redline | hxxps://download[.]tt2dd[.]com/

Resubmissions

22-05-2024 04:29

240522-e39m3aca78 10

11-05-2024 11:09

11-05-2024 10:59

09-05-2024 13:02

04-05-2024 06:42

02-05-2024 14:21

Analysis

max time kernel
190s
max time network
196s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-05-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.tt2dd.com/

Score

10^/10

redline rajab discovery infostealer motw phishing spyware stealer

Malware Config

Extracted

Family

redline

Botnet

rajab

45.89.53.206:4663

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2452-247-0x0000000000F50000-0x0000000000FA2000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Infected.pif

description pid process target process

PID 1620 created 3332 1620 Infected.pif Explorer.EXE
Executes dropped EXE 2 IoCs

Processes:

Setup.exeRegAsm.exe

pid process

2200 Setup.exe
2452 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
phishing motw

Processes:

flow ioc

7 https://ertytvm.xyz/?FCmkiNRLh0Y2BHeutdTwaKGo54Mfs6-xIzrmYvfqdQhHKX4B1CPNVREiawejpUG3Lo7WMuF9A8c-Mf62jtxdLuv8WekyJqrXRI
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4508 tasklist.exe
3344 tasklist.exe

description	pid	process	target process
PID 1620 created 3332	1620	Infected.pif	Explorer.EXE

pid	process
2200	Setup.exe
2452	RegAsm.exe

flow	ioc
7	https://ertytvm.xyz/?FCmkiNRLh0Y2BHeutdTwaKGo54Mfs6-xIzrmYvfqdQhHKX4B1CPNVREiawejpUG3Lo7WMuF9A8c-Mf62jtxdLuv8WekyJqrXRI

pid	process
4508	tasklist.exe
3344	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608257664149366"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1136 PING.EXE

pid	process
1136	PING.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

chrome.exechrome.exeInfected.pifRegAsm.exe

pid	process
2900	chrome.exe
2900	chrome.exe
2428	chrome.exe
2428	chrome.exe
1620	Infected.pif
1620	Infected.pif
1620	Infected.pif
1620	Infected.pif
1620	Infected.pif
1620	Infected.pif
1620	Infected.pif
1620	Infected.pif
2452	RegAsm.exe
2452	RegAsm.exe
2452	RegAsm.exe
2452	RegAsm.exe
2452	RegAsm.exe
2452	RegAsm.exe
2452	RegAsm.exe
2452	RegAsm.exe
2452	RegAsm.exe
2452	RegAsm.exe
2452	RegAsm.exe
2452	RegAsm.exe
2452	RegAsm.exe
2452	RegAsm.exe
2452	RegAsm.exe
2452	RegAsm.exe
2452	RegAsm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2900 chrome.exe
2900 chrome.exe
2900 chrome.exe
2900 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe
Token: SeShutdownPrivilege	2900	chrome.exe
Token: SeCreatePagefilePrivilege	2900	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exeInfected.pif

pid	process
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
1620	Infected.pif
1620	Infected.pif
1620	Infected.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2900 wrote to memory of 4924	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4924	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4948	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 3632	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 3632	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 5068	2900	chrome.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.tt2dd.com/
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8e5bd9758,0x7ff8e5bd9768,0x7ff8e5bd9778
3⤵
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1556,i,4963695911131561850,4573324527198471403,131072 /prefetch:2
3⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 --field-trial-handle=1556,i,4963695911131561850,4573324527198471403,131072 /prefetch:8
3⤵
PID:3632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1556,i,4963695911131561850,4573324527198471403,131072 /prefetch:8
3⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1556,i,4963695911131561850,4573324527198471403,131072 /prefetch:1
3⤵
PID:516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1556,i,4963695911131561850,4573324527198471403,131072 /prefetch:1
3⤵
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1556,i,4963695911131561850,4573324527198471403,131072 /prefetch:8
3⤵
PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 --field-trial-handle=1556,i,4963695911131561850,4573324527198471403,131072 /prefetch:8
3⤵
PID:168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4784 --field-trial-handle=1556,i,4963695911131561850,4573324527198471403,131072 /prefetch:1
3⤵
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4376 --field-trial-handle=1556,i,4963695911131561850,4573324527198471403,131072 /prefetch:1
3⤵
PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=1556,i,4963695911131561850,4573324527198471403,131072 /prefetch:8
3⤵
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1556,i,4963695911131561850,4573324527198471403,131072 /prefetch:8
3⤵
PID:400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1556,i,4963695911131561850,4573324527198471403,131072 /prefetch:8
3⤵
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1556,i,4963695911131561850,4573324527198471403,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2428

