redline | ad425b0ff0675acf79c211e6cdaff9d36fcb0ecae7b51f685ffbe6b146a3bd24

Analysis

max time kernel
94s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2023 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56d0a5371d72cfcf23cc8969c0e27d15.exe
Size

724KB
MD5

56d0a5371d72cfcf23cc8969c0e27d15
SHA1

f3dfb71b3f17d050bb0f3cd386e11dd764639ce7
SHA256

ad425b0ff0675acf79c211e6cdaff9d36fcb0ecae7b51f685ffbe6b146a3bd24
SHA512

3d8ff26284488bd62b4c6ce9a5eab7926ab7774af6a3d2f1b584fa6dd6264580b8f58ab27d6781d4e3c1ce3c7ddd2193707337cb1da87ace26a5da328d621fd5
SSDEEP

12288:wMr1y90IC1dS1eYaTX/bHakC9FdORcAD6zORJb9SnREkiPtJDH7cmepYwF3iHa1Z:VyxkdS8XOkYFAr5RJbGEbPtJ77YpYwFj

Score

10^/10

redline doxa shore discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

doxa

83.97.73.129:19068

Attributes

auth_value
8cf5ba009458c73b014353d79d8422c6

Extracted

Family

redline

Botnet

shore

83.97.73.129:19068

Attributes

auth_value
3be47ce95ac58176e4771019f5179f79

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 22 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k9626351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k9626351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k9626351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	nik200.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	nik200.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k9626351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k9626351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	nik200.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	nik200.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k9626351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	nik200.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	l7613365.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	son100.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	metado.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	m9695933.exe

Executes dropped EXE 14 IoCs

pid	Process
1252	y0912256.exe
4388	y5464176.exe
3840	y3950690.exe
2040	j5713478.exe
4716	k9626351.exe
1692	l7613365.exe
852	son100.exe
4556	nik200.exe
4164	m9695933.exe
3812	metado.exe
3312	metado.exe
1680	n2324834.exe
4496	gam400.exe
1780	metado.exe

Loads dropped DLL 1 IoCs

pid	Process
1912	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	nik200.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k9626351.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y3950690.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	56d0a5371d72cfcf23cc8969c0e27d15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	56d0a5371d72cfcf23cc8969c0e27d15.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0912256.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0912256.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5464176.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5464176.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3950690.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 3112	2040	j5713478.exe	89
PID 1680 set thread context of 4692	1680	n2324834.exe	112
PID 4496 set thread context of 4984	4496	gam400.exe	117

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4184	2040	WerFault.exe	87
740	1680	WerFault.exe	105
4092	4496	WerFault.exe	115

