Analysis
-
max time kernel: 470s
max time network: 486s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted
12-09-2022 02:08
Static task
static1
Behavioral task
behavioral1
Sample
Val0ader.CL.1.5-F.exe
Resource
win10-20220812-en
General
-
Target
Val0ader.CL.1.5-F.exe
-
Size
36.8MB
-
MD5
4cf5e4a30cbb2664083e38ff54761c84
-
SHA1
fbd57eca4462966c1216df382c3be6b9e8754a2f
-
SHA256
cdd2cab3b753dd1a2f583f14dae86457593c6114d9e69e0e41533fcc3af450fc
-
SHA512
b1f4d82663d6289aaf8bcbd419295614c2f7c47f12ebcd3a1d7ad04a1f85049f02788a9e312ee5264aab7dc38252bf9cfd3843b6161e088b1eb53bfa8a31bfdc
-
SSDEEP
393216:PudOqgHWtfcf5DAh9m0LRiHrzSbGpmdXnfbm4vgOEKXDmfU4kpf/ZrYsK1/QYCvz:Pie2YxA1gUuUh/ZrYf6I3tjUP2jO
Malware Config
Extracted: C:\Program Files\7-Zip\History.txt
Extracted (mercurialgrabber): https://discord.com/api/webhooks/998600095366918235/cbWfFYMCBIAPEQhltUMcv31Z8CeEMlvhVHZOkZOwvyZcZiILj3vj60uL_Wa0pDVyeRTw
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
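The "Extracted" webhook above is the single most useful indicator in this report: a Mercurial Grabber build exfiltrates everything it collects with HTTP POSTs to that URL, so recovering and validating it from a sample or a memory dump is the first triage step. The Python below is an added example, not part of the sandbox report or of Mercurial Grabber's own code. It searches both the raw bytes and a UTF-16LE view (how .NET stores string literals) for Discord webhook URLs, keeps the lowest file offset for each, and produces a defanged form for sharing. The snowflake length (17 to 20 digits) is a known property of Discord ids; the token length range {50,90} is a loose assumption around the 68-character token seen above. The input bytes are constructed, not taken from the real sample.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Shape of a Discord webhook URL: /api/webhooks/<snowflake id>/<token>.
# The id is a 17-20 digit snowflake; the token in this report is 68 chars of
# base64url alphabet, so the {50,90} range is a deliberately loose assumption.
WEBHOOK_RE = re.compile(
    rb"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/"
    rb"(\d{17,20})/([A-Za-z0-9_\-]{50,90})"
)


@dataclass(frozen=True)
class Webhook:
    url: str
    webhook_id: str
    token: str
    encoding: str   # "utf-8" or "utf-16-le": which view of the file it was found in
    offset: int     # byte offset in the original blob

    def defanged(self) -> str:
        """Form safe to paste into a report: hxxps scheme, token truncated."""
        return (self.url.replace("https://", "hxxps://")
                        .replace(self.token, self.token[:6] + "..."))


def _utf16le_view(blob: bytes, align: int) -> bytes:
    """Collapse UTF-16LE ASCII code units (byte, 0x00) into single bytes so the
    ASCII regex can match .NET string literals. Anything that is not printable
    ASCII becomes 0x00, which cannot occur inside a URL and so acts as a separator.
    `align` (0 or 1) handles strings that start on an odd file offset."""
    view = bytearray()
    for lo, hi in zip(blob[align::2], blob[align + 1::2]):
        view.append(lo if hi == 0 and 0x20 <= lo < 0x7F else 0)
    return bytes(view)


def extract_webhooks(blob: bytes) -> list[Webhook]:
    """Return every distinct Discord webhook in blob, ordered by file offset."""
    hits = {}
    views = [("utf-8", blob, lambda i: i)]
    for align in (0, 1):
        views.append(("utf-16-le", _utf16le_view(blob, align),
                      lambda i, a=align: 2 * i + a))
    for encoding, data, to_offset in views:
        for m in WEBHOOK_RE.finditer(data):
            url = m.group(0).decode("ascii")
            hit = Webhook(url, m.group(1).decode(), m.group(2).decode(),
                          encoding, to_offset(m.start()))
            # keep the first (lowest-offset) sighting of each URL
            if url not in hits or hit.offset < hits[url].offset:
                hits[url] = hit
    return sorted(hits.values(), key=lambda w: w.offset)


# Constructed test input (not bytes from the real sample): a fake PE header,
# one webhook stored as a UTF-16LE .NET string literal, junk bytes, then one
# webhook inside an ASCII JSON config. Ids and tokens are placeholders.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + ("https://discord.com/api/webhooks/000000000000000001/" + "A" * 68).encode("utf-16-le")
    + b"\x00\x00" + b"\xff" * 7
    + b'{"webhook":"https://canary.discord.com/api/webhooks/000000000000000002/' + b"B" * 68 + b'"}'
)

if __name__ == "__main__":
    for w in extract_webhooks(SAMPLE):
        print(f"{w.offset:#08x} {w.encoding:10} id={w.webhook_id} {w.defanged()}")
```

Run it against the unpacked binary or a process dump of output.exe rather than the 36.8MB dropper: packed or bundled builds often only reveal the string after unpacking. Treat any extracted webhook as live and report it to Discord for takedown rather than probing it; a GET against the URL returns the webhook's metadata and can be logged by the operator.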
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
  488   output.exe
  2224  7z2107-x64.exe
Registers COM server for autorun 1 TTPs 3 IoCs
Processes (all 7z2107-x64.exe):
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"
Note: every IoC under this signature belongs to 7z2107-x64.exe, which registers the "7-Zip Shell Extension" in-process COM server (see "Modifies registry class" below); nothing here is attributed to the sample or to output.exe. Whether that installer is a genuine 7-Zip 21.07 build cannot be decided from this report alone; compare its hashes (Downloads section) with the vendor's published values before discounting the hit.
Loads dropped DLL 2 IoCs
Processes:
  3768  Val0ader.CL.1.5-F.exe
  3768  Val0ader.CL.1.5-F.exe
Note: the two native modules listed under Downloads, \Users\Admin\AppData\Local\Temp\pkg\53b88af8a78050718e1a282af077701921f1e2c7e0b4592d197eab2018240282\better-sqlite3\build\Release\better_sqlite3.node and \Users\Admin\AppData\Local\Temp\pkg\81aab2bb7227d24493d1f0d2483a307be716c84a733b54f69e671071715e10c2\win-dpapi\build\Release\node-dpapi.node, are Node.js addons unpacked into pkg\<sha256>\ directories, the layout the Node.js "pkg" bundler uses for native modules. That is consistent with the 36.8MB sample being a bundled Node.js application, and SQLite plus DPAPI is exactly the pair needed to read a Chromium "Login Data" database and decrypt its master key.
Modifies file permissions 1 TTPs 5 IoCs
Processes:
  3532  takeown.exe
  3848  takeown.exe
  1820  takeown.exe
  984   takeown.exe
  2652  takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 286  ip4.seeip.org
  flow 287  ip4.seeip.org
  flow 288  ip-api.com
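Infostealers query these services to stamp the victim's public IP (and, from ip-api.com, geolocation) onto the report they exfiltrate, so the lookup usually happens seconds before the webhook POST. The detection logic below is an added example, not taken from the report or from any vendor rule set. It walks Sysmon Event ID 22 (DnsQuery) records serialised as JSON lines, raises a medium alert when a non-browser process resolves an IP-lookup service, and a high alert when the same PID then resolves a Discord webhook host within a short window. The two hostnames from this report are included; the other lookup hosts, the browser allow-list and the sample events are my additions and are constructed, not real telemetry.

```python
import json
from datetime import datetime, timedelta

# ip4.seeip.org and ip-api.com are the two services observed in this report; the
# rest are other common "what is my IP" endpoints added here as an assumption.
IP_LOOKUP_HOSTS = {
    "ip4.seeip.org", "ip-api.com",
    "api.ipify.org", "ifconfig.me", "icanhazip.com", "ipinfo.io", "checkip.amazonaws.com",
}
# Hosts a Discord webhook POST resolves to.
WEBHOOK_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}
# Browsers visit these sites legitimately; keep them out of the medium-severity alert.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}


def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _parse_time(s):
    # Sysmon UtcTime looks like "2022-09-12 02:10:31.123"
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def detect_ip_lookups(lines, window=timedelta(minutes=5)):
    """Scan Sysmon Event ID 22 (DnsQuery) records serialised as JSON lines.

    Returns (severity, pid, image, reason) tuples:
      medium  a non-browser process queried an external-IP lookup service
      high    the same process then queried a Discord webhook host within `window`
    """
    events = sorted((json.loads(line) for line in lines if line.strip()),
                    key=lambda e: e["UtcTime"])
    last_lookup = {}  # pid -> (time of lookup, lookup host)
    alerts = []
    for e in events:
        pid, image = e["ProcessId"], _image_name(e["Image"])
        host, t = e["QueryName"].lower(), _parse_time(e["UtcTime"])
        if host in IP_LOOKUP_HOSTS:
            if image in BROWSERS:
                continue
            last_lookup[pid] = (t, host)
            alerts.append(("medium", pid, image, f"external IP lookup via {host}"))
        elif host in WEBHOOK_HOSTS and pid in last_lookup:
            t0, lookup_host = last_lookup[pid]
            if t - t0 <= window:
                delay = (t - t0).total_seconds()
                alerts.append(("high", pid, image,
                               f"{lookup_host} lookup followed by {host} after {delay:.0f}s"))
                del last_lookup[pid]  # one high alert per lookup
    return alerts


# Constructed sample events (not from the report). Field names follow Sysmon
# Event ID 22; PIDs and image paths mirror the processes in this analysis.
SAMPLE_EVENTS = [
    json.dumps({"UtcTime": "2022-09-12 02:10:01.000", "ProcessId": 2052,
                "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "ip-api.com"}),
    json.dumps({"UtcTime": "2022-09-12 02:10:30.120", "ProcessId": 488,
                "Image": r"C:\Users\Admin\Downloads\output.exe", "QueryName": "ip4.seeip.org"}),
    json.dumps({"UtcTime": "2022-09-12 02:10:30.540", "ProcessId": 488,
                "Image": r"C:\Users\Admin\Downloads\output.exe", "QueryName": "ip-api.com"}),
    json.dumps({"UtcTime": "2022-09-12 02:10:32.900", "ProcessId": 488,
                "Image": r"C:\Users\Admin\Downloads\output.exe", "QueryName": "discord.com"}),
    json.dumps({"UtcTime": "2022-09-12 02:11:00.000", "ProcessId": 6100,
                "Image": r"C:\Users\Admin\AppData\Local\Discord\Discord.exe", "QueryName": "discord.com"}),
]

if __name__ == "__main__":
    for severity, pid, image, reason in detect_ip_lookups(SAMPLE_EVENTS):
        print(f"[{severity:6}] pid={pid:<5} {image:12} {reason}")
```

The Discord desktop client resolving discord.com on its own produces nothing, which is the point of the correlation: a webhook host alone is noise on a gaming machine, but an IP lookup immediately followed by one from the same PID is the stealer's report going out.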
Drops file in Program Files directory 64 IoCs
Processes (all 7z2107-x64.exe):
  File opened for modification, under C:\Program Files\7-Zip\:
    7z.sfx, 7zG.exe, 7-zip.chm, Uninstall.exe, History.txt, 7z.dll, readme.txt, 7-zip.dll.tmp, 7-zip32.dll, 7z.exe
  File opened for modification, under C:\Program Files\7-Zip\Lang\:
    en.ttt, es.txt, pt-br.txt, vi.txt, ca.txt, eu.txt, is.txt, ug.txt, kab.txt, lt.txt, sr-spc.txt, uz-cyrl.txt, an.txt, ja.txt, ku-ckb.txt, uk.txt, sv.txt, ast.txt, be.txt, de.txt, he.txt, lij.txt, hr.txt, ky.txt, pa-in.txt, tr.txt, ar.txt, bg.txt, br.txt, io.txt, ms.txt, ta.txt, eo.txt, ka.txt, sa.txt, it.txt, co.txt, sk.txt, az.txt, cs.txt, da.txt, ext.txt, id.txt, fur.txt, ga.txt, mn.txt, zh-cn.txt, zh-tw.txt, va.txt, af.txt, cy.txt
  File created:
    C:\Program Files\7-Zip\7-zip.dll.tmp
    C:\Program Files\7-Zip\7-zip.dll
    C:\Program Files\7-Zip\Lang\sw.txt
Drops file in Windows directory 2 IoCs
Processes (all taskmgr.exe):
  File created  C:\Windows\rescache\_merged\4183903823\810424605.pri
  File created  C:\Windows\rescache\_merged\1601268389\3877292338.pri
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature text flags this as likely ransomware behaviour, but the report attributes no process to this hit and records no encryption or mass file modification (the only bulk file writes are the 7-Zip installer's), so it should not be read as ransomware activity here.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run all three reads are attributed to taskmgr.exe, which appears in the process tree as an independently started root process rather than as a child of the sample, so this hit is weak evidence of sandbox evasion by the sample itself.
Processes (all taskmgr.exe):
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments. Here seven of the nine reads come from firefox.exe and taskmgr.exe, both root processes in the tree; only output.exe's ProcessorNameString read belongs to the downloaded payload, and a single CPU-name read is also what a stealer does to fill in the "system information" section of its report.
Processes:
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier      firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   output.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature      firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision       firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                  firefox.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       taskmgr.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       firefox.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       output.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
  4632  tasklist.exe
  2748  tasklist.exe
Modifies registry class 22 IoCs
Processes:
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}                                                   7z2107-x64.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"        7z2107-x64.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"           7z2107-x64.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"            7z2107-x64.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"  7z2107-x64.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip                                                    7z2107-x64.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip                                                       7z2107-x64.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip                                                       7z2107-x64.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"           7z2107-x64.exe
  Key created      \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings                                                taskmgr.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}                                       7z2107-x64.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32                        7z2107-x64.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"  7z2107-x64.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"       7z2107-x64.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"                7z2107-x64.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"               7z2107-x64.exe
  Key created      \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings                                                firefox.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"                        7z2107-x64.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32                                    7z2107-x64.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"  7z2107-x64.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip                                                            7z2107-x64.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip                                                           7z2107-x64.exe
NTFS ADS 2 IoCs
Processes (all firefox.exe):
  File created  C:\Users\Admin\Downloads\output.exe:Zone.Identifier
  File created  C:\Users\Admin\Downloads\7z2107-x64.exe:Zone.Identifier
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  1884  vlc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (64 entries):
  4784  powershell.exe          (3 entries)
  3768  Val0ader.CL.1.5-F.exe   (6 entries)
  1016  taskmgr.exe             (remaining 55 entries)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
  1884  vlc.exe
  1016  taskmgr.exe
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
  Token: SeDebugPrivilege            4784  powershell.exe
  Token: SeDebugPrivilege            2748  tasklist.exe
  Token: SeDebugPrivilege            4632  tasklist.exe
  Token: SeDebugPrivilege            1016  taskmgr.exe
  Token: SeSystemProfilePrivilege    1016  taskmgr.exe
  Token: SeCreateGlobalPrivilege     1016  taskmgr.exe
  Token: SeDebugPrivilege            2052  firefox.exe   (4 entries)
  Token: SeDebugPrivilege            488   output.exe
  Token: 33                          1016  taskmgr.exe
  Token: SeIncBasePriorityPrivilege  1016  taskmgr.exe
  Token: SeDebugPrivilege            2052  firefox.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (64 entries):
  1884  vlc.exe       (4 entries)
  1016  taskmgr.exe   (remaining 57 entries)
  2052  firefox.exe   (3 entries)
Suspicious use of SendNotifyMessage 64 IoCs
Processes (64 entries):
  1884  vlc.exe       (3 entries)
  1016  taskmgr.exe   (remaining 58 entries)
  2052  firefox.exe   (3 entries)
Suspicious use of SetWindowsHookEx 21 IoCs
Processes (21 entries):
  1884  vlc.exe           (1 entry)
  2052  firefox.exe       (19 entries)
  2224  7z2107-x64.exe    (1 entry)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (64 entries, source PID -> target PID):
  3768 Val0ader.CL.1.5-F.exe  -> 4764 cmd.exe          (2 entries)
  4764 cmd.exe                -> 4768 cmd.exe          (2 entries)
  4764 cmd.exe                -> 4784 powershell.exe   (2 entries)
  4784 powershell.exe         -> 4136 csc.exe          (2 entries)
  4136 csc.exe                -> 4304 cvtres.exe       (2 entries)
  3768 Val0ader.CL.1.5-F.exe  -> 3608 cmd.exe          (2 entries)
  3608 cmd.exe                -> 2748 tasklist.exe     (2 entries)
  3768 Val0ader.CL.1.5-F.exe  -> 3060 cmd.exe          (2 entries)
  3060 cmd.exe                -> 4632 tasklist.exe     (2 entries)
  2248 firefox.exe            -> 2052 firefox.exe      (9 entries)
  2052 firefox.exe            -> 2636 firefox.exe      (2 entries)
  2052 firefox.exe            -> 4896 firefox.exe      (remaining 35 entries)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\Val0ader.CL.1.5-F.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Val0ader.CL.1.5-F.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell.exe -noprofile -
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qt2lnd4s\qt2lnd4s.cmdline"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FA7.tmp" "c:\Users\Admin\AppData\Local\Temp\qt2lnd4s\CSC32991452AC9D4E2099FF6F93C44E1DD.TMP"
  [2] C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\tasklist.exe
        cmdline: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\tasklist.exe
        cmdline: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\rundll32.exe
    cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Program Files\VideoLAN\VLC\vlc.exe
    cmdline: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\CheckpointHide.mp4"
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\taskmgr.exe
    cmdline: "C:\Windows\system32\taskmgr.exe" /4
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[1] C:\Program Files\Mozilla Firefox\firefox.exe
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry
      - Modifies registry class
      - NTFS ADS
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.0.1704711340\813273425" -parentBuildID 20200403170909 -prefsHandle 1556 -prefMapHandle 1544 -prefsLen 1 -prefMapSize 220115 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 1644 gpu
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.3.2063232443\915437027" -childID 1 -isForBrowser -prefsHandle 2208 -prefMapHandle 2228 -prefsLen 122 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 1796 tab
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.13.1310599383\976329756" -childID 2 -isForBrowser -prefsHandle 3348 -prefMapHandle 3344 -prefsLen 6904 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 3332 tab

[1] C:\Users\Admin\Downloads\output.exe
    cmdline: "C:\Users\Admin\Downloads\output.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\Downloads\7z2107-x64.exe
    cmdline: "C:\Users\Admin\Downloads\7z2107-x64.exe"
    - Executes dropped EXE
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\taskmgr.exe
    cmdline: "C:\Windows\system32\taskmgr.exe" /4

[1] C:\Windows\system32\cmd.exe
    cmdline: "C:\Windows\system32\cmd.exe"
  [2] C:\Windows\system32\takeown.exe
      cmdline: takeown /fC:\Windows\System32
      - Modifies file permissions
  [2] C:\Windows\system32\takeown.exe
      cmdline: takeown /C:\Windows\System32
      - Modifies file permissions
  [2] C:\Windows\system32\takeown.exe
      cmdline: takeown /C:\Windows\System32
      - Modifies file permissions
  [2] C:\Windows\system32\takeown.exe
      cmdline: takeown C:\Windows\System32
      - Modifies file permissions
  [2] C:\Windows\system32\takeown.exe
      cmdline: takeown /fC:\Windows\System32
      - Modifies file permissions
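Two patterns in the tree above are worth turning into rules regardless of this particular sample. First, the dropper runs cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -": the script body is piped to PowerShell on stdin, so the command line shows neither a .ps1 path nor an -EncodedCommand blob, and PowerShell then spawns csc.exe and cvtres.exe with a .cmdline file under %TEMP%, the footprint of compiling C# on the fly (the Add-Type pattern). Second, the sample reaches tasklist only through cmd.exe, so a rule on the direct parent misses it; the interesting ancestor is the first non-shell process, which here lives under %TEMP%. The Python below is an added example, not part of the report: it builds a process tree from Sysmon-style Event ID 1 records and applies four rules, covering those two patterns plus the takeown runs against C:\Windows\System32 at the end of the tree. The events are constructed from this report's PIDs and command lines; the parent PIDs of root processes, the recon-tool list and the user-writable path pattern are my assumptions.

```python
import re

# Constructed Sysmon-style Event ID 1 (process create) records modelled on the
# process tree in this report. PIDs and command lines come from the report;
# parents of the root processes (1234, 900, 2248) are placeholders.
EVENTS = [
    {"ProcessId": 3768, "ParentProcessId": 1234,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\Val0ader.CL.1.5-F.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\Val0ader.CL.1.5-F.exe"'},
    {"ProcessId": 4764, "ParentProcessId": 3768, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"'},
    {"ProcessId": 4784, "ParentProcessId": 4764,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -noprofile -"},
    {"ProcessId": 4136, "ParentProcessId": 4784,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qt2lnd4s\qt2lnd4s.cmdline"'},
    {"ProcessId": 3608, "ParentProcessId": 3768, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /d /s /c "tasklist"'},
    {"ProcessId": 2748, "ParentProcessId": 3608, "Image": r"C:\Windows\system32\tasklist.exe",
     "CommandLine": "tasklist"},
    {"ProcessId": 5000, "ParentProcessId": 900, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe"'},
    {"ProcessId": 3532, "ParentProcessId": 5000, "Image": r"C:\Windows\system32\takeown.exe",
     "CommandLine": r"takeown /fC:\Windows\System32"},
    {"ProcessId": 2052, "ParentProcessId": 2248, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "conhost.exe"}
RECON_TOOLS = {"tasklist.exe", "whoami.exe", "systeminfo.exe", "net.exe", "ipconfig.exe"}
# Assumed definition of "user-writable": profile subfolders a dropper typically lands in.
USER_WRITABLE = re.compile(r"(?i)^[A-Z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\")
SYSTEM_DIR = re.compile(r"(?i)[A-Z]:\\Windows\\System32(\\|\s|$)")


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return (rule, pid, detail) tuples for the process-tree patterns seen in this report."""
    by_pid = {e["ProcessId"]: e for e in events}

    def ancestors(e):
        # Walk parent links while they resolve; `seen` guards against PID reuse loops.
        seen = set()
        while e["ParentProcessId"] in by_pid and e["ProcessId"] not in seen:
            seen.add(e["ProcessId"])
            e = by_pid[e["ParentProcessId"]]
            yield e

    alerts = []
    for e in events:
        img, cmd, pid = image_name(e["Image"]), e["CommandLine"], e["ProcessId"]
        parent = by_pid.get(e["ParentProcessId"])
        parent_img = image_name(parent["Image"]) if parent else ""

        # 1. "powershell.exe -": the script arrives on stdin, so neither a .ps1 path
        #    nor an -EncodedCommand blob is visible in the command line.
        if img == "powershell.exe" and cmd.rstrip().endswith(" -"):
            alerts.append(("powershell_stdin_script", pid, f"parent {parent_img}: {cmd}"))
        # 2. csc.exe under powershell.exe: C# compiled on the fly (Add-Type pattern).
        if img == "csc.exe" and parent_img == "powershell.exe":
            alerts.append(("inline_csharp_compile", pid, cmd))
        # 3. takeown against the system directory, however the argument was spelled.
        if img == "takeown.exe" and SYSTEM_DIR.search(cmd):
            alerts.append(("takeown_system_dir", pid, cmd))
        # 4. Recon tool reached through a shell from a binary in a user-writable path.
        if img in RECON_TOOLS:
            origin = next((a for a in ancestors(e) if image_name(a["Image"]) not in SHELLS), None)
            if origin and USER_WRITABLE.match(origin["Image"]):
                alerts.append(("recon_from_user_writable_binary", pid,
                               f"{img} via shell from {origin['Image']}"))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Rule 4 is the one that needs the tree: drop the Val0ader.CL.1.5-F.exe record and tasklist.exe's only visible ancestor is cmd.exe, so nothing fires, which is the correct outcome when telemetry for the origin process is missing rather than a false positive on an administrator's shell.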
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES6FA7.tmp
  Filesize  1KB
  MD5       665758f5fb601b808293e8069043d360
  SHA1      561fb12e55a91f24efd0efbe008267412e094308
  SHA256    250754cd6af41d80fae854d7bd78b7ebcc6151c7f3c45d5927ee3dbd40b3daec
  SHA512    9c017f7c1999fa38a2160bc66742b69c6123d5f683d39a15052a11ae77888786f38788c2b408ef36c958059f3d800e028828eeeb1cd669558a425f4b136fff2d
-
C:\Users\Admin\AppData\Local\Temp\qt2lnd4s\qt2lnd4s.dll
  Filesize  3KB
  MD5       08b13cdf0f3c6a9ca451e45c58b32b5d
  SHA1      07c27ff4028634d0f51f39e1d4619e6af67d2add
  SHA256    01feecb6b35b51bf14f11701dfbb68eed7df2ff9909abd3375d18b8c1a61edbe
  SHA512    9f7ed8457fff6e4676f53d846f9cf27812a70edae67a97e2d298e9b7500482ff815a81813fc494afe983f5ae98c97a3c1d0079c156371325efae96e4551ce5d8
-
C:\Users\Admin\AppData\Local\Temp\temp.ps1
  Filesize  419B
  MD5       bf77c98084bde13aa379a5527a0f5850
  SHA1      8a4d1307c3952d00ab3279baee4a03f899de7f1c
  SHA256    c88eb353b4e1fe7f02529f9e8b48b21cee2c813674b32843136861f885053e3f
  SHA512    8237fb209695c2568f4d3ada3181eb9a65ad16140896a5f8013ae267048ecd6994cddb25fc7ca0849bb0c484ba7be7a738a3ca0cad6e85d75587c4a2c37c60ef
-
C:\Users\Admin\Downloads\7z2107-x64.exe
  Filesize  1.5MB
  MD5       49839f0c227b5f9399b59f6ae94a7c7b
  SHA1      332620e2e360d471736d714f3f5781354702d9a1
  SHA256    0b461f0a0eccfc4f39733a80d70fd1210fdd69f600fb6b657e03940a734e5fc1
  SHA512    4d406ddd257a28ab1521e0e28c20699a764d7a3d3c3651e9b080cbdb6dae2f7c348452b2946a1e16b00424f67b769fe44c54a9b94e9124fa219bbe2a544ee82b
-
C:\Users\Admin\Downloads\output.exe
  Filesize  41KB
  MD5       348036564062061947766020f527c1c7
  SHA1      14bcddc513e71261a275573d896acf7adfdd13fb
  SHA256    cf82aa6c88b9c40f987d3f862ebfdd1915aaa749416174a0b13093b1e2f1a0ee
  SHA512    47fed975c5733695227dbe754c79b392536bf3b2158e272f66d365c120ba0f02c26aff3cc5798b81a6aa96f0a9df9aa8cd3f4f7cdead61a01f7abdb95a5462aa
-
\??\c:\Users\Admin\AppData\Local\Temp\qt2lnd4s\CSC32991452AC9D4E2099FF6F93C44E1DD.TMP
  Filesize  652B
  MD5       74aebc95a015a1b143ac329d1d3d7b49
  SHA1      a2914b1085334db022f66cbe85c0aa250bd3ec85
  SHA256    054dbe7547d34da6fdfa9627a5541d03445b3cc69144dfe9e95091aab5d05d54
  SHA512    7c40c1b676c70f9e30254e8b121e0108817e1a6e6593c859a54bb75ef750ccacc0a20a79d3751d299e3621615cf40f5fdff3b8fa795f5ea33137391b2f0a7943
-
\??\c:\Users\Admin\AppData\Local\Temp\qt2lnd4s\qt2lnd4s.0.cs
  Filesize  331B
  MD5       290cee718da5975e051415a46af47a4a
  SHA1      8099250c47bb93d821def350b467521e7cf8d5de
  SHA256    26d220f0926af717fb195e1ec05f2ecccee3fbd37fa92148774bb5604557c9c9
  SHA512    306d86ec0c4bc64594b4ca336822030926eaea0873ccdbcf989a721d307b19831761a15b3a222f6ec0dcc44ba0fbacac6ffbe7da0f7a447d5d34d76f3f029510
-
\??\c:\Users\Admin\AppData\Local\Temp\qt2lnd4s\qt2lnd4s.cmdline
  Filesize  369B
  MD5       139ae8dfca87bfc0128f456e2d4c25f3
  SHA1      de13500d63c2b7777bc70780019d05b029c33458
  SHA256    4bd5d43d99a0632659f2554aee3bf607749bc2d0d2f96b0edbd52753f4fb1b16
  SHA512    a2fdb366a4f2cba0efb4fe55d5130ec209cde4cbbe2f72a526070d334349492063794f67c7dcddb404b3e48a5103b85823da37711f3782bdf156457fe7cec670
-
\??\c:\users\admin\downloads\7z2107-x64.exe
  Filesize  1.5MB
  MD5       49839f0c227b5f9399b59f6ae94a7c7b
  SHA1      332620e2e360d471736d714f3f5781354702d9a1
  SHA256    0b461f0a0eccfc4f39733a80d70fd1210fdd69f600fb6b657e03940a734e5fc1
  SHA512    4d406ddd257a28ab1521e0e28c20699a764d7a3d3c3651e9b080cbdb6dae2f7c348452b2946a1e16b00424f67b769fe44c54a9b94e9124fa219bbe2a544ee82b
-
\Users\Admin\AppData\Local\Temp\pkg\53b88af8a78050718e1a282af077701921f1e2c7e0b4592d197eab2018240282\better-sqlite3\build\Release\better_sqlite3.node
  Filesize  2.6MB
  MD5       4b25dfb983845ff57360c720a429eef4
  SHA1      51a9cad777b37f1c521c6d50b6f49379fb6d0a06
  SHA256    53b88af8a78050718e1a282af077701921f1e2c7e0b4592d197eab2018240282
  SHA512    b808133885ef35cba2ea81d37a9f996b121a91e459c68cf5b98cab2a53f783927a0023ecc095b5664fef1bcd463f8b8b42b51f8511fda25e21141693aed4ec77
-
\Users\Admin\AppData\Local\Temp\pkg\81aab2bb7227d24493d1f0d2483a307be716c84a733b54f69e671071715e10c2\win-dpapi\build\Release\node-dpapi.node
  Filesize  141KB
  MD5       dc92b8e77d869866a6af82409fae0af2
  SHA1      a0edf2ddf35304854a134eac14637239fe319292
  SHA256    81aab2bb7227d24493d1f0d2483a307be716c84a733b54f69e671071715e10c2
  SHA512    dbfb1656b9aeb116993e9034d8a422a8d61d89f861221e15491d8dde04231eaa357573de59eab65b49533e03f06699a508dd27ed6b85ac94c882f505d22a0bdb
-
memory/488-254-0x0000000000730000-0x0000000000740000-memory.dmp
Filesize: 64KB
-
memory/984-311-0x0000000000000000-mapping.dmp
-
memory/1820-310-0x0000000000000000-mapping.dmp
-
memory/2224-291-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-279-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-307-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-306-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-305-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-304-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-303-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-302-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-301-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-300-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-256-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-257-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-299-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-258-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-260-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-261-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-262-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-263-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-264-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-265-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-266-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-267-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-268-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-270-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-269-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-271-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-272-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-273-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-274-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-275-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-276-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-277-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-278-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-298-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-280-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-281-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-282-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-283-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-284-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-285-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-286-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-287-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-288-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-289-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-290-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-297-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-292-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-293-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-294-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-295-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2224-296-0x0000000077550000-0x00000000776DE000-memory.dmp
Filesize: 1.6MB
-
memory/2652-312-0x0000000000000000-mapping.dmp
-
memory/2748-249-0x0000000000000000-mapping.dmp
-
memory/3060-250-0x0000000000000000-mapping.dmp
-
memory/3532-308-0x0000000000000000-mapping.dmp
-
memory/3608-248-0x0000000000000000-mapping.dmp
-
memory/3848-309-0x0000000000000000-mapping.dmp
-
memory/4136-216-0x0000000000000000-mapping.dmp
-
memory/4304-219-0x0000000000000000-mapping.dmp
-
memory/4632-251-0x0000000000000000-mapping.dmp
-
memory/4764-118-0x0000000000000000-mapping.dmp
-
memory/4768-119-0x0000000000000000-mapping.dmp
-
memory/4784-157-0x00000233452C0000-0x0000023345336000-memory.dmp
Filesize: 472KB
-
memory/4784-146-0x0000023344D20000-0x0000023344D5C000-memory.dmp
Filesize: 240KB
-
memory/4784-127-0x00000233442F0000-0x0000023344312000-memory.dmp
Filesize: 136KB
-
memory/4784-120-0x0000000000000000-mapping.dmp
-
memory/4784-223-0x0000023344320000-0x0000023344328000-memory.dmp
Filesize: 32KB