Analysis
-
max time kernel
154s -
max time network
154s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
24-09-2021 06:04
Static task
static1
Behavioral task
behavioral1
Sample
461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe
Resource
win10-en-20210920
General
-
Target
461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe
-
Size
3.0MB
-
MD5
8a060daac1e73524a227875e5da6eb3d
-
SHA1
9cd8730422dc2553e028828feb370341da702061
-
SHA256
461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2
-
SHA512
9fee328d96c2c2df6bd9a37c835dd7272215f0952479d56f09d0371375bc758388c96a598319e6e11a3673e270738794177ef0ca9b8b817274b3d5d65eab0d87
Malware Config
Extracted
njrat
0.7d
HacKed
lightcf.ddns.net:1177
f20acdfb6b0a6c02ffcee135dec9d57c
-
reg_key
f20acdfb6b0a6c02ffcee135dec9d57c
-
splitter
|'|'|
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 2 IoCs
Processes:
Server.exejf_crazycf_1_4.exepid process 2196 Server.exe 1868 jf_crazycf_1_4.exe -
Modifies Windows Firewall 1 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
jf_crazycf_1_4.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion jf_crazycf_1_4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion jf_crazycf_1_4.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
jf_crazycf_1_4.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation jf_crazycf_1_4.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
jf_crazycf_1_4.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Wine jf_crazycf_1_4.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\f20acdfb6b0a6c02ffcee135dec9d57c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f20acdfb6b0a6c02ffcee135dec9d57c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." Server.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
jf_crazycf_1_4.exepid process 1868 jf_crazycf_1_4.exe -
Drops file in Windows directory 4 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription ioc process File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdge.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdgeCP.exe -
Processes:
MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies registry class 64 IoCs
Processes:
MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "t8u9ftp" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "339236644" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000004a708560e4f547a12c914e1b873b00402ac88a02387e3c2e1948a3017f26ab3253d7ce51cfe0e18144709e1ccebd5511d9e19bd3d5514a9d936d13f242d5cdeb2e6bedb0b744f03faae4b4e086dacd2b55559ce55c213d2e9bdc MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658 = 03000000010000001400000083da05a9886f7658be73acf0a4930c0f99b92f011400000001000000140000003656896549cb5b9b2f3cac4216504d91b933d79104000000010000001000000062455357dd57cb80c32ab295743cccc00f00000001000000200000006811c6215f18c75fdbe32cf56bd66248562a7fa3ba459cfee338745061e583941900000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d705c000000010000000400000000100000180000000100000010000000bb048f1838395f6fc3a1f3d2b7e976542000000001000000dc060000308206d8308204c0a003020102020a613fb718000000000004300d06092a864886f70d01010b0500308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131301e170d3131313031383232353531395a170d3236313031383233303531395a307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f66742053656375726520536572766572204341203230313130820222300d06092a864886f70d01010105000382020f003082020a0282020100d00bc0a4a81981e236e5e2aae5f3b2155875beb4e549f1e084f9bb0d64ef85c18155b8f3e7f16d40553dce8b6ad18493f5757c5ba4d47410ca32f323d3aeeecf9e0458c2d947cbd17c004148711b01671718afc6fe73037ee4ef439cef01712a1f81264377985457739d552bf09e8e7d060eac1b54f326f7f82308228b9e061d3738fd72d2cae563c19a5a7db26db352a96ee9aeb5fc8b36f99efaf61c581b9756a511e5b752dbbbe9f054bfb4ff2c6cb85d26cea00ad7df93ed7fddacf12c731ad9193755badd22788ea1d49b09f807223171b094aee0b0e726445790819715ce61ec65e24bf185521632f8b578aa7ecd4dec8321a4a89bbe9a6a04e0a31ccd56186cfd6b2f423ee237f272abd07873727bdeec0058e52130a3083a99ef9fc3f77a169665b5c381aff4397049aff6a9f66a0038f9b40819e01a35a55676225f6af269ae3ead58464db854f68941441e72b1bc122753d2c1ffb2cd50981eb5f4bbb6c28239d9ac1bf23b27846ab0c6260bd73a10e7b3db7cd356ac534c0bfa3b313774d8592bf9007919067bfd1c1d42d4410d2f050ed56b4923ffcfcdf87a82cfda3c2ddfe8d8120418ba1e8877b8981f1007bbc8057e0b09bf6bdde34e5bb0f9c784a63bca4c9f5b6229f7c7a2a89588702ce5c13f3c52234f409ac33185832fbf29f11d508f219607ceeff280c2447d9b62ef2fc37789ab454d533e0279d30203010001a382014b30820147301006092b06010401823715010403020100301d0603551d0e041604143656896549cb5b9b2f3cac4216504d91b933d791301906092b0601040182371402040c1e0a00530075006200430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301f0603551d23041830168014722d3a02319043b914054ee1eaa7c731d1238934305a0603551d1f04533051304fa04da04b8649687474703a2f2f63726c2e6d6963726f736f66742e636f6d2f706b692f63726c2f70726f64756374732f4d6963526f6f436572417574323031315f323031315f30335f32322e63726c305e06082b0601050507010104523050304e06082b060105050730028642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b692f63657274732f4d6963526f6f436572417574323031315f323031315f30335f32322e637274300d06092a864886f70d01010b0500038202010041c861c1f55b9e3e9131f1b0c6bf0901b49db69074d709dba62e0d9fc8e7763446af0760894c81b33cd5f4123575c273a5f54d848ccba45dafbf92f617085742957265057679adeed1bab82e54a35107ac68eb210ce32581c2cd2af2c3ffcfc2bd49189ac7f084c5f914bc6b95e596efb342d253d54aa012c4ae12765309560e9df7d3a6498850f28a2c9720a2be4e78ef0565b74ba11688de31c70842247ca47b9e9dbc60005e6297e393fca7fe5b7b25dfe4537f4bbee63ef0db0179421c6e856c7db64430fba5379293b2a5ee20ad3f53d5c9f4286b57c1f81d6ab7562ab627811ca62d9fe7f4d0318397a82ab6acbe1b41f5e4895f56fbda5ad35e7d5594107e5357f44a3d402ac8bd679f84e110eefdda6b158249fc461dff4506749c4214edc539d3b3cd0b832790435192f24482ae6e9a1517b219fac7456c98017bbf37a9b088a492bc3838e01de47c97981a2e5fef3865b7352fbd7f4f21fac48cd26f06f94935eadf200f25aaea60ab2c1f4b89fcb7fa5c54904b3ea2284f6ce45265c1fd901c8582886ee9a655dd21287945b014e50acce65fc4bbdb6134699fac2638f7c1294108152e4ca0f7f90c3ede5fab08092d83acac348362f4c949428925b56eb247c5b339a0b1201b2cb18e046fa530491cd046e9405bf4ad6ebadb824a87124a80094ddbdf76b9055b1be0bb20705f0025c7d30efa16ad7b229e7108 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 10b8fe803cb1d701 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz! MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "339270741" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/" MicrosoftEdge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
jf_crazycf_1_4.exepid process 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe 1868 jf_crazycf_1_4.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
MicrosoftEdgeCP.exepid process 1316 MicrosoftEdgeCP.exe 1316 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
jf_crazycf_1_4.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeServer.exeMicrosoftEdgeCP.exedescription pid process Token: SeDebugPrivilege 1868 jf_crazycf_1_4.exe Token: SeDebugPrivilege 1868 jf_crazycf_1_4.exe Token: SeDebugPrivilege 4508 MicrosoftEdge.exe Token: SeDebugPrivilege 4508 MicrosoftEdge.exe Token: SeDebugPrivilege 4508 MicrosoftEdge.exe Token: SeDebugPrivilege 4508 MicrosoftEdge.exe Token: SeDebugPrivilege 1716 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 1716 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 1716 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 1716 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2196 Server.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe Token: SeDebugPrivilege 4812 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4812 MicrosoftEdgeCP.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe Token: 33 2196 Server.exe Token: SeIncBasePriorityPrivilege 2196 Server.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exepid process 4508 MicrosoftEdge.exe 1316 MicrosoftEdgeCP.exe 1316 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exeServer.exeMicrosoftEdgeCP.exedescription pid process target process PID 3688 wrote to memory of 2196 3688 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe Server.exe PID 3688 wrote to memory of 2196 3688 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe Server.exe PID 3688 wrote to memory of 2196 3688 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe Server.exe PID 3688 wrote to memory of 1868 3688 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe jf_crazycf_1_4.exe PID 3688 wrote to memory of 1868 3688 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe jf_crazycf_1_4.exe PID 3688 wrote to memory of 1868 3688 461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe jf_crazycf_1_4.exe PID 2196 wrote to memory of 4412 2196 Server.exe netsh.exe PID 2196 wrote to memory of 4412 2196 Server.exe netsh.exe PID 2196 wrote to memory of 4412 2196 Server.exe netsh.exe PID 1316 wrote to memory of 4220 1316 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1316 wrote to memory of 4220 1316 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1316 wrote to memory of 4220 1316 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1316 wrote to memory of 4220 1316 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe"C:\Users\Admin\AppData\Local\Temp\461f9398938a1c24fc0cfc2b350b8f2f707f228f3970181940a028663acb8da2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Server.exeC:\Users\Admin\AppData\Local\Temp/Server.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE3⤵
-
C:\Users\Admin\AppData\Local\Temp\jf_crazycf_1_4.exeC:\Users\Admin\AppData\Local\Temp/jf_crazycf_1_4.exe2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2274612954.priMD5
0db264b38ac3c5f6c140ba120a7fe72f
SHA151aa2330c597e84ed3b0d64bf6b73bf6b15f9d74
SHA2562f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d
SHA5123534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84
-
C:\Users\Admin\AppData\Local\Temp\Server.exeMD5
a0d11518eee518a2d24ba47c2b6e8770
SHA1ab07ca56c9304ecb7fc81f7f8a366c71a0d47293
SHA256a53ae4524bcf01097019dce7a4b31c970d9734da90bf6c7de65420b30e9c849c
SHA512d30d8a66e294df7da207c1fc8970b56900e62d8592254a5f3e7a06c62054f78008b8d20e6944abd219f4a97b44f66172eab92f99b2228502157728431f5cdcf4
-
C:\Users\Admin\AppData\Local\Temp\Server.exeMD5
a0d11518eee518a2d24ba47c2b6e8770
SHA1ab07ca56c9304ecb7fc81f7f8a366c71a0d47293
SHA256a53ae4524bcf01097019dce7a4b31c970d9734da90bf6c7de65420b30e9c849c
SHA512d30d8a66e294df7da207c1fc8970b56900e62d8592254a5f3e7a06c62054f78008b8d20e6944abd219f4a97b44f66172eab92f99b2228502157728431f5cdcf4
-
C:\Users\Admin\AppData\Local\Temp\jf_crazycf_1_4.exeMD5
46191543960191df082176d7ee9e1466
SHA13c40d877d92ee5b44f5ed1df2d383db19c929380
SHA2567978aafb1f8aae0906ca62ff938226711e08dcccc8727f718e49d13aaf6ce220
SHA5124d677f20f5da2f06d31afa71f47a8594508cef6ba7fb5ba8c80a59e33ba06bfc4e6a2a0a193840ee83919074bd2c54db23350de2ffef20114928be5d37cb2084
-
C:\Users\Admin\AppData\Local\Temp\jf_crazycf_1_4.exeMD5
46191543960191df082176d7ee9e1466
SHA13c40d877d92ee5b44f5ed1df2d383db19c929380
SHA2567978aafb1f8aae0906ca62ff938226711e08dcccc8727f718e49d13aaf6ce220
SHA5124d677f20f5da2f06d31afa71f47a8594508cef6ba7fb5ba8c80a59e33ba06bfc4e6a2a0a193840ee83919074bd2c54db23350de2ffef20114928be5d37cb2084
-
memory/1868-129-0x0000000004970000-0x0000000004971000-memory.dmpFilesize
4KB
-
memory/1868-133-0x00000000070C0000-0x0000000007145000-memory.dmpFilesize
532KB
-
memory/1868-122-0x0000000007160000-0x00000000071E6000-memory.dmpFilesize
536KB
-
memory/1868-124-0x0000000000400000-0x00000000008A6000-memory.dmpFilesize
4.6MB
-
memory/1868-123-0x0000000077A00000-0x0000000077B8E000-memory.dmpFilesize
1.6MB
-
memory/1868-125-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/1868-126-0x00000000049A0000-0x00000000049A1000-memory.dmpFilesize
4KB
-
memory/1868-127-0x00000000049B0000-0x00000000049B1000-memory.dmpFilesize
4KB
-
memory/1868-128-0x00000000049C0000-0x00000000049C1000-memory.dmpFilesize
4KB
-
memory/1868-118-0x0000000000000000-mapping.dmp
-
memory/1868-130-0x0000000004990000-0x0000000004991000-memory.dmpFilesize
4KB
-
memory/1868-131-0x0000000004980000-0x0000000004981000-memory.dmpFilesize
4KB
-
memory/1868-132-0x0000000007150000-0x0000000007151000-memory.dmpFilesize
4KB
-
memory/1868-143-0x0000000007158000-0x000000000715A000-memory.dmpFilesize
8KB
-
memory/1868-134-0x0000000007152000-0x0000000007153000-memory.dmpFilesize
4KB
-
memory/1868-135-0x0000000007153000-0x0000000007154000-memory.dmpFilesize
4KB
-
memory/1868-136-0x00000000071F0000-0x00000000071F1000-memory.dmpFilesize
4KB
-
memory/1868-137-0x0000000007740000-0x0000000007741000-memory.dmpFilesize
4KB
-
memory/1868-139-0x0000000004F90000-0x0000000004F91000-memory.dmpFilesize
4KB
-
memory/1868-138-0x0000000007154000-0x0000000007156000-memory.dmpFilesize
8KB
-
memory/1868-140-0x0000000007910000-0x0000000007911000-memory.dmpFilesize
4KB
-
memory/1868-142-0x0000000008770000-0x00000000087CE000-memory.dmpFilesize
376KB
-
memory/2196-121-0x0000000002C50000-0x0000000002C51000-memory.dmpFilesize
4KB
-
memory/2196-115-0x0000000000000000-mapping.dmp
-
memory/4412-141-0x0000000000000000-mapping.dmp