Analysis
-
max time kernel
150s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
10-10-2023 21:41
Static task
static1
Behavioral task
behavioral1
Sample
2dd12ba5ec9cefe83d3d75f694fcb042e38bfa2497f7faab35925f502aa01200_JC.exe
Resource
win7-20230831-en
General
-
Target
2dd12ba5ec9cefe83d3d75f694fcb042e38bfa2497f7faab35925f502aa01200_JC.exe
-
Size
1.1MB
-
MD5
50d53ccddcb21bcc34aecab4837643a3
-
SHA1
9edf6722f7a9e1b70ccd4043355163107a8d111e
-
SHA256
2dd12ba5ec9cefe83d3d75f694fcb042e38bfa2497f7faab35925f502aa01200
-
SHA512
97d83bd6dc634d0c845128f7542bbb92c4b6e33e70a0d24b789864726d7e0175164b30f4879b9df00d9a3173496ef87d5be8386feadac45251f540eac83d7631
-
SSDEEP
24576:zyhzdCR1vA3PiCQ0Rfu7NVD5P81/Uqrf/W/HQrOeAwHc47030:GhzdCrY3PhHRfYBErfu4DHS
Malware Config
Extracted
redline
gruha
77.91.124.55:19071
-
auth_value
2f4cf2e668a540e64775b27535cc6892
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
http://77.91.68.78/help/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Signatures
-
Detect Mystic stealer payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/2804-44-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic behavioral2/memory/2804-42-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic behavioral2/memory/2804-41-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic behavioral2/memory/2804-40-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic -
Detects Healer an antivirus disabler dropper 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4972-35-0x0000000000400000-0x000000000040A000-memory.dmp healer -
Processes:
AppLaunch.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
legota.exet0452907.exeexplothe.exeu0105870.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation legota.exe Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation t0452907.exe Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation explothe.exe Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation u0105870.exe -
Executes dropped EXE 16 IoCs
Processes:
z8010042.exez6981677.exez1410646.exez0755799.exeq7140165.exer7017975.exes2287233.exet0452907.exeexplothe.exeu0105870.exelegota.exew9471230.exelegota.exeexplothe.exelegota.exeexplothe.exepid process 4460 z8010042.exe 640 z6981677.exe 3704 z1410646.exe 3916 z0755799.exe 2488 q7140165.exe 3864 r7017975.exe 684 s2287233.exe 960 t0452907.exe 3736 explothe.exe 1316 u0105870.exe 2660 legota.exe 1304 w9471230.exe 3524 legota.exe 416 explothe.exe 3860 legota.exe 4240 explothe.exe -
Loads dropped DLL 2 IoCs
Processes:
rundll32.exerundll32.exepid process 4812 rundll32.exe 3328 rundll32.exe -
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
2dd12ba5ec9cefe83d3d75f694fcb042e38bfa2497f7faab35925f502aa01200_JC.exez8010042.exez6981677.exez1410646.exez0755799.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 2dd12ba5ec9cefe83d3d75f694fcb042e38bfa2497f7faab35925f502aa01200_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" z8010042.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" z6981677.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" z1410646.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" z0755799.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
q7140165.exer7017975.exes2287233.exedescription pid process target process PID 2488 set thread context of 4972 2488 q7140165.exe AppLaunch.exe PID 3864 set thread context of 2804 3864 r7017975.exe AppLaunch.exe PID 684 set thread context of 5024 684 s2287233.exe AppLaunch.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4924 2488 WerFault.exe q7140165.exe 2884 3864 WerFault.exe r7017975.exe 5100 2804 WerFault.exe 4388 684 WerFault.exe s2287233.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 1016 schtasks.exe 4676 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
AppLaunch.exepid process 4972 AppLaunch.exe 4972 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
AppLaunch.exedescription pid process Token: SeDebugPrivilege 4972 AppLaunch.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2dd12ba5ec9cefe83d3d75f694fcb042e38bfa2497f7faab35925f502aa01200_JC.exez8010042.exez6981677.exez1410646.exez0755799.exeq7140165.exer7017975.exes2287233.exet0452907.exeexplothe.exeu0105870.exedescription pid process target process PID 2136 wrote to memory of 4460 2136 2dd12ba5ec9cefe83d3d75f694fcb042e38bfa2497f7faab35925f502aa01200_JC.exe z8010042.exe PID 2136 wrote to memory of 4460 2136 2dd12ba5ec9cefe83d3d75f694fcb042e38bfa2497f7faab35925f502aa01200_JC.exe z8010042.exe PID 2136 wrote to memory of 4460 2136 2dd12ba5ec9cefe83d3d75f694fcb042e38bfa2497f7faab35925f502aa01200_JC.exe z8010042.exe PID 4460 wrote to memory of 640 4460 z8010042.exe z6981677.exe PID 4460 wrote to memory of 640 4460 z8010042.exe z6981677.exe PID 4460 wrote to memory of 640 4460 z8010042.exe z6981677.exe PID 640 wrote to memory of 3704 640 z6981677.exe z1410646.exe PID 640 wrote to memory of 3704 640 z6981677.exe z1410646.exe PID 640 wrote to memory of 3704 640 z6981677.exe z1410646.exe PID 3704 wrote to memory of 3916 3704 z1410646.exe z0755799.exe PID 3704 wrote to memory of 3916 3704 z1410646.exe z0755799.exe PID 3704 wrote to memory of 3916 3704 z1410646.exe z0755799.exe PID 3916 wrote to memory of 2488 3916 z0755799.exe q7140165.exe PID 3916 wrote to memory of 2488 3916 z0755799.exe q7140165.exe PID 3916 wrote to memory of 2488 3916 z0755799.exe q7140165.exe PID 2488 wrote to memory of 4972 2488 q7140165.exe AppLaunch.exe PID 2488 wrote to memory of 4972 2488 q7140165.exe AppLaunch.exe PID 2488 wrote to memory of 4972 2488 q7140165.exe AppLaunch.exe PID 2488 wrote to memory of 4972 2488 q7140165.exe AppLaunch.exe PID 2488 wrote to memory of 4972 2488 q7140165.exe AppLaunch.exe PID 2488 wrote to memory of 4972 2488 q7140165.exe AppLaunch.exe PID 2488 wrote to memory of 4972 2488 q7140165.exe AppLaunch.exe PID 2488 wrote to memory of 4972 2488 q7140165.exe AppLaunch.exe PID 3916 wrote to memory of 3864 3916 z0755799.exe r7017975.exe PID 3916 wrote to memory of 3864 3916 z0755799.exe r7017975.exe PID 3916 wrote to memory of 3864 3916 z0755799.exe r7017975.exe PID 3864 wrote to memory of 2804 3864 r7017975.exe AppLaunch.exe PID 3864 wrote to memory of 2804 3864 r7017975.exe AppLaunch.exe PID 3864 wrote to memory of 2804 3864 r7017975.exe AppLaunch.exe PID 3864 wrote to memory of 2804 3864 r7017975.exe AppLaunch.exe PID 3864 wrote to memory of 2804 3864 r7017975.exe AppLaunch.exe PID 3864 wrote to memory of 2804 3864 r7017975.exe AppLaunch.exe PID 3864 wrote to memory of 2804 3864 r7017975.exe AppLaunch.exe PID 3864 wrote to memory of 2804 3864 r7017975.exe AppLaunch.exe PID 3864 wrote to memory of 2804 3864 r7017975.exe AppLaunch.exe PID 3864 wrote to memory of 2804 3864 r7017975.exe AppLaunch.exe PID 3704 wrote to memory of 684 3704 z1410646.exe s2287233.exe PID 3704 wrote to memory of 684 3704 z1410646.exe s2287233.exe PID 3704 wrote to memory of 684 3704 z1410646.exe s2287233.exe PID 684 wrote to memory of 5024 684 s2287233.exe AppLaunch.exe PID 684 wrote to memory of 5024 684 s2287233.exe AppLaunch.exe PID 684 wrote to memory of 5024 684 s2287233.exe AppLaunch.exe PID 684 wrote to memory of 5024 684 s2287233.exe AppLaunch.exe PID 684 wrote to memory of 5024 684 s2287233.exe AppLaunch.exe PID 684 wrote to memory of 5024 684 s2287233.exe AppLaunch.exe PID 684 wrote to memory of 5024 684 s2287233.exe AppLaunch.exe PID 684 wrote to memory of 5024 684 s2287233.exe AppLaunch.exe PID 640 wrote to memory of 960 640 z6981677.exe t0452907.exe PID 640 wrote to memory of 960 640 z6981677.exe t0452907.exe PID 640 wrote to memory of 960 640 z6981677.exe t0452907.exe PID 960 wrote to memory of 3736 960 t0452907.exe explothe.exe PID 960 wrote to memory of 3736 960 t0452907.exe explothe.exe PID 960 wrote to memory of 3736 960 t0452907.exe explothe.exe PID 4460 wrote to memory of 1316 4460 z8010042.exe u0105870.exe PID 4460 wrote to memory of 1316 4460 z8010042.exe u0105870.exe PID 4460 wrote to memory of 1316 4460 z8010042.exe u0105870.exe PID 3736 wrote to memory of 1016 3736 explothe.exe schtasks.exe PID 3736 wrote to memory of 1016 3736 explothe.exe schtasks.exe PID 3736 wrote to memory of 1016 3736 explothe.exe schtasks.exe PID 3736 wrote to memory of 3036 3736 explothe.exe cmd.exe PID 3736 wrote to memory of 3036 3736 explothe.exe cmd.exe PID 3736 wrote to memory of 3036 3736 explothe.exe cmd.exe PID 1316 wrote to memory of 2660 1316 u0105870.exe legota.exe PID 1316 wrote to memory of 2660 1316 u0105870.exe legota.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2dd12ba5ec9cefe83d3d75f694fcb042e38bfa2497f7faab35925f502aa01200_JC.exe"C:\Users\Admin\AppData\Local\Temp\2dd12ba5ec9cefe83d3d75f694fcb042e38bfa2497f7faab35925f502aa01200_JC.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8010042.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8010042.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6981677.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6981677.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1410646.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1410646.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0755799.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0755799.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7140165.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7140165.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4972 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 5967⤵
- Program crash
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7017975.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7017975.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1527⤵
- Program crash
PID:2884 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵PID:2804
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2287233.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2287233.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵PID:5024
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 1366⤵
- Program crash
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0452907.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0452907.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
PID:1016 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵PID:3036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:2096
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵PID:4608
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵PID:3876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:4116
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵PID:4564
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵PID:2564
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main6⤵
- Loads dropped DLL
PID:4812 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0105870.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0105870.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F5⤵
- Creates scheduled task(s)
PID:4676 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit5⤵PID:4396
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:732
-
C:\Windows\SysWOW64\cacls.exeCACLS "legota.exe" /P "Admin:N"6⤵PID:5116
-
C:\Windows\SysWOW64\cacls.exeCACLS "legota.exe" /P "Admin:R" /E6⤵PID:5112
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:3708
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb378487cf" /P "Admin:N"6⤵PID:2872
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb378487cf" /P "Admin:R" /E6⤵PID:1264
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main5⤵
- Loads dropped DLL
PID:3328 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9471230.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9471230.exe2⤵
- Executes dropped EXE
PID:1304
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2488 -ip 24881⤵PID:4904
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3864 -ip 38641⤵PID:3840
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2804 -ip 28041⤵PID:3548
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 5401⤵
- Program crash
PID:5100
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 684 -ip 6841⤵PID:3452
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeC:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe1⤵
- Executes dropped EXE
PID:3524
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:416
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeC:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe1⤵
- Executes dropped EXE
PID:3860
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:4240
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9471230.exeFilesize
23KB
MD55342651d5a1bf4f76fa69eac2f2fd836
SHA1253afe7029c3d08193d8e2e0f873204d7527ed2d
SHA256e4c0dfed63baf9b98bafc91005d535382274897539976c0019a77d91f712184d
SHA512a03cd14287d3835e470f20fbccf39c53b2f6f8576b97dae3a6c17a926329d434b5db3dc66c18810b2d9799d2c254c2362f9d03d2c97fc9d3588a1f9f701ac4fb
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9471230.exeFilesize
23KB
MD55342651d5a1bf4f76fa69eac2f2fd836
SHA1253afe7029c3d08193d8e2e0f873204d7527ed2d
SHA256e4c0dfed63baf9b98bafc91005d535382274897539976c0019a77d91f712184d
SHA512a03cd14287d3835e470f20fbccf39c53b2f6f8576b97dae3a6c17a926329d434b5db3dc66c18810b2d9799d2c254c2362f9d03d2c97fc9d3588a1f9f701ac4fb
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8010042.exeFilesize
982KB
MD5a9cc9cb0fde2c0b2ee8f54e7b3ce53df
SHA1361d4a94e316afc582f4c1f3f198996bb159fc46
SHA256b59ae1ba37503d05d08d6af986ee32e9c8464d4434cbbb31d4978a5f7c60ad2e
SHA51279d295c64c73ec4e155a9542fad6b24b2cd0012a5b37112cdbae615d33718c40f98826434377bf6e4fc66e052023b57fbc839a9c331097fbe20818ea5087c090
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8010042.exeFilesize
982KB
MD5a9cc9cb0fde2c0b2ee8f54e7b3ce53df
SHA1361d4a94e316afc582f4c1f3f198996bb159fc46
SHA256b59ae1ba37503d05d08d6af986ee32e9c8464d4434cbbb31d4978a5f7c60ad2e
SHA51279d295c64c73ec4e155a9542fad6b24b2cd0012a5b37112cdbae615d33718c40f98826434377bf6e4fc66e052023b57fbc839a9c331097fbe20818ea5087c090
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0105870.exeFilesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0105870.exeFilesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6981677.exeFilesize
799KB
MD560e1e12cb2728a1bed6cf5ff23fa40a2
SHA1ce06e16414814e4f5b6524b7a091c69eb85fb498
SHA2565c45a4b183f2a01d027e098a5719d77158e257b328c0a004a9e746ba70aa6fe9
SHA5127bc0b09a712c0352e00c8a43af93617120616919ab45519a233a1b0cbfdb95727e3ae9fa3bde20726653f370686d3cb2cf7a2a41a93808e8e66bdf7efaeb12fe
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6981677.exeFilesize
799KB
MD560e1e12cb2728a1bed6cf5ff23fa40a2
SHA1ce06e16414814e4f5b6524b7a091c69eb85fb498
SHA2565c45a4b183f2a01d027e098a5719d77158e257b328c0a004a9e746ba70aa6fe9
SHA5127bc0b09a712c0352e00c8a43af93617120616919ab45519a233a1b0cbfdb95727e3ae9fa3bde20726653f370686d3cb2cf7a2a41a93808e8e66bdf7efaeb12fe
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0452907.exeFilesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0452907.exeFilesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1410646.exeFilesize
616KB
MD533704ce1dac1a97754e16c7012a1ee94
SHA12159fd2b385813106d9c69d93c6c2183dc32eca6
SHA256adfe39c5947ad6d002f816cbd277787a34ea437c143d519960e20f8f5eac2fd6
SHA512ee730edf2bb99bf575b87ac712f004e40a2910a7e90ce6b1391a94d14e68228726d94a2d62989d2b7289d57e67ed0a80f339af8d216c21c72f1175cd9d190875
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1410646.exeFilesize
616KB
MD533704ce1dac1a97754e16c7012a1ee94
SHA12159fd2b385813106d9c69d93c6c2183dc32eca6
SHA256adfe39c5947ad6d002f816cbd277787a34ea437c143d519960e20f8f5eac2fd6
SHA512ee730edf2bb99bf575b87ac712f004e40a2910a7e90ce6b1391a94d14e68228726d94a2d62989d2b7289d57e67ed0a80f339af8d216c21c72f1175cd9d190875
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2287233.exeFilesize
390KB
MD57f2fe6f6870100ff5320f44b97361b66
SHA111b0f9da53931e914f14601a9e2557041f7fd55e
SHA2568392dd5fd5a7947c73da633b7e00e6ae47b1f8d2602aeb103a56c3cf0118df76
SHA51271f4e9ea118f92161dcba5b8aaeda24b0859a5b329823c606006ea94f12396b2c408aebe9f37cbf65f0dbcf356d2612190b583e562aaf8aa5e3cfc173c50cc20
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2287233.exeFilesize
390KB
MD57f2fe6f6870100ff5320f44b97361b66
SHA111b0f9da53931e914f14601a9e2557041f7fd55e
SHA2568392dd5fd5a7947c73da633b7e00e6ae47b1f8d2602aeb103a56c3cf0118df76
SHA51271f4e9ea118f92161dcba5b8aaeda24b0859a5b329823c606006ea94f12396b2c408aebe9f37cbf65f0dbcf356d2612190b583e562aaf8aa5e3cfc173c50cc20
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0755799.exeFilesize
346KB
MD5d027c8d1665e13816570b9b39f192ff8
SHA1ffd9d219b750820e7527501c7f6f2b745bedfaf9
SHA2566f96a1045a974ec83a34fbd5fb627cfe980a2f8442a6b3b7ecf39aa8b4a7cc28
SHA51200280865aaeaff6b0022ae233dd808bb1b7e609a7c9fb7ddd55200f8712f0c18c4269ae29a24e3bce24b8a6a4f0e45a4a761079d12025baeaf37a7a33cdb921c
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0755799.exeFilesize
346KB
MD5d027c8d1665e13816570b9b39f192ff8
SHA1ffd9d219b750820e7527501c7f6f2b745bedfaf9
SHA2566f96a1045a974ec83a34fbd5fb627cfe980a2f8442a6b3b7ecf39aa8b4a7cc28
SHA51200280865aaeaff6b0022ae233dd808bb1b7e609a7c9fb7ddd55200f8712f0c18c4269ae29a24e3bce24b8a6a4f0e45a4a761079d12025baeaf37a7a33cdb921c
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7140165.exeFilesize
227KB
MD5f0958156b6b486348b5148ad415c67a6
SHA1696dd53b0efc75646744408b2618fb66cf223dcf
SHA25673256bfa94ae373934ace099d8f767d2bfa29e7549d1f29fef52df50c9797e47
SHA512cf47439794b91df5a524af7546110fd5a3f79901004355f9c23cd2018ae5b62583109aac2df59f5bde81294e069592f9130102ac58d9f05c765b1a05a89a5dda
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7140165.exeFilesize
227KB
MD5f0958156b6b486348b5148ad415c67a6
SHA1696dd53b0efc75646744408b2618fb66cf223dcf
SHA25673256bfa94ae373934ace099d8f767d2bfa29e7549d1f29fef52df50c9797e47
SHA512cf47439794b91df5a524af7546110fd5a3f79901004355f9c23cd2018ae5b62583109aac2df59f5bde81294e069592f9130102ac58d9f05c765b1a05a89a5dda
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7017975.exeFilesize
356KB
MD5f6f8708284888f4206e82d2bdee74d1d
SHA1a8dbddcd3add78f772549723e9d48c5fd895ad38
SHA256d877dea5982fc83756dff560f1c43d8b340e7a919d0d9f8eb0c5bb71920daa0c
SHA512b1e8d9d3e2771efaff7b154ed71b652e32899f3cc674cebe37b7da0c30fa375a935b59844d90570897f6be9e8b5c265f3ae43d418dde5fa6d7daf6ef66941c44
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7017975.exeFilesize
356KB
MD5f6f8708284888f4206e82d2bdee74d1d
SHA1a8dbddcd3add78f772549723e9d48c5fd895ad38
SHA256d877dea5982fc83756dff560f1c43d8b340e7a919d0d9f8eb0c5bb71920daa0c
SHA512b1e8d9d3e2771efaff7b154ed71b652e32899f3cc674cebe37b7da0c30fa375a935b59844d90570897f6be9e8b5c265f3ae43d418dde5fa6d7daf6ef66941c44
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeFilesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeFilesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeFilesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeFilesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeFilesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeFilesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeFilesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeFilesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeFilesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeFilesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
273B
MD5a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA15aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA2565f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA5123cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
89KB
MD5ec41f740797d2253dc1902e71941bbdb
SHA1407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA25647425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
89KB
MD5ec41f740797d2253dc1902e71941bbdb
SHA1407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA25647425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
89KB
MD5ec41f740797d2253dc1902e71941bbdb
SHA1407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA25647425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
273B
MD56d5040418450624fef735b49ec6bffe9
SHA15fff6a1a620a5c4522aead8dbd0a5a52570e8773
SHA256dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
SHA512bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0
-
memory/2804-40-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/2804-41-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/2804-42-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/2804-44-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4972-86-0x0000000073EF0000-0x00000000746A0000-memory.dmpFilesize
7.7MB
-
memory/4972-66-0x0000000073EF0000-0x00000000746A0000-memory.dmpFilesize
7.7MB
-
memory/4972-35-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/4972-36-0x0000000073EF0000-0x00000000746A0000-memory.dmpFilesize
7.7MB
-
memory/5024-62-0x0000000005130000-0x0000000005142000-memory.dmpFilesize
72KB
-
memory/5024-68-0x0000000005860000-0x000000000589C000-memory.dmpFilesize
240KB
-
memory/5024-67-0x0000000005710000-0x0000000005720000-memory.dmpFilesize
64KB
-
memory/5024-87-0x0000000073EF0000-0x00000000746A0000-memory.dmpFilesize
7.7MB
-
memory/5024-61-0x0000000005930000-0x0000000005A3A000-memory.dmpFilesize
1.0MB
-
memory/5024-60-0x0000000005E40000-0x0000000006458000-memory.dmpFilesize
6.1MB
-
memory/5024-50-0x0000000001620000-0x0000000001626000-memory.dmpFilesize
24KB
-
memory/5024-49-0x0000000073EF0000-0x00000000746A0000-memory.dmpFilesize
7.7MB
-
memory/5024-48-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/5024-72-0x00000000058B0000-0x00000000058FC000-memory.dmpFilesize
304KB
-
memory/5024-88-0x0000000005710000-0x0000000005720000-memory.dmpFilesize
64KB