Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
12-02-2024 20:46
General
-
Target
02f3c4c6ad01e1986b261aa12b05602d556bcbf8b00bff66f2830c2cfb150f77.exe
-
Size
1.8MB
-
MD5
41fcd95b28e78fd19b27bed8228b492a
-
SHA1
fec049a89b16ad04f2164819ee50d997a79f57b6
-
SHA256
02f3c4c6ad01e1986b261aa12b05602d556bcbf8b00bff66f2830c2cfb150f77
-
SHA512
fc3b6ee59106e1a6f1387c748b997e5faa4ce54b284741f43f47fb0f15a1f4430bab5e448ed8811e50dad3d2cb78a56fb905ef5afab7f9db9a8445ef799280c6
-
SSDEEP
49152:qNGJgYbif/3Wf3rjA8FVU0/WGfdliCkzwLC:qNGW4j/zFVU0/TfdlPiuC
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
LiveTraffic
20.79.30.95:33223
Extracted
redline
@RLREBORN Cloud (TG: @FATHEROFCARDERS)
45.15.156.209:40481
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://habrafa.com/test1/get.php
-
extension
.ldhy
-
offline_id
pIGzEr0bxHiTz7xnvNidWeqzKkxMfVdHTyCkzwt1
-
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-hPAqznkJKD Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0849ASdw
Extracted
lumma
https://mealroomrallpassiveer.shop/api
https://gemcreedarticulateod.shop/api
https://secretionsuitcasenioise.shop/api
https://claimconcessionrebe.shop/api
https://liabilityarrangemenyit.shop/api
https://triangleseasonbenchwj.shop/api
https://resergvearyinitiani.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detected Djvu ransomware 7 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 5 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
XMRig Miner payload 8 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
.NET Reactor proctector 4 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 27 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 5 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 8 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 5 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 49 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\02f3c4c6ad01e1986b261aa12b05602d556bcbf8b00bff66f2830c2cfb150f77.exe"C:\Users\Admin\AppData\Local\Temp\02f3c4c6ad01e1986b261aa12b05602d556bcbf8b00bff66f2830c2cfb150f77.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000266001\lolololoMRK123.exe"C:\Users\Admin\AppData\Local\Temp\1000266001\lolololoMRK123.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 12004⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000268001\monetkamoya.exe"C:\Users\Admin\AppData\Local\Temp\1000268001\monetkamoya.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000269001\goldprime2.exe"C:\Users\Admin\AppData\Local\Temp\1000269001\goldprime2.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000270001\RDX1.exe"C:\Users\Admin\AppData\Local\Temp\1000270001\RDX1.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000271001\daissss.exe"C:\Users\Admin\AppData\Local\Temp\1000271001\daissss.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000272001\newfilelunacy.exe"C:\Users\Admin\AppData\Local\Temp\1000272001\newfilelunacy.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\168293393341_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000273001\dayroc.exe"C:\Users\Admin\AppData\Local\Temp\1000273001\dayroc.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nine.exe"C:\Users\Admin\AppData\Local\Temp\nine.