Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
19-01-2023 04:34
General
-
Target
tmp.exe
-
Size
235KB
-
MD5
77e0a0a90e0231493bd421f4cdab0668
-
SHA1
b09f8951b42a2993b637df9e41f6a25be106c2cb
-
SHA256
75520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
-
SHA512
d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
-
SSDEEP
6144:FSfSsOzqs7nAV3QN2tW0J3SluVy3VYygXqgkX:hbN6J4uVy3V3ga
Malware Config
Extracted
amadey
3.66
62.204.41.27/9djZdj09/index.php
Extracted
redline
Dzokey1111111
82.115.223.9:15486
-
auth_value
a46fd18e8e0de86d363c12c2307db5e9
Extracted
redline
1
librchichelpai.shop:81
rniwondunuifac.shop:81
-
auth_value
b6c86adb7106e9ee7247628f59e06830
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Detected potential entity reuse from brand microsoft.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:R" /E4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:R" /E4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000016001\live1.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\live1.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=nbveek.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.04⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x94,0x108,0x7ffbdcb746f8,0x7ffbdcb74708,0x7ffbdcb747185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=nbveek.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.04⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbdcb746f8,0x7ffbdcb74708,0x7ffbdcb747185⤵
-
C:\Users\Admin\AppData\Local\Temp\1000018001\drown.exe"C:\Users\Admin\AppData\Local\Temp\1000018001\drown.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=nbveek.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.04⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbdcb746f8,0x7ffbdcb74708,0x7ffbdcb747185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4852 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5660 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings5⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x274,0x278,0x27c,0x234,0x280,0x7ff786055460,0x7ff786055470,0x7ff7860554806⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8128 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4948 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,2875666147334976605,3741833945717137558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3640 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=nbveek.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.04⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbdcb746f8,0x7ffbdcb74708,0x7ffbdcb747185⤵
-
C:\Users\Admin\AppData\Local\Temp\1000020001\drown1.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\drown1.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000023001\rumba8.exe"C:\Users\Admin\AppData\Local\Temp\1000023001\rumba8.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\2bBOps.cPl",4⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2bBOps.cPl",5⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2bBOps.cPl",6⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\2bBOps.cPl",7⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main4⤵
- Loads dropped DLL
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5472 -s 6805⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main3⤵
