KB

Download
memory/3396-238-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/3396-258-0x000000007F600000-0x000000007F610000-memory.dmp

Filesize
64KB

Download
memory/3396-261-0x0000000007220000-0x000000000722E000-memory.dmp

Filesize
56KB

Download
memory/3396-262-0x0000000007320000-0x000000000733A000-memory.dmp

Filesize
104KB

Download
memory/3396-263-0x0000000007260000-0x0000000007268000-memory.dmp

Filesize
32KB

Download
memory/3396-255-0x0000000007660000-0x0000000007CDA000-memory.dmp

Filesize
6.5MB

Download
memory/3396-166-0x0000000002700000-0x0000000002736000-memory.dmp

Filesize
216KB

Download
memory/3396-177-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/3396-176-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/3396-175-0x0000000004F50000-0x0000000005578000-memory.dmp

Filesize
6.2MB

Download
memory/3396-254-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/3396-243-0x0000000070520000-0x000000007056C000-memory.dmp

Filesize
304KB

Download
memory/3396-242-0x0000000006E80000-0x0000000006EB2000-memory.dmp

Filesize
200KB

Download
memory/3396-181-0x0000000004D90000-0x0000000004DF6000-memory.dmp

Filesize
408KB

Download
memory/3396-180-0x0000000004CF0000-0x0000000004D12000-memory.dmp

Filesize
136KB

Download
memory/3732-295-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

Filesize
48KB

Download
memory/3732-326-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/3732-308-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/3844-202-0x000001F2CC0A0000-0x000001F2CC0B0000-memory.dmp

Filesize
64KB

Download
memory/3844-191-0x000001F2E6B80000-0x000001F2E6BA2000-memory.dmp

Filesize
136KB

Download
memory/3844-203-0x000001F2CC0A0000-0x000001F2CC0B0000-memory.dmp

Filesize
64KB

Download
memory/4504-279-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4504-164-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4504-163-0x000000000A570000-0x000000000A57A000-memory.dmp

Filesize
40KB

Download
memory/4504-162-0x00000000004C0000-0x00000000004D6000-memory.dmp

Filesize
88KB

Download
memory/4860-302-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4860-310-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4860-311-0x000000006FFA0000-0x000000006FFEC000-memory.dmp

Filesize
304KB

Download
memory/4860-307-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4860-323-0x000000007F470000-0x000000007F480000-memory.dmp

Filesize
64KB

Download