redline | a76d0ca31629666d6fde15d21f0d225c1580d875ab7bb6d6a608f38e40190e8b

Analysis

max time kernel
97s
max time network
99s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
19-03-2024 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AuroraV2.exe
Size

770KB
MD5

4354532285d1fee0e9e1f757e2fefd03
SHA1

ed4661c574ac9b67c6c87f0b672af3dd5439f004
SHA256

a76d0ca31629666d6fde15d21f0d225c1580d875ab7bb6d6a608f38e40190e8b
SHA512

66e2896f320db3f96319f5063dd7616e811cc4114b994a4582e990f8941408e5d281d5f51f629012a818081de5acf885a9cb40047040db98a2cacd7de777cc48
SSDEEP

24576:6bRO13jhaFVNLwBzlSaOaLp6RB3qrbRYItaXrc:w6CDLyz+MEBqvSIUc

Score

10^/10

redline @dxrkl0rd discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@dxrkl0rd

45.15.156.142:33597

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4432-27-0x0000000000600000-0x0000000000652000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Cottages.pif

description pid process target process

PID 2348 created 3316 2348 Cottages.pif Explorer.EXE
Executes dropped EXE 2 IoCs

Processes:

Cottages.pifRegAsm.exe

pid process

2348 Cottages.pif
4432 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2348 created 3316	2348	Cottages.pif	Explorer.EXE

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4180 tasklist.exe
2152 tasklist.exe

pid	process
4180	tasklist.exe
2152	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133552962046233917"	chrome.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2488 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

1588 vlc.exe

pid	process
2488	PING.EXE

pid	process
1588	vlc.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

Cottages.pifRegAsm.exechrome.exe

pid	process
2348	Cottages.pif
2348	Cottages.pif
2348	Cottages.pif
2348	Cottages.pif
2348	Cottages.pif
2348	Cottages.pif
2348	Cottages.pif
2348	Cottages.pif
4432	RegAsm.exe
4432	RegAsm.exe
4432	RegAsm.exe
4432	RegAsm.exe
4432	RegAsm.exe
5036	chrome.exe
5036	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

1588 vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

5036 chrome.exe
5036 chrome.exe
5036 chrome.exe

pid	process
1588	vlc.exe

pid	process
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

tasklist.exetasklist.exeRegAsm.exe7zFM.exefirefox.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4180	tasklist.exe
Token: SeDebugPrivilege	2152	tasklist.exe
Token: SeDebugPrivilege	4432	RegAsm.exe
Token: SeRestorePrivilege	4740	7zFM.exe
Token: 35	4740	7zFM.exe
Token: SeDebugPrivilege	648	firefox.exe
Token: SeDebugPrivilege	648	firefox.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

Cottages.pifvlc.exe7zFM.exefirefox.exechrome.exe

pid	process
2348	Cottages.pif
2348	Cottages.pif
2348	Cottages.pif
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
4740	7zFM.exe
648	firefox.exe
648	firefox.exe
648	firefox.exe
648	firefox.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

Cottages.pifvlc.exefirefox.exechrome.exe

pid	process
2348	Cottages.pif
2348	Cottages.pif
2348	Cottages.pif
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
1588	vlc.exe
648	firefox.exe
648	firefox.exe
648	firefox.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vlc.exefirefox.exe

pid process

1588 vlc.exe
648 firefox.exe

pid	process
1588	vlc.exe
648	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AuroraV2.execmd.exeCottages.piffirefox.exefirefox.exe