- Loads dropped DLL
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeC:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 412 -p 5472 -ip 54721⤵
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeC:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5d46ac3d95ec929266535e7263b2d696a
SHA12c5130116c7a9f2ab5fa5b46a845dd1c637cc0dc
SHA256759dcb44adb9e6623d48b354451ada4d1069c0de091f86b7b7183cd9b5043dbd
SHA512776f36684418238f92cdadf435a614deeda4e65d5fa357d0322be3ab8663aea31f6b4bb1e549e54f0c5aea3c81617adff7f32943831839129b498576641ad828
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5d46ac3d95ec929266535e7263b2d696a
SHA12c5130116c7a9f2ab5fa5b46a845dd1c637cc0dc
SHA256759dcb44adb9e6623d48b354451ada4d1069c0de091f86b7b7183cd9b5043dbd
SHA512776f36684418238f92cdadf435a614deeda4e65d5fa357d0322be3ab8663aea31f6b4bb1e549e54f0c5aea3c81617adff7f32943831839129b498576641ad828
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5d46ac3d95ec929266535e7263b2d696a
SHA12c5130116c7a9f2ab5fa5b46a845dd1c637cc0dc
SHA256759dcb44adb9e6623d48b354451ada4d1069c0de091f86b7b7183cd9b5043dbd
SHA512776f36684418238f92cdadf435a614deeda4e65d5fa357d0322be3ab8663aea31f6b4bb1e549e54f0c5aea3c81617adff7f32943831839129b498576641ad828
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesFilesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web DataFilesize
112KB
MD530e375798049100677ea16b7c578a4ee
SHA1bcab7401a5f34ac0e6f795ece8d3ed12944ae99f
SHA256ea5c90cfc97f429a2f9e0b1e9b16778b5b19bd8e83a896a30002de70af84e1ce
SHA512f8ae930e26ecfe06dc30d4f39858b0eec6b4a81a8139883712505b5c6b58504d463d986ef58c7151a247fe157c6013b570b9d39e1d4a860061e37e0419900582
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web DataFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\1000016001\live1.exeFilesize
175KB
MD5a46b9ecaf0fb91387054988c47fbf8c1
SHA1f1781c22b41e5984c4815f39f4975cac709a0742
SHA256fa9ae97004ea80cb0e0e345438fad97bdcb266fdf5d6252bb359357e5408a13a
SHA5123d44acd9ea65bc5a13bf59956219580911e0b29affe6398db999fda2b4ea5850409babe101f136b8a4142611b8d9cae8401a4385c44c81a4e47bb7926235facf
-
C:\Users\Admin\AppData\Local\Temp\1000016001\live1.exeFilesize
175KB
MD5a46b9ecaf0fb91387054988c47fbf8c1
SHA1f1781c22b41e5984c4815f39f4975cac709a0742
SHA256fa9ae97004ea80cb0e0e345438fad97bdcb266fdf5d6252bb359357e5408a13a
SHA5123d44acd9ea65bc5a13bf59956219580911e0b29affe6398db999fda2b4ea5850409babe101f136b8a4142611b8d9cae8401a4385c44c81a4e47bb7926235facf
-
C:\Users\Admin\AppData\Local\Temp\1000018001\drown.exeFilesize
175KB
MD5b10dadf011b7913109bb31b2cc50fdc6
SHA1b9a6bb3ea75fd43fc50fb3883cb5cba9d69dbe2c
SHA256d05045317e40a873374ffddd6c16a61dfc2211b0f91a44b21b7c8a88ff44351f
SHA5124f76550bd531e8547e02fb525363f95d08c1c659df0f7350ed05197468e3cbf48d9413b153c6f1e2a0c74d233768e7afe5785172683253ec8201c39b2fdc5c5b
-
C:\Users\Admin\AppData\Local\Temp\1000018001\drown.exeFilesize
175KB
MD5b10dadf011b7913109bb31b2cc50fdc6
SHA1b9a6bb3ea75fd43fc50fb3883cb5cba9d69dbe2c
SHA256d05045317e40a873374ffddd6c16a61dfc2211b0f91a44b21b7c8a88ff44351f
SHA5124f76550bd531e8547e02fb525363f95d08c1c659df0f7350ed05197468e3cbf48d9413b153c6f1e2a0c74d233768e7afe5785172683253ec8201c39b2fdc5c5b
-
C:\Users\Admin\AppData\Local\Temp\1000020001\drown1.exeFilesize
3.7MB
MD5f75ca2b1d2dfdc1394518565fdeea79c
SHA1d46c59044fcbd7622f369ed9ef4adcadd6d83f1c
SHA25690a61538166854064428335c2b2beecf44fca5979e8fee4db712fc0b09f4729a
SHA512dd20f1497a703aa6089bf239fe422f46ff14babeeedcdde0b88a0c63f1ce22e3ec518a138ec068cbd3e2eacd7ccc2bb28b7c7bfe2d9adacc182a287fd41ffa74
-
C:\Users\Admin\AppData\Local\Temp\1000020001\drown1.exeFilesize
3.7MB
MD5f75ca2b1d2dfdc1394518565fdeea79c
SHA1d46c59044fcbd7622f369ed9ef4adcadd6d83f1c
SHA25690a61538166854064428335c2b2beecf44fca5979e8fee4db712fc0b09f4729a
SHA512dd20f1497a703aa6089bf239fe422f46ff14babeeedcdde0b88a0c63f1ce22e3ec518a138ec068cbd3e2eacd7ccc2bb28b7c7bfe2d9adacc182a287fd41ffa74
-
C:\Users\Admin\AppData\Local\Temp\1000023001\rumba8.exeFilesize
1.3MB
MD5392935e64d5906f0226d55fbaa65b909
SHA186c1906bfaa0e4658ac7d6839285e6c0d8cb7c65
SHA25683246beebfe344d72bb10448e348921432a8a163fb52e72c1c2d815bfebeb8b1
SHA5123c86db7da4cf8ba9e95e3c77a685e9406f0409725816981f56633fb0b75b62135b383139d453fbadcc5eab8bdfec3c45ce928632099aa6f072ba6198ed4f375e
-
C:\Users\Admin\AppData\Local\Temp\1000023001\rumba8.exeFilesize
1.3MB
MD5392935e64d5906f0226d55fbaa65b909
SHA186c1906bfaa0e4658ac7d6839285e6c0d8cb7c65
SHA25683246beebfe344d72bb10448e348921432a8a163fb52e72c1c2d815bfebeb8b1
SHA5123c86db7da4cf8ba9e95e3c77a685e9406f0409725816981f56633fb0b75b62135b383139d453fbadcc5eab8bdfec3c45ce928632099aa6f072ba6198ed4f375e
-
C:\Users\Admin\AppData\Local\Temp\2bBOps.cPlFilesize
1.6MB
MD58bf1cc0e0ee5199fcae2d67befe1a453
SHA1a6446fa0529a72894b4935a0279634b07dc9faba
SHA256c2932f4a784fc74a6b82f9226aefaae25538e3b109b55e52e59403ce712c8dca
SHA51294459eb5bda2be00f4cd779aad30af48e87c711d43553ef823c36c9c1477806f49eae214c2821939972c70d9bb12ca36901ef9fd7f37a5bf30945298372c90bc
-
C:\Users\Admin\AppData\Local\Temp\2bBOps.cplFilesize
1.6MB
MD58bf1cc0e0ee5199fcae2d67befe1a453
SHA1a6446fa0529a72894b4935a0279634b07dc9faba
SHA256c2932f4a784fc74a6b82f9226aefaae25538e3b109b55e52e59403ce712c8dca
SHA51294459eb5bda2be00f4cd779aad30af48e87c711d43553ef823c36c9c1477806f49eae214c2821939972c70d9bb12ca36901ef9fd7f37a5bf30945298372c90bc
-
C:\Users\Admin\AppData\Local\Temp\2bBOps.cplFilesize
1.6MB
MD58bf1cc0e0ee5199fcae2d67befe1a453
SHA1a6446fa0529a72894b4935a0279634b07dc9faba
SHA256c2932f4a784fc74a6b82f9226aefaae25538e3b109b55e52e59403ce712c8dca
SHA51294459eb5bda2be00f4cd779aad30af48e87c711d43553ef823c36c9c1477806f49eae214c2821939972c70d9bb12ca36901ef9fd7f37a5bf30945298372c90bc
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD577e0a0a90e0231493bd421f4cdab0668
SHA1b09f8951b42a2993b637df9e41f6a25be106c2cb
SHA25675520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
SHA512d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD577e0a0a90e0231493bd421f4cdab0668
SHA1b09f8951b42a2993b637df9e41f6a25be106c2cb
SHA25675520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
SHA512d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD577e0a0a90e0231493bd421f4cdab0668
SHA1b09f8951b42a2993b637df9e41f6a25be106c2cb
SHA25675520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
SHA512d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD577e0a0a90e0231493bd421f4cdab0668
SHA1b09f8951b42a2993b637df9e41f6a25be106c2cb
SHA25675520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
SHA512d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD577e0a0a90e0231493bd421f4cdab0668
SHA1b09f8951b42a2993b637df9e41f6a25be106c2cb
SHA25675520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
SHA512d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exeFilesize
235KB
MD577e0a0a90e0231493bd421f4cdab0668
SHA1b09f8951b42a2993b637df9e41f6a25be106c2cb
SHA25675520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000
SHA512d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD51c79ebc079aaa45b861e584094dbeaf8
SHA1968615f24e34042148ec79fde65225f072fa46d9
SHA256262ba206fcb32a991500d7969ade188f9d8f765b4ead3a4a7c0df8bf726c3788
SHA512103774df0c92da9320d25b29d3246fe2deee333cf8e7e5db1ee5bb2e61cfd6c540e135543088f0ce3050659a7c8812fab6692973aa8cb3d48e851c9201daa3e8
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD51c79ebc079aaa45b861e584094dbeaf8
SHA1968615f24e34042148ec79fde65225f072fa46d9
SHA256262ba206fcb32a991500d7969ade188f9d8f765b4ead3a4a7c0df8bf726c3788
SHA512103774df0c92da9320d25b29d3246fe2deee333cf8e7e5db1ee5bb2e61cfd6c540e135543088f0ce3050659a7c8812fab6692973aa8cb3d48e851c9201daa3e8
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.0MB
MD5648156e11228956e243bfcc41607d2e5
SHA163c80eee09b512e46b850b43faa90e7824bc9e0d
SHA256edd2a8910c99b4b0c943563f1e27426330349b4db7ae911e276f3fe7880ee29b
SHA5124fdecae1b71660f33df6a44648374596c91fe2008d210cf7c6a3c23d749ba76ea992b01776236708be6d2b5caf8457a32ebbab47e66a4d550f6c1f1bbb94c086
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.0MB
MD5648156e11228956e243bfcc41607d2e5
SHA163c80eee09b512e46b850b43faa90e7824bc9e0d
SHA256edd2a8910c99b4b0c943563f1e27426330349b4db7ae911e276f3fe7880ee29b
SHA5124fdecae1b71660f33df6a44648374596c91fe2008d210cf7c6a3c23d749ba76ea992b01776236708be6d2b5caf8457a32ebbab47e66a4d550f6c1f1bbb94c086
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.0MB
MD5648156e11228956e243bfcc41607d2e5
SHA163c80eee09b512e46b850b43faa90e7824bc9e0d
SHA256edd2a8910c99b4b0c943563f1e27426330349b4db7ae911e276f3fe7880ee29b
SHA5124fdecae1b71660f33df6a44648374596c91fe2008d210cf7c6a3c23d749ba76ea992b01776236708be6d2b5caf8457a32ebbab47e66a4d550f6c1f1bbb94c086
-
\??\pipe\LOCAL\crashpad_4220_NWIPZGVROLCWDHBUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/116-142-0x0000000000000000-mapping.dmp
-
memory/404-183-0x0000000000000000-mapping.dmp
-
memory/544-181-0x0000000000000000-mapping.dmp
-
memory/724-170-0x0000000000000000-mapping.dmp
-
memory/1268-139-0x0000000000000000-mapping.dmp
-
memory/1556-165-0x0000000000000000-mapping.dmp
-
memory/1680-140-0x0000000000000000-mapping.dmp
-
memory/1680-210-0x0000000000000000-mapping.dmp
-
memory/1712-147-0x0000000005D00000-0x0000000006318000-memory.dmpFilesize
6.1MB
-
memory/1712-143-0x0000000000000000-mapping.dmp
-
memory/1712-149-0x0000000005790000-0x00000000057A2000-memory.dmpFilesize
72KB
-
memory/1712-146-0x0000000000DD0000-0x0000000000E02000-memory.dmpFilesize
200KB
-
memory/1712-186-0x0000000005B00000-0x0000000005B66000-memory.dmpFilesize
408KB
-
memory/1712-152-0x0000000005810000-0x000000000584C000-memory.dmpFilesize
240KB
-
memory/1712-189-0x00000000066C0000-0x0000000006752000-memory.dmpFilesize
584KB
-
memory/1712-190-0x0000000006D10000-0x00000000072B4000-memory.dmpFilesize
5.6MB
-
memory/1712-148-0x0000000005860000-0x000000000596A000-memory.dmpFilesize
1.0MB
-
memory/1788-188-0x0000000000000000-mapping.dmp
-
memory/2232-135-0x0000000000000000-mapping.dmp
-
memory/2288-192-0x0000000000000000-mapping.dmp
-
memory/2484-206-0x0000000000000000-mapping.dmp
-
memory/2716-161-0x0000000000000000-mapping.dmp
-
memory/2716-166-0x0000000000FA0000-0x0000000001544000-memory.dmpFilesize
5.6MB
-
memory/3056-141-0x0000000000000000-mapping.dmp
-
memory/3116-177-0x0000000000000000-mapping.dmp
-
memory/3320-198-0x0000000000000000-mapping.dmp
-
memory/3376-150-0x0000000000000000-mapping.dmp
-
memory/3468-269-0x0000000000000000-mapping.dmp
-
memory/3572-136-0x0000000000000000-mapping.dmp
-
memory/3784-216-0x0000000000000000-mapping.dmp
-
memory/3808-154-0x0000000000000000-mapping.dmp
-
memory/3808-157-0x00000000001F0000-0x0000000000222000-memory.dmpFilesize
200KB
-
memory/3808-195-0x00000000074B0000-0x00000000079DC000-memory.dmpFilesize
5.2MB
-
memory/3808-194-0x0000000006DB0000-0x0000000006F72000-memory.dmpFilesize
1.8MB
-
memory/3908-185-0x0000000000000000-mapping.dmp
-
memory/4112-202-0x0000000000000000-mapping.dmp
-
memory/4220-164-0x0000000000000000-mapping.dmp
-
memory/4356-158-0x0000000000000000-mapping.dmp
-
memory/4508-178-0x0000000000000000-mapping.dmp
-
memory/4524-208-0x0000000000000000-mapping.dmp
-
memory/4528-199-0x0000000000000000-mapping.dmp
-
memory/4556-204-0x0000000000000000-mapping.dmp
-
memory/4560-212-0x0000000000000000-mapping.dmp
-
memory/4568-138-0x0000000000000000-mapping.dmp
-
memory/4584-132-0x0000000000000000-mapping.dmp
-
memory/4720-193-0x0000000000000000-mapping.dmp
-
memory/4872-169-0x0000000000000000-mapping.dmp
-
memory/4988-213-0x0000000000000000-mapping.dmp
-
memory/5024-137-0x0000000000000000-mapping.dmp
-
memory/5176-217-0x0000000000000000-mapping.dmp
-
memory/5248-236-0x0000000002CE0000-0x0000000002DA6000-memory.dmpFilesize
792KB
-
memory/5248-233-0x0000000002C00000-0x0000000002CDD000-memory.dmpFilesize
884KB
-
memory/5248-235-0x0000000002CE0000-0x0000000002DA6000-memory.dmpFilesize
792KB
-
memory/5248-218-0x0000000000000000-mapping.dmp
-
memory/5248-221-0x0000000000400000-0x000000000059B000-memory.dmpFilesize
1.6MB
-
memory/5248-224-0x0000000002590000-0x0000000002596000-memory.dmpFilesize
24KB
-
memory/5428-225-0x0000000000000000-mapping.dmp
-
memory/5432-257-0x0000000000000000-mapping.dmp
-
memory/5444-226-0x0000000000000000-mapping.dmp
-
memory/5468-259-0x0000000000000000-mapping.dmp
-
memory/5472-263-0x0000000000000000-mapping.dmp
-
memory/5500-229-0x0000000000000000-mapping.dmp
-
memory/5512-272-0x0000000000000000-mapping.dmp
-
memory/5520-231-0x0000000000000000-mapping.dmp
-
memory/5600-232-0x0000000000000000-mapping.dmp
-
memory/5624-234-0x0000000000000000-mapping.dmp
-
memory/5664-266-0x0000000000000000-mapping.dmp
-
memory/5696-238-0x0000000000000000-mapping.dmp
-
memory/5716-254-0x00000000034F0000-0x00000000035B6000-memory.dmpFilesize
792KB
-
memory/5716-250-0x0000000003410000-0x00000000034ED000-memory.dmpFilesize
884KB
-
memory/5716-244-0x00000000013D0000-0x00000000013D6000-memory.dmpFilesize
24KB
-
memory/5716-239-0x0000000000000000-mapping.dmp
-
memory/5988-270-0x0000000000000000-mapping.dmp
-
memory/6028-245-0x0000000000000000-mapping.dmp
-
memory/6044-246-0x0000000000000000-mapping.dmp
-
memory/6100-249-0x0000000000000000-mapping.dmp
-
memory/6132-252-0x0000000000000000-mapping.dmp