redline | ce2502939ab7d298ac91310ab203cf1a25d78553582f02c2c34aa3839f85b8a8

Analysis

max time kernel
115s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2023 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce2502939ab7d298ac91310ab203cf1a25d78553582f02c2c34aa3839f85b8a8.exe
Size

722KB
MD5

e1824df5b0aedb9e35731922fe532a59
SHA1

07449aac8104549bb8bf5abe9070d4d73ce8553d
SHA256

ce2502939ab7d298ac91310ab203cf1a25d78553582f02c2c34aa3839f85b8a8
SHA512

c19fd0d11403ffd96fbdf17fa2e928b1df5bf5a8370de1defc5022adb81c0a49130dbcd2340d8c54177dfedbdbbb4e44c457f11ce7a2d6ee850a151fd5cbe40b
SSDEEP

12288:kMrSy90z+SlC4CcLowljju9qzjHgwER7/I5kmOQKoxeKFw6HFecqR79pLtSQ:myeVQL7Md81w5kmO0QKFw6AhEQ

Score

10^/10

redline maxi sheron evasion infostealer persistence spyware trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.129:19068

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 22 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exeAppLaunch.exenik200.exea7193142.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	nik200.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	nik200.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	nik200.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	nik200.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7193142.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7193142.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7193142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	nik200.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7193142.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7193142.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7193142.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d4532181.exemetado.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	d4532181.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	metado.exe

Executes dropped EXE 14 IoCs

Processes:

v6704263.exev3972561.exev0844233.exea7193142.exeb6961532.exec5379934.exed4532181.exemetado.exee8941901.exeson100.exenik200.exegam400.exemetado.exemetado.exe

pid	process
1040	v6704263.exe
652	v3972561.exe
3204	v0844233.exe
4736	a7193142.exe
3852	b6961532.exe
1636	c5379934.exe
1008	d4532181.exe
4768	metado.exe
4540	e8941901.exe
3316	son100.exe
4960	nik200.exe
348	gam400.exe
4952	metado.exe
4772	metado.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1908 rundll32.exe

pid	process
1908	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a7193142.exenik200.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7193142.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	nik200.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v3972561.exev0844233.exece2502939ab7d298ac91310ab203cf1a25d78553582f02c2c34aa3839f85b8a8.exev6704263.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3972561.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0844233.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0844233.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ce2502939ab7d298ac91310ab203cf1a25d78553582f02c2c34aa3839f85b8a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ce2502939ab7d298ac91310ab203cf1a25d78553582f02c2c34aa3839f85b8a8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6704263.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6704263.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3972561.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

b6961532.exee8941901.exegam400.exe

description	pid	process	target process
PID 3852 set thread context of 4544	3852	b6961532.exe	AppLaunch.exe
PID 4540 set thread context of 3644	4540	e8941901.exe	AppLaunch.exe
PID 348 set thread context of 3492	348	gam400.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4828	3852	WerFault.exe	b6961532.exe
1576	1636	WerFault.exe	c5379934.exe
812	4540	WerFault.exe	e8941901.exe
3852	348	WerFault.exe	gam400.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2372 schtasks.exe

pid	process
2372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

a7193142.exeAppLaunch.exeAppLaunch.exenik200.exeAppLaunch.exe

pid	process
4736	a7193142.exe
4736	a7193142.exe
4544	AppLaunch.exe
4544	AppLaunch.exe
3644	AppLaunch.exe
3644	AppLaunch.exe
4960	nik200.exe
4960	nik200.exe
3492	AppLaunch.exe
3492	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

a7193142.exeAppLaunch.exeAppLaunch.exenik200.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4736	a7193142.exe
Token: SeDebugPrivilege	4544	AppLaunch.exe
Token: SeDebugPrivilege	3644	AppLaunch.exe
Token: SeDebugPrivilege	4960	nik200.exe
Token: SeDebugPrivilege	3492	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d4532181.exe