description	pid	process	target process
PID 3004 wrote to memory of 3596	3004	AuroraV2.exe	cmd.exe
PID 3004 wrote to memory of 3596	3004	AuroraV2.exe	cmd.exe
PID 3004 wrote to memory of 3596	3004	AuroraV2.exe	cmd.exe
PID 3596 wrote to memory of 4180	3596	cmd.exe	tasklist.exe
PID 3596 wrote to memory of 4180	3596	cmd.exe	tasklist.exe
PID 3596 wrote to memory of 4180	3596	cmd.exe	tasklist.exe
PID 3596 wrote to memory of 3868	3596	cmd.exe	findstr.exe
PID 3596 wrote to memory of 3868	3596	cmd.exe	findstr.exe
PID 3596 wrote to memory of 3868	3596	cmd.exe	findstr.exe
PID 3596 wrote to memory of 2152	3596	cmd.exe	tasklist.exe
PID 3596 wrote to memory of 2152	3596	cmd.exe	tasklist.exe
PID 3596 wrote to memory of 2152	3596	cmd.exe	tasklist.exe
PID 3596 wrote to memory of 4140	3596	cmd.exe	findstr.exe
PID 3596 wrote to memory of 4140	3596	cmd.exe	findstr.exe
PID 3596 wrote to memory of 4140	3596	cmd.exe	findstr.exe
PID 3596 wrote to memory of 636	3596	cmd.exe	cmd.exe
PID 3596 wrote to memory of 636	3596	cmd.exe	cmd.exe
PID 3596 wrote to memory of 636	3596	cmd.exe	cmd.exe
PID 3596 wrote to memory of 1868	3596	cmd.exe	cmd.exe
PID 3596 wrote to memory of 1868	3596	cmd.exe	cmd.exe
PID 3596 wrote to memory of 1868	3596	cmd.exe	cmd.exe
PID 3596 wrote to memory of 2756	3596	cmd.exe	cmd.exe
PID 3596 wrote to memory of 2756	3596	cmd.exe	cmd.exe
PID 3596 wrote to memory of 2756	3596	cmd.exe	cmd.exe
PID 3596 wrote to memory of 2348	3596	cmd.exe	Cottages.pif
PID 3596 wrote to memory of 2348	3596	cmd.exe	Cottages.pif
PID 3596 wrote to memory of 2348	3596	cmd.exe	Cottages.pif
PID 3596 wrote to memory of 2488	3596	cmd.exe	PING.EXE
PID 3596 wrote to memory of 2488	3596	cmd.exe	PING.EXE
PID 3596 wrote to memory of 2488	3596	cmd.exe	PING.EXE
PID 2348 wrote to memory of 4432	2348	Cottages.pif	RegAsm.exe
PID 2348 wrote to memory of 4432	2348	Cottages.pif	RegAsm.exe
PID 2348 wrote to memory of 4432	2348	Cottages.pif	RegAsm.exe
PID 2348 wrote to memory of 4432	2348	Cottages.pif	RegAsm.exe
PID 2348 wrote to memory of 4432	2348	Cottages.pif	RegAsm.exe
PID 4896 wrote to memory of 648	4896	firefox.exe	firefox.exe
PID 4896 wrote to memory of 648	4896	firefox.exe	firefox.exe
PID 4896 wrote to memory of 648	4896	firefox.exe	firefox.exe
PID 4896 wrote to memory of 648	4896	firefox.exe	firefox.exe
PID 4896 wrote to memory of 648	4896	firefox.exe	firefox.exe
PID 4896 wrote to memory of 648	4896	firefox.exe	firefox.exe
PID 4896 wrote to memory of 648	4896	firefox.exe	firefox.exe
PID 4896 wrote to memory of 648	4896	firefox.exe	firefox.exe
PID 4896 wrote to memory of 648	4896	firefox.exe	firefox.exe
PID 4896 wrote to memory of 648	4896	firefox.exe	firefox.exe
PID 4896 wrote to memory of 648	4896	firefox.exe	firefox.exe
PID 648 wrote to memory of 1156	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 1156	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 2872	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 2872	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 2872	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 2872	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 2872	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 2872	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 2872	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 2872	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 2872	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 2872	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 2872	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 2872	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 2872	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 2872	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 2872	648	firefox.exe	firefox.exe
PID 648 wrote to memory of 2872	648	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3316

C:\Users\Admin\AppData\Local\Temp\AuroraV2.exe
"C:\Users\Admin\AppData\Local\Temp\AuroraV2.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Characterization Characterization.bat & Characterization.bat & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:3868