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3112	AppLaunch.exe
3112	AppLaunch.exe
4716	k9626351.exe
4716	k9626351.exe
1692	l7613365.exe
1692	l7613365.exe
4556	nik200.exe
4556	nik200.exe
4692	AppLaunch.exe
4692	AppLaunch.exe
4984	AppLaunch.exe
4984	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3112	AppLaunch.exe
Token: SeDebugPrivilege	4716	k9626351.exe
Token: SeDebugPrivilege	1692	l7613365.exe
Token: SeDebugPrivilege	4556	nik200.exe
Token: SeDebugPrivilege	4692	AppLaunch.exe
Token: SeDebugPrivilege	4984	AppLaunch.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4164	m9695933.exe
852	son100.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1252	1488	56d0a5371d72cfcf23cc8969c0e27d15.exe	84
PID 1488 wrote to memory of 1252	1488	56d0a5371d72cfcf23cc8969c0e27d15.exe	84
PID 1488 wrote to memory of 1252	1488	56d0a5371d72cfcf23cc8969c0e27d15.exe	84
PID 1252 wrote to memory of 4388	1252	y0912256.exe	85
PID 1252 wrote to memory of 4388	1252	y0912256.exe	85
PID 1252 wrote to memory of 4388	1252	y0912256.exe	85
PID 4388 wrote to memory of 3840	4388	y5464176.exe	86
PID 4388 wrote to memory of 3840	4388	y5464176.exe	86
PID 4388 wrote to memory of 3840	4388	y5464176.exe	86
PID 3840 wrote to memory of 2040	3840	y3950690.exe	87
PID 3840 wrote to memory of 2040	3840	y3950690.exe	87
PID 3840 wrote to memory of 2040	3840	y3950690.exe	87
PID 2040 wrote to memory of 3112	2040	j5713478.exe	89
PID 2040 wrote to memory of 3112	2040	j5713478.exe	89
PID 2040 wrote to memory of 3112	2040	j5713478.exe	89
PID 2040 wrote to memory of 3112	2040	j5713478.exe	89
PID 2040 wrote to memory of 3112	2040	j5713478.exe	89
PID 3840 wrote to memory of 4716	3840	y3950690.exe	92
PID 3840 wrote to memory of 4716	3840	y3950690.exe	92
PID 4388 wrote to memory of 1692	4388	y5464176.exe	93
PID 4388 wrote to memory of 1692	4388	y5464176.exe	93
PID 4388 wrote to memory of 1692	4388	y5464176.exe	93
PID 1692 wrote to memory of 852	1692	l7613365.exe	95
PID 1692 wrote to memory of 852	1692	l7613365.exe	95
PID 1692 wrote to memory of 852	1692	l7613365.exe	95
PID 1692 wrote to memory of 4556	1692	l7613365.exe	96
PID 1692 wrote to memory of 4556	1692	l7613365.exe	96
PID 1252 wrote to memory of 4164	1252	y0912256.exe	97
PID 1252 wrote to memory of 4164	1252	y0912256.exe	97
PID 1252 wrote to memory of 4164	1252	y0912256.exe	97
PID 852 wrote to memory of 3812	852	son100.exe	98
PID 852 wrote to memory of 3812	852	son100.exe	98
PID 852 wrote to memory of 3812	852	son100.exe	98
PID 3812 wrote to memory of 4136	3812	metado.exe	99
PID 3812 wrote to memory of 4136	3812	metado.exe	99
PID 3812 wrote to memory of 4136	3812	metado.exe	99
PID 3812 wrote to memory of 2108	3812	metado.exe	101
PID 3812 wrote to memory of 2108	3812	metado.exe	101
PID 3812 wrote to memory of 2108	3812	metado.exe	101
PID 2108 wrote to memory of 3924	2108	cmd.exe	103
PID 2108 wrote to memory of 3924	2108	cmd.exe	103
PID 2108 wrote to memory of 3924	2108	cmd.exe	103
PID 4164 wrote to memory of 3312	4164	m9695933.exe	104
PID 4164 wrote to memory of 3312	4164	m9695933.exe	104
PID 4164 wrote to memory of 3312	4164	m9695933.exe	104
PID 1488 wrote to memory of 1680	1488	56d0a5371d72cfcf23cc8969c0e27d15.exe	105
PID 1488 wrote to memory of 1680	1488	56d0a5371d72cfcf23cc8969c0e27d15.exe	105
PID 1488 wrote to memory of 1680	1488	56d0a5371d72cfcf23cc8969c0e27d15.exe	105
PID 2108 wrote to memory of 2816	2108	cmd.exe	107
PID 2108 wrote to memory of 2816	2108	cmd.exe	107
PID 2108 wrote to memory of 2816	2108	cmd.exe	107
PID 2108 wrote to memory of 3000	2108	cmd.exe	108
PID 2108 wrote to memory of 3000	2108	cmd.exe	108
PID 2108 wrote to memory of 3000	2108	cmd.exe	108
PID 2108 wrote to memory of 2808	2108	cmd.exe	109
PID 2108 wrote to memory of 2808	2108	cmd.exe	109
PID 2108 wrote to memory of 2808	2108	cmd.exe	109
PID 2108 wrote to memory of 2172	2108	cmd.exe	110
PID 2108 wrote to memory of 2172	2108	cmd.exe	110
PID 2108 wrote to memory of 2172	2108	cmd.exe	110
PID 2108 wrote to memory of 4712	2108	cmd.exe	111
PID 2108 wrote to memory of 4712	2108	cmd.exe	111
PID 2108 wrote to memory of 4712	2108	cmd.exe	111
PID 1680 wrote to memory of 4692	1680	n2324834.exe	112

C:\Users\Admin\AppData\Local\Temp\56d0a5371d72cfcf23cc8969c0e27d15.exe
"C:\Users\Admin\AppData\Local\Temp\56d0a5371d72cfcf23cc8969c0e27d15.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0912256.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0912256.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5464176.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5464176.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3950690.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3950690.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3840
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5713478.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5713478.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 148
        6⤵
        Program crash
        