pid process

1008 d4532181.exe

pid	process
1008	d4532181.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ce2502939ab7d298ac91310ab203cf1a25d78553582f02c2c34aa3839f85b8a8.exev6704263.exev3972561.exev0844233.exeb6961532.exed4532181.exemetado.execmd.exee8941901.exeAppLaunch.exe

description	pid	process	target process
PID 4268 wrote to memory of 1040	4268	ce2502939ab7d298ac91310ab203cf1a25d78553582f02c2c34aa3839f85b8a8.exe	v6704263.exe
PID 4268 wrote to memory of 1040	4268	ce2502939ab7d298ac91310ab203cf1a25d78553582f02c2c34aa3839f85b8a8.exe	v6704263.exe
PID 4268 wrote to memory of 1040	4268	ce2502939ab7d298ac91310ab203cf1a25d78553582f02c2c34aa3839f85b8a8.exe	v6704263.exe
PID 1040 wrote to memory of 652	1040	v6704263.exe	v3972561.exe
PID 1040 wrote to memory of 652	1040	v6704263.exe	v3972561.exe
PID 1040 wrote to memory of 652	1040	v6704263.exe	v3972561.exe
PID 652 wrote to memory of 3204	652	v3972561.exe	v0844233.exe
PID 652 wrote to memory of 3204	652	v3972561.exe	v0844233.exe
PID 652 wrote to memory of 3204	652	v3972561.exe	v0844233.exe
PID 3204 wrote to memory of 4736	3204	v0844233.exe	a7193142.exe
PID 3204 wrote to memory of 4736	3204	v0844233.exe	a7193142.exe
PID 3204 wrote to memory of 3852	3204	v0844233.exe	b6961532.exe
PID 3204 wrote to memory of 3852	3204	v0844233.exe	b6961532.exe
PID 3204 wrote to memory of 3852	3204	v0844233.exe	b6961532.exe
PID 3852 wrote to memory of 4544	3852	b6961532.exe	AppLaunch.exe
PID 3852 wrote to memory of 4544	3852	b6961532.exe	AppLaunch.exe
PID 3852 wrote to memory of 4544	3852	b6961532.exe	AppLaunch.exe
PID 3852 wrote to memory of 4544	3852	b6961532.exe	AppLaunch.exe
PID 3852 wrote to memory of 4544	3852	b6961532.exe	AppLaunch.exe
PID 652 wrote to memory of 1636	652	v3972561.exe	c5379934.exe
PID 652 wrote to memory of 1636	652	v3972561.exe	c5379934.exe
PID 652 wrote to memory of 1636	652	v3972561.exe	c5379934.exe
PID 1040 wrote to memory of 1008	1040	v6704263.exe	d4532181.exe
PID 1040 wrote to memory of 1008	1040	v6704263.exe	d4532181.exe
PID 1040 wrote to memory of 1008	1040	v6704263.exe	d4532181.exe
PID 1008 wrote to memory of 4768	1008	d4532181.exe	metado.exe
PID 1008 wrote to memory of 4768	1008	d4532181.exe	metado.exe
PID 1008 wrote to memory of 4768	1008	d4532181.exe	metado.exe
PID 4268 wrote to memory of 4540	4268	ce2502939ab7d298ac91310ab203cf1a25d78553582f02c2c34aa3839f85b8a8.exe	e8941901.exe
PID 4268 wrote to memory of 4540	4268	ce2502939ab7d298ac91310ab203cf1a25d78553582f02c2c34aa3839f85b8a8.exe	e8941901.exe
PID 4268 wrote to memory of 4540	4268	ce2502939ab7d298ac91310ab203cf1a25d78553582f02c2c34aa3839f85b8a8.exe	e8941901.exe
PID 4768 wrote to memory of 2372	4768	metado.exe	schtasks.exe
PID 4768 wrote to memory of 2372	4768	metado.exe	schtasks.exe
PID 4768 wrote to memory of 2372	4768	metado.exe	schtasks.exe
PID 4768 wrote to memory of 760	4768	metado.exe	cmd.exe
PID 4768 wrote to memory of 760	4768	metado.exe	cmd.exe
PID 4768 wrote to memory of 760	4768	metado.exe	cmd.exe
PID 760 wrote to memory of 4108	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 4108	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 4108	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 4136	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 4136	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 4136	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 2020	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 2020	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 2020	760	cmd.exe	cacls.exe
PID 4540 wrote to memory of 3644	4540	e8941901.exe	AppLaunch.exe
PID 4540 wrote to memory of 3644	4540	e8941901.exe	AppLaunch.exe
PID 4540 wrote to memory of 3644	4540	e8941901.exe	AppLaunch.exe
PID 4540 wrote to memory of 3644	4540	e8941901.exe	AppLaunch.exe
PID 760 wrote to memory of 3276	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 3276	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 3276	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 4928	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 4928	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 4928	760	cmd.exe	cacls.exe
PID 4540 wrote to memory of 3644	4540	e8941901.exe	AppLaunch.exe
PID 760 wrote to memory of 2116	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 2116	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 2116	760	cmd.exe	cacls.exe
PID 3644 wrote to memory of 3316	3644	AppLaunch.exe	son100.exe
PID 3644 wrote to memory of 3316	3644	AppLaunch.exe	son100.exe
PID 3644 wrote to memory of 3316	3644	AppLaunch.exe	son100.exe
PID 3644 wrote to memory of 4960	3644	AppLaunch.exe	nik200.exe