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
cmd /c md 4
4⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Strongly + Elder + Appeals + Designer + Construction 4\Cottages.pif
4⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Yamaha + Pets + Adapters 4\O
4⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\4\Cottages.pif
4\Cottages.pif 4\O
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:2488

C:\Users\Admin\AppData\Local\Temp\4\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\4\RegAsm.exe
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\InvokeWatch.mov"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\AddReset.7z"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4896

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.0.1862736938\917300827" -parentBuildID 20221007134813 -prefsHandle 1784 -prefMapHandle 1776 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2633f88-cac7-4175-9fa1-a31b2f35768f} 648 "\\.\pipe\gecko-crash-server-pipe.648" 1728 1c7be9dca58 gpu
4⤵
PID:1156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.1.1508137490\861490354" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2200 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62ad6d7e-fcff-46d2-a371-93316051be77} 648 "\\.\pipe\gecko-crash-server-pipe.648" 2244 1c7be8fa258 socket
4⤵
- Checks processor information in registry
PID:2872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.2.190178256\512521948" -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 2960 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a405c766-4923-488b-b8c6-4212ee3da6a7} 648 "\\.\pipe\gecko-crash-server-pipe.648" 3160 1c7c3ea2158 tab
4⤵
PID:4652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.3.2138108949\1624020591" -childID 2 -isForBrowser -prefsHandle 3528 -prefMapHandle 3524 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdb8e56a-de90-407a-a9e8-030cf8174732} 648 "\\.\pipe\gecko-crash-server-pipe.648" 3540 1c7c2818c58 tab
4⤵
PID:4860

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.4.1996190574\774450297" -childID 3 -isForBrowser -prefsHandle 4540 -prefMapHandle 4528 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24f894f5-8e81-4e0f-b3a1-6088624a5233} 648 "\\.\pipe\gecko-crash-server-pipe.648" 4548 1c7c5a5e158 tab
4⤵
PID:4644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.5.265050099\1309049730" -childID 4 -isForBrowser -prefsHandle 4952 -prefMapHandle 4916 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea6816ee-76e1-48f2-9e8e-f4100f4c4a58} 648 "\\.\pipe\gecko-crash-server-pipe.648" 4912 1c7c5a60b58 tab
4⤵
PID:1212

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.6.808281515\1295782699" -childID 5 -isForBrowser -prefsHandle 5200 -prefMapHandle 5204 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfc0f9e2-4641-4ccb-9b37-75a036799dbe} 648 "\\.\pipe\gecko-crash-server-pipe.648" 5192 1c7c5fd3e58 tab
4⤵
PID:4332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.7.438962626\1925529335" -childID 6 -isForBrowser -prefsHandle 5392 -prefMapHandle 5396 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81a339cd-cab8-416f-91be-dedf50e02261} 648 "\\.\pipe\gecko-crash-server-pipe.648" 5384 1c7c5fd2658 tab
4⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --proxy-server="217.65.2.14:3333"
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff0e149758,0x7fff0e149768,0x7fff0e149778
3⤵
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1560 --field-trial-handle=1812,i,16152432563026652068,14646117510123498902,131072 /prefetch:2
3⤵
PID:1792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --proxy-server=217.65.2.14:3333 --mojo-platform-channel-handle=2124 --field-trial-handle=1812,i,16152432563026652068,14646117510123498902,131072 /prefetch:8
3⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --proxy-server=217.65.2.14:3333 --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,16152432563026652068,14646117510123498902,131072 /prefetch:8
3⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1812,i,16152432563026652068,14646117510123498902,131072 /prefetch:1
3⤵
PID:3584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3196 --field-trial-handle=1812,i,16152432563026652068,14646117510123498902,131072 /prefetch:1
3⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3972 --field-trial-handle=1812,i,16152432563026652068,14646117510123498902,131072 /prefetch:1
3⤵
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --proxy-server=217.65.2.14:3333 --mojo-platform-channel-handle=3848 --field-trial-handle=1812,i,16152432563026652068,14646117510123498902,131072 /prefetch:8
3⤵
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --proxy-server=217.65.2.14:3333 --mojo-platform-channel-handle=4712 --field-trial-handle=1812,i,16152432563026652068,14646117510123498902,131072 /prefetch:8
3⤵
PID:4124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --proxy-server=217.65.2.14:3333 --mojo-platform-channel-handle=4984 --field-trial-handle=1812,i,16152432563026652068,14646117510123498902,131072 /prefetch:8
3⤵
PID:3608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --proxy-server=217.65.2.14:3333 --mojo-platform-channel-handle=5092 --field-trial-handle=1812,i,16152432563026652068,14646117510123498902,131072 /prefetch:8
3⤵
PID:4800