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05182024-278753659075324982\" -spe -an -ai#7zMap14082:188:7zEvent31675
2⤵
PID:5080

C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05182024-278753659075324982\Setup.exe
"C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05182024-278753659075324982\Setup.exe"
2⤵
- Executes dropped EXE
PID:2200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Inch Inch.cmd & Inch.cmd & exit
3⤵
PID:4060

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:4508

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:932

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:3344

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
cmd /c md 4163474
4⤵
PID:2324

C:\Windows\SysWOW64\findstr.exe
findstr /V "TemplatesJunkFinancialBlocking" Innovation
4⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Locks + Marble + Irs + Ray 4163474\X
4⤵
PID:4400

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4163474\Infected.pif
4163474\Infected.pif 4163474\X
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:1620

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:1136

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4163474\RegAsm.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4163474\RegAsm.exe
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2452

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
d0f1cbd02fec2610c223b245d34f69c4

SHA1
099720621c4798a9191403ed55b6c59c9c18a7d8

SHA256
11fd0ae633d6218829d39a5efa2992139601e25d5b7f2ba590f1d2197511aece

SHA512
b28ac0dbae7deacf6a34ac2fdb446cce329e2655d750a5b86e2640c94a30df18f869bbd565d937d88a9f2527b4dc1433562a06f387991d96a6a51aba8e6a45c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
99055a278837477e84762b596b4537d8

SHA1
1b043c736ee2eb7f8d1e9b33cb09cc7d71883033

SHA256
7de48caef680090b00ba47df77906cda4b4e69dda1480d9db801ca5e8ee2b252

SHA512
1b2567e93f43d5f70196293842e479b10cde8dc3d53b6167d39e7fb57efb6696606a7963702b5958ac7272ddc10c1093c5e409817a658c1c336f62052479ec95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
896b774f6353a47a93e4c385a2b2c0b2

SHA1
b5705c3460678f42ee08241e44722b6239e77715

SHA256
3da750ec19a2592ed641508297a139eba517047177d388b6e00a973a2fbc11a9

SHA512
611c5ac4b2633dcf9d529dbecf5f763a1bbd4f6b0f78df20db395f624f63c3cacabc6242a869ddb1d07112247d07226b2865993baed4c9144dbb8468b23f7df4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
a97b40a087dd4b30779a0c040122a0db

SHA1
0fd876b0518a13247fdf9f34f8d0012951b0ef21

SHA256
79773b8e3ae170388ffc9f2e8acc2f089ae5b5a10a044027256b8e17e11ab44b

SHA512
f143d54e93567928fb352a8274b74805902eee29765fd4ee8ce0d8c079636e2c1f17f87af512f2ea6ffe0ea77a7ec710dcf40884f0c01d5188741c407df0aebf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
ca67032e03f8f016dca8aaff99e68f1d

SHA1
b7b16554e3a96755ad1cfec98df83efd3264586b

SHA256
4723da1f1d77608120c1022ae2105785e7018be2595162e4bda3d1e6251b1ea2

SHA512
2eb402a2cdd816aff0b792dd33e74e605ab610e54a446ba3c708cc904893d11dbf7f4a0e7957b06ab077128ca013c9052791ccfe823cbb3d9133bf04a4fd3cbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c6ef865ccaa44c9dedacab9637f0cf99

SHA1
bba2d0bba8e2de1f601d12db37505e14f9d85354

SHA256
d440043fd6223acc44dec08d6d80124c8f6fba26bb30827671b7f20b7f0b4bfc

SHA512
2a5e96ad9e58d9df60d5bcc6da1d245d54ec982af3f65cc5805e0ce080729d39840ba486e9b6f01bf2e87eef93ed691e1d3796723a5ce6538af040bfbb3075c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3510e60e8144eced3f8c8278064de36e

SHA1
a35e9067ace3f243f5bd274453b255506a4a0015

SHA256
bac6d3d949c15b2c1e00c073adbab2e51d6d5e4851c93428cc252a6f811b435e

SHA512
114a35350f641fa7b08899c0d18dbd8aa053daa5662584de95c7752f9e71a3b150f560704a9c50995b1f9096367c17cd1e001ce49c2b14db76f27cff7c3754b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ee5113aaae402f5ba3e5591358692ee4