C:\Users\Admin\AppData\Local\Temp\ce2502939ab7d298ac91310ab203cf1a25d78553582f02c2c34aa3839f85b8a8.exe
"C:\Users\Admin\AppData\Local\Temp\ce2502939ab7d298ac91310ab203cf1a25d78553582f02c2c34aa3839f85b8a8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6704263.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6704263.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3972561.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3972561.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0844233.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0844233.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3204

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7193142.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7193142.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6961532.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6961532.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 148
6⤵
- Program crash
PID:4828

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5379934.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5379934.exe
4⤵
- Executes dropped EXE
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 928
5⤵
- Program crash
PID:1576

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4532181.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4532181.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe" /F
5⤵
- Creates scheduled task(s)
PID:2372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metado.exe" /P "Admin:N"&&CACLS "metado.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4108

C:\Windows\SysWOW64\cacls.exe
CACLS "metado.exe" /P "Admin:N"
6⤵
PID:4136

C:\Windows\SysWOW64\cacls.exe
CACLS "metado.exe" /P "Admin:R" /E
6⤵
PID:2020

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3276

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:2116

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:1908

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8941901.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8941901.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644

C:\Users\Admin\AppData\Local\Temp\son100.exe
"C:\Users\Admin\AppData\Local\Temp\son100.exe"
4⤵
- Executes dropped EXE
PID:3316

C:\Users\Admin\AppData\Local\Temp\nik200.exe
"C:\Users\Admin\AppData\Local\Temp\nik200.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Users\Admin\AppData\Local\Temp\gam400.exe
"C:\Users\Admin\AppData\Local\Temp\gam400.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 140
5⤵
- Program crash
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 140
3⤵
- Program crash
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3852 -ip 3852
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1636 -ip 1636
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4540 -ip 4540
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 348 -ip 348
1⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
1⤵
- Executes dropped EXE
PID:4952

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
1⤵
- Executes dropped EXE
PID:4772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8941901.exe
Filesize
261KB

MD5
b7f6f24cf9659ea37d5418d0aad14674

SHA1
30176a0f33d275eb8d0bb040e26925c38962e947

SHA256
cef942727b1fd69b224d45371b5ddc20b998a3f55c3d393b2516f2d59cbdd924

SHA512
fadf7ac8e288af7a0147d6a647b920b59d954145ca2e0777b1366735b11f4ebc4174e606ff3a4a4541430806779bff7e166457a4511546b13ccdd33cf44ec44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8941901.exe
Filesize
261KB

MD5
b7f6f24cf9659ea37d5418d0aad14674

SHA1
30176a0f33d275eb8d0bb040e26925c38962e947

SHA256
cef942727b1fd69b224d45371b5ddc20b998a3f55c3d393b2516f2d59cbdd924

SHA512
fadf7ac8e288af7a0147d6a647b920b59d954145ca2e0777b1366735b11f4ebc4174e606ff3a4a4541430806779bff7e166457a4511546b13ccdd33cf44ec44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6704263.exe
Filesize
524KB

MD5
4c5888c5c58ec8a93019d8fe941c39c8

SHA1
3a5cdf1ba70753a1a3d1885a81a1e6098aaf7439

SHA256
49708f8edd297318f125231c87ba2a0ad935a9ec26f300d86caab9337ee1e386

SHA512
fee748c99c347ce435ea7232c75370e0f0d8c48a382794b33085cfcb58f80560744d02b8a7a5fd157ded58fc49d0c7476edfb22a3ddceafadd556534f407a3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6704263.exe
Filesize
524KB

MD5
4c5888c5c58ec8a93019d8fe941c39c8

SHA1
3a5cdf1ba70753a1a3d1885a81a1e6098aaf7439

SHA256
49708f8edd297318f125231c87ba2a0ad935a9ec26f300d86caab9337ee1e386

SHA512
fee748c99c347ce435ea7232c75370e0f0d8c48a382794b33085cfcb58f80560744d02b8a7a5fd157ded58fc49d0c7476edfb22a3ddceafadd556534f407a3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4532181.exe
Filesize
205KB

MD5
def3a7f2772c5e714bf4b2d0846cb7bc

SHA1
5a40f27d686159f725c669557e7beda23caa13ef

SHA256
99c4298ccea670086dd1a2137054b052776e5176a95eff9505a9598d89647561

SHA512
d2b8918233c8fdf95ce8f3a030d59013364065d26745a0fe5305c8a934abbbaebf14145a1a514c65f1333e3dbd19235f974654536746005679322ee96175c853

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4532181.exe
Filesize
205KB

MD5
def3a7f2772c5e714bf4b2d0846cb7bc

SHA1
5a40f27d686159f725c669557e7beda23caa13ef

SHA256
99c4298ccea670086dd1a2137054b052776e5176a95eff9505a9598d89647561

SHA512
d2b8918233c8fdf95ce8f3a030d59013364065d26745a0fe5305c8a934abbbaebf14145a1a514c65f1333e3dbd19235f974654536746005679322ee96175c853

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3972561.exe
Filesize
352KB

MD5
b12a04db1660ff95bb988a03f30ff059

SHA1
f8091bff09944e7c7d3a0efaa7a96d9aa44a201b

SHA256
77280c666bb3aa7256a83a4514a4bd70838def3b7dbf87763258eec34223c39b

SHA512
97cb7def6f012480b8345f705a27807a3ace8912e42d5b8361d98ff6f811a74b7ebb331949c4fc11c5ee9be74d5107b5c9504465d0267a3c0dc02f33589c2b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3972561.exe
Filesize
352KB

MD5
b12a04db1660ff95bb988a03f30ff059

SHA1
f8091bff09944e7c7d3a0efaa7a96d9aa44a201b

SHA256
77280c666bb3aa7256a83a4514a4bd70838def3b7dbf87763258eec34223c39b

SHA512
97cb7def6f012480b8345f705a27807a3ace8912e42d5b8361d98ff6f811a74b7ebb331949c4fc11c5ee9be74d5107b5c9504465d0267a3c0dc02f33589c2b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5379934.exe
Filesize
172KB

MD5
eece95b597cd854f3714244f2755322d

SHA1
4f9bf11c9e3476280c93c4e61e843958ab3a2f0e

SHA256
7e6f13cadb1fedb7483746fedb879a68ee897d9eddd6c5c163b7d907daf8dfc7

SHA512
c25766629c5e6aa10a6b068b7d63a51a2e266674eca097f13491c4c6b7c93557e5239036c6e77f0221ca3d920b983d4b3d1e22176faf30619dbe6ac11521737e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5379934.exe
Filesize
172KB

MD5
eece95b597cd854f3714244f2755322d

SHA1
4f9bf11c9e3476280c93c4e61e843958ab3a2f0e

SHA256
7e6f13cadb1fedb7483746fedb879a68ee897d9eddd6c5c163b7d907daf8dfc7

SHA512
c25766629c5e6aa10a6b068b7d63a51a2e266674eca097f13491c4c6b7c93557e5239036c6e77f0221ca3d920b983d4b3d1e22176faf30619dbe6ac11521737e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0844233.exe
Filesize
197KB

MD5
20c6257efb12abd9ada06a2348f4c018

SHA1
ed07906fd935a941d2b7eaa1754c07b7c17037a5

SHA256
49c0ced4ea12e9410b2661e8769d86cbd2593c905200a3972ccb68a434724021

SHA512
d54f753eab7914f905c24cb0c57427696fd813c2839c5cc7ade3a91ea42469b8d425a27473fd5e860e301dac060c558ae9ac3059ba87599db0ef96a7558af0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0844233.exe
Filesize
197KB

MD5
20c6257efb12abd9ada06a2348f4c018

SHA1
ed07906fd935a941d2b7eaa1754c07b7c17037a5

SHA256
49c0ced4ea12e9410b2661e8769d86cbd2593c905200a3972ccb68a434724021

SHA512
d54f753eab7914f905c24cb0c57427696fd813c2839c5cc7ade3a91ea42469b8d425a27473fd5e860e301dac060c558ae9ac3059ba87599db0ef96a7558af0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7193142.exe
Filesize
11KB

MD5
fe2d320eaa2c3a81365d16b0bd48bb08

SHA1
bdd82503642efb6f34a377f68429544a03a1e0b6

SHA256
e85e79e86e6afcb3990d66257f7a6e9df043573d0d9d67ebc9c1f506287e0ca0

SHA512
31a86cb4ada00ab76b46db20f69d4e63c0ebabf8326d356fa14c76a72f21fba5cdd65c00c09b62cc787a7eaf453152dffb8ef108b711f2b78a2fa70a55e1bdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7193142.exe
Filesize
11KB

MD5
fe2d320eaa2c3a81365d16b0bd48bb08

SHA1
bdd82503642efb6f34a377f68429544a03a1e0b6

SHA256
e85e79e86e6afcb3990d66257f7a6e9df043573d0d9d67ebc9c1f506287e0ca0

SHA512
31a86cb4ada00ab76b46db20f69d4e63c0ebabf8326d356fa14c76a72f21fba5cdd65c00c09b62cc787a7eaf453152dffb8ef108b711f2b78a2fa70a55e1bdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6961532.exe
Filesize
100KB

MD5
8e360647cd8d93ee20273621659dde0c

SHA1
bbda8a1690d0290955df2e3e74586ca1f241f4c6

SHA256
003cd9f54982c292e48ee8937dc0512332193b27eb183283d3c4e338b00ab527

SHA512
e7223eef6564112d11d30cb07f2466bf59d68435a9d17e93a602dec8230cd066d72f3f32f14733e09197a8c95829b79cbe377cda123c19914f3df0638e577df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6961532.exe
Filesize
100KB

MD5
8e360647cd8d93ee20273621659dde0c

SHA1
bbda8a1690d0290955df2e3e74586ca1f241f4c6

SHA256
003cd9f54982c292e48ee8937dc0512332193b27eb183283d3c4e338b00ab527

SHA512
e7223eef6564112d11d30cb07f2466bf59d68435a9d17e93a602dec8230cd066d72f3f32f14733e09197a8c95829b79cbe377cda123c19914f3df0638e577df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
Filesize
205KB

MD5
def3a7f2772c5e714bf4b2d0846cb7bc

SHA1
5a40f27d686159f725c669557e7beda23caa13ef

SHA256
99c4298ccea670086dd1a2137054b052776e5176a95eff9505a9598d89647561

SHA512
d2b8918233c8fdf95ce8f3a030d59013364065d26745a0fe5305c8a934abbbaebf14145a1a514c65f1333e3dbd19235f974654536746005679322ee96175c853

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
Filesize
205KB

MD5
def3a7f2772c5e714bf4b2d0846cb7bc

SHA1
5a40f27d686159f725c669557e7beda23caa13ef

SHA256
99c4298ccea670086dd1a2137054b052776e5176a95eff9505a9598d89647561

SHA512
d2b8918233c8fdf95ce8f3a030d59013364065d26745a0fe5305c8a934abbbaebf14145a1a514c65f1333e3dbd19235f974654536746005679322ee96175c853

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
Filesize
205KB

MD5
def3a7f2772c5e714bf4b2d0846cb7bc

SHA1
5a40f27d686159f725c669557e7beda23caa13ef

SHA256
99c4298ccea670086dd1a2137054b052776e5176a95eff9505a9598d89647561

SHA512
d2b8918233c8fdf95ce8f3a030d59013364065d26745a0fe5305c8a934abbbaebf14145a1a514c65f1333e3dbd19235f974654536746005679322ee96175c853

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
Filesize
205KB

MD5
def3a7f2772c5e714bf4b2d0846cb7bc

SHA1
5a40f27d686159f725c669557e7beda23caa13ef

SHA256
99c4298ccea670086dd1a2137054b052776e5176a95eff9505a9598d89647561

SHA512
d2b8918233c8fdf95ce8f3a030d59013364065d26745a0fe5305c8a934abbbaebf14145a1a514c65f1333e3dbd19235f974654536746005679322ee96175c853

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
Filesize
205KB

MD5
def3a7f2772c5e714bf4b2d0846cb7bc

SHA1
5a40f27d686159f725c669557e7beda23caa13ef

SHA256
99c4298ccea670086dd1a2137054b052776e5176a95eff9505a9598d89647561

SHA512
d2b8918233c8fdf95ce8f3a030d59013364065d26745a0fe5305c8a934abbbaebf14145a1a514c65f1333e3dbd19235f974654536746005679322ee96175c853

Download Submit
C:\Users\Admin\AppData\Local\Temp\gam400.exe
Filesize
100KB

MD5
c3da568325adf22d16bb5b143f34e910

SHA1
50b1afd5638fa4e327549b60c14d6142cbb5043e

SHA256
39d3b6b6240b7e04f946dcdbf14137eb2901cb05ad4d14283fe6d3d580aeab44

SHA512
2cde57aa5f1e740f2b357cbd167cd1c7d2708227dd6982fc325c5bbbf8b2c423de35e20622e986824039d348b4180c918e63a6500d6eddfa34fa201eab868ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gam400.exe
Filesize
100KB

MD5
c3da568325adf22d16bb5b143f34e910

SHA1
50b1afd5638fa4e327549b60c14d6142cbb5043e

SHA256
39d3b6b6240b7e04f946dcdbf14137eb2901cb05ad4d14283fe6d3d580aeab44

SHA512
2cde57aa5f1e740f2b357cbd167cd1c7d2708227dd6982fc325c5bbbf8b2c423de35e20622e986824039d348b4180c918e63a6500d6eddfa34fa201eab868ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gam400.exe
Filesize
100KB

MD5
c3da568325adf22d16bb5b143f34e910

SHA1
50b1afd5638fa4e327549b60c14d6142cbb5043e

SHA256
39d3b6b6240b7e04f946dcdbf14137eb2901cb05ad4d14283fe6d3d580aeab44

SHA512
2cde57aa5f1e740f2b357cbd167cd1c7d2708227dd6982fc325c5bbbf8b2c423de35e20622e986824039d348b4180c918e63a6500d6eddfa34fa201eab868ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nik200.exe
Filesize
11KB

MD5
5ab03e3b5394d268b0b5050e00ee7dd7

SHA1
4f8a5a02ce795fd916eac5ef09b118f4260535e4

SHA256
f6207c55d9132027b40d2199b6908e935b68aada63ffffb3bfd86d6ba3d97f7f

SHA512
82dd88533ac9415ceda6a0123470d1596a15be0200d665c234685335ca0a184d3871200f4bb360d0dbc9190dd3bb2c9b74045f3d8064bc14a2047641c3e1379c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nik200.exe
Filesize
11KB

MD5
5ab03e3b5394d268b0b5050e00ee7dd7

SHA1
4f8a5a02ce795fd916eac5ef09b118f4260535e4

SHA256
f6207c55d9132027b40d2199b6908e935b68aada63ffffb3bfd86d6ba3d97f7f

SHA512
82dd88533ac9415ceda6a0123470d1596a15be0200d665c234685335ca0a184d3871200f4bb360d0dbc9190dd3bb2c9b74045f3d8064bc14a2047641c3e1379c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nik200.exe
Filesize
11KB

MD5
5ab03e3b5394d268b0b5050e00ee7dd7

SHA1
4f8a5a02ce795fd916eac5ef09b118f4260535e4

SHA256
f6207c55d9132027b40d2199b6908e935b68aada63ffffb3bfd86d6ba3d97f7f

SHA512
82dd88533ac9415ceda6a0123470d1596a15be0200d665c234685335ca0a184d3871200f4bb360d0dbc9190dd3bb2c9b74045f3d8064bc14a2047641c3e1379c

Download Submit
C:\Users\Admin\AppData\Local\Temp\son100.exe
Filesize
205KB

MD5
63e85498635fb2174ebab9ae43c962ed

SHA1
917b3fb97abfd4b0b0b65f0b0d3eb29f3b0b04d0

SHA256
530f8a39f824ec20bfea9e5000bd093d9b1c5412d7af41726e2efa5c6cdb0549

SHA512
588bb6570706855e2ae01581fd5e65245949fa99d3d86283a8ab78b19036a77db8f6b2048c8efb05a000f3b7ee25e2dc7e02135612ebc2eccd18f4dd75b94896

Download Submit
C:\Users\Admin\AppData\Local\Temp\son100.exe
Filesize
205KB

MD5
63e85498635fb2174ebab9ae43c962ed

SHA1
917b3fb97abfd4b0b0b65f0b0d3eb29f3b0b04d0

SHA256
530f8a39f824ec20bfea9e5000bd093d9b1c5412d7af41726e2efa5c6cdb0549

SHA512
588bb6570706855e2ae01581fd5e65245949fa99d3d86283a8ab78b19036a77db8f6b2048c8efb05a000f3b7ee25e2dc7e02135612ebc2eccd18f4dd75b94896

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1636-175-0x0000000000BC0000-0x0000000000BF0000-memory.dmp

Filesize
192KB

Download
memory/3644-200-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

Filesize
72KB

Download
memory/3644-198-0x00000000058D0000-0x0000000005EE8000-memory.dmp

Filesize
6.1MB

Download
memory/3644-204-0x0000000005590000-0x0000000005606000-memory.dmp

Filesize
472KB

Download
memory/3644-202-0x00000000052B0000-0x00000000052EC000-memory.dmp

Filesize
240KB

Download
memory/3644-201-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/3644-206-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/3644-199-0x00000000053C0000-0x00000000054CA000-memory.dmp

Filesize
1.0MB

Download
memory/3644-205-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download
memory/3644-193-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3644-211-0x0000000008B60000-0x000000000908C000-memory.dmp

Filesize
5.2MB

Download
memory/3644-207-0x0000000006990000-0x0000000006F34000-memory.dmp

Filesize
5.6MB

Download
memory/3644-210-0x00000000066B0000-0x0000000006872000-memory.dmp

Filesize
1.8MB

Download
memory/3644-209-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/3644-208-0x0000000006430000-0x0000000006480000-memory.dmp

Filesize
320KB

Download
memory/4544-167-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4736-161-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download