        PID:4184
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k9626351.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k9626351.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7613365.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7613365.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\son100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\son100.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:852
      - C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metado.exe" /P "Admin:N"&&CACLS "metado.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metado.exe" /P "Admin:N"
        8⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metado.exe" /P "Admin:R" /E
        8⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\a9e2a16078" /P "Admin:N"
        8⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\a9e2a16078" /P "Admin:R" /E
        8⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:1912
    - - C:\Users\Admin\AppData\Local\Temp\nik200.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nik200.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9695933.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9695933.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
      "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe"
      4⤵
      Executes dropped EXE
      PID:3312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2324834.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2324834.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4692
  - - C:\Users\Admin\AppData\Local\Temp\gam400.exe
      "C:\Users\Admin\AppData\Local\Temp\gam400.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4496
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 152
        5⤵
        Program crash
        
        PID:4092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 140
    3⤵
    - Program crash
    PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2040 -ip 2040
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1680 -ip 1680
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4496 -ip 4496
1⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
1⤵
- Executes dropped EXE
PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2324834.exe

Filesize
262KB

MD5
023328f2f78e7e38a318e35f292bc964

SHA1
0de8f7d62741f46074d6c4f38c5b2541637081a4

SHA256
2585a968caaef766c1289bdccc28a634fc32788aa594c8aa446c7a72e3d82782

SHA512
c044a61aff3b3c993e103158b7245cff661302f8270d339998720650a07f0ae4967f19f32979c54e61599f9c8cf0dfa82f70daac0499e73e9fa5b5f16271049d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2324834.exe

Filesize
262KB

MD5
023328f2f78e7e38a318e35f292bc964

SHA1
0de8f7d62741f46074d6c4f38c5b2541637081a4

SHA256
2585a968caaef766c1289bdccc28a634fc32788aa594c8aa446c7a72e3d82782

SHA512
c044a61aff3b3c993e103158b7245cff661302f8270d339998720650a07f0ae4967f19f32979c54e61599f9c8cf0dfa82f70daac0499e73e9fa5b5f16271049d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0912256.exe

Filesize
524KB

MD5
e00a09183f102bd876650fbf1e1c01bd

SHA1
6286909350894b22dd795f4e96b4576463a0576b

SHA256
2ccb20c01bd8cbd314d45e16949555ea800a08ae1b7a6f213d0d82f410456551

SHA512
35a52381f1e0b555e560b636638442149cfce3477295e7c46328ac6d8685258548d4668206f7ee83c6a67ff406f01db21700f0468309572b7074440c7b905198

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0912256.exe

Filesize
524KB

MD5
e00a09183f102bd876650fbf1e1c01bd

SHA1
6286909350894b22dd795f4e96b4576463a0576b

SHA256
2ccb20c01bd8cbd314d45e16949555ea800a08ae1b7a6f213d0d82f410456551

SHA512
35a52381f1e0b555e560b636638442149cfce3477295e7c46328ac6d8685258548d4668206f7ee83c6a67ff406f01db21700f0468309572b7074440c7b905198

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9695933.exe

Filesize
205KB

MD5
34733e89c43677c748b6cd7f7d240c9a

SHA1
ae27a621ccc4c8ef515158316ffe37b629338644

SHA256
cd9c2607e2d9b44f5f699fd6e05d6f503d07e57956d8338bab8af361a2e163af

SHA512
215fafb03b851b6bfc9051d5cc40347aeebcd236d9d20ac7fe4529c9b613d0341fbac3941d17b5b453f5f53fcc84346e28ffa6fd97ab25b2de32fa28cb3bfc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9695933.exe

Filesize
205KB

MD5
34733e89c43677c748b6cd7f7d240c9a

SHA1
ae27a621ccc4c8ef515158316ffe37b629338644

SHA256
cd9c2607e2d9b44f5f699fd6e05d6f503d07e57956d8338bab8af361a2e163af

SHA512
215fafb03b851b6bfc9051d5cc40347aeebcd236d9d20ac7fe4529c9b613d0341fbac3941d17b5b453f5f53fcc84346e28ffa6fd97ab25b2de32fa28cb3bfc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5464176.exe

Filesize
352KB

MD5
a3730be8d8aad92e9091c7f9676e4d41

SHA1
fcd2c91c3fd55442e55219edc701d8b700c283c2

SHA256
5308ad2d9c17bd13746b7476543984a19366190d00dc67a21495821d55e64bc5

SHA512
671629c9ed82b2bf433c65ae1c2ab07f5bd270bf7a9e599fcec81c43c29cdabafe27fb1ff5d476ea2f27e43c56dca6e37d2edf3f1b6a018d5cea1d8b4dba37f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5464176.exe