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 4484⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 2284⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 3884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 4004⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 6804⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 6924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 6924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 7484⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 7404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 7724⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 8284⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 6164⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 8884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 9124⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 9604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 8804⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 9524⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 9604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 9764⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 10004⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 2205⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 3565⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 3605⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 6445⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 6565⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 6565⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 7245⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 7445⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 7325⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 7325⤵
- Program crash
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 3726⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 3886⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 3966⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 6806⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 7366⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 6806⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 7606⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 7686⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 7886⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 9246⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 9046⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 8246⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 9726⤵
- Program crash
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 9246⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 9486⤵
- Program crash
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1000274001\lumma123142124.exe"C:\Users\Admin\AppData\Local\Temp\1000274001\lumma123142124.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 8204⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000276001\File300un.exe"C:\Users\Admin\AppData\Local\Temp\1000276001\File300un.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2724 -ip 27241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4052 -ip 40521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1152 -ip 11521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4980 -ip 49801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4332 -ip 43321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4332 -ip 43321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4332 -ip 43321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4332 -ip 43321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4332 -ip 43321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4332 -ip 43321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4332 -ip 43321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4332 -ip 43321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4332 -ip 43321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4332 -ip 43321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4832 -ip 48321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4832 -ip 48321⤵
-
C:\Users\Admin\AppData\Local\Temp\4E69.exeC:\Users\Admin\AppData\Local\Temp\4E69.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 4642⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1132 -ip 11321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4832 -ip 48321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4832 -ip 48321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4832 -ip 48321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4832 -ip 48321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4832 -ip 48321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4832 -ip 48321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4832 -ip 48321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4832 -ip 48321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4832 -ip 48321⤵
-
C:\Users\Admin\AppData\Local\Temp\781A.exeC:\Users\Admin\AppData\Local\Temp\781A.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\781A.exeC:\Users\Admin\AppData\Local\Temp\781A.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\4579542a-2853-47a9-b11a-6db9e01864e6" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\781A.exe"C:\Users\Admin\AppData\Local\Temp\781A.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\781A.exe"C:\Users\Admin\AppData\Local\Temp\781A.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 5845⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2208 -ip 22081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4832 -ip 48321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4832 -ip 48321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4832 -ip 48321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4832 -ip 48321⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\72C.exeC:\Users\Admin\AppData\Local\Temp\72C.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D76.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\1509.exeC:\Users\Admin\AppData\Local\Temp\1509.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\3A93.exeC:\Users\Admin\AppData\Local\Temp\3A93.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Virtualization/Sandbox Evasion
2Impair Defenses
1Disable or Modify System Firewall
1File and Directory Permissions Modification
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.logFilesize
2KB
MD51305705ab4eb7a8ff5a73874670d91f4
SHA1a118cf0ba2d4ac47473b9140c0aa7745efc6aac7
SHA256d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b
SHA51227ecc05e3c91ae669799ead19ef0d89397cd51f3221c1e35d30a8fe229b80a7efdc1e9b6c10bb544442c47a263c077cd912727b5a2388ad1f71af45a17ef4b64
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeFilesize
1.8MB
MD541fcd95b28e78fd19b27bed8228b492a
SHA1fec049a89b16ad04f2164819ee50d997a79f57b6
SHA25602f3c4c6ad01e1986b261aa12b05602d556bcbf8b00bff66f2830c2cfb150f77
SHA512fc3b6ee59106e1a6f1387c748b997e5faa4ce54b284741f43f47fb0f15a1f4430bab5e448ed8811e50dad3d2cb78a56fb905ef5afab7f9db9a8445ef799280c6
-
C:\Users\Admin\AppData\Local\Temp\1000266001\lolololoMRK123.exeFilesize
698KB
MD5bf2a3e48b0ea897e1cb01f8e2d37a995
SHA14e7cd01f8126099d550e126ff1c44b9f60f79b70
SHA256207c4f9e62528d693f096220ad365f5124918efc7994c537c956f9a79bcbadd3
SHA51278769b0130eed100e2bb1d0794f371b0fa1286d0c644337bc2d9bbe24f6467fd89aa8acf92ac719cc3c045d57097665fe8f3f567f2d4297a7ee7968bbab58b91
-
C:\Users\Admin\AppData\Local\Temp\1000268001\monetkamoya.exeFilesize
2.5MB
MD5e9adf3fcd6efd04ad2d9fcbb0c652a5d
SHA1bfe3f7167266c6e17572e801394517513d4b7501
SHA2561e97aba3bea70cedc575c7a181f1782ba7d8a3bd5859960bd46ea3a0663a95a2
SHA5126e0be0d272eea1ca92ea164549b0a4c26f7a89ecdbc85c6998a278eb961c406e43964eb13cd3d573fe063aeb64e8d38a984cee8706747f82610a56a716c0b255
