Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
12-01-2024 22:35
General
-
Target
0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe
-
Size
11KB
-
MD5
d2e9696ec235cec72512dec6e9ce5935
-
SHA1
dccd11c272d2fa2e700e7b8b51fa6a9a89f9f3ea
-
SHA256
0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455
-
SHA512
573cdf5ac0ebacb05b5043c062d237c7ddf202816b04b3938ab3059f0bb5ef9979c17d04ff869cf86646a87b8df0e40f8d2f4955ba13165c8adbfc1d8b2f138a
-
SSDEEP
192:gzlJOMaLAN+QHzdV4z1ULU87glpK/b26J46667nh5:6lJOM3+qzqULU870gJEM
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.2
Exodus
91.92.255.187:4449
ypyertvpyqfr
-
delay
1
-
install
true
-
install_file
chromeupdate.exe
-
install_folder
%AppData%
Extracted
redline
Bloomberg
194.33.191.102:21751
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.siscop.com.co - Port:
21 - Username:
pedophile@siscop.com.co - Password:
+5s48Ia2&-(t
Extracted
redline
Exodus
91.92.255.187:1334
Extracted
xworm
secure-connection.portmap.io:62391
-
Install_directory
%AppData%
-
install_file
svc.exe
Extracted
risepro
193.233.132.62:50500
195.20.16.210:50500
Extracted
formbook
4.1
he09
clhear.com
maythunguyen.com
xiongmaoaijia.com
kembangzadsloh.xyz
speedwagner.com
360bedroom.com
campereurorg.top
cwxg2.site
mcdlibre.live
globigprimecompanylimited.com
1707102023-stripe.com
xhfj5.site
mugiwaranousopp.xyz
texmasco.com
sc9999.net
lite.team
8xb898.com
cibecuetowing.top
mgplatinemlak.xyz
southwestharborkeyword.top
Extracted
xworm
5.0
KspRabpn35rQf3I6
-
Install_directory
%AppData%
-
install_file
XClient.exe
-
pastebin_url
https://pastebin.com/raw/yLqnBLCS
Extracted
C:\Users\ONa9v7hKI.README.txt
lockbit
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect Xworm Payload 2 IoCs
-
Detect ZGRat V1 6 IoCs
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 3 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Async RAT payload 3 IoCs
-
Formbook payload 2 IoCs
-
Renames multiple (171) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
.NET Reactor proctector 4 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 20 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Suspicious use of SetThreadContext 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies registry class 8 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe"C:\Users\Admin\AppData\Local\Temp\0341c1348baae5bc2bb53f7c39724eaeaaa929e4d2c11474b267ed064e45f455.exe"2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\venom.exe.exe"C:\Users\Admin\AppData\Local\Temp\venom.exe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAD86.tmp.bat""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\chromeupdate.exe"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"' & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\autorun.exe.exe"C:\Users\Admin\AppData\Local\Temp\autorun.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exe"C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exe"C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'securityhealths.exe.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svc.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svc.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svc" /tr "C:\Users\Admin\AppData\Roaming\svc.exe"5⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\exploittttt.exe.exe"C:\Users\Admin\AppData\Local\Temp\exploittttt.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\exploittttt.exe.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe.exe"C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe.exe"C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\red.exe.exe"C:\Users\Admin\AppData\Local\Temp\red.exe.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\conhost.exe.exe"C:\Users\Admin\AppData\Local\Temp\conhost.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\conhost.exe.exe"C:\Users\Admin\AppData\Local\Temp\conhost.exe.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\leru.exe.exe"C:\Users\Admin\AppData\Local\Temp\leru.exe.