Filesize
352KB

MD5
a3730be8d8aad92e9091c7f9676e4d41

SHA1
fcd2c91c3fd55442e55219edc701d8b700c283c2

SHA256
5308ad2d9c17bd13746b7476543984a19366190d00dc67a21495821d55e64bc5

SHA512
671629c9ed82b2bf433c65ae1c2ab07f5bd270bf7a9e599fcec81c43c29cdabafe27fb1ff5d476ea2f27e43c56dca6e37d2edf3f1b6a018d5cea1d8b4dba37f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7613365.exe

Filesize
172KB

MD5
831526f80b3c6470de380197e6769102

SHA1
d4026f4e9a991f20b3a67b5af38cf30c1ec13341

SHA256
870b9d125d13f0f0a50a268194bf16612da6c8456caba3b9c354ed9f94461189

SHA512
101c932ab0b793956431ace0d89803d363906a421a192887a18b9e51e3da269a383f9aa87b426a7c1f64bfcd5ef1881cab86cfbbda78c72daa8f121f92aa6753

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7613365.exe

Filesize
172KB

MD5
831526f80b3c6470de380197e6769102

SHA1
d4026f4e9a991f20b3a67b5af38cf30c1ec13341

SHA256
870b9d125d13f0f0a50a268194bf16612da6c8456caba3b9c354ed9f94461189

SHA512
101c932ab0b793956431ace0d89803d363906a421a192887a18b9e51e3da269a383f9aa87b426a7c1f64bfcd5ef1881cab86cfbbda78c72daa8f121f92aa6753

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3950690.exe

Filesize
196KB

MD5
b9f03e51b9d9caf54d31fdb5735ab2d3

SHA1
ef0b8742db5beefb8f95c764c224bd1332e19196

SHA256
1b8144aaedc550d71495e59db08e110b68737d1215ee1d120ab9f2e044a1ec61

SHA512
8089d1b3f9a558552a595f59bb40b2bca1e587fa5f45fe0c6e1426ac18a32ac2c464a9d5cf863204a8e067b80f3e545e61187c8a3552531f43bdf9fefa26cd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3950690.exe

Filesize
196KB

MD5
b9f03e51b9d9caf54d31fdb5735ab2d3

SHA1
ef0b8742db5beefb8f95c764c224bd1332e19196

SHA256
1b8144aaedc550d71495e59db08e110b68737d1215ee1d120ab9f2e044a1ec61

SHA512
8089d1b3f9a558552a595f59bb40b2bca1e587fa5f45fe0c6e1426ac18a32ac2c464a9d5cf863204a8e067b80f3e545e61187c8a3552531f43bdf9fefa26cd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5713478.exe

Filesize
101KB

MD5
163c94d7552697b78ebefc908fe7d20f

SHA1
29d47f8589ec56789f9f9624ae5875dc7187207b

SHA256
457a299a31aec218f6a392bdf3fe4911de004ecec4d17bd2260575808bae79e8

SHA512
b350251de7bba361e5b0f4a9b7bb2dbdf297a46097c8d1612d103f1faec08310d384146ee36925e7308e5277fd1f01a645821645b3581f130314aa20206c1365

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5713478.exe

Filesize
101KB

MD5
163c94d7552697b78ebefc908fe7d20f

SHA1
29d47f8589ec56789f9f9624ae5875dc7187207b

SHA256
457a299a31aec218f6a392bdf3fe4911de004ecec4d17bd2260575808bae79e8

SHA512
b350251de7bba361e5b0f4a9b7bb2dbdf297a46097c8d1612d103f1faec08310d384146ee36925e7308e5277fd1f01a645821645b3581f130314aa20206c1365

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k9626351.exe

Filesize
11KB

MD5
77c06d90742d8a47aaa9a0de251e354c

SHA1
7093e1dfd6707015b4d55e0cae3bd895de53ef97

SHA256
d26e443a261981f9b6d556f0ffa0afea82e397b727b99910706252cb1b3bd012

SHA512
3e10d699112f347f9e1706339222a3ae1776b8540480466f065d208be9283bd52492387c80e713ec2dca576093c24e889a63150683853798b46535dbd509268f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k9626351.exe

