redline | hxxps://github[.]com/ManuelCastellino/cool-goanimate-assets-aka-vyond/releases/download/rggg/4K[.]Video[.]Downloader[.]zip

Analysis

max time kernel
319s
max time network
330s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2023 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ManuelCastellino/cool-goanimate-assets-aka-vyond/releases/download/rggg/4K.Video.Downloader.zip

Score

10^/10

redline yt discovery infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

65.109.161.165:6997

Attributes

auth_value
c85b149d6d3359b3fe4dd1dfcc5864e8

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4K Video Downloader.exebin do.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	4K Video Downloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	bin do.exe

Executes dropped EXE 3 IoCs

Processes:

4K Video Downloader.exebin do.exebin.exe

pid process

2088 4K Video Downloader.exe
3268 bin do.exe
4920 bin.exe
Loads dropped DLL 4 IoCs

Processes:

bin.exe

pid process

4920 bin.exe
4920 bin.exe
4920 bin.exe
4920 bin.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

4K Video Downloader.exe

description pid process target process

PID 2088 set thread context of 3256 2088 4K Video Downloader.exe vbc.exe

pid	process
2088	4K Video Downloader.exe
3268	bin do.exe
4920	bin.exe

pid	process
4920	bin.exe
4920	bin.exe
4920	bin.exe
4920	bin.exe

description	pid	process	target process
PID 2088 set thread context of 3256	2088	4K Video Downloader.exe	vbc.exe

Drops file in Program Files directory 64 IoCs

Processes:

bin.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\libcrypto-1_1.dll	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Styles\Base\CommonStyleHelper.qml	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\GroupBox.qml	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\ScrollView.qml	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\TreeView.qml	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQml\Models.2\plugins.qmltypes	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQml\WorkerScript.2\plugins.qmltypes	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\qtwebengine_locales\el.pak	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\qtwebengine_locales\ta.pak	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Styles\Base\CalendarStyle.qml	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Styles\Base\GaugeStyle.qml	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\StackViewTransition.qml	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\Qt\labs\platform\plugins.qmltypes	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\Qt\labs\platform\qmldir	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\qtwebengine_resources.pak	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Private\SourceProxy.qml	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Styles\Base\TextAreaStyle.qml	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Window.2\plugins.qmltypes	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\swresample-3.dll	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\qtwebengine_locales\pl.pak	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\qtwebengine_devtools_resources.pak	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\qtwebengine_locales\ru.pak	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Private\Control.qml	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQml\StateMachine\plugins.qmltypes	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Styles\Base\images\leftanglearrow.png	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Styles\Base\images\scrollbar-handle-horizontal.png	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Private\EditMenu_base.qml	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQml\qmlplugin.dll	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\GroupBox.qml	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Styles\Desktop\TextAreaStyle.qml	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick.2\qtquick2plugin.dll	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\platforms\qwindows.dll	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\qtwebengine_locales\ar.pak	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Styles\Desktop\TabViewStyle.qml	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Styles\Desktop\ToolButtonStyle.qml	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\Qt5Svg.dll	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQml\Models.2	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Styles\Base\images\slider-handle.png	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Private\BasicButton.qml	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\BusyIndicator.qml	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Styles\Base\ToolButtonStyle.qml	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\Qt5WebEngineCore.dll	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\qtwebengine_resources_200p.pak	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\qtwebengine_locales\sv.pak	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Styles\Base\MenuBarStyle.qml	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Styles\Desktop\ToolBarStyle.qml	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick.2\qtquick2plugin.dll	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\qtwebengine_locales\bn.pak	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\BusyIndicator.qml	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQml\StateMachine\plugins.qmltypes	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\Qt5WinExtras.dll	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\qtwebengine_locales\ca.pak	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Styles\Base\TabViewStyle.qml	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Layouts	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\libssl-1_1.dll	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\Qt5Multimedia.dll	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Styles\Base\TreeViewStyle.qml	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQml\plugins.qmltypes	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQml\StateMachine\qmldir	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\qtwebengine_locales\da.pak	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Styles\Base\images\header.png	bin.exe
File created	C:\Program Files (x86)\4KDownload\4kvideodownloader\lgpl-2.1.txt	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\SplitView.qml	bin.exe
File opened for modification	C:\Program Files (x86)\4KDownload\4kvideodownloader\QtQuick\Controls\Private\StackViewSlideDelegate.qml	bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 9731bf4db045d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "912524852"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31039839"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{48EE1059-30F0-462B-98A4-33236CDB7DE0}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "393800774"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31039839"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "912524852"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6063FEEF-0D52-11EE-BDA1-FA48AF8140A7} = "0"	iexplore.exe

