Analysis
max time kernel: 131s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-02-2023 10:07
Static task
static1
General
Target: 797cd8fc8d79347b8bcd37e4d3da854f81e02dbe2dc7c44e52afe9076ef43ae5.exe
Size: 1.3MB
MD5: 9760f75761d6eeedd9e5fe0366741a76
SHA1: eb5c2ddc83b31a1ce420e52a71f05446660242a6
SHA256: 797cd8fc8d79347b8bcd37e4d3da854f81e02dbe2dc7c44e52afe9076ef43ae5
SHA512: 74060161db8b592ac80acd48f36b3260cb8d15240bb0d283adc49333a701ac3dc5d0626d802b562c6b770275b73cfcc68e0c7edde7bf78981223834fe2f08f6c
SSDEEP: 24576:7yRmwmpt6jzLqjrazvht/+XcnU1JwMYbtyuWxAOR5OgIswXSImHa:uUzp0LqjrOvKRDJ2OLOjswUH
Malware Config
Extracted
redline
ronur
193.233.20.20:4134
auth_value: f88f86755a528d4b25f6f3628c460965
Extracted
redline
funka
193.233.20.20:4134
auth_value: cdb395608d7ec633dce3d2f0c7fb0741
Extracted
amadey
3.67
193.233.20.15/dF30Hn4m/index.php
Signatures
-
Processes: iDz87KI.exe, mQq74YO.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | iDz87KI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | mQq74YO.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | mQq74YO.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | mQq74YO.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | iDz87KI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | iDz87KI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | iDz87KI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | iDz87KI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | iDz87KI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | mQq74YO.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | mQq74YO.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | mQq74YO.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 34 IoCs
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: rSm55if.exe, mnolyk.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | rSm55if.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | mnolyk.exe
-
Executes dropped EXE 13 IoCs
Processes: sqm53qB19.exe, sMV74Hb74.exe, sSp89Pw47.exe, spq60yw60.exe, iDz87KI.exe, kpP84Jw.exe, mQq74YO.exe, nuF94Mg79.exe, oyd61If.exe, rSm55if.exe, mnolyk.exe, mnolyk.exe, mnolyk.exe
pid | process
464 | sqm53qB19.exe
624 | sMV74Hb74.exe
1956 | sSp89Pw47.exe
1424 | spq60yw60.exe
2824 | iDz87KI.exe
2868 | kpP84Jw.exe
2436 | mQq74YO.exe
1800 | nuF94Mg79.exe
2024 | oyd61If.exe
2856 | rSm55if.exe
5048 | mnolyk.exe
4760 | mnolyk.exe
2624 | mnolyk.exe
-
Loads dropped DLL 1 IoCs
Processes: rundll32.exe
pid | process
3268 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes: iDz87KI.exe, mQq74YO.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | iDz87KI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | mQq74YO.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | mQq74YO.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 10 IoCs
Processes: 797cd8fc8d79347b8bcd37e4d3da854f81e02dbe2dc7c44e52afe9076ef43ae5.exe, sSp89Pw47.exe, spq60yw60.exe, sqm53qB19.exe, sMV74Hb74.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 797cd8fc8d79347b8bcd37e4d3da854f81e02dbe2dc7c44e52afe9076ef43ae5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 797cd8fc8d79347b8bcd37e4d3da854f81e02dbe2dc7c44e52afe9076ef43ae5.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | sSp89Pw47.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | spq60yw60.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | sSp89Pw47.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | spq60yw60.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | sqm53qB19.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | sqm53qB19.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | sMV74Hb74.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | sMV74Hb74.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
Processes: WerFault.exe, WerFault.exe, WerFault.exe
pid | pid_target | process | target process
4240 | 2868 | WerFault.exe | kpP84Jw.exe
4572 | 2436 | WerFault.exe | mQq74YO.exe
3328 | 1800 | WerFault.exe | nuF94Mg79.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: iDz87KI.exe, kpP84Jw.exe, mQq74YO.exe, nuF94Mg79.exe, oyd61If.exe
pid | process
2824 | iDz87KI.exe
2824 | iDz87KI.exe
2868 | kpP84Jw.exe
2868 | kpP84Jw.exe
2436 | mQq74YO.exe
2436 | mQq74YO.exe
1800 | nuF94Mg79.exe
1800 | nuF94Mg79.exe
2024 | oyd61If.exe
2024 | oyd61If.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: iDz87KI.exe, kpP84Jw.exe, mQq74YO.exe, nuF94Mg79.exe, oyd61If.exe
description | pid | process
Token: SeDebugPrivilege | 2824 | iDz87KI.exe
Token: SeDebugPrivilege | 2868 | kpP84Jw.exe
Token: SeDebugPrivilege | 2436 | mQq74YO.exe
Token: SeDebugPrivilege | 1800 | nuF94Mg79.exe
Token: SeDebugPrivilege | 2024 | oyd61If.exe
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\797cd8fc8d79347b8bcd37e4d3da854f81e02dbe2dc7c44e52afe9076ef43ae5.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\797cd8fc8d79347b8bcd37e4d3da854f81e02dbe2dc7c44e52afe9076ef43ae5.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sqm53qB19.exe (depth 2)
command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sqm53qB19.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sMV74Hb74.exe (depth 3)
command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sMV74Hb74.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sSp89Pw47.exe (depth 4)
command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sSp89Pw47.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\spq60yw60.exe (depth 5)
command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\spq60yw60.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iDz87KI.exe (depth 6)
command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iDz87KI.exe
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kpP84Jw.exe (depth 6)
command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kpP84Jw.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 7)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1788
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mQq74YO.exe (depth 5)
command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mQq74YO.exe
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 6)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 1080
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nuF94Mg79.exe (depth 4)
command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nuF94Mg79.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 5)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1336
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oyd61If.exe (depth 3)
command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oyd61If.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rSm55if.exe (depth 2)
command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rSm55if.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe (depth 3)
command line: "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe (depth 4)
command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 5)
command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
C:\Windows\SysWOW64\cacls.exe (depth 5)
command line: CACLS "mnolyk.exe" /P "Admin:N"
-
C:\Windows\SysWOW64\cacls.exe (depth 5)
command line: CACLS "mnolyk.exe" /P "Admin:R" /E
-
C:\Windows\SysWOW64\cmd.exe (depth 5)
command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
C:\Windows\SysWOW64\cacls.exe (depth 5)
command line: CACLS "..\4f9dd6f8a7" /P "Admin:N"
-
C:\Windows\SysWOW64\cacls.exe (depth 5)
command line: CACLS "..\4f9dd6f8a7" /P "Admin:R" /E
-
C:\Windows\SysWOW64\rundll32.exe (depth 4)
command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2868 -ip 2868
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2436 -ip 2436
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1800 -ip 1800
-
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
248KB
-
memory/2868-227-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-225-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-235-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-221-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-219-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-217-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-215-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-213-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-211-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-209-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-207-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-205-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-203-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-201-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-199-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-197-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-194-0x0000000004C10000-0x0000000004C20000-memory.dmpFilesize
64KB
-
memory/2868-195-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-192-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-188-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-186-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-184-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-182-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-180-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-178-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-177-0x0000000004B40000-0x0000000004B7E000-memory.dmpFilesize
248KB
-
memory/2868-176-0x0000000004C20000-0x00000000051C4000-memory.dmpFilesize
5.6MB
-
memory/2868-175-0x0000000004C10000-0x0000000004C20000-memory.dmpFilesize
64KB
-
memory/2868-174-0x0000000000590000-0x00000000005DB000-memory.dmpFilesize
300KB