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\perlo.exe.exe"C:\Users\Admin\AppData\Local\Temp\perlo.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\file.exe.exe"C:\Users\Admin\AppData\Local\Temp\file.exe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\file.exe.exe'4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe.exe'4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1.exe.exe"C:\Users\Admin\AppData\Local\Temp\1.exe.exe"3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\miner.exe.exe"C:\Users\Admin\AppData\Local\Temp\miner.exe.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\miner.exe.exe'; Add-MpPreference -ExclusionProcess 'miner.exe'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\rty31.exe.exe"C:\Users\Admin\AppData\Local\Temp\rty31.exe.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\abc.exe.exe"C:\Users\Admin\AppData\Local\Temp\abc.exe.exe"3⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\92A1.tmp"C:\ProgramData\92A1.tmp"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 8564⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\twoo.exe.exe"C:\Users\Admin\AppData\Local\Temp\twoo.exe.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\tuc5.exe.exe"C:\Users\Admin\AppData\Local\Temp\tuc5.exe.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\is-ER2RM.tmp\tuc5.exe.tmp"C:\Users\Admin\AppData\Local\Temp\is-ER2RM.tmp\tuc5.exe.tmp" /SL5="$B01C8,4682184,54272,C:\Users\Admin\AppData\Local\Temp\tuc5.exe.exe"4⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 11235⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 11236⤵
-
C:\Users\Admin\AppData\Local\Video set plugin\videosetplugin.exe"C:\Users\Admin\AppData\Local\Video set plugin\videosetplugin.exe" -i5⤵
-
C:\Users\Admin\AppData\Local\Video set plugin\videosetplugin.exe"C:\Users\Admin\AppData\Local\Video set plugin\videosetplugin.exe" -s5⤵
-
C:\Users\Admin\AppData\Local\Temp\dwm2.exe.exe"C:\Users\Admin\AppData\Local\Temp\dwm2.exe.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\love.exe.exe"C:\Users\Admin\AppData\Local\Temp\love.exe.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yR0Sh71.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yR0Sh71.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ft4zB43.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ft4zB43.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kz3UX33.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kz3UX33.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\yT7zk44.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\yT7zk44.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Mo36kY7.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Mo36kY7.exe8⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff86ea46f8,0x7fff86ea4708,0x7fff86ea471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1476,2473637822182172198,6246527500349494235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff86ea46f8,0x7fff86ea4708,0x7fff86ea471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,11403953976269777907,11193221203574651712,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:810⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com9⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff83979758,0x7fff83979768,0x7fff8397977810⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/login9⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff83979758,0x7fff83979768,0x7fff8397977810⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com9⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6096 CREDAT:17410 /prefetch:210⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff86ea46f8,0x7fff86ea4708,0x7fff86ea471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/login9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff86ea46f8,0x7fff86ea4708,0x7fff86ea471810⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com9⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com10⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login9⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login10⤵