Filesize
11KB

MD5
77c06d90742d8a47aaa9a0de251e354c

SHA1
7093e1dfd6707015b4d55e0cae3bd895de53ef97

SHA256
d26e443a261981f9b6d556f0ffa0afea82e397b727b99910706252cb1b3bd012

SHA512
3e10d699112f347f9e1706339222a3ae1776b8540480466f065d208be9283bd52492387c80e713ec2dca576093c24e889a63150683853798b46535dbd509268f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
205KB

MD5
1ad343effbd079f01591f822b0aea634

SHA1
6042db0b39e6790ffacf5a4e0a83eef3e6db4560

SHA256
5610b6ba831f1a81ac5b9c6c021c43a9dff2ed164b45076956f238c4a2221b3f

SHA512
0e7cb4e0554bdcf754ee0d12394a41197049fbed50ab3cf66f877f2dfb4ed012eee0e7dcd38fa053baa4fab683a38ada9892afef134638e7258f0bf5b8da8ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
205KB

MD5
1ad343effbd079f01591f822b0aea634

SHA1
6042db0b39e6790ffacf5a4e0a83eef3e6db4560

SHA256
5610b6ba831f1a81ac5b9c6c021c43a9dff2ed164b45076956f238c4a2221b3f

SHA512
0e7cb4e0554bdcf754ee0d12394a41197049fbed50ab3cf66f877f2dfb4ed012eee0e7dcd38fa053baa4fab683a38ada9892afef134638e7258f0bf5b8da8ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
205KB

MD5
1ad343effbd079f01591f822b0aea634

SHA1
6042db0b39e6790ffacf5a4e0a83eef3e6db4560

SHA256
5610b6ba831f1a81ac5b9c6c021c43a9dff2ed164b45076956f238c4a2221b3f

SHA512
0e7cb4e0554bdcf754ee0d12394a41197049fbed50ab3cf66f877f2dfb4ed012eee0e7dcd38fa053baa4fab683a38ada9892afef134638e7258f0bf5b8da8ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
205KB

MD5
1ad343effbd079f01591f822b0aea634

SHA1
6042db0b39e6790ffacf5a4e0a83eef3e6db4560

SHA256
5610b6ba831f1a81ac5b9c6c021c43a9dff2ed164b45076956f238c4a2221b3f

SHA512
0e7cb4e0554bdcf754ee0d12394a41197049fbed50ab3cf66f877f2dfb4ed012eee0e7dcd38fa053baa4fab683a38ada9892afef134638e7258f0bf5b8da8ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gam400.exe

Filesize
100KB

MD5
6ed539d36aac972e19a6b69f107e7a6c

SHA1
f4720474deed063ca6e8355ce5e648cda3a5b237

SHA256
e720b4b4fda916c7da80601632172362f697e262defe627232597a392f8e9265

SHA512
3dc1eeb7f1e80dc91b8ccdb353517aade69bb3507b0077a1e780a005d11bbb398b6be08b825d4ddf06b3b032603b796b61f4eab789faebcb46c6b0631552e1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gam400.exe

Filesize
100KB

MD5
6ed539d36aac972e19a6b69f107e7a6c

SHA1
f4720474deed063ca6e8355ce5e648cda3a5b237

SHA256
e720b4b4fda916c7da80601632172362f697e262defe627232597a392f8e9265

SHA512
3dc1eeb7f1e80dc91b8ccdb353517aade69bb3507b0077a1e780a005d11bbb398b6be08b825d4ddf06b3b032603b796b61f4eab789faebcb46c6b0631552e1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gam400.exe

Filesize
100KB

MD5
6ed539d36aac972e19a6b69f107e7a6c

SHA1
f4720474deed063ca6e8355ce5e648cda3a5b237

SHA256
e720b4b4fda916c7da80601632172362f697e262defe627232597a392f8e9265

SHA512
3dc1eeb7f1e80dc91b8ccdb353517aade69bb3507b0077a1e780a005d11bbb398b6be08b825d4ddf06b3b032603b796b61f4eab789faebcb46c6b0631552e1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nik200.exe

Filesize
11KB

MD5
d0d6fc81142671b82b5052b72791bb1f

SHA1
48238c5108a450dac95785cd3373a608778fbab2

SHA256
422920b6ea226d36fe947e48170b2afe1f7b43d766f3a5d30b53b4ec13d41468

SHA512
a5d2703393c8c38fcfd88fd078ae3a89eaaabb270fc17dd8f81496987703b8469e837186288278b5fb2e6b8ee4c59a755574740863afef99ccb3ae820256aee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nik200.exe