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1220

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\4\Cottages.pif
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4\O
Filesize
668KB

MD5
f4c99459a82e20502c22ab55bfb2da28

SHA1
41ecc106f3920d4405f3370cfca6c7ce3b04bd70

SHA256
61dd27cff7582ad3b0e185e39accdfc1ffa617f027ef478889058cb3cbf872a2

SHA512
5436aa25e5f99b5f84182e99964903d48b6c38256e9cb1b0838fb336c96d8ddd865c659d1f47ed6a15f16e4f0c2f9e3dfb746e8881745415b22554b4b8de302e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4\RegAsm.exe
Filesize
63KB

MD5
42ab6e035df99a43dbb879c86b620b91

SHA1
c6e116569d17d8142dbb217b1f8bfa95bc148c38

SHA256
53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b

SHA512
2e79de2d394ad33023d71611bb728b254aa4680b5a3a1ef5282b1155ddfaa2f3585c840a6700dfe0d1a276dac801298431f0187086d2e8f96b22f6c808fb97e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adapters
Filesize
179KB

MD5
b05211f89c3e471627978ceaadbece85

SHA1
3cb7685dc8dd9104e597da099412e7f96569c40e

SHA256
bcdf18a812ac1388024fc636d2556a408460ff73b5e17d8af94f56ab43e20ec7

SHA512
c3ea3ab452b403f03eb53356f88b7408bc8a5a1e919d2dcb5415ec5f3eaaf64f55f33b2561fecc0d6fc959304c0f3b325b9a208988850c00f749b4ca0ade3750

Download Submit
C:\Users\Admin\AppData\Local\Temp\Appeals
Filesize
197KB

MD5
9848974aacb0b13c0c6532a5fed69662

SHA1
7bb229cea9fd8008e526a9d1a529f5104eb515c0

SHA256
e645141706a7f1220384053729b30c3e25164dda4d9d6a1b8714c87209b4f3d5

SHA512
e07480490f8d42888e0c8577687f204ff6b287ec184a02dfddf055ecf9f013f70e326eddfbdd616c2d960dbff62de9e21d6e642d64f77ea5ff5caaef68fa61c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Characterization
Filesize
12KB

MD5
6d42e125318abf40c3e01b55e50545f7

SHA1
827980b79228e6ceb741733aad46a9033b261049

SHA256
76db08aa2202ac2cb27af4246f6a00957d15b96c2b3cee95443fbd708a39e57b

SHA512
875fa1ce29c8c4b08a0838366c34e5f35684e8532600a68b6a8050f517ae499f473b931de7c3f08f1d0ed7924c814e860b8b3c2481bead54ad8daa59a4f069f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Construction
Filesize
35KB

MD5
629dcdb5e964a46336b660452b9ee0ac

SHA1
1dd73d8d84c6ef575756f5b0e095f86a24da73c6

SHA256
d02e10a10f3743f4994e43c33c0e7648fcfa076396d525935f62b88ca308845e

SHA512
341fbbd2d9400cea6e6f476107fe65c2f739d5d9d5e36e75cd1a212fe1db79ebc60fcdfd85219fe4c11ce09da1a8cf0605fa840bf8d2237459eb121384b8d15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Designer
Filesize
279KB

MD5
e981cf4342c3cb2587880ffeacd43179

SHA1
ce15fa590a16d7ab918cb1e8074d1f49f6c64541

SHA256
12a7fc7dc3e1c2a1d44aa4b881fad1b83984ebdf96fb4f08f097117a535b11bf

SHA512
8cfdbc085721653144b544d8158f1c3e535429aef16a51c7be9e3672d359c0d7c9fe5f926e5c9b546cb32f1307f93ec67e0e8732c992e23aaa9dca90a2aa52ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Elder
Filesize
155KB

MD5
f9f6a09d5817d513e984dd5d0cfc1d17

SHA1
5f968f4bf9c82b4104d40bd7d0d3229592f6561d

SHA256
4cf83f6e610eeb0ac7cbcd9c71e0bbda99cb465c1303a5e9ea6fcf59fc248ea6

SHA512
d5fc501a123e8c915ad510b7c6e79af185252065e53d6300c2ce7e9b63a74e2330a09296c333e6b56633c5182ca028f93feb4c8ba7211d75b9c80d48964b89f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pets
Filesize
260KB

MD5
f6fb13732dc8c23095a35161fc8d2ecb

SHA1
e433eb58dfa69f3239988f6cec758d6f76ea12b8

SHA256
3973fbec123a1063743e3a2bd70c5cf0cdfabf20040673cad5060477cce2bd32

SHA512
84898b2794463bfcfc1edde01192370b8fb4613f3c66d93b9943688b7ef09da55d92168267fd40a572407f5c705b119204451dc4fd741af27b9c7166d2623431

Download Submit
C:\Users\Admin\AppData\Local\Temp\Strongly
Filesize
206KB

MD5
35f17b8bf9805bbe8b3befaf5244779b

SHA1
4cc81d66c0b6bb84d029cde9659dadd1152808ac

SHA256
2f35af3beabb1f0266efa6feb2903a117a14fb206c4c09fff96787bb313e7dd3

SHA512
2edf05aa46b9aef7e2aa77ae0a9385d09e8a18349549fc743bafee0f538227877dd47c17f90e7a558a9958a2f6083ace6b0a13f26006a2320968abe0825d2bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpCFA4.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yamaha
Filesize
229KB

MD5
8f2fbb0145076f576facc399174772f4

SHA1
1c4de51cf28843fb4ee97002ec126bd604836bc7

SHA256
5bbd83d4f4b38239cb22257c2d327afbf9aab99d97ab7045a71fa1083b61218f

SHA512
9eb7257d39914559ae729b5fada1519fb9e2003328ecb9f8b0b2c2075224bf141f122db2237b7b97a751dc76a5bc18d3447870be9d6b593062255592fdf350a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
af4f6068af75edfdb43c6a0063610bc7

SHA1
85e15c9a01e27c8e7cc4c2d93a8bdb485084c60e

SHA256
73042342c88f251294ea1253ee1719edab3fccdb7cbfc8077fb666dadb5dddd4

SHA512
b070cb77d9d360307ab065c530169ea82d74ff284d089f74367b5e08d7d003f17b29f1ba9a835a7ca137b3224cd433bd8a9d797d8fac5e7b534986a9a93807d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\datareporting\glean\pending_pings\23808cd8-fac3-4ce6-81bc-3dd648b84b93
Filesize
10KB

MD5
ff002fe3bde92d2254708e45118d29b6

SHA1
f73a52911b1268366bcdae24b1aa3b6232f65514

SHA256
cfde46c512fdc28558de44c76a2995263b411e7f23c16197e95af8d1510071a9

SHA512
4bf146a0b9ca2e67445d9c464fe73a4890d7b110f848633a60de02b82299065b4587af19de73659ff3142f91e642ccd6ee838eca14740ebbe1af5572fc4a1fd1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\datareporting\glean\pending_pings\558774f5-fa4c-45c2-b845-ad06baa12f90
Filesize
746B

MD5
3e052059bb66d05fb138f378760c38c3

SHA1
a25b6a5da51eb4f1c23183135b78cd2d00322cbb

SHA256
2c7e460d028034baf42f7f31ba0b1d9983719c21e87620617a71934abe3ac197

SHA512
c1cc4d1c94ef34d49f2ff130078739334f70a88af388ed3344f57a06875d635351548fef5a056b05c22c7505df2f5ff92d88e299ef7c8c721b93ca14447ca9fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\prefs-1.js
Filesize
6KB

MD5
f2bcf0e1af73c6eb9039657acb3f5026

SHA1
7518c4a8affbe55d651a0353bfdd24a97e49e6a8

SHA256
0a8329b484dcbf9745701293d32683f09b8795a1f1e11601c82e7dcfc22861a0

SHA512
c505d9438aebe0b3bd7c9262eda96bd45b6350d204a5ce9205696f9d6fa3a5784f28aba47d4c0009e4f8c7d76044adcf874955930f2241f46f728734842662da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\sessionstore.jsonlz4
Filesize
879B

MD5
e85621cb3c5e7404961272e99ba00436

SHA1
ee7fb6575b35e6dedc379992d98baef3f972016b

SHA256
be58d142f3d3d8e094c47aa5639862ce42f7af0136633aaaf3086420a4583f84

SHA512
f557ab36650bfda65d6ab7d002294f1e01baf489af165d8d4ced507bbf141cf55a495bbb8ee0f5978a416101f64dadcd298b19ae96623d683e98c7c99acc273d

Download Submit
\??\pipe\crashpad_5036_LIFSRFYPSMJEXMRY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1588-81-0x00007FFF0E020000-0x00007FFF0E041000-memory.dmp

Filesize
132KB

Download
memory/1588-106-0x00007FFEFB200000-0x00007FFEFB25C000-memory.dmp

Filesize
368KB

Download
memory/1588-114-0x00007FFEFAD30000-0x00007FFEFAD41000-memory.dmp

Filesize
68KB

Download
memory/1588-115-0x00007FFEFACC0000-0x00007FFEFAD21000-memory.dmp

Filesize
388KB

Download
memory/1588-116-0x00007FFEFACA0000-0x00007FFEFACB1000-memory.dmp

Filesize
68KB

Download
memory/1588-123-0x00007FFEFAA50000-0x00007FFEFAA61000-memory.dmp

Filesize
68KB

Download
memory/1588-124-0x00007FFEFAA30000-0x00007FFEFAA41000-memory.dmp

Filesize
68KB

Download
memory/1588-125-0x00007FFEFAA10000-0x00007FFEFAA22000-memory.dmp

Filesize
72KB

Download
memory/1588-126-0x00007FFEFA9F0000-0x00007FFEFAA08000-memory.dmp

Filesize
96KB

Download
memory/1588-128-0x00007FFEFA9A0000-0x00007FFEFA9C9000-memory.dmp

Filesize
164KB

Download
memory/1588-129-0x00007FFEFA980000-0x00007FFEFA992000-memory.dmp

Filesize
72KB

Download
memory/1588-130-0x00007FFEFA960000-0x00007FFEFA971000-memory.dmp

Filesize
68KB

Download
memory/1588-127-0x00007FFEFA9D0000-0x00007FFEFA9E6000-memory.dmp

Filesize
88KB

Download
memory/1588-117-0x00007FFEFAC80000-0x00007FFEFAC92000-memory.dmp

Filesize
72KB

Download
memory/1588-68-0x00007FF6D80D0000-0x00007FF6D81C8000-memory.dmp

Filesize
992KB

Download
memory/1588-69-0x00007FFF11F00000-0x00007FFF11F34000-memory.dmp

Filesize
208KB

Download
memory/1588-70-0x00007FFEFCEB0000-0x00007FFEFD164000-memory.dmp

Filesize
2.7MB

Download
memory/1588-72-0x00007FFF0ED10000-0x00007FFF0ED27000-memory.dmp

Filesize
92KB

Download
memory/1588-73-0x00007FFF0E110000-0x00007FFF0E121000-memory.dmp

Filesize
68KB

Download
memory/1588-71-0x00007FFF12010000-0x00007FFF12028000-memory.dmp

Filesize
96KB

Download
memory/1588-74-0x00007FFF0E0F0000-0x00007FFF0E107000-memory.dmp

Filesize
92KB

Download
memory/1588-75-0x00007FFF0E0D0000-0x00007FFF0E0E1000-memory.dmp

Filesize
68KB

Download
memory/1588-76-0x00007FFF0E0B0000-0x00007FFF0E0CD000-memory.dmp

Filesize
116KB

Download
memory/1588-77-0x00007FFF0E090000-0x00007FFF0E0A1000-memory.dmp

Filesize
68KB

Download
memory/1588-78-0x00007FFF0DD50000-0x00007FFF0DF50000-memory.dmp

Filesize
2.0MB

Download
memory/1588-79-0x00007FFEFB640000-0x00007FFEFC6EB000-memory.dmp

Filesize
16.7MB

Download
memory/1588-80-0x00007FFF0E050000-0x00007FFF0E08F000-memory.dmp

Filesize
252KB

Download
memory/1588-88-0x00007FFF0DCB0000-0x00007FFF0DCC8000-memory.dmp

Filesize
96KB

Download
memory/1588-86-0x00007FFF0DCF0000-0x00007FFF0DD0B000-memory.dmp

Filesize
108KB

Download
memory/1588-89-0x00007FFF0D9C0000-0x00007FFF0D9F0000-memory.dmp

Filesize
192KB

Download
memory/1588-94-0x00007FFF02D30000-0x00007FFF02D58000-memory.dmp

Filesize
160KB

Download
memory/1588-97-0x00007FFF01B00000-0x00007FFF01B23000-memory.dmp

Filesize
140KB

Download
memory/1588-96-0x00007FFF0CF50000-0x00007FFF0CF67000-memory.dmp

Filesize
92KB

Download
memory/1588-95-0x00007FFF02C90000-0x00007FFF02CB4000-memory.dmp

Filesize
144KB

Download
memory/1588-100-0x00007FFEFB5B0000-0x00007FFEFB5D1000-memory.dmp

Filesize
132KB

Download
memory/1588-99-0x00007FFEFD260000-0x00007FFEFD272000-memory.dmp

Filesize
72KB

Download
memory/1588-101-0x00007FFEFD240000-0x00007FFEFD253000-memory.dmp

Filesize
76KB

Download
memory/1588-102-0x00007FFEFB590000-0x00007FFEFB5A2000-memory.dmp

Filesize
72KB

Download
memory/1588-98-0x00007FFF02C70000-0x00007FFF02C81000-memory.dmp

Filesize
68KB

Download
memory/1588-103-0x00007FFEFB450000-0x00007FFEFB58B000-memory.dmp

Filesize
1.2MB

Download
memory/1588-107-0x00007FFEFB1E0000-0x00007FFEFB1F1000-memory.dmp

Filesize
68KB

Download
memory/1588-122-0x00007FFEFAA70000-0x00007FFEFAA81000-memory.dmp

Filesize
68KB

Download
memory/1588-109-0x00007FFEFB120000-0x00007FFEFB132000-memory.dmp

Filesize
72KB

Download
memory/1588-108-0x00007FFEFB140000-0x00007FFEFB1D7000-memory.dmp

Filesize
604KB

Download
memory/1588-105-0x00007FFEFB260000-0x00007FFEFB412000-memory.dmp

Filesize
1.7MB

Download
memory/1588-110-0x00007FFEFAEE0000-0x00007FFEFB111000-memory.dmp

Filesize
2.2MB

Download
memory/1588-111-0x00007FFEFADC0000-0x00007FFEFAED2000-memory.dmp

Filesize
1.1MB

Download
memory/1588-104-0x00007FFEFB420000-0x00007FFEFB44C000-memory.dmp

Filesize
176KB

Download
memory/1588-112-0x00007FFEFAD80000-0x00007FFEFADB5000-memory.dmp

Filesize
212KB

Download
memory/1588-93-0x00007FFEFB5E0000-0x00007FFEFB636000-memory.dmp

Filesize
344KB

Download
memory/1588-92-0x00007FFF0D9A0000-0x00007FFF0D9B1000-memory.dmp

Filesize
68KB

Download
memory/1588-91-0x00007FFF02BB0000-0x00007FFF02C1F000-memory.dmp

Filesize
444KB

Download
memory/1588-90-0x00007FFF03DB0000-0x00007FFF03E17000-memory.dmp

Filesize
412KB

Download
memory/1588-87-0x00007FFF0DCD0000-0x00007FFF0DCE1000-memory.dmp

Filesize
68KB

Download
memory/1588-85-0x00007FFF0DD10000-0x00007FFF0DD21000-memory.dmp

Filesize
68KB

Download
memory/1588-84-0x00007FFF0DD30000-0x00007FFF0DD41000-memory.dmp

Filesize
68KB

Download
memory/1588-83-0x00007FFF0DFE0000-0x00007FFF0DFF1000-memory.dmp

Filesize
68KB

Download
memory/1588-82-0x00007FFF0E000000-0x00007FFF0E018000-memory.dmp

Filesize
96KB

Download
memory/1588-120-0x00007FFEFABA0000-0x00007FFEFABB1000-memory.dmp

Filesize
68KB

Download
memory/1588-113-0x00007FFEFAD50000-0x00007FFEFAD75000-memory.dmp

Filesize
148KB

Download
memory/1588-119-0x00007FFEFABC0000-0x00007FFEFAC5F000-memory.dmp

Filesize
636KB

Download
memory/1588-118-0x00007FFEFAC60000-0x00007FFEFAC73000-memory.dmp

Filesize
76KB

Download
memory/1588-121-0x00007FFEFAA90000-0x00007FFEFAB92000-memory.dmp

Filesize
1.0MB

Download
memory/2348-25-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/2348-23-0x0000000076F71000-0x0000000077093000-memory.dmp

Filesize
1.1MB

Download
memory/4432-54-0x00000000062B0000-0x00000000063BA000-memory.dmp

Filesize
1.0MB

Download
memory/4432-55-0x00000000061F0000-0x0000000006202000-memory.dmp

Filesize
72KB

Download
memory/4432-63-0x00000000079F0000-0x0000000007F1C000-memory.dmp

Filesize
5.2MB

Download
memory/4432-62-0x00000000070F0000-0x00000000072B2000-memory.dmp

Filesize
1.8MB

Download
memory/4432-61-0x0000000006ED0000-0x0000000006F20000-memory.dmp

Filesize
320KB

Download
memory/4432-58-0x0000000006500000-0x0000000006566000-memory.dmp

Filesize
408KB

Download
memory/4432-57-0x00000000063C0000-0x000000000640C000-memory.dmp

Filesize
304KB

Download
memory/4432-56-0x0000000006250000-0x000000000628C000-memory.dmp

Filesize
240KB

Download
memory/4432-34-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

Filesize
40KB

Download
memory/4432-64-0x0000000073740000-0x0000000073EF1000-memory.dmp

Filesize
7.7MB

Download
memory/4432-53-0x0000000006760000-0x0000000006D78000-memory.dmp

Filesize
6.1MB

Download
memory/4432-50-0x0000000006020000-0x000000000603E000-memory.dmp

Filesize
120KB

Download
memory/4432-33-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/4432-32-0x0000000004D40000-0x0000000004DD2000-memory.dmp

Filesize
584KB

Download
memory/4432-31-0x0000000005250000-0x00000000057F6000-memory.dmp

Filesize
5.6MB

Download
memory/4432-30-0x0000000073740000-0x0000000073EF1000-memory.dmp

Filesize
7.7MB

Download
memory/4432-27-0x0000000000600000-0x0000000000652000-memory.dmp

Filesize
328KB

Download
memory/4432-65-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/4432-49-0x0000000005880000-0x00000000058F6000-memory.dmp

Filesize
472KB

Download