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\SysWOW64\ipconfig.exe"2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\conhost.exe.exe"3⤵
-
C:\Windows\system32\timeout.exetimeout 31⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"'1⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\svc.exeC:\Users\Admin\AppData\Roaming\svc.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\svc.exe"C:\Users\Admin\AppData\Roaming\svc.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1584 -ip 15841⤵
-
C:\Users\Admin\AppData\Roaming\svc.exeC:\Users\Admin\AppData\Roaming\svc.exe1⤵
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$Recycle.Bin\S-1-5-21-1815711207-1844170477-3539718864-1000\desktop.iniFilesize
129B
MD562b61238e513136dcae39ac313f13c76
SHA19cfd97c6ca306218f8a2abe63fd89d05dd321ff3
SHA2568dd0851b82095046b5edbb16e7788a5f52158d51971f4b86492e3f693fe1c090
SHA5128973fb232256166b3902eae193e481c6a21ff16ab7b0b48c5e742f593cb72f8718cdef50dfd58466d04f487a113d09751127ca2fafcb03f1cddddfab10ff6c32
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\plugmanzx.exe.exe.logFilesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5d5564ccbd62bac229941d2812fc4bfba
SHA10483f8496225a0f2ca0d2151fab40e8f4f61ab6d
SHA256d259ff04090cbde3b87a54554d6e2b8a33ba81e9483acbbe3e6bad15cbde4921
SHA512300cda7933e8af577bdc1b20e6d4279d1e418cdb0571c928b1568bfea3c231ba632ccb67313ae73ddeae5586d85db95caffaedd23e973d437f8496a8c5a15025
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5dc3878a836972b5ef809b76a239ab31b
SHA19f4d47f13cedf3ee8ff00f93e9bea273bbbf9f57
SHA256526e06f544f25923af904bf0067dcaeae9bf92e67f942b44650e810b7c726fc6
SHA512d66928455d9551aa017035275d8d9715aa3879b21ebd47a09a15197453166a47c7d08098b8107f9910ac72817f37f69fd036fa13f056569620adb1d016090560
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD56b5fec177b378618d39fec7045763a79
SHA1d8769699f61c0f26cfb45af68f7068f7a5e52d3c
SHA256e04e61bd3e6607f9a8716fe697719c2983177ece992776f608a38422e00e937a
SHA5121593f4348bceec890f41141768cb40a7a239eda992752570e52706755a0acf99c0c0b12f8dea7170844859fee994e85375889708f093e4e5071dd34f314f3a92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5a4254c3f39b036a29005b3864aabcb34
SHA1ee6ddfa1b68d29e8065aab7bb1c4c02c65f2b924
SHA256fac4742d42bd62c9fc90931012c54f3129b8782ef4a2b26edea63ec5d9225911
SHA512df6951d961a6e8cc6bea5ac24c1703543eb7989ec56ac20fb4e46cb5936f7d4ccc79fead624c8adac2358d325c652aa89260b5b83619650c0cd120ecbbe4153e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5798c12bcccd6628cd8bf33fbd80f3843
SHA1da0c325c67cebe4d7f5abe63ca7fcd59337fcffc
SHA2560deb41da91b71b31615f3d48ad67bd59b0728096ba5321518ac724d95946ae34
SHA5120403437b39195c90599ef44bfacb8e708605f883a0a54e636972fc4b2930abde9594de12cb731a68620e8733d5b116c26b79476ba3c6b5f1800cd3ea71e726af
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5ba15fe4e6cb00686a8c4c286a6eaa047
SHA19c79a10348992ab2f1a362216a6bd3a3ba8dbffb
SHA2563ab92587a9126907ca045be7a5b8db92e6bf622a8d764fbc4a65bb1ffbe602a5
SHA51286fffebc5d2e13fe5f69ce8f27e5f9ec7294381547d18e5c81dc3a1d8031c65bf147b4143c8bb4896748f08e19777c6b6fecd87c8617c611d03be25f635c90ef
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Temp\1.exe.exeFilesize
584KB
MD5e741a2b67316f180a249808375aca0b5
SHA13500982a3c4b48cde5dfa290eaee0ced72683c80
SHA2569c51db3ead53b07f7c9efa6d20adc9fdf96c3feb1b5d568d0d04adb27d3bd2cf
SHA51238c6c1a4b27c65123251d948535cdf1092cf8f1ff404fa507dc053d0aa8858055cccc3d767a65eab59806c95fa016f044bae8350f553d6c211a5104af384192c
-
C:\Users\Admin\AppData\Local\Temp\1.exe.exeFilesize
320KB
MD56eb62463b50208a3e025b1bcd3ef792a
SHA194ffadb67408683d3d221ddbb42f565a8efc6d74
SHA2564c6a56c6f44f55a6c8a3758e5b4f24c233dfc1d555902727a7efe19f010ded0f
SHA512b304f3f33ee7b6f47694ec0da04105acd6302df258e999aa3ae339d7d6a3101460719c1471000784ca974d5b769ead0de9ce62c5d313b51be9eda736467bff0f
-
C:\Users\Admin\AppData\Local\Temp\1.exe.exeFilesize
373KB
MD5cdbaeac3e88b8413d20a6c6a05771013
SHA191c5b06ddf008fb777c34c7489c614f6393a1891
