Analysis
max time kernel: 134s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2023 06:15

Static task: static1

Behavioral task: behavioral1
Sample: ee524f5314131071c292f5ff2cf0e55bad26d76a922fa73b37aa435ae2f13849_JC.exe
Resource: win7-20230831-en

General
Target: ee524f5314131071c292f5ff2cf0e55bad26d76a922fa73b37aa435ae2f13849_JC.exe
Size: 1.0MB
MD5: 07f7a8bcc7fddd099dfe7cb1d0aa1f9d
SHA1: 304ffbf0d14dd116bb93af98daf74e8727029c88
SHA256: ee524f5314131071c292f5ff2cf0e55bad26d76a922fa73b37aa435ae2f13849
SHA512: a9b958fd995494a744fb930f8ecbc5aab009bae313c97fef3e6509c8b8df8c834c122e5ade4f51e4a9ce833ab78da89c232ae70702431fa476da5704985904a2
SSDEEP: 24576:By4ic/Fijjq4I4B5zs2UUk4g77iUAD8NA5EpKqbQ4TxDIYV6x3fgI6:04qj+4J7g7OUa5Ep/QI6YcvgI

Malware Config

Extracted
redline
gruha
77.91.124.55:19071
auth_value: 2f4cf2e668a540e64775b27535cc6892

Extracted
amadey
3.89
http://77.91.68.52/mac/index.php
http://77.91.68.78/help/index.php
install_dir: fefffe8cea
install_file: explonde.exe
strings_key: 916aae73606d7a9e02a1d3b47c199688

Signatures

Detect Mystic stealer payload 4 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/4300-41-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic
- behavioral2/memory/4300-42-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic
- behavioral2/memory/4300-43-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic
- behavioral2/memory/4300-45-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/3048-35-0x0000000000400000-0x000000000040A000-memory.dmp healer

Modifies Windows Defender Real-time Protection settings
Processes: AppLaunch.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (process: AppLaunch.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (process: AppLaunch.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (process: AppLaunch.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (process: AppLaunch.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: AppLaunch.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (process: AppLaunch.exe)

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: explonde.exe, u5574575.exe, legota.exe, t7399213.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation (process: explonde.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation (process: u5574575.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation (process: legota.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation (process: t7399213.exe)

Executes dropped EXE 16 IoCs
Processes (pid, process):
- 1276 z1438647.exe
- 2680 z6650939.exe
- 3740 z6832019.exe
- 64 z6061401.exe
- 4072 q7064207.exe
- 2348 r5717339.exe
- 744 s9174472.exe
- 1796 t7399213.exe
- 968 explonde.exe
- 2728 u5574575.exe
- 2952 legota.exe
- 1392 w1198696.exe
- 2200 explonde.exe
- 3468 legota.exe
- 1228 explonde.exe
- 4360 legota.exe

Loads dropped DLL 2 IoCs
Processes (pid, process):
- 2772 rundll32.exe
- 1056 rundll32.exe

Adds Run key to start application 2 TTPs 5 IoCs
Processes: z1438647.exe, z6650939.exe, z6832019.exe, z6061401.exe, ee524f5314131071c292f5ff2cf0e55bad26d76a922fa73b37aa435ae2f13849_JC.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: z1438647.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: z6650939.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (process: z6832019.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" (process: z6061401.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: ee524f5314131071c292f5ff2cf0e55bad26d76a922fa73b37aa435ae2f13849_JC.exe)

Suspicious use of SetThreadContext 3 IoCs
Processes (description; pid, process, target process):
- PID 4072 set thread context of 3048; 4072, q7064207.exe, AppLaunch.exe
- PID 2348 set thread context of 4300; 2348, r5717339.exe, AppLaunch.exe
- PID 744 set thread context of 4912; 744, s9174472.exe, AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 4 IoCs
Processes (pid, pid_target, process, target process):
- 3600, 4072, WerFault.exe, q7064207.exe
- 3268, 2348, WerFault.exe, r5717339.exe
- 3356, 4300, WerFault.exe, AppLaunch.exe
- 4272, 744, WerFault.exe, s9174472.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 1388 schtasks.exe
- 3872 schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid, process):
- 3048 AppLaunch.exe
- 3048 AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description; pid, process):
- Token: SeDebugPrivilege; 3048, AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes

[depth 1] PID 4100
  Image: C:\Users\Admin\AppData\Local\Temp\ee524f5314131071c292f5ff2cf0e55bad26d76a922fa73b37aa435ae2f13849_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ee524f5314131071c292f5ff2cf0e55bad26d76a922fa73b37aa435ae2f13849_JC.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

[depth 2] PID 1276
  Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1438647.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1438647.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

[depth 3] PID 2680
  Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6650939.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6650939.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

[depth 4] PID 3740
  Image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6832019.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6832019.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

[depth 5] PID 64
  Image: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6061401.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6061401.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

[depth 6] PID 4072
  Image: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7064207.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7064207.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

[depth 7] PID 3048
  Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 7] PID 3600
  Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 148
  - Program crash

[depth 6] PID 2348
  Image: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5717339.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5717339.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

[depth 7] PID 4300
  Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

[depth 8] PID 3356
  Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 548
  - Program crash

[depth 7] PID 3268
  Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 148
  - Program crash

[depth 5] PID 744
  Image: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9174472.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9174472.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

[depth 6] PID 2108
  Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

[depth 6] PID 4912
  Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

[depth 6] PID 4272
  Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 584
  - Program crash

[depth 4] PID 1796
  Image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7399213.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7399213.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

[depth 5] PID 968
  Image: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

[depth 6] PID 1388
  Image: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
  - Creates scheduled task(s)

[depth 6] PID 456
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

[depth 7] PID 4668
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

[depth 7] PID 1348
  Image: C:\Windows\SysWOW64\cacls.exe
  Command line: CACLS "explonde.exe" /P "Admin:N"

[depth 7] PID 684
  Image: C:\Windows\SysWOW64\cacls.exe
  Command line: CACLS "explonde.exe" /P "Admin:R" /E

[depth 7] PID 4000
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

[depth 7] PID 2760
  Image: C:\Windows\SysWOW64\cacls.exe
  Command line: CACLS "..\fefffe8cea" /P "Admin:N"

[depth 7] PID 3088
  Image: C:\Windows\SysWOW64\cacls.exe
  Command line: CACLS "..\fefffe8cea" /P "Admin:R" /E

[depth 6] PID 2772
  Image: C:\Windows\SysWOW64\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  - Loads dropped DLL

[depth 3] PID 2728
  Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u5574575.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u5574575.exe
  - Checks computer location settings
  - Executes dropped EXE

[depth 4] PID 2952
  Image: C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
  - Checks computer location settings
  - Executes dropped EXE

[depth 5] PID 1684
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit

[depth 6] PID 2104
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

[depth 6] PID 3836
  Image: C:\Windows\SysWOW64\cacls.exe
  Command line: CACLS "legota.exe" /P "Admin:N"

[depth 6] PID 1788
  Image: C:\Windows\SysWOW64\cacls.exe
  Command line: CACLS "legota.exe" /P "Admin:R" /E

[depth 6] PID 3520
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

[depth 6] PID 4392
  Image: C:\Windows\SysWOW64\cacls.exe
  Command line: CACLS "..\cb378487cf" /P "Admin:N"

[depth 6] PID 2836
  Image: C:\Windows\SysWOW64\cacls.exe
  Command line: CACLS "..\cb378487cf" /P "Admin:R" /E

[depth 5] PID 3872
  Image: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
  - Creates scheduled task(s)

[depth 5] PID 1056
  Image: C:\Windows\SysWOW64\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
  - Loads dropped DLL

[depth 2] PID 1392
  Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w1198696.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w1198696.exe
  - Executes dropped EXE

[depth 1] PID 3768
  Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4072 -ip 4072

[depth 1] PID 2772
  Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2348 -ip 2348

[depth 1] PID 1240
  Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4300 -ip 4300

[depth 1] PID 4448
  Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 744 -ip 744

[depth 1] PID 2200
  Image: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
  - Executes dropped EXE

[depth 1] PID 3468
  Image: C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
  - Executes dropped EXE

[depth 1] PID 1228
  Image: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
  - Executes dropped EXE

[depth 1] PID 4360
  Image: C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
  - Executes dropped EXE

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
- Windows Service: 1
- Scheduled Task/Job: 1
Downloads