-
C:\Users\Admin\AppData\Local\Temp\1000269001\goldprime2.exeFilesize
473KB
MD53f049cf620677b51325e05a0d50b69ec
SHA165166e6999ab77d8b32bd39b46f5bbb9dff70e3f
SHA2566fff17483379f7962982c0fc6f593694c67389d1257d683b5d62fa72b93361b2
SHA512afe20976e9f7efd36ac301ec6629b7aab6479864fea137c76bc976bfe504d8e894aa6fba590c2fd6c2cf061118e070ae5a276e894c8941adce7588609c7a1ec4
-
C:\Users\Admin\AppData\Local\Temp\1000270001\RDX1.exeFilesize
313KB
MD5a98147219e118138a69583d2bf4b4a4f
SHA10933d682bc3d11a1468fbca7c863a5c1619b06ed
SHA256aea02ed572705a2cb522550f31ec39cf0781b90d5ea6f58686f60bd7c91e52c2
SHA512719e73b5341d7c358439efdcf9d479c68bd7d0a67a77fc190e187a1dc293f4791357e509e08b94156b71b9bcc02c4ab5576f4f67a25da7ea4d5a026ae4f86266
-
C:\Users\Admin\AppData\Local\Temp\1000271001\daissss.exeFilesize
421KB
MD510a331a12ca40f3293dfadfcecb8d071
SHA1ada41586d1366cf76c9a652a219a0e0562cc41af
SHA256b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f
SHA5121a5b8e77ddbab97bb4c848adbcd7dbfb9ca84307d1844dba9572fcea48a2cbb091a3fc52663b87568416adf18a1338adc07aab0bd5f1ab36a03c8ff8a035d399
-
C:\Users\Admin\AppData\Local\Temp\1000272001\newfilelunacy.exeFilesize
539KB
MD5c1982b0fb28f525d86557b71a6f81591
SHA1e47df5873305fbcdb21097936711442921cd2c3b
SHA2563bab5e1befbdc895d9e36e76cb9a40e59de61a34109c36ed26d7dedcd5db3080
SHA51246dcabbfb57b3665faa76bc6f58b6f252934788acabbf2ba75263d42cac8c013f6feb5992a7043123842a609bdd1b3084f2f0c8b192c2b219b87274d29f8c432
-
C:\Users\Admin\AppData\Local\Temp\1000273001\dayroc.exeFilesize
4.5MB
MD59e4d1c2ddddb0bb9ab403a7540fcb44c
SHA19d3d818c60aca0d501133497055fe43dd1d8f2c6
SHA256cb6fd0e4779453133de64e1af45a7489ce2e858f7024b792f03c9be549afb84b
SHA51215932b3b10c53ee596101085a0df42218f8c94553cb36d2b5bc384a679288b82eacc5bb52c18ae565426bbccc7c8d4a7a9cbd3df6ee3e60e968de28c0ef8812e
-
C:\Users\Admin\AppData\Local\Temp\1000273001\dayroc.exeFilesize
3.9MB
MD52bd2da15f5ed01312062b1edb9073850
SHA12b271ccebfe6759cf1618572b9b32cbb66211db5
SHA256b9301317ab4658a6c204257ce8b50ce938096be61b5b33edc9001c13cb83b367
SHA51234dc1a78c08058694b5add39238026a1996cf595351a549986e3d923f5b917ae2390539c967209707a9f0fdc85a1c6c80521d73f7197882774c6e91ce1e8b103
-
C:\Users\Admin\AppData\Local\Temp\1000273001\dayroc.exeFilesize
3.9MB
MD52099b7e9fedc4e4fbf8b9429333740ff
SHA150cd8f7201dcb133cc3f1e3c9d4b1084132c422c
SHA2565467f9f52d2447bac08a24ef1e5a7055e276790a842b15dec8af6e98bc7faa56
SHA5126ef2c287afbd27d3d62257884e5c83871425b49e2e945a0a71d8f2faac2c171014ba9653516a2c9d92cfd3eace2977380aaf6bd0a85a4650286547547555fe68
-
C:\Users\Admin\AppData\Local\Temp\1000274001\lumma123142124.exeFilesize
600KB
MD5cad41f50c144c92747eee506f5c69a05
SHA1f08fd5ec92fd22ba613776199182b3b1edb4f7b2
SHA2561ac5eed2f7fc98b3d247240faa30f221f5692b15ea5b5c1eba3390709cb025c6
SHA51264b89f3a3b667cd81f33985db9c76ffd0bb716ce8ed93f97c24d3c20e7236d91d02af9371a26d41f55b564702bd1f6fd7489055868fcd1610c04beb79ae8c045
-
C:\Users\Admin\AppData\Local\Temp\1000274001\lumma123142124.exeFilesize
64KB
MD5928bd233aeabc8ac63874038d80a31ae
SHA1bc43e5239c3b975fe7a736e6b01faa4171641eb9
SHA256cd0396e3b7f1386e5d96bf04e789cd59164bdff590f2b5fbfd16b8c2f0f0ca39
SHA5127b5bf1a2105b1b484b117c24fa46c5372604812de2455016ec7b4ab8366e5cb420635ab4269ec56f84239d53b5f656c1ecadb7e2cf9a2463ef6bf60de1f3dd29
-
C:\Users\Admin\AppData\Local\Temp\1000276001\File300un.exeFilesize
57KB
MD5055231d52a308768e6f648954fd9a3af
SHA1eb07ae002f10dd7a0940499b1b65ad4726bd9576
SHA2561da862e5ed37d1aca728940d0f58601c2932a86289bcd8aee627d4b8f3abb3c3
SHA5129b4807e91b195c776dff98087298cd465083d57aac425d149e733b1b9e37cfd0bca73182dbf93f4ce75c74730656778a3b2e6f52f8dd054efa9c5040f38b80c4
-
C:\Users\Admin\AppData\Local\Temp\1509.exeFilesize