Modifies registry class 2 IoCs

Processes:

iexplore.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

3256 vbc.exe
3256 vbc.exe

pid	process
3256	vbc.exe
3256	vbc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zG.exevbc.exebin.exe

description	pid	process
Token: SeRestorePrivilege	3456	7zG.exe
Token: 35	3456	7zG.exe
Token: SeSecurityPrivilege	3456	7zG.exe
Token: SeSecurityPrivilege	3456	7zG.exe
Token: SeDebugPrivilege	3256	vbc.exe
Token: SeSecurityPrivilege	4920	bin.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exefirefox.exe7zG.exe

pid process

1132 iexplore.exe
1948 firefox.exe
1948 firefox.exe
1948 firefox.exe
1132 iexplore.exe
1948 firefox.exe
3456 7zG.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1948 firefox.exe
1948 firefox.exe
1948 firefox.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

iexplore.exeIEXPLORE.EXEfirefox.exe

pid process

1132 iexplore.exe
1132 iexplore.exe
448 IEXPLORE.EXE
448 IEXPLORE.EXE
1948 firefox.exe

pid	process
1132	iexplore.exe
1948	firefox.exe
1948	firefox.exe
1948	firefox.exe
1132	iexplore.exe
1948	firefox.exe
3456	7zG.exe

pid	process
1948	firefox.exe
1948	firefox.exe
1948	firefox.exe

pid	process
1132	iexplore.exe
1132	iexplore.exe
448	IEXPLORE.EXE
448	IEXPLORE.EXE
1948	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1132 wrote to memory of 448	1132	iexplore.exe	IEXPLORE.EXE
PID 1132 wrote to memory of 448	1132	iexplore.exe	IEXPLORE.EXE
PID 1132 wrote to memory of 448	1132	iexplore.exe	IEXPLORE.EXE
PID 4948 wrote to memory of 1948	4948	firefox.exe	firefox.exe
PID 4948 wrote to memory of 1948	4948	firefox.exe	firefox.exe
PID 4948 wrote to memory of 1948	4948	firefox.exe	firefox.exe
PID 4948 wrote to memory of 1948	4948	firefox.exe	firefox.exe
PID 4948 wrote to memory of 1948	4948	firefox.exe	firefox.exe
PID 4948 wrote to memory of 1948	4948	firefox.exe	firefox.exe
PID 4948 wrote to memory of 1948	4948	firefox.exe	firefox.exe
PID 4948 wrote to memory of 1948	4948	firefox.exe	firefox.exe
PID 4948 wrote to memory of 1948	4948	firefox.exe	firefox.exe
PID 4948 wrote to memory of 1948	4948	firefox.exe	firefox.exe
PID 4948 wrote to memory of 1948	4948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 2724	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 2724	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe
PID 1948 wrote to memory of 1364	1948	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/ManuelCastellino/cool-goanimate-assets-aka-vyond/releases/download/rggg/4K.Video.Downloader.zip
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1132

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1132 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1948.0.1321303047\2013426020" -parentBuildID 20221007134813 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e85c2ed9-c040-4f74-8754-aefbe5e1d6ba} 1948 "\\.\pipe\gecko-crash-server-pipe.1948" 1956 20eceaedf58 gpu
3⤵
PID:2724