Filesize
11KB

MD5
d0d6fc81142671b82b5052b72791bb1f

SHA1
48238c5108a450dac95785cd3373a608778fbab2

SHA256
422920b6ea226d36fe947e48170b2afe1f7b43d766f3a5d30b53b4ec13d41468

SHA512
a5d2703393c8c38fcfd88fd078ae3a89eaaabb270fc17dd8f81496987703b8469e837186288278b5fb2e6b8ee4c59a755574740863afef99ccb3ae820256aee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nik200.exe

Filesize
11KB

MD5
d0d6fc81142671b82b5052b72791bb1f

SHA1
48238c5108a450dac95785cd3373a608778fbab2

SHA256
422920b6ea226d36fe947e48170b2afe1f7b43d766f3a5d30b53b4ec13d41468

SHA512
a5d2703393c8c38fcfd88fd078ae3a89eaaabb270fc17dd8f81496987703b8469e837186288278b5fb2e6b8ee4c59a755574740863afef99ccb3ae820256aee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\son100.exe

Filesize
205KB

MD5
1ad343effbd079f01591f822b0aea634

SHA1
6042db0b39e6790ffacf5a4e0a83eef3e6db4560

SHA256
5610b6ba831f1a81ac5b9c6c021c43a9dff2ed164b45076956f238c4a2221b3f

SHA512
0e7cb4e0554bdcf754ee0d12394a41197049fbed50ab3cf66f877f2dfb4ed012eee0e7dcd38fa053baa4fab683a38ada9892afef134638e7258f0bf5b8da8ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\son100.exe

Filesize
205KB

MD5
1ad343effbd079f01591f822b0aea634

SHA1
6042db0b39e6790ffacf5a4e0a83eef3e6db4560

SHA256
5610b6ba831f1a81ac5b9c6c021c43a9dff2ed164b45076956f238c4a2221b3f

SHA512
0e7cb4e0554bdcf754ee0d12394a41197049fbed50ab3cf66f877f2dfb4ed012eee0e7dcd38fa053baa4fab683a38ada9892afef134638e7258f0bf5b8da8ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\son100.exe

Filesize
205KB

MD5
1ad343effbd079f01591f822b0aea634

SHA1
6042db0b39e6790ffacf5a4e0a83eef3e6db4560

SHA256
5610b6ba831f1a81ac5b9c6c021c43a9dff2ed164b45076956f238c4a2221b3f

SHA512
0e7cb4e0554bdcf754ee0d12394a41197049fbed50ab3cf66f877f2dfb4ed012eee0e7dcd38fa053baa4fab683a38ada9892afef134638e7258f0bf5b8da8ac0

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1692-183-0x000000000A8F0000-0x000000000A982000-memory.dmp

Filesize
584KB

Download
memory/1692-180-0x000000000A4C0000-0x000000000A4FC000-memory.dmp

Filesize
240KB

Download
memory/1692-189-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/1692-188-0x000000000C500000-0x000000000CA2C000-memory.dmp

Filesize
5.2MB

Download
memory/1692-187-0x000000000BE00000-0x000000000BFC2000-memory.dmp

Filesize
1.8MB

Download
memory/1692-186-0x000000000B520000-0x000000000B570000-memory.dmp

Filesize
320KB

Download
memory/1692-185-0x000000000B0D0000-0x000000000B136000-memory.dmp

Filesize
408KB

Download
memory/1692-176-0x00000000006E0000-0x0000000000710000-memory.dmp

Filesize
192KB

Download
memory/1692-184-0x000000000B580000-0x000000000BB24000-memory.dmp

Filesize
5.6MB

Download
memory/1692-177-0x000000000A9B0000-0x000000000AFC8000-memory.dmp

Filesize
6.1MB

Download
memory/1692-178-0x000000000A520000-0x000000000A62A000-memory.dmp

Filesize
1.0MB

Download
memory/1692-182-0x000000000A7D0000-0x000000000A846000-memory.dmp

Filesize
472KB

Download
memory/1692-181-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/1692-179-0x000000000A460000-0x000000000A472000-memory.dmp

Filesize
72KB

Download
memory/3112-162-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4692-234-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4692-228-0x0000000000590000-0x00000000005C0000-memory.dmp

Filesize
192KB

Download
memory/4716-170-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download