364KB
MD5ea21f591a31754a8d327f905bccfca2f
SHA1576b00213e4c05a4a4fdad1b54d9e6ce725b4f5f
SHA2564768efd3769c4525cb2230482561c0fb0df37802d247f0bfea1f713a8561ad61
SHA512d9ba855b9c9a4344e6c4d584de2962f2e1175a2c98095dde389ce41e8a8b9211b16cc3a0862c86e2f35e7923cf3699d2ca5e1558aa40fb9d65e70a8b731c3670
-
C:\Users\Admin\AppData\Local\Temp\3A93.exeFilesize
16.5MB
MD528ae83bd8caafc9949baac5ab47013e7
SHA1a2d8957f3dcc951057b58d7d1b0ac06b71036c77
SHA25667025c4b6a8ca9566f9d3588baa152af8644f6335b2410e843942f397e2e6316
SHA51291ac8df551ba2f7d4282723e8dabfd15251fcba93091e761e89f890878b9b33d21cbb7a5615ddf424cce3f938768f117b4d700f4e36f45861c1efc27e3d8ea92
-
C:\Users\Admin\AppData\Local\Temp\4E69.exeFilesize
217KB
MD545d570affa3319d89121c755e490090c
SHA11a74367c97128ca66cf6d04ba671d71df8d5e440
SHA256f09dbd237c0b7f9024adefec0d677cd2ddf6fa709021bb7c4efabc2a94fc788c
SHA51200194e4b64f1e92811058249a26d6dee2d225065280842f700815ed6d4dcef7ee12737fa03b0971d784754f8c3cad69b1768f1df15af951d17fe6c153b0cd1b3
-
C:\Users\Admin\AppData\Local\Temp\72C.exeFilesize
6.3MB
MD5b1e8d4d7dd26612c17eccbf66b280e7c
SHA197dd5e81a4014fb54ef5ac3f1db88519843c85c2
SHA256e3940372b04a4cb2177ae409c195debccfe004600d73a39d429a577d248d4cb2
SHA512ff70dd3103128cd36bd1da3a734e635ec76d53a5629fc1f05941d6cadb9e82310da0ea298dcf449ef17c42a70ea7d787a75585ffa37a74f9007ca91a4481ecc8
-
C:\Users\Admin\AppData\Local\Temp\781A.exeFilesize
745KB
MD581a548e80c5767f4677ce9f469e21b84
SHA18d4713faf51d266ec4e8e4ddaf64a456aa5e151f
SHA25684a3f5649b934034467453762dce5e0f40cbf79cfe970d2d1b8fc1a4bf582121
SHA512e081561435bd705008d84d34419d1e7de7cf2a0c460ae177b77f00492e97d5a93272dbf12a8375fcbcbcf47e8ee35218915a13b20bfe23f81b9e9a7fa99db6d3
-
C:\Users\Admin\AppData\Local\Temp\D76.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oard5hiq.ii4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exeFilesize
2.2MB
MD550706759971af61260d4fba0063e50cc
SHA1bfe25847f6f19f55fda737d44382cdfad507c425
SHA256f3b3c782dd845b4cacdb042682c8b7c3c34711004d59a77960c79e68f65577e5
SHA5127d18ad236cb3f1a1ef8b611ad3b7bf89867d53f31b70a99256433459e37063ffd7dd60c00cb3f4b7b543581d0b1fb06bd375ba4bdc7a193b772335e7dc89f86a
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exeFilesize
2.6MB
MD551c27e7e68e6b20e34235e0e1baecbf3
SHA1041caf0f6acca3c8c59785dea9fb3e24813c64ce
SHA25662071e36eda401388587b6347fc8f8048c44c5397db4d695a6c39c5bc613867d
SHA512dce4bac35184c65c29ee8173dcb6f417b36784a4d785bd1d1c88f0e83acae6c8832187e717ed97d4352e10d25ce4d3720de28b991b805e69f9b8dc5cb9cddacd
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exeFilesize
1.8MB
MD538c5b0b3c2e77e3c52a56ad8014f5908
SHA17efb6f39a2ea7fcfd484b144ad4fc2cc8d38340e
SHA2561acecfe3919d5e187b3561245c3b24b334c8e57c1d79ebe054f46460556d7c20
SHA512220a1a781e17a3246cbe9a15219765c0561311b1ca6eb164e860eecfe41d07715ee4b0c76663aa3adf6cbfcd3afe79ba6f295df5215b63633fd0c07911141cea
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exeFilesize
4.1MB
MD5294c5614c7183a453d7eef1b36ab1266
SHA1ddef7ff18a09042fdadc0a1c78f88fc2050c703c
SHA256d4194f95a8ede895fd6344ec12b5038058d9a5130016207f490f16572c3d9a01
SHA5122f6c8bc173a3cc49ac0acb4cde6dc22ce4ebe078763d9543b0511b185efb1878bb0ae01519c805fec83c7face791bfc73c505d8f9245695b64f179f035c8739e
-
C:\Users\Admin\AppData\Local\Temp\nine.exeFilesize
257KB
MD59377b2d9cf30cdb95938581d2f443d0c
SHA15b2d23dea7d5f7deded14b1f33e08260b9c25878
SHA2561b045d664cd5ce2bf315bffef85f0b4be363bd6d146533e3c3624257122330e9
SHA5124278f05d7da33465332fe62b8a9f1e01717f99a3b7e8f7769ec62947b9aca924228575087a035bcc064f816e4b58ff28bc7ba0cc84545ebbe8cc0d69b7ca7f0e
-
C:\Users\Admin\AppData\Local\Temp\toolspub1.exeFilesize
170KB
MD555f8359ef2f889e04fe418c80bc952ed
SHA1b2ac224b69c20b721ef9810b79003b513823e55f
SHA256732cb080fb5e27e98728c42f77b5dd865faa1f5e840d8113c9f30fa2c3f550c8
SHA51242bfba12e19f399beb54d65dfdb8767584c75264a1f321aee68cb85880d7ac606b3022bb0ab7df72075d3f2271e7d4918c9c7bae7acf6675856bcd21f6fe46b8
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeFilesize
4KB
MD5a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1013f5aa9057bf0b3c0c24824de9d075434501354
SHA2569b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA5127446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD504abc89cadafc6ebb96be39b58a91050
SHA152dccb2cf983a2e1e977cc4817b11b7bcfb2fceb
SHA256e51bdcb221d6dc46f24012c9fea9a3d36d55ecdc7f7effae763340b9e2852663
SHA51299a7bfd5c712398946d59e2b9801eda805e584c1d7befe9cc52177c6d4e0c44446b9d6171f3885a40ad5ee4332e64c25e6bf90aea9dc02c100914cbd50827421
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5ae337e6b252304fb71a4a48eb3a277fc
SHA1bf6bac36d7fdb0c594986455eeef82258ae3e33d
SHA2563324a7480d9b5db49d5f49de2e3b11bb750d3b1ce495113ae570b1fdb71d5d91
SHA5123e95183c7f992d5f90f7ab97d1ff8a2d373c18912e97a6ed9b143164c81138301afc82c40de3fe0e177fc029f5402ffada3feb6338fee460462e86c5edc4b4fd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5e86755c16e857de873077aa4012d22e8
SHA18b49201d0d4437d2631ecf6ee6b8cd66c124f85e
SHA256afa0f14f4c173d94661407eca0878f6c7de869d5344a4260e070d5caa37aafbe
SHA51242c818f7b8089589a287296de251ee71778465b8cc53952f155c37a4ad181017fbe410cf768be780002b3b8a453eba2bbc9be72859f1dc66a20e5b9c82c6df89
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5232b3111697494e63613f85b322266b2
SHA1722eed1af6b03bf1ac7bc1f63fa509510f897128
SHA256d32f5f8951815a91c098e68ebbbce95800cf366cb736be4a8ac41a1690ccd9e9
SHA512267c83fbfb54a6e89e04b692bb869056cfce73786e1351a6d274079306147c3781e84c73133d30187f38e1fcf0d248dca7743c0ad3c30e70476230124f0266fa
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD518b25216c9c368c95fe6b4fd569fc603
SHA1b87a11e463f82810ae5dc0a803f55b6fa40f9d00
SHA25694a0edea8e483f656bf00ea794adc9be5248482f724f1c0775726b24ce5e6a59
SHA5125edce1993b38a137383f9c04c896dfccb43a67511dfefe72719f0d940ab027ff335c29f6f1c6c248e73d7ab2f3d356d819edfee3e9dd688b34c478910407aa0a
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/876-450-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/876-445-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/876-759-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/876-439-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/876-454-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/876-453-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/876-452-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/876-451-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/876-448-0x0000000001620000-0x0000000001640000-memory.dmpFilesize
128KB
-
memory/876-447-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/876-446-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/876-442-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/876-444-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/876-443-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1152-501-0x0000000000400000-0x0000000002FC1000-memory.dmpFilesize
43.8MB
-
memory/1188-441-0x0000000000400000-0x0000000002BD7000-memory.dmpFilesize
39.8MB
-
memory/1552-235-0x000002CA875D0000-0x000002CA875D9000-memory.dmpFilesize
36KB
-
memory/1552-257-0x00007FF87B650000-0x00007FF87B919000-memory.dmpFilesize
2.8MB
-
memory/1552-253-0x00007FF87C7D0000-0x00007FF87C88E000-memory.dmpFilesize
760KB
-
memory/1552-252-0x00007FF87DB10000-0x00007FF87DD05000-memory.dmpFilesize
2.0MB
-
memory/1552-250-0x000002CA89050000-0x000002CA89450000-memory.dmpFilesize
