Analysis
- max time kernel: 156s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-10-2023 21:56
Static task
static1
Behavioral task
behavioral1
Sample
3ca27f58f147d0a2da8a868f8e73c7cd5917106741d67ce79ceb88622ae2d428.exe
Resource
win7-20230831-en
General
-
Target
3ca27f58f147d0a2da8a868f8e73c7cd5917106741d67ce79ceb88622ae2d428.exe
-
Size
1.0MB
-
MD5
dc062986a0acf016b2fb5edc0d9c3a4e
-
SHA1
187cc01b5d1525b53e4a2b0608a90b413244a388
-
SHA256
3ca27f58f147d0a2da8a868f8e73c7cd5917106741d67ce79ceb88622ae2d428
-
SHA512
b1ff44fea8a6b0abfac8240c0e77e33386a58022946cdd750fb67145cb1c033a526977c307ee776c5f5935b2530d86ec70c4a1365c94b64aa7066bafc091e5f5
-
SSDEEP
24576:MyAApfcUUWSF8bGQFVmrw54J4Mw1C7r8LHveC2bGekz:7rRcU48bGQXxMwArAHmCUx
Malware Config
Extracted
redline
gruha
77.91.124.55:19071
-
auth_value
2f4cf2e668a540e64775b27535cc6892
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
http://77.91.68.78/help/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Signatures
-
Detect Mystic stealer payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4968-42-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral2/memory/4968-43-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral2/memory/4968-44-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral2/memory/4968-46-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
Detects Healer an antivirus disabler dropper 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7553627.exe | healer
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7553627.exe | healer
behavioral2/memory/1348-35-0x0000000000A00000-0x0000000000A0A000-memory.dmp | healer
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | q7553627.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | q7553627.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | q7553627.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | q7553627.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | q7553627.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | q7553627.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | t9119601.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | explothe.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | u5118768.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | legota.exe
Executes dropped EXE 16 IoCs
Processes:
pid | process
2732 | z0923342.exe
984 | z4449250.exe
2632 | z6363428.exe
4736 | z6417688.exe
1348 | q7553627.exe
1808 | r6200092.exe
388 | s2826281.exe
772 | t9119601.exe
3888 | explothe.exe
2456 | u5118768.exe
1200 | legota.exe
4828 | w9993825.exe
432 | explothe.exe
828 | legota.exe
4032 | explothe.exe
1752 | legota.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
4896 | rundll32.exe
784 | rundll32.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | q7553627.exe
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3ca27f58f147d0a2da8a868f8e73c7cd5917106741d67ce79ceb88622ae2d428.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z0923342.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z4449250.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z6363428.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | z6417688.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 1808 set thread context of 4968 | 1808 | r6200092.exe | AppLaunch.exe
PID 388 set thread context of 4804 | 388 | s2826281.exe | AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
Processes:
pid | pid_target | process | target process
2564 | 4968 | WerFault.exe | AppLaunch.exe
1144 | 1808 | WerFault.exe | r6200092.exe
4620 | 388 | WerFault.exe | s2826281.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1048 | schtasks.exe
1176 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
1348 | q7553627.exe
1348 | q7553627.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1348 | q7553627.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
(Indentation shows process depth; each entry gives the PID, the image path, the command line, and the signatures raised.)

PID 4204: C:\Users\Admin\AppData\Local\Temp\3ca27f58f147d0a2da8a868f8e73c7cd5917106741d67ce79ceb88622ae2d428.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\3ca27f58f147d0a2da8a868f8e73c7cd5917106741d67ce79ceb88622ae2d428.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID 2732: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0923342.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0923342.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID 984: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4449250.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4449250.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID 2632: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6363428.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6363428.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID 4736: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6417688.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6417688.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID 1348: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7553627.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7553627.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          PID 1808: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6200092.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6200092.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            PID 4884: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID 4968: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID 2564: C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 540
                - Program crash
            PID 1144: C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 604
              - Program crash
        PID 388: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2826281.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2826281.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID 1884: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          PID 4804: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          PID 4620: C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 588
            - Program crash
      PID 772: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9119601.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9119601.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID 3888: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID 1048: C:\Windows\SysWOW64\schtasks.exe
            cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
            - Creates scheduled task(s)
          PID 3880: C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
            PID 684: C:\Windows\SysWOW64\cmd.exe
              cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID 4684: C:\Windows\SysWOW64\cacls.exe
              cmd: CACLS "explothe.exe" /P "Admin:N"
            PID 368: C:\Windows\SysWOW64\cacls.exe
              cmd: CACLS "explothe.exe" /P "Admin:R" /E
            PID 404: C:\Windows\SysWOW64\cmd.exe
              cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID 560: C:\Windows\SysWOW64\cacls.exe
              cmd: CACLS "..\fefffe8cea" /P "Admin:N"
            PID 4228: C:\Windows\SysWOW64\cacls.exe
              cmd: CACLS "..\fefffe8cea" /P "Admin:R" /E
          PID 4896: C:\Windows\SysWOW64\rundll32.exe
            cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
            - Loads dropped DLL
    PID 2456: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u5118768.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u5118768.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID 1200: C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
        - Checks computer location settings
        - Executes dropped EXE
        PID 1176: C:\Windows\SysWOW64\schtasks.exe
          cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
          - Creates scheduled task(s)
        PID 3104: C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
          PID 2060: C:\Windows\SysWOW64\cacls.exe
            cmd: CACLS "legota.exe" /P "Admin:N"
          PID 2080: C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          PID 1616: C:\Windows\SysWOW64\cacls.exe
            cmd: CACLS "legota.exe" /P "Admin:R" /E
          PID 4424: C:\Windows\SysWOW64\cacls.exe
            cmd: CACLS "..\cb378487cf" /P "Admin:N"
          PID 5008: C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          PID 3672: C:\Windows\SysWOW64\cacls.exe
            cmd: CACLS "..\cb378487cf" /P "Admin:R" /E
        PID 784: C:\Windows\SysWOW64\rundll32.exe
          cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
          - Loads dropped DLL
  PID 4828: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9993825.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9993825.exe
    - Executes dropped EXE
PID 3964: C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4968 -ip 4968
PID 3376: C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1808 -ip 1808
PID 2672: C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 388 -ip 388
PID 432: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  - Executes dropped EXE
PID 828: C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
  - Executes dropped EXE
PID 4032: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  - Executes dropped EXE
PID 1752: C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)
- Scheduled Task/Job (1)
Downloads