SHA1
52c0ef32bcc816b9d44e4639587405c22680b579

SHA256
38fd49e3c94882d05267d75fc14c7d820dbb2f20aefeeb8ae47bdaa23f4b79b3

SHA512
04d2a24f94ecc0f6f7d7d0ee1b248295c4e1865839be146abb1bb845c090aa9176ae9797a3aaaecf71e859959dce99ad09246dd80b9435a0d6db00e87baca8c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
4abb015593b00ba6ce29a273358777df

SHA1
ee5a31ee4aa0d8aff24e07e0cd9f7a0b47afc817

SHA256
374b950c4df0ec0551329de883031c225a16453f25c92052c839fbfb0a28cb06

SHA512
44ab68f957fdece45d109a43967365698314f7b8eb8a58466d9d42768077490f80e4086a52d6abf5423b46c340af9efc5ed87af75a68c84b841f719f98351fdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
fd9cec96c8fa329b6f51d425c17dc918

SHA1
47e2d4f1ac7ddceefa4b364510699098a6ea27df

SHA256
f238b71174eb563cf6e17b32b896937639b3b26e6241ccef11f446e87927f3b2

SHA512
ce8c780641c1d9c4fffa4d940966f2c9270adec02c33f1c3e2f45cd8ae7c47bc478308d60c0270a2353098a010ead5591457ba669d62c8a4342a7d05a676925a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
3d6b36314f2317aebfe06e5c34ed7055

SHA1
0c796fd5044460a0c23ca2655e4d6f127fafc0a5

SHA256
7f2264ced528c3d3c38e7ecfdefd6287fdb4a2cc587b15df27b23e893cb8e758

SHA512
28336e25fca0645740a9bcaf21b76569db3991ef06da08d8cd35d1265e2a9298ba8022c45781a8a1607429e656074a2b782726357c89fe25a81d85d6ae747b40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
e742b7a15e31c2ed05eda328422bffa7

SHA1
89ab832963bddaaa7fc37920f6592a1fd4007f9d

SHA256
f1f73905c64645f3b9494cbf44838c8350d073b68612684ef72f7c175614936c

SHA512
6a6197cd2f536d3cb9bc9d562c58c00b098dafbdaf01cfced3a1740057c965cc5e6d7f6b7063b1db77f0370f7287882f9d6594211dc5ec3e80ea52fe2144dd30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe585213.TMP

Filesize
93KB

MD5
b80a56a840bf6ed61a509986c1145bc5

SHA1
d0f92ca2b5a93160858ff2765008d5f3a5cc2980

SHA256
496f91d69a4e2909bc6536277ad2cc975a6c915ac059e295ebb28dbd02aa9ea4

SHA512
403ad0057a87bd778a92bfc57a463c9e2c586698efedc7add951476080c134d6ce12db1bc5e9ee52d6993afd3183c5989d8645fbb115dfe90db1571644c1ac84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4163474\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4163474\X

Filesize
384KB

MD5
564fcef4278786869d9e7f8606d17f47

SHA1
d36470b9a08322aa27014fc9ae97a69829ae4d54

SHA256
7ecd3748e97c574c643cad0722725983ac377a780f8e5442c383ce7a3b2205bc

SHA512
983ebba8851235fbfe515aa9b4156eca079914bb9c126d5f31c592bcb0025d26c54e2fd50b9f153b9eb687b0cae4361aedee61634004296680d5d454ad0022e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Innovation

Filesize
204B

MD5
a159d27c920ba255b699838eaffccddd

SHA1
07e71d8b5084395931df7acd1771b2e9609e4ebd

SHA256
105b7b26ab1b62e5d3f32bfb07fbb8f91ad3e434a41ebc55c9d4d3befa82528d

SHA512
7bb0119fa06d4b6cc214015b2f87e05e9c1f1d139d7c85089c28a3ed36254d41dfb4ab8b19e471424f6d487159e497f5488bd8607d005402ed0820fbbdc0225d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Irs

Filesize
56KB

MD5
cdbf87ed2611759361edcf2d1c36cb8d

SHA1
fde07776b66674be84f7e112b080c4b20a6972cb

SHA256
4a2afbcbf160bf24e04c3b9aa72267ffe589a7126aedad36e8fd22126fb79ffd

SHA512
e1b1faec18c602f5d89c64488c148ba943dbfb014e4e2f030a00830d032c58ba95f79d135c39a4cf7346dd815f1996a8f863642f96f37ec9745dd46f42b6e32e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Locks

Filesize
144KB

MD5
1659a7eb3dba9d9143f98def92dbbb88

SHA1
3338d23d47256b6c4bd475bd953dcb7b6de13f87

SHA256
8271297087605f98d4351eff05198533a63924f7b666754b85894392aa9327dc

SHA512
c473fc5b74a1877e29f2e904955bd1bb270932cb40148c25c49d5dd7f6d1932a1e70692083176c00eea82adc73e3bac860847bce7bab5d1ce1ed259415fd795f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Marble

Filesize
176KB

MD5
955750a52c9c524e3b1df558e4e598e1

SHA1
6362a9a195fc6446cedb85ecc8df0ba82a9a40b9

SHA256
f233ec33624377ac70388bd8738bab20538b7f8cae46dd1e8bfaf3c87014580f

SHA512
1d7e2fa136a618deffa215fec63b24ca1918c0d2f467c28572a6907e1cedc2c9356536ee111f9d9e0f917d5e38f3322cfcbb0d590c94a526fd9a98e3057b188a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ray

Filesize
8KB

MD5
15b3c47ee4220a1317285551dc46df3b

SHA1
ecccbd8d0bc7616f30548bcee6179da004f64553

SHA256
9be2db11436373cbd4dabb4664297a0814ffa18be3a9637de1b583adb863ba79

SHA512
9859bda25d9eed059d9ac27d091dffcb63a1ea7a37c2dc3b7a7c8006d65e64414367021c97b4c27f1de2dd021f125d7e6451dcd07a497a05c0e0150c6f56d4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp7A04.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05182024-278753659075324982\Setup.exe

Filesize
910KB

MD5
94e7e5e1cee055f9ac963b7650d5d8bd

SHA1
f18a89aa7fa97135b1214e31f2c79877d2a04284

SHA256
94fa692514c48c66ade5a1a90d07b4114272faf810801efa472b803c49231ad3

SHA512
13f1eeb4788bf868e126e840645f7096c613d748318958116eb3cbfc44dd5876b024b85f8dfa0283921181e1ca3424c721780607480fb7a621ac4650ff6b9e99

Download Submit
C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05182024-278753659075324982\bin\Debug\MusicPlayerApp.vshost.exe.config

Filesize
184B

MD5
28960c034283c54b6f70673f77fd07fa

SHA1
914b9e3f9557072ea35ec5725d046b825ef8b918

SHA256
8d65429e0b2a82c11d3edc4ea04ed200aedfea1d7ef8b984e88a8e97cff54770

SHA512
d30dd93457a306d737aac32c0944880517ed4c3e8f2d1650ffca6c1d98e892082b41b40fb89ccf75d5f03d2464b0b4f943cd4b082071f0abfe978d149bd61479

Download Submit
\??\pipe\crashpad_2900_CKMSHPKMCAMXHPPL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2452-270-0x0000000006A70000-0x0000000006A8E000-memory.dmp

Filesize
120KB

Download
memory/2452-272-0x00000000071A0000-0x00000000077A6000-memory.dmp

Filesize
6.0MB

Download
memory/2452-251-0x0000000005780000-0x0000000005812000-memory.dmp

Filesize
584KB

Download
memory/2452-252-0x0000000003200000-0x000000000320A000-memory.dmp

Filesize
40KB

Download
memory/2452-247-0x0000000000F50000-0x0000000000FA2000-memory.dmp

Filesize
328KB

Download
memory/2452-269-0x0000000006400000-0x0000000006476000-memory.dmp

Filesize
472KB

Download
memory/2452-283-0x00000000082D0000-0x00000000087FC000-memory.dmp

Filesize
5.2MB

Download
memory/2452-250-0x0000000005C80000-0x000000000617E000-memory.dmp

Filesize
5.0MB

Download
memory/2452-273-0x0000000006D10000-0x0000000006E1A000-memory.dmp

Filesize
1.0MB

Download
memory/2452-274-0x0000000006C40000-0x0000000006C52000-memory.dmp

Filesize
72KB

Download
memory/2452-275-0x0000000006CA0000-0x0000000006CDE000-memory.dmp

Filesize
248KB

Download
memory/2452-276-0x0000000006E20000-0x0000000006E6B000-memory.dmp

Filesize
300KB

Download
memory/2452-277-0x0000000006F50000-0x0000000006FB6000-memory.dmp

Filesize
408KB

Download
memory/2452-278-0x00000000078B0000-0x0000000007900000-memory.dmp

Filesize
320KB

Download
memory/2452-282-0x0000000007BD0000-0x0000000007D92000-memory.dmp

Filesize
1.8MB

Download
memory/4060-244-0x0000000003100000-0x00000000031AE000-memory.dmp

Filesize
696KB

Download