4.0MB
-
memory/2108-22-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB
-
memory/2108-69-0x0000000000510000-0x00000000009BA000-memory.dmpFilesize
4.7MB
-
memory/2108-28-0x0000000004F30000-0x0000000004F31000-memory.dmpFilesize
4KB
-
memory/2108-20-0x0000000000510000-0x00000000009BA000-memory.dmpFilesize
4.7MB
-
memory/2108-21-0x0000000004ED0000-0x0000000004ED1000-memory.dmpFilesize
4KB
-
memory/2108-148-0x0000000000510000-0x00000000009BA000-memory.dmpFilesize
4.7MB
-
memory/2108-659-0x0000000000510000-0x00000000009BA000-memory.dmpFilesize
4.7MB
-
memory/2108-23-0x0000000004EC0000-0x0000000004EC1000-memory.dmpFilesize
4KB
-
memory/2108-606-0x0000000000510000-0x00000000009BA000-memory.dmpFilesize
4.7MB
-
memory/2108-19-0x0000000000510000-0x00000000009BA000-memory.dmpFilesize
4.7MB
-
memory/2108-27-0x0000000004F00000-0x0000000004F01000-memory.dmpFilesize
4KB
-
memory/2108-506-0x0000000000510000-0x00000000009BA000-memory.dmpFilesize
4.7MB
-
memory/2108-26-0x0000000004EB0000-0x0000000004EB1000-memory.dmpFilesize
4KB
-
memory/2108-25-0x0000000004EA0000-0x0000000004EA1000-memory.dmpFilesize
4KB
-
memory/2108-24-0x0000000004F10000-0x0000000004F11000-memory.dmpFilesize
4KB
-
memory/2108-107-0x0000000000510000-0x00000000009BA000-memory.dmpFilesize
4.7MB
-
memory/2108-417-0x0000000000510000-0x00000000009BA000-memory.dmpFilesize
4.7MB
-
memory/2108-29-0x0000000004F20000-0x0000000004F21000-memory.dmpFilesize
4KB
-
memory/2108-757-0x0000000000510000-0x00000000009BA000-memory.dmpFilesize
4.7MB
-
memory/2184-6-0x0000000005370000-0x0000000005371000-memory.dmpFilesize
4KB
-
memory/2184-5-0x0000000005320000-0x0000000005321000-memory.dmpFilesize
4KB
-
memory/2184-8-0x0000000005310000-0x0000000005311000-memory.dmpFilesize
4KB
-
memory/2184-9-0x0000000005360000-0x0000000005361000-memory.dmpFilesize
4KB
-
memory/2184-16-0x0000000000790000-0x0000000000C3A000-memory.dmpFilesize
4.7MB
-
memory/2184-1-0x00000000777E4000-0x00000000777E6000-memory.dmpFilesize
8KB
-
memory/2184-2-0x0000000000790000-0x0000000000C3A000-memory.dmpFilesize
4.7MB
-
memory/2184-4-0x0000000005340000-0x0000000005341000-memory.dmpFilesize
4KB
-
memory/2184-10-0x0000000005390000-0x0000000005391000-memory.dmpFilesize
4KB
-
memory/2184-0-0x0000000000790000-0x0000000000C3A000-memory.dmpFilesize
4.7MB
-
memory/2184-7-0x0000000005300000-0x0000000005301000-memory.dmpFilesize
4KB
-
memory/2184-3-0x0000000005330000-0x0000000005331000-memory.dmpFilesize
4KB
-
memory/2184-11-0x0000000005380000-0x0000000005381000-memory.dmpFilesize
4KB
-
memory/2208-731-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2208-732-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2208-734-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2376-51-0x00000000024D0000-0x00000000024E0000-memory.dmpFilesize
64KB
-
memory/2376-62-0x0000000002680000-0x0000000004680000-memory.dmpFilesize
32.0MB
-
memory/2376-50-0x0000000073400000-0x0000000073BB0000-memory.dmpFilesize
7.7MB
-
memory/2376-52-0x00000000024D0000-0x00000000024E0000-memory.dmpFilesize
64KB
-
memory/2376-53-0x00000000024D0000-0x00000000024E0000-memory.dmpFilesize
64KB
-
memory/2376-54-0x0000000004CB0000-0x0000000005254000-memory.dmpFilesize
5.6MB
-
memory/2376-55-0x0000000004B60000-0x0000000004BF8000-memory.dmpFilesize
608KB
-
memory/2376-67-0x0000000073400000-0x0000000073BB0000-memory.dmpFilesize
7.7MB
-
memory/2376-49-0x0000000004C10000-0x0000000004CA8000-memory.dmpFilesize
608KB
-
memory/2724-65-0x0000000000C80000-0x0000000000CC0000-memory.dmpFilesize
256KB
-