SHA25691327d7a280dcbea151156b0cc87df1b9fe5f84b01c9ee5e27d0d244697a92aa
SHA512cf53ec60c788cab330c226d647ab0bfd59775856d0e04b9fbb19c401e4e89c53f4c48803226d9da0b68339c209eafd8966458f17cfc0b0bfa3216abc3b3baca5
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDFilesize
371KB
MD5c2c62876867408019c6a57fb545cc297
SHA12f445353eae05c0e5a8273e679afd23a9435c077
SHA25697e8c33194b06bf2a61a09b977248dbc14b68c2ad65339a0dcda09cdeea3a2c9
SHA512d80e9c1e7900ff29d98d94dd03858ebf87bdbeadcddfc8beb084a41cb28783c9477f9a6a58b0ceb77c0da98174bbcf39a79b68fd0316cc411702fce34f560be0
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pcce1cbp.x5n.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\abc.exe.exeFilesize
371KB
MD57a83a738db05418c0ae6795b317a45f9
SHA1bbd1c1fe4a01b698963c28a2231c33d70338014c
SHA2561520e4cb2748aa5725d8b6c242ff6cf365f6672db35df2745c920ed228666317
SHA512735c9762d72ae8cbce79749145d7530b89ce2be75f591af963bca225f68d80b824c33e36f7805cc778838d684cb23dc317be83b291e4bd77239085082183dad2
-
C:\Users\Admin\AppData\Local\Temp\autorun.exe.exeFilesize
434KB
MD549a101f27b36c7ee8a0931a656749c43
SHA113874d352aa3fbb9a262e29c03ff885714ff8429
SHA256b61c3baadd541bcafad124668888e322d70720335a6f46173b489a47d5b66c1c
SHA512121f6b0b8c8342df96837e173cac6814fff315385a2f1a234b77c5b59fd661930b6f67e910f797db2f7a69d00f282dd9788770925c8390dfe6abcb52ac612ad3
-
C:\Users\Admin\AppData\Local\Temp\conhost.exe.exeFilesize
575KB
MD557ec8609c4c4bdc9c6249a30ba59b489
SHA1437cfeb671c04f5393cf0732bf602d3fae226501
SHA256861f5ebaad65712e0c699fe6fad2f63cca3f35759ed92f44db0d6d089889d209
SHA512860496bfa148c6c69416797ceacb2085f317833474d8a018b66da142f4ca167096b5c9f7988b99159236d0325d1435db3b515d7a84ea3f13cc548ad968ee1e58
-
C:\Users\Admin\AppData\Local\Temp\dwm2.exe.exeFilesize
188KB
MD5cdb5da91ed9624691148563d0c234e06
SHA1fd12f9d82869b65184d4bbe76119f623a9746303
SHA256cb1ae846ff0cf850daca17d92289cbbcd099f5ea3b68c3f3877409b8c4df2b44
SHA5122f773775f0b4b83b8a8ebd0c88831d7588c06c8733fbc1571086f568e0226b5ba27305cf89f3a338727dc3abcc8aeb1135de2353b94c32a953a91339da78e88a
-
C:\Users\Admin\AppData\Local\Temp\exploittttt.exe.exeFilesize
293KB
MD5603afaa08ee271ed30466d84ac63c81f
SHA179c1c3e466875effdf84269f902df1e1f4fae052
SHA2564c93aaee0b19b0a8e4d9f1c5cb4e66ca060837bcb1d59e61c482eea7a06b661b
SHA512a7e9eba2841873094cf326d4e9f46e26137f953d7113644bb75e47981f7eaf442f928a5c59aa66737b71e30adc14eb153714aa193c69eb472a7a41bc807efa44
-
C:\Users\Admin\AppData\Local\Temp\exploittttt.exe.exeFilesize
245KB
MD5e3aac295f104b5978ea88b26a2fb3d8e
SHA1ca4944a3fadd292c3b4d6bdb2dc12625c5be0f24
SHA2563ed49485349289ba7cc596a5d6b3f755593be0a14e70ebe7415f775dd7c289d4
SHA512360fccccabe4a080bf59ed5934b2d3a4efbecaef92d2227c0faf78b998cc1609d1c51f1e61355a517fa4064c6391a54b7af14a242d0c9565aa8279c8e0855725
-
C:\Users\Admin\AppData\Local\Temp\exploittttt.exe.exeFilesize
371KB
MD5df897e2c03db226d842971cdae69e384
SHA101abe6e49dd388eb75d16cfd2b6f211325d95e21
SHA2564916f80936024362c970124bbe89e2eff9ff035f1a375eccfed83a1f73c96b52
SHA51223a2d850ef3bde4c0488d62e3f2c6305bdf40bb81bb723c858a3964b3d0b7541d04be419765c2f4336733aa869a9e144a3c3b861812269f8f0a9c0c747d95517
-
C:\Users\Admin\AppData\Local\Temp\file.exe.exeFilesize
206KB
MD5cdba8c58e4d9e0a5e0b5053b8198f302
SHA1f2eea90e6d683f6d9c3dd973c33ccb526160ea05
SHA256ff0bd362c496178316aa66375828349d11825dd9afaa90c5ece39a401e4e0a7d
SHA51234cd31b65b587ae1abd59ec37d80c3036eb75730182a2b72f4d544d40325654f07588c72a32f738f13a4d67dc05013f3c978430fdcdb07d8e23ee78905c2c069
-
C:\Users\Admin\AppData\Local\Temp\leru.exe.exeFilesize
250KB
MD5c4270737aa55801b20ec0c0a7f70b68c
SHA1a3564ce59d9e35b59b218fb94a83c6480424473f
SHA256b8d4c2d8d806946988857b0dc1cdc0fda72df6baf9e270fb86431ee998e29dc8
SHA5122a4e4710f39ee1edefe503df758bc363a7d75464dad12b0c4d73161e19ef539bc99492e173166248fc44dd5e19bcb6cf0d441751441a1f336c360afcaef10f5c
-
C:\Users\Admin\AppData\Local\Temp\leru.exe.exeFilesize
545KB
MD562025eb8dbb3867db2dcbca5c8afa8cb
SHA1674ed0a7aaa67f6702ae6df8609d07090a810432
SHA25681a4ed8622278c5d4beff07909f93aa4a5530eca2df0e2ca3541f282867ac041
SHA51274930212f133e728d8e03f130384651f9bd1b8880648795581831ebd4d127552d54f8c2d2e0b10f013cb2a9f8d74cd3ab4e1b605962a3730aa9e0714d1c159c4
-
C:\Users\Admin\AppData\Local\Temp\leru.exe.exeFilesize
234KB
MD5c6f8f6e181ef80ca60d5c2ae12da5e02
SHA1e355265a3f921959fa241d75cc692476b88e60d9
SHA2562290e215b5763822c839f5878b2432c246bd9d31e5fa65d00b9ec59d9f7b1df9
SHA51222fcc385e1d83a7746fb5bc7843fd96353a83b6a33ac081a43979c283b79dde501613e03bb3f3fe3f7b7c02bb491d888aec5a47226106ef14f40d7ec133ecbb4
-
C:\Users\Admin\AppData\Local\Temp\love.exe.exeFilesize
5.4MB
MD55a6a676298bfb90f1fe093b469f2af75
SHA1f3e36d48a6653707235b76a85fdf0822736dde37
SHA2563ff4800fe0822f42c5c44f0efc8dc7dbd92a27ce36032bc0cc49ef514af89d0c
SHA5128fd9c237873c22566c58e6b3234e16b4010891519fb178c7cd4ddaaae72b0922b45468a6ce4826a6c2b1bc20c6db8cd81f52fcf41e9a47e8f17a5b7cd8455d90
-
C:\Users\Admin\AppData\Local\Temp\miner.exe.exeFilesize
23KB
MD5cafeab1513ff424cc79caeca170678d1
SHA11b0f46593b38a577f56aa617f37413ea1053ffb1
SHA25671f7d548c9ea57b8c9dcc3f426adabdddb4451e65837b63c4c25dc2a812717e2
SHA5129fd7762058b41612eecf8ed17888ad884cb97185c19cdde960a24a1835627158bc5cf339bd33ed15bf3df91456f91e91038f03de0ad04c043f442d3da04ba113
-
C:\Users\Admin\AppData\Local\Temp\newrock2.exe.exeFilesize
1.1MB
MD54b3f1024a48676ccceb11098c2abb1be
SHA1fd86c4fc060d8584364520bbabd298f7b629d179
SHA256394c3d5a9c159861454e2db0d8ee5c97d050e011caa4cb387488911af8bd936b
SHA5128a06a101215e45bbfdc01f335e5098a50dc77c339e0d09a3a3eccfefc4037be958d39616abcdb713397e508800c9e7aadf8b0863867979e7900000eaadb333d1
-
C:\Users\Admin\AppData\Local\Temp\perlo.exe.exeFilesize
1.8MB
MD53324f385006b03800693844e46126fc0
SHA1e2d7636a96c3fde5a62bd1244035cbb119bb439c
SHA2563fe20b6304e4252a8ac3592f69ea2e6d1354c0b16bf51062fb094f26d024ea39
SHA512c243367801d00fc224b2fc25c1517a1d49ab755f8cb20c1c1956484998a0542c18108787ab163f34578d2521210f0f67e2e0c23c61a592f040e6bf9f37e4c1ed
-
C:\Users\Admin\AppData\Local\Temp\perlo.exe.exeFilesize
1.6MB
MD5cdf2a0f359f9b72781003c5045ce3e18
SHA1d877424e91b8003e490a9a446a38ca2673db6a70
SHA2561d80a6708dd23984f980a5c9d4acfa5d8e318a2bfb3864c142adbc7d273a49d6
SHA512ad9930923e9a24e3d1b9ea8f607199312aef15251169db982fe1b0c3bb8498eaf61be9affd5a1a9373f31aa740aaded0fc3782bdb17f5c6e95605699c3fbeab3
-
C:\Users\Admin\AppData\Local\Temp\perlo.exe.exeFilesize
1.3MB
MD5fc0195c69a6a9cccbeab20f7d4c46571
SHA16f2f3394f721fe891afd14f84ea8d62cb15426d2
SHA256c4fc1b26b6a1ba69aa5c872efdf80048ac0d3d7aefc67ea5b70d817abf0e38b6
SHA5126abc2ea919148c4330e6e42a3a9454fccdbdeace5ee67c5fa44df77330fccfbf547acc5e5e032adaead5383075368516a7306559db0ca01714da0e9f317f1d3d
-
C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe.exeFilesize
185KB
MD5ec5083852bb834b1918fb748acc02f2b
SHA1085b672cd356665231e5fa491a727c51b67f9dfb
SHA256ba1f7240b30530c040734308fba5ce453e07b6a8df58a298fb3030a66f34627c
SHA51206a76e69670c4b419f37378938ad0ff85b9c61f3b89b956f1d2c97f3fe824b677a8a45f5ffa68037a09444f58f39ca6f8256349c3fd1a9f7c3bc2085ece59274
-
C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe.exeFilesize
116KB
MD5685cada243cf1f9989f0fe40f91ad835
SHA169c55eded5c8bfa335e35978f300111a5b5f91db
SHA2566d273c5084341d530e8631444c8ed231e5d5513e78f3357e90f1dd983c9077c4
SHA5123c6bd1b11bf61e3b007a694a5aab4c1725f944279eafb30f810fb7aa369513ddc2d5040f1894abeefa0dc8c736006eb571af3cef9c5126402d0f6ce201177bdf
-
C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe.exeFilesize
374KB
MD598122b8f1aacd9238a1fa64510248316
SHA11aa02f7b21f5900f0712be32464ab72f7fa8fb21
SHA2568360f4c0dac11ccc290856411afbd7e969d48f1159b7de208f046d521553e991
SHA512952c367c5c5b61d6ecb91649cb4fe9e7b8f9fd8c9eadd63cdff1bc8908a046c5a28fbc1f720e2c6890e088714cb95e3495dcd033c081e3133cc89481c6d49cda
-
C:\Users\Admin\AppData\Local\Temp\plugmanzx.exe.exeFilesize
173KB
MD50aabfdb57eb36835e6be031a5997bf7c
SHA1fe1d9c1c875fe50c5fe5e05bcecef1fcb9f03940
SHA256e6b61f2f5faf7b13e6857dec75aec024d4938bc3216774a84d2c012a5bf1970a
SHA5128c9814d9dec447e7d6c9b0a33df45d303c387a3a87b0778e6809be289c99a2a5153221d2cc23a406e96d821cef866bfe72109bcddf98937bd64890bebee9c9c4
-
C:\Users\Admin\AppData\Local\Temp\red.exe.exeFilesize
95KB
MD53c78cef4203a47012167be0877274540
SHA18fba278e3fbcfcf5dffc871a92aa0a5a382edda8
SHA256202ebcf24cd4b6a4394e7dddd7ee98bceb9ac2b8c281e9f4610c7a93dafaa959
SHA512009391e72b23e5fd963a09dc1a91db37b9b0815cea80311333c8c7f52cb0c43095cc29b60d7db145b49006b7c2fdcdfda31e52c8f6ceeb7085c4dc615b3fae66
-
C:\Users\Admin\AppData\Local\Temp\rty31.exe.exeFilesize
369KB
MD5797344a5766214c49734b8f63f78e797
SHA19635642026072bc12dcc5fdfb017b9c234c5bab8
SHA256aafa82fb621b4843c3ae89bb8beddfe66244e203149880b79a4e8f42f5a7c4b9
SHA512cacbf814ec9eeb5fa586cbf90437e82330d463d024af92a1a728b51e96d69ae0f6d8f7274691df534945accde3fb6c54c000095191d55d57653dfc1f0a8f6d9e
-
C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exeFilesize
198KB
MD5d45f14011ea40c3a966764d4d057fe0f
SHA1167a0ef966167f078ad14cc14a6d2c39615c8283
SHA25650f231d1596f874eed3b6e3942f2f409a83f6e39fbef18915ea92687d26bb22c
SHA512735204c1d5e3386cf3121c1e4d68ccdfcd7b4fbecdfe238b033408a6f01cee0a731c7ec4230f4187eb19e2e897c1e7b81f1294fe96fbfb55a9fcb84bdfb430d8
-
C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exeFilesize
198KB
MD58a9dec3a337b97aaa890c7a2ff14caa4
SHA131485e61b54bac91c0431bf6a613361cbccf9785
SHA2563c7e45c9437b93e5ddbb1485b6b6b5e56135e02ba0842a8798750fbf80db4146
SHA51220d172c8f34d37c5b5c8b20eb31b6c4f2a08f23b343db72471ec0b900908e061de38e5c98703634bf6aeed8cd79a381172fbefd5b779ac1a0b38f9faad0d5ee1
-
C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exeFilesize
247KB
MD5d72482254a4aeb092be5fc1a957a533e
SHA141d61c1195c0a4a374f298170f64ad117e246248
SHA256278e6fe465356877f204df347b239befbe043006c39e5422a4579ae9c62411c8
SHA512436aa9726c26887c2a4d9561d59621144c420d1975367fc57065aac8bd92250e973302422e45952847b3dfbb979938d24d9230564a98cb3e3702a2fb2ce8a7c2
-
C:\Users\Admin\AppData\Local\Temp\securityhealths.exe.exeFilesize
151KB
MD5a8bcaa953a8f675728850c6977ac24b5
SHA14b43ddff1aaf30f453e776897988eb8a50f40b24
SHA2564369a95490aa433f6aa1c01c87311b441f765653971a07e31fbf54c7dcc16a6a
SHA5129a28e99dab0217d5d3f5ac5f8cc6bb9f823611caee1351c96c1478520f06c47d19df295f716efb0a138aeef3a4fa7a0e6e166485f02a8992cf74fe4e3bc75e76
-
C:\Users\Admin\AppData\Local\Temp\tmp163A.tmpFilesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\tmp165F.tmpFilesize
92KB
MD546a9527bd64f05259f5763e2f9a8dca1
SHA10bb3166e583e6490af82ca99c73cc977f62a957b
SHA256f226fe907da2a1c71bff39823b1cb5063431c7e756ca79e6e86973f1b7c46742
SHA512f49e5b0f584765fc93cc6d972553b7acfc618a950022ad9d1b05bc3185dd685d9fe8ea3d6376c6b257fda49f9db52e73770b3ef0612943c96c818c5d0e0f5241
-
C:\Users\Admin\AppData\Local\Temp\tmp169A.tmpFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\tmp16AF.tmpFilesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Temp\tmp16B5.tmpFilesize
54KB
MD5c64a422bdeba1d491bc0823a7d1474c2
SHA1dbfc60fbbe11ab578a98ce0754574f6a5da64a6f
SHA256a85d200fb53ff115b7624aaccd889a11087c4bedf498d3ea6e03b0ea7f23341a
SHA512eafa11cccd266bbffdcfbe5c54b19699537861ce2007a5d0abfed0ee86b30fe4b18aa0c26a557073ef5beaa74c0d319b21a6f6ab8ea52fd39d98cc62bca4f076
-
C:\Users\Admin\AppData\Local\Temp\tmp16F0.tmpFilesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\AppData\Local\Temp\tmpAD86.tmp.batFilesize
156B
MD50515205550c16b42b4525295d34c52c1
SHA1ff1dccb3ed336a17f61e804ff3a51b78e02accd0
SHA25627281db06861cff7aa138f67a08fa3f8bc82fdb09e7fc221e02c773810b588f8
SHA51277cdedd902260d1e429a4cdf1fd219a4a4c368b25603e068ceeb7e753e83f84a62328230ac31227433403e3ceef397229835ab5080a7c6508a4046ddbe3f2562
-
C:\Users\Admin\AppData\Local\Temp\tuc5.exe.exeFilesize
4.7MB
MD50fa21a39b7e1858af3604852116b7af1
SHA141cf29a9656ebd1afb4f4e002e244dd683b31b90
SHA25674a74a949bf4727ce7b8318c1f5baea1ca58b8bbd6a6b65f89f56ac5470f2c65
SHA512de45e6476ac29b674e7ce6272d816a842551d059c37eb38da1ea230becd62bdc66cd4ba96af4b7313747ac94048e27991004a849d4237a4c5c12c930cc251433
-
C:\Users\Admin\AppData\Local\Temp\twoo.exe.exeFilesize
5.8MB
MD5013dd34c1d52ad6a86419657437e247a
SHA17e3e065d69e1217ac0a795989464e8c1266f9224
SHA2566fc264d3ffc563ee44ae41f7693c1ec08d3d57e19b69b6e59c0a300c7317135c
SHA512f5adcb348abf7255b5369e05c6c883acbc3015ffa18cb67e95f296b51eeb525cc1d1f17c4e33f026d7aa5333aec4c529dea1f73358515892da8b0ec61b4466a6
-
C:\Users\Admin\AppData\Local\Temp\venom.exe.exeFilesize
73KB
MD538312527c8f936445c85e7ddde36f420
SHA1725a7f7522e907878eb84456ccb0424332b5cdd6
SHA2563df5b2d8fa12771d01180865d86b83385535794b18232cca17e5a7e3fac585fb
SHA512b748a3c76aaeefe29ca856ebbe49b7e316c992af399e6678bb43e0bef297e03cf0144b06cad64a9c46c6a2950e38036a07bd9e3dc23cc67f1b63702153fc38d0
-
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.confFilesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
C:\Users\Admin\AppData\Roaming\svc.exeFilesize
632KB
MD593f01bd10921f4455e9577442cbadcec
SHA1c102e4fa585fd6a4005274cfa4150f4ffb59bfc3
SHA256ca9b7d7e6c9100b5f7987a56ade722b373343af8be2e498723219a8d6d993257
SHA5126dec77c8a473bc948d0145c1b1a851647cbb187bdf815e2d273d28657992439cc5666b7365f94d079e284bcc2fa72434454e97777824dccdcc7a30187155dcca
-
C:\Users\ONa9v7hKI.README.txtFilesize
10KB
MD50a673ba4a3710f76f2fd417744f21904
SHA16b9de57ffb3e4188600044bf582bc2ccf96270d8
SHA25682eba2fde3799ac6daa62fafc401daf73aa4b3fb76e77b5c7c0a75ae97d70b57
SHA512f962f3084920d4d9687be55f739b30836d6dc919d09168ef687b80d8b5c55a39930e058b4ef2956276c2c6dc81d89198cbe62c2363675ca3d6a2380192d9d84c
-
F:\$RECYCLE.BIN\S-1-5-21-1815711207-1844170477-3539718864-1000\DDDDDDDDDDDFilesize
129B
MD5cb7f20bfbcdab730e3e352f65dae38a4
SHA1ef4594a75f89e0b3ab64e588a9c0f513dec70676
SHA256fb74f1794303111006b65454527b889c6c6f59639713cfd0995f3afa51fc11b9
SHA512b966839d6bfc933696d6d4d8dde6e35858fe8661c8a919b2b529d98686d37f8eb45d3661322a3bfeb109ee0850f73f993c7440516316b655997ec939828620c2
-
memory/112-29-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/112-33-0x00000000053C0000-0x00000000053D0000-memory.dmpFilesize
64KB
-
memory/112-63-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/112-35-0x00000000053A0000-0x00000000053A1000-memory.dmpFilesize
4KB
-
memory/112-31-0x00000000053A0000-0x00000000053A1000-memory.dmpFilesize
4KB
-
memory/112-30-0x0000000000A10000-0x0000000000A82000-memory.dmpFilesize
456KB
-
memory/548-316-0x0000000008DA0000-0x0000000008E3C000-memory.dmpFilesize
624KB
-
memory/548-139-0x0000000007BC0000-0x0000000007BD0000-memory.dmpFilesize
64KB
-
memory/548-315-0x0000000008D50000-0x0000000008DA4000-memory.dmpFilesize
336KB
-
memory/548-79-0x0000000000BA0000-0x0000000000C44000-memory.dmpFilesize
656KB
-
memory/548-78-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/548-104-0x0000000007CF0000-0x0000000007D02000-memory.dmpFilesize
72KB
-
memory/548-314-0x0000000007D30000-0x0000000007D3E000-memory.dmpFilesize
56KB
-
memory/548-80-0x0000000007BC0000-0x0000000007BD0000-memory.dmpFilesize
64KB
-
memory/548-321-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/548-138-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/1260-60-0x00007FFF897E0000-0x00007FFF8A2A1000-memory.dmpFilesize
10.8MB
-
memory/1260-108-0x00007FFF897E0000-0x00007FFF8A2A1000-memory.dmpFilesize
10.8MB
-
memory/1260-61-0x000000001B5A0000-0x000000001B5B0000-memory.dmpFilesize
64KB
-
memory/1280-320-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/1280-107-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/1280-106-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/1280-325-0x00000000051A0000-0x00000000051B0000-memory.dmpFilesize
64KB
-
memory/1280-109-0x00000000051A0000-0x00000000051B0000-memory.dmpFilesize
64KB
-
memory/1584-1094-0x0000000000400000-0x0000000000463000-memory.dmpFilesize
396KB
-
memory/2496-135-0x00000000001F0000-0x000000000020E000-memory.dmpFilesize
120KB
-
memory/2496-136-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/2496-137-0x0000000004B40000-0x0000000004B50000-memory.dmpFilesize
64KB
-
memory/2496-141-0x0000000006740000-0x000000000675E000-memory.dmpFilesize
120KB
-
memory/2496-140-0x00000000065D0000-0x0000000006646000-memory.dmpFilesize
472KB
-
memory/2544-1256-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/2544-1332-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/3164-54-0x00007FFFA7890000-0x00007FFFA7A85000-memory.dmpFilesize
2.0MB
-
memory/3164-17-0x0000000000160000-0x0000000000178000-memory.dmpFilesize
96KB
-
memory/3164-28-0x0000000002310000-0x0000000002320000-memory.dmpFilesize
64KB
-
memory/3164-26-0x00007FFF897E0000-0x00007FFF8A2A1000-memory.dmpFilesize
10.8MB
-
memory/3164-49-0x00007FFFA7890000-0x00007FFFA7A85000-memory.dmpFilesize
2.0MB
-
memory/3164-52-0x00007FFF897E0000-0x00007FFF8A2A1000-memory.dmpFilesize
10.8MB
-
memory/3488-627-0x00000000091A0000-0x0000000009249000-memory.dmpFilesize
676KB
-
memory/4408-65-0x0000000006F70000-0x0000000007132000-memory.dmpFilesize
1.8MB
-
memory/4408-39-0x00000000058D0000-0x0000000005E74000-memory.dmpFilesize
5.6MB
-
memory/4408-34-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/4408-38-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/4408-40-0x0000000005320000-0x00000000053B2000-memory.dmpFilesize
584KB
-
memory/4408-41-0x00000000052A0000-0x00000000052B0000-memory.dmpFilesize
64KB
-
memory/4408-42-0x00000000052C0000-0x00000000052CA000-memory.dmpFilesize
40KB
-
memory/4408-43-0x00000000064A0000-0x0000000006AB8000-memory.dmpFilesize
6.1MB
-
memory/4408-44-0x0000000005600000-0x000000000570A000-memory.dmpFilesize
1.0MB
-
memory/4408-45-0x0000000005530000-0x0000000005542000-memory.dmpFilesize
72KB
-
memory/4408-48-0x0000000005590000-0x00000000055CC000-memory.dmpFilesize
240KB
-
memory/4408-55-0x0000000005710000-0x000000000575C000-memory.dmpFilesize
304KB
-
memory/4408-62-0x0000000005F80000-0x0000000005FE6000-memory.dmpFilesize
408KB
-
memory/4408-64-0x0000000006D50000-0x0000000006DA0000-memory.dmpFilesize
320KB
-
memory/4408-66-0x0000000007670000-0x0000000007B9C000-memory.dmpFilesize
5.2MB
-
memory/4408-102-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/4408-105-0x00000000052A0000-0x00000000052B0000-memory.dmpFilesize
64KB
-
memory/4724-326-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/4724-121-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/4724-122-0x0000000000430000-0x00000000004E2000-memory.dmpFilesize
712KB
-
memory/4724-123-0x00000000050E0000-0x00000000050F2000-memory.dmpFilesize
72KB
-
memory/4824-0-0x00000000006F0000-0x00000000006FA000-memory.dmpFilesize
40KB
-
memory/4824-1-0x00007FFF897E0000-0x00007FFF8A2A1000-memory.dmpFilesize
10.8MB
-
memory/4824-32-0x00007FFF897E0000-0x00007FFF8A2A1000-memory.dmpFilesize
10.8MB
-
memory/4824-2-0x000000001B3F0000-0x000000001B400000-memory.dmpFilesize
64KB
-
memory/4924-103-0x0000000003670000-0x0000000003674000-memory.dmpFilesize
16KB
-
memory/4936-540-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4936-533-0x0000000000910000-0x000000000091B000-memory.dmpFilesize
44KB
-
memory/4936-532-0x0000000000910000-0x000000000091B000-memory.dmpFilesize
44KB
-
memory/5348-523-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/5448-1057-0x0000000000D90000-0x00000000012A7000-memory.dmpFilesize
5.1MB
-
memory/5464-1270-0x0000000000400000-0x00000000005CD000-memory.dmpFilesize
1.8MB
-
memory/5524-328-0x0000000005880000-0x0000000005EA8000-memory.dmpFilesize
6.2MB
-
memory/5524-323-0x00000000050B0000-0x00000000050E6000-memory.dmpFilesize
216KB
-
memory/5524-327-0x0000000005240000-0x0000000005250000-memory.dmpFilesize
64KB
-
memory/5524-324-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/5524-329-0x00000000057D0000-0x00000000057F2000-memory.dmpFilesize
136KB
-
memory/5532-322-0x0000000074D70000-0x0000000075520000-memory.dmpFilesize
7.7MB
-
memory/5532-317-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/5696-1276-0x0000000000400000-0x0000000000575000-memory.dmpFilesize
1.5MB
-
memory/5696-1278-0x0000000000400000-0x0000000000575000-memory.dmpFilesize
1.5MB
-
memory/5696-1279-0x0000000000400000-0x0000000000575000-memory.dmpFilesize
1.5MB
-
memory/5856-1117-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5856-1255-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5928-370-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB