Analysis
-
max time kernel
88s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
30-03-2024 01:57
General
-
Target
91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe
-
Size
259KB
-
MD5
e5477d6420e21e75a4bb411a3947201a
-
SHA1
7120bf0ba0196ecc8cc04dd0c3166185ee3f7892
-
SHA256
91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a
-
SHA512
de56dddda25e1cf9c5835613e38375f463bbcabe858b846077359b704493ef75b14e6187f21f110103bde70cc61efe17e5dac6d229456271b33afa3406c7020d
-
SSDEEP
6144:K7vq2CD3/WTO/Ukgn4olUKm4shprkwnf8/9tQ:ERM3/WTO/dgxUWshprDnatQ
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Extracted
lumma
https://resergvearyinitiani.shop/api
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected Djvu ransomware 9 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 3 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 6 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 8 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe"C:\Users\Admin\AppData\Local\Temp\91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe"1⤵
- DcRat
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\92DA.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\AB64.exeC:\Users\Admin\AppData\Local\Temp\AB64.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AB64.exeC:\Users\Admin\AppData\Local\Temp\AB64.exe2⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\31b71721-def9-4837-b67d-e00ddce7a876" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\AB64.exe"C:\Users\Admin\AppData\Local\Temp\AB64.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AB64.exe"C:\Users\Admin\AppData\Local\Temp\AB64.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 5685⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3316 -ip 33161⤵
-
C:\Users\Admin\AppData\Local\Temp\FF13.exeC:\Users\Admin\AppData\Local\Temp\FF13.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4D0.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\2BC2.exeC:\Users\Admin\AppData\Local\Temp\2BC2.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2BC2.exe"C:\Users\Admin\AppData\Local\Temp\2BC2.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 428 -s 11642⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2708 -s 36122⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Modify Registry
3Impair Defenses
1Disable or Modify System Firewall
1File and Directory Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD559e81183e22d6940a35f6ed67fd7284f
SHA1f89e79506bb55e28e917700270d43ced58a3f359
SHA2561f5e75b95a0642292425b320843958d8f55ff50f8a5556ac85d325b14e62521d
SHA512afffc6628906c57cf29ecac595978793c182389734178dc2c73bf839a42f877cd6541fd5419670b415f14ed7a3c3e0256b48f9f43636c2d96f513fe1d2326257
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD5e2548042ab950e3c4931c09fa2680c22
SHA110bf4b1c81c74ac174f846b2aed4cc8ed12db4b7
SHA256748fe195b0143dd2cfe476702e7d1ae96f273cc3661f1b97328be817df1153df
SHA512e4296522ef36f879d387aa9fbcee972886bafaef83baa683cd3f6dd8270aab83a1b66b17169915f2b5c2f0a3627e82052454f4931a75d41633c8bf03814f2d0f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\1SA07OI6\microsoft.windows[1].xmlFilesize
97B
MD5fb9854a5b056cc3d006b38bf0eab1b7c
SHA10a2b0432e2e9938be1f652c2247827e47b265f44
SHA2563d454d15255bb82fb8a4cfa40ea848af32395be899aaaf83b6d626a814aa21c2
SHA51220366182bf5a658b19e3df4eef2fa4e484bdcecc85a893834fbcb2b0ab64100a7694c3dbbdf1597bf3e3a747ede6fe7b81aab5f07653ef40a515edbef90ed00d
-
C:\Users\Admin\AppData\Local\Temp\2BC2.exeFilesize
4.1MB
MD52a7399dc3ad509f391cd5422054320e5
SHA1d8ae9690d2be466697b50f0019bf39780fe35513
SHA256bbbf4e8231c7f5b0374dcd424b5fae89775f3b4344097e9a824fe591d8e441d9
SHA512726a2d26c283d5f27cff79547f9934eee85babfd9697e2f084ce153d5b2637980d74de5f037e6c69a7b2090345612e84bb72bf7b5815008b03ea71d8c64d619b
-
C:\Users\Admin\AppData\Local\Temp\92DA.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\AB64.exeFilesize
731KB
MD578dfee0a26911ec18d9cae49bcb4c6c0
SHA1ccd3e0a8dd4626ce87554a2b8fc30659d51e5978
SHA2563414774186b164063e7f83a550f360bd034ab85c94917aec2e325e3c23b38f94
SHA512174e2144fa1b659ba5683b9b791d094f687a55dca8569c8d0f4aba8c367d99ab320393493733fd18d8f58d950f6e4f7ee158e4b25c0b1a8906575d7c850b0017
-
C:\Users\Admin\AppData\Local\Temp\FF13.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bdiaefm3.qmq.psm1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD51149837931a8f36a6a86f7038912ea1f
SHA1861d9504f02cdf2e97bc93514c0d580c05c31b30
SHA2568fcdab789c816f90ceabe381ac2a857492e2cbd71150533ca74bde9153be7600
SHA51217d5a3448e6969adea9476f42eaa51c843846898453250642636b2f98ab02f47a0a7744e3a272d8e43cd317c191b990bad5a94aaddf0f8bd98afb881301d41b2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD525cdf666bcf573c0b71fafa8e218c45f
SHA12a8252b2e08ca1ab64005d2e7ce19a4959797c74
SHA2562229844c0a3122f720c186b051e0724fc0c89a78f8fe314ddedb45aa59edcee6
SHA5124eee70e27df7b433bc0bdf45b778b38e46ff8e880fdcac4e23b456775536fc0608e5a4c4e47b16a0211c5ba8ec994186ca74a33564b738bfe549ae9541911ce9
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD58580040d8a3a84515880a3dc5cff86a7
SHA146f0ef03e5bf99a1c587ef0afbe1084215bdc136
SHA2565adde4f69aecea73e3724c8c05fb133f2008b2def69ff5d5f17747f878fb6491
SHA512bb70167675d1c56692d7d02a5d48f283a9cb6880c6c9326f040d8d4e20b38a95d374ba0ce33289ef315704134ac558bda25dbd4325ab5db19b4f6ee4e41c93b0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5744de4287b2bc4b585177f2c603e8119
SHA1781678b43a5116b56622b896043b0e1bd8f39362
SHA256acbb0240e710870e685a35b9553acf8353c1985765194df408815d3349f5d025
SHA5125c2054a81b77e6bc000bdea5af37fc6a8bc8952db9d8ef2ed761df5cbc2700962c9131ee3888c9bd092805271aab40feb9667578e80de283846a6ee5ce9ceb83
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD54defe66326a50e50823f4c952809fc3b
SHA15d1518067409f69068da48c057cca58103f9e896
SHA256f4438ec0cb448a180c476bede9962c5ec8227f7618add805cb03936109987694
SHA512de8aad1965b587a424f6c83eeb32cfcdacb672e9da20612ccd154dcdb1863f0173dc991fe36aa13fad5619e6e4a41bb08922b5770d5694268e698d5a0e53408c
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/428-568-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/692-307-0x00000128036C0000-0x00000128036E0000-memory.dmpFilesize
128KB
-
memory/692-303-0x0000012802FB0000-0x0000012802FD0000-memory.dmpFilesize
128KB
-
memory/692-301-0x0000012803300000-0x0000012803320000-memory.dmpFilesize
128KB
-
memory/704-78-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-107-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-61-0x0000000000C50000-0x0000000000C51000-memory.dmpFilesize
4KB
-
memory/704-59-0x0000000000C40000-0x0000000000C41000-memory.dmpFilesize
4KB
-
memory/704-62-0x0000000000C60000-0x0000000000C61000-memory.dmpFilesize
4KB
-
memory/704-63-0x0000000000C70000-0x0000000000C71000-memory.dmpFilesize
4KB
-
memory/704-65-0x0000000000C90000-0x0000000000C91000-memory.dmpFilesize
4KB
-
memory/704-66-0x0000000000C90000-0x0000000000C91000-memory.dmpFilesize
4KB
-
memory/704-67-0x0000000000C90000-0x0000000000C91000-memory.dmpFilesize
4KB
-
memory/704-79-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-52-0x0000000000F70000-0x0000000001C55000-memory.dmpFilesize
12.9MB
-
memory/704-77-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-80-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-81-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-76-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-75-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-74-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-82-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-83-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-73-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-72-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-86-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-85-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-88-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-87-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-89-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-84-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-91-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-90-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-93-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-92-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-96-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-95-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-94-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-97-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-98-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-112-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-120-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-124-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-123-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-122-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-121-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-119-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-118-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-117-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-116-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-115-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-114-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-113-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-111-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-110-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-109-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-108-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-60-0x0000000000F70000-0x0000000001C55000-memory.dmpFilesize
12.9MB
-
memory/704-106-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-105-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-104-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-103-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-102-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-101-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-100-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/704-99-0x0000000004080000-0x0000000004180000-memory.dmpFilesize
1024KB
-
memory/704-57-0x00000000007E0000-0x00000000007E1000-memory.dmpFilesize
4KB
-
memory/704-58-0x00000000007F0000-0x00000000007F1000-memory.dmpFilesize
4KB
-
memory/708-2-0x0000000000BB0000-0x0000000000BBB000-memory.dmpFilesize
44KB
-
memory/708-5-0x0000000000400000-0x0000000000AEA000-memory.dmpFilesize
6.9MB
-
memory/708-1-0x0000000000C20000-0x0000000000D20000-memory.dmpFilesize
1024KB
-
memory/708-3-0x0000000000400000-0x0000000000AEA000-memory.dmpFilesize
6.9MB
-
memory/2104-608-0x0000021BA2160000-0x0000021BA2180000-memory.dmpFilesize
128KB
-
memory/2104-613-0x0000021BA2520000-0x0000021BA2540000-memory.dmpFilesize
128KB
-
memory/2104-611-0x0000021BA2120000-0x0000021BA2140000-memory.dmpFilesize
128KB
-
memory/2380-601-0x0000000004810000-0x0000000004811000-memory.dmpFilesize
4KB
-
memory/2688-295-0x00000000041C0000-0x00000000041C1000-memory.dmpFilesize
4KB
-
memory/3052-565-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/3076-21-0x0000000002380000-0x000000000249B000-memory.dmpFilesize
1.1MB
-
memory/3076-20-0x0000000002220000-0x00000000022BA000-memory.dmpFilesize
616KB
-
memory/3316-45-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3316-43-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3316-42-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3384-542-0x0000000004EF0000-0x0000000004EF1000-memory.dmpFilesize
4KB
-
memory/3476-236-0x0000000002350000-0x0000000002351000-memory.dmpFilesize
4KB
-
memory/3476-4-0x00000000029A0000-0x00000000029B6000-memory.dmpFilesize
88KB
-
memory/3496-363-0x00000000032A0000-0x00000000032A1000-memory.dmpFilesize
4KB
-
memory/3512-39-0x00000000021F0000-0x0000000002291000-memory.dmpFilesize
644KB
-
memory/3620-472-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/3624-464-0x0000021A67FE0000-0x0000021A68000000-memory.dmpFilesize
128KB
-
memory/3624-456-0x0000021A67C20000-0x0000021A67C40000-memory.dmpFilesize
128KB
-
memory/3624-459-0x0000021A679D0000-0x0000021A679F0000-memory.dmpFilesize
128KB
-
memory/3688-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3688-22-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3688-36-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3688-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3688-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3972-597-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4084-274-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4260-550-0x000001893D920000-0x000001893D940000-memory.dmpFilesize
128KB
-
memory/4260-552-0x000001893D8E0000-0x000001893D900000-memory.dmpFilesize
128KB
-
memory/4260-554-0x000001893DF00000-0x000001893DF20000-memory.dmpFilesize
128KB
-
memory/4332-449-0x0000000004920000-0x0000000004921000-memory.dmpFilesize
4KB
-
memory/4536-580-0x0000026B6D880000-0x0000026B6D8A0000-memory.dmpFilesize
128KB
-
memory/4536-577-0x0000026B6D270000-0x0000026B6D290000-memory.dmpFilesize
128KB
-
memory/4536-575-0x0000026B6D2B0000-0x0000026B6D2D0000-memory.dmpFilesize
128KB
-
memory/4972-371-0x0000022471210000-0x0000022471230000-memory.dmpFilesize
128KB
-
memory/4972-373-0x00000224711D0000-0x00000224711F0000-memory.dmpFilesize
128KB
-
memory/4972-375-0x00000224715E0000-0x0000022471600000-memory.dmpFilesize
128KB