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1948.1.1276698361\1820897407" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20848 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b3d5bbb-85b3-48fb-8159-84bb7c69060d} 1948 "\\.\pipe\gecko-crash-server-pipe.1948" 2332 20ec1b72858 socket
3⤵
- Checks processor information in registry
PID:1364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1948.2.1880937803\444042073" -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 2920 -prefsLen 20931 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33d49cff-524f-4364-a89c-4e68f5923643} 1948 "\\.\pipe\gecko-crash-server-pipe.1948" 3048 20ecea6b058 tab
3⤵
PID:2088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1948.3.279451118\2127349741" -childID 2 -isForBrowser -prefsHandle 1660 -prefMapHandle 2700 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8d953b6-3ee0-4bf5-a9e6-5ec8f7236a70} 1948 "\\.\pipe\gecko-crash-server-pipe.1948" 1656 20ec1b5e858 tab
3⤵
PID:2752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1948.4.1468773829\771403159" -childID 3 -isForBrowser -prefsHandle 4072 -prefMapHandle 4076 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbc3e2a5-d7d8-4b57-985d-8670cd4d89a5} 1948 "\\.\pipe\gecko-crash-server-pipe.1948" 4092 20ec1b6e558 tab
3⤵
PID:1704

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3996

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\4K.Video.Downloader\" -spe -an -ai#7zMap23951:188:7zEvent8090
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3456

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\4K.Video.Downloader\4K Video Downloader\4K Video Downloader.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\4K.Video.Downloader\4K Video Downloader\4K Video Downloader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Users\Admin\AppData\Local\Temp\bin do.exe
"C:\Users\Admin\AppData\Local\Temp\bin do.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3268

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\4K.Video.Downloader\4K Video Downloader\bin.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\4K.Video.Downloader\4K Video Downloader\bin.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\4KDownload\4kvideodownloader\4kvideodownloader.exe
Filesize
62.0MB

MD5
286c83f92f2f2bcfd819f487d87b04c0

SHA1
1a2eefc75055d6155434e029aba0a0b266cf01d8

SHA256
f2309a5bd7c386c7844bca6920c2aa44d6155207b77b834dacff022565999e19

SHA512
9d534f1da31d91eb98a81c3fb6aeb3c2270c88c42602c37335ec9fd6ecdded3d944c22dbceda5a93283c17df81db63e0d8e38b1a00f6e6415e73368af672718d

Download Submit
C:\Program Files (x86)\4KDownload\4kvideodownloader\Uninstall.exe
Filesize
329KB

MD5
7256b63567ec888c7560430bf3962440

SHA1
d7977908a66bfaac7c077cc708f43f780a4443be

SHA256
9706a71f74c0321603f7e5532118322e1a97396a42c5e789eda18277ca338362

SHA512
94d246451225daaaded0621afa98935a256fd95d9b9da816dfada4be0c6a42a10b911a5d496faf6065ec8ab7a021f2b2fd10d359ae0ff4e62d0c1095f6093d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BMP3ERH\4K.Video.Downloader[1].zip
Filesize
68.7MB

MD5
f18284a39594586e5cbdd7ada8b66c50

SHA1
aba86e65267b35f41ef5b16b1ac0ea73433a4626

SHA256
cb0e67e3cf47e631a07df2327da4c739f50a93868069e025911bf43d81e82821

SHA512
65cbbb27220c07f2e860d476e056e5fabc009fcc3dcf3c6b535a1bd4126fc2f2b6bc600258b9269f2280548b0026606b980d270c63427e870048e4daa2471930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BMP3ERH\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\4K.Video.Downloader.zip.bf293fp.partial
Filesize
68.7MB

MD5
f18284a39594586e5cbdd7ada8b66c50

SHA1
aba86e65267b35f41ef5b16b1ac0ea73433a4626

SHA256
cb0e67e3cf47e631a07df2327da4c739f50a93868069e025911bf43d81e82821

SHA512
65cbbb27220c07f2e860d476e056e5fabc009fcc3dcf3c6b535a1bd4126fc2f2b6bc600258b9269f2280548b0026606b980d270c63427e870048e4daa2471930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\4K.Video.Downloader\4K Video Downloader\4K Video Downloader.exe
Filesize
1103.4MB

MD5
fab44ac998df415234640b2e8ef2a373

SHA1
6ab4667352564367c22cd9d997e426932e7a6eac

SHA256
c61b3ad7a4898de2cc0e7822bb0137e5c30cafcb0cabec1fd150075ddcc412cc

SHA512
6660d71bcd50ab904cdcb237de136f47fbd82a2e649d700fbc6d7ed30a79c3933052be9244cc61bc5954b9b1703b7977c4d7fd3d4aebb3190fb3092e9dbf5b10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\4K.Video.Downloader\4K Video Downloader\4K Video Downloader.exe
Filesize
1103.4MB

MD5
fab44ac998df415234640b2e8ef2a373

SHA1
6ab4667352564367c22cd9d997e426932e7a6eac

SHA256
c61b3ad7a4898de2cc0e7822bb0137e5c30cafcb0cabec1fd150075ddcc412cc

SHA512
6660d71bcd50ab904cdcb237de136f47fbd82a2e649d700fbc6d7ed30a79c3933052be9244cc61bc5954b9b1703b7977c4d7fd3d4aebb3190fb3092e9dbf5b10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\4K.Video.Downloader\4K Video Downloader\bin.dll
Filesize
63.5MB

MD5
b26258d2d71732f1953432209db51a94

SHA1
015ab8afe275ce4a5b9d68f440ef65a126b93668

SHA256
24ad3527b3e277897632f66e0147a00c9a63aa094d2adc1f784fa571cbaa5df1

SHA512
f883e745fe983e0a06480096688043342adfe2703190b9eb16b5e9228dad5b10597597f2ed36ac0ef3ac714133325c056352d359fdc5215c4285b34284fae99a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\4K.Video.Downloader\4K Video Downloader\bin.exe
Filesize
63.5MB

MD5
b26258d2d71732f1953432209db51a94

SHA1
015ab8afe275ce4a5b9d68f440ef65a126b93668

SHA256
24ad3527b3e277897632f66e0147a00c9a63aa094d2adc1f784fa571cbaa5df1

SHA512
f883e745fe983e0a06480096688043342adfe2703190b9eb16b5e9228dad5b10597597f2ed36ac0ef3ac714133325c056352d359fdc5215c4285b34284fae99a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\activity-stream.discovery_stream.json.tmp
Filesize
151KB

MD5
22b6f6bd94acb59c864c5d2e48cf2256

SHA1
31264456e1d4f5df870c20de01f36b90919dea58

SHA256
3e9fff02e6ad9f1c55b6cb01c16a77b19aaafe1640cb32416fe89a47f4e62fb2

SHA512
202ad356e960caa7137c291fcb5bee242cc1da0c965d983611dc5e0cb999284cdfa6d2b590872239e93a09b3bab89ff61016a404dc5928bbd1800506a8c99406

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin do.exe
Filesize
3KB

MD5
43c14a07b0a83cb0ade9f7da7b0ca394

SHA1
79d457fc5c171c3677c50d19e7df3baf5f1311a8

SHA256
3069063f04fc8c45fc2c84743a085bcfcbe2df9642c0518a1a185549ab9dfc36

SHA512
9bfefb852eec35916aefe50d6a50731b2fbf5eb87f6cb64d2fc3d4b8e86107b2687d75a5ed169972a8574f1df72f21336ccd427446519edcb2cc65c75e025a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin do.exe
Filesize
3KB

MD5
43c14a07b0a83cb0ade9f7da7b0ca394

SHA1
79d457fc5c171c3677c50d19e7df3baf5f1311a8

SHA256
3069063f04fc8c45fc2c84743a085bcfcbe2df9642c0518a1a185549ab9dfc36

SHA512
9bfefb852eec35916aefe50d6a50731b2fbf5eb87f6cb64d2fc3d4b8e86107b2687d75a5ed169972a8574f1df72f21336ccd427446519edcb2cc65c75e025a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin do.exe
Filesize
3KB

MD5
43c14a07b0a83cb0ade9f7da7b0ca394

SHA1
79d457fc5c171c3677c50d19e7df3baf5f1311a8

SHA256
3069063f04fc8c45fc2c84743a085bcfcbe2df9642c0518a1a185549ab9dfc36

SHA512
9bfefb852eec35916aefe50d6a50731b2fbf5eb87f6cb64d2fc3d4b8e86107b2687d75a5ed169972a8574f1df72f21336ccd427446519edcb2cc65c75e025a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf5088.tmp\LangDLL.dll
Filesize
5KB

MD5
109b201717ab5ef9b5628a9f3efef36f

SHA1
98db1f0cc5f110438a02015b722778af84d50ea7

SHA256
20e642707ef82852bcf153254cb94b629b93ee89a8e8a03f838eef6cbb493319

SHA512
174e241863294c12d0705c9d2de92f177eb8f3d91125b183d8d4899c89b9a202a4c7a81e0a541029a4e52513eee98029196a4c3b8663b479e69116347e5de5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf5088.tmp\System.dll
Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf5088.tmp\nsDialogs.dll
Filesize
9KB

MD5
ec9640b70e07141febbe2cd4cc42510f

SHA1
64a5e4b90e5fe62aa40e7ac9e16342ed066f0306

SHA256
c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188

SHA512
47605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf5088.tmp\nsis7z.dll
Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
Filesize
6KB

MD5
0a465d20a67bfa29e9faff0930befce2

SHA1
ddd29aca37ce4907b2602b6d08a326a0d0ecc86c

SHA256
e8b62f018acc1d7b052714180b6187e4363541d05e1dc1c8e122a8449195a7f6

SHA512
5ca35a89e90418f0c8889c5d369466b49f0547c6c4d1094d0a3a05e18ea0259c0d5a17b2824396cf1bb0900e08f05151373eabc5a2bcade1aad8e9506ce6d06e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
Filesize
6KB

MD5
de1818874d8ffe80f8cbc3ff4cb31ed2

SHA1
6d279004b0f76125eebe03f50b20cbe44f61cddb

SHA256
9c6c9365ff2795a7d218d92ac9dd9195e940e6bf028a3b9e867930552f4c2844

SHA512
1f0c86a64e5b58a71ad765891c02e6607bcaa75d911ce3f6d0ca30efb715a7ba86959c5af692f7099758e23f48a75b838c4fff31b21797b4623d2a559dc3c905

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore.jsonlz4
Filesize
446B

MD5
fd4ce228fcfdee2fc9beda952b8f8b04

SHA1
5a283a51af17d2648a9a39070db43c6f9a34a2fc

SHA256
938824461844086a7632865245d03ff7f14e520e33c957252f96d1058af9ea8e

SHA512
961bcb0e5af501023b8351777d48e50dc19222394dabc02d66709004378d92128818846fc40d3ac2a1f3f3515df80f30d71c3a1ba011767720f2fc6876663b17

Download Submit
memory/2088-288-0x0000000000CE0000-0x0000000000D72000-memory.dmp

Filesize
584KB

Download
memory/2088-289-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/3256-297-0x0000000005480000-0x00000000054BC000-memory.dmp

Filesize
240KB

Download
memory/3256-323-0x00000000067C0000-0x0000000006810000-memory.dmp

Filesize
320KB

Download
memory/3256-312-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/3256-313-0x0000000006C20000-0x00000000071C4000-memory.dmp

Filesize
5.6MB

Download
memory/3256-314-0x0000000006A10000-0x0000000006BD2000-memory.dmp

Filesize
1.8MB

Download
memory/3256-315-0x0000000008DF0000-0x000000000931C000-memory.dmp

Filesize
5.2MB

Download
memory/3256-311-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/3256-310-0x00000000058E0000-0x0000000005956000-memory.dmp

Filesize
472KB

Download
memory/3256-316-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/3256-295-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/3256-294-0x0000000001AB0000-0x0000000001AC2000-memory.dmp

Filesize
72KB

Download
memory/3256-293-0x0000000005650000-0x000000000575A000-memory.dmp

Filesize
1.0MB

Download
memory/3256-292-0x0000000005B60000-0x0000000006178000-memory.dmp

Filesize
6.1MB

Download
memory/3256-290-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3268-308-0x0000000000070000-0x0000000000078000-memory.dmp

Filesize
32KB

Download