memory/2724-58-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/2724-61-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/2724-70-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/2724-68-0x0000000000CC0000-0x0000000000CC1000-memory.dmpFilesize
4KB
-
memory/2724-175-0x0000000000C80000-0x0000000000CC0000-memory.dmpFilesize
256KB
-
memory/2724-66-0x0000000000CC0000-0x0000000000CC1000-memory.dmpFilesize
4KB
-
memory/2724-63-0x0000000000C80000-0x0000000000CC0000-memory.dmpFilesize
256KB
-
memory/2960-128-0x0000000002530000-0x0000000004530000-memory.dmpFilesize
32.0MB
-
memory/2960-129-0x0000000072B50000-0x0000000073300000-memory.dmpFilesize
7.7MB
-
memory/2960-108-0x0000000072B50000-0x0000000073300000-memory.dmpFilesize
7.7MB
-
memory/2960-109-0x0000000002150000-0x0000000002160000-memory.dmpFilesize
64KB
-
memory/2960-106-0x0000000004970000-0x00000000049CC000-memory.dmpFilesize
368KB
-
memory/2960-111-0x0000000002150000-0x0000000002160000-memory.dmpFilesize
64KB
-
memory/2960-110-0x0000000005000000-0x000000000505A000-memory.dmpFilesize
360KB
-
memory/2960-112-0x0000000002150000-0x0000000002160000-memory.dmpFilesize
64KB
-
memory/3284-433-0x0000000000B30000-0x0000000000B46000-memory.dmpFilesize
88KB
-
memory/3936-182-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/4264-174-0x0000000002590000-0x00000000025E2000-memory.dmpFilesize
328KB
-
memory/4264-172-0x0000000072B50000-0x0000000073300000-memory.dmpFilesize
7.7MB
-
memory/4264-171-0x00000000021B0000-0x0000000002204000-memory.dmpFilesize
336KB
-
memory/4264-173-0x00000000025E0000-0x00000000025F0000-memory.dmpFilesize
64KB
-
memory/4272-143-0x0000000072B50000-0x0000000073300000-memory.dmpFilesize
7.7MB
-
memory/4272-146-0x0000000005350000-0x0000000005360000-memory.dmpFilesize
64KB
-
memory/4272-144-0x0000000000820000-0x0000000000874000-memory.dmpFilesize
336KB
-
memory/4332-575-0x0000000000400000-0x0000000002FC1000-memory.dmpFilesize
43.8MB
-
memory/4332-612-0x0000000000400000-0x0000000002FC1000-memory.dmpFilesize
43.8MB
-
memory/4396-697-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4396-694-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4396-699-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4396-715-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4752-229-0x00007FF87DB10000-0x00007FF87DD05000-memory.dmpFilesize
2.0MB
-
memory/4752-228-0x0000000003180000-0x0000000003580000-memory.dmpFilesize
4.0MB
-
memory/4752-230-0x00007FF87C7D0000-0x00007FF87C88E000-memory.dmpFilesize
760KB
-
memory/4752-227-0x0000000003180000-0x0000000003580000-memory.dmpFilesize
4.0MB
-
memory/4752-232-0x00007FF87B650000-0x00007FF87B919000-memory.dmpFilesize
2.8MB
-
memory/4832-758-0x0000000000400000-0x0000000002FC1000-memory.dmpFilesize
43.8MB
-
memory/4832-673-0x0000000000400000-0x0000000002FC1000-memory.dmpFilesize
43.8MB
-
memory/4884-150-0x0000000006150000-0x000000000618C000-memory.dmpFilesize
240KB
-
memory/4884-132-0x0000000072B50000-0x0000000073300000-memory.dmpFilesize
7.7MB
-
memory/4884-131-0x0000000005410000-0x000000000541A000-memory.dmpFilesize
40KB
-
memory/4884-130-0x0000000005220000-0x0000000005230000-memory.dmpFilesize
64KB
-
memory/4884-126-0x0000000005280000-0x0000000005312000-memory.dmpFilesize
584KB
-
memory/4884-151-0x00000000061D0000-0x000000000621C000-memory.dmpFilesize
304KB
-
memory/4884-145-0x0000000006730000-0x0000000006D48000-memory.dmpFilesize
6.1MB
-
memory/4884-115-0x0000000000400000-0x0000000000454000-memory.dmpFilesize
336KB
-
memory/4884-149-0x0000000007FD0000-0x0000000007FE2000-memory.dmpFilesize
72KB
-
memory/4884-147-0x00000000080C0000-0x00000000081CA000-memory.dmpFilesize
1.0MB
-
memory/4980-379-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/4980-373-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB