Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:38
General
-
Target
df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe
-
Size
1.5MB
-
MD5
3b58f52654cf24ceac5a682fedf56ea6
-
SHA1
4e012ff7eed34f394136e4490f7bc281613f84fd
-
SHA256
df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c
-
SHA512
bbcf48c981fdc8b9019a8388ebc7179474ee9896003431f04f1d978078837a06c22335458a0fd782683afbfff4a06dffa17f09e71513fdaf34e0872597461f22
-
SSDEEP
49152:CdCs0UvZJ3HkXkf+/1ZvY1qaKidaHjskUWQP7RQ:Vs0UvZJtf6qdaH5SP7
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 5 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe"C:\Users\Admin\AppData\Local\Temp\df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ab2Gu05.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ab2Gu05.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xR0ra48.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xR0ra48.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gR4rB18.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gR4rB18.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EJ9sY61.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EJ9sY61.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eH5es48.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eH5es48.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1jQ62EW9.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1jQ62EW9.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 5888⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2bu2715.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2bu2715.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 5409⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 6128⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ay80kJ.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ay80kJ.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4HZ757cf.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4HZ757cf.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 5846⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Tc5kJ4.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Tc5kJ4.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Di5ea1.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Di5ea1.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7RH4ca26.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7RH4ca26.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4A76.tmp\4A77.tmp\4A78.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7RH4ca26.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x144,0x170,0x7ffdc54946f8,0x7ffdc5494708,0x7ffdc54947185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8464394576591200258,3912340075654944157,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8464394576591200258,3912340075654944157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffdc54946f8,0x7ffdc5494708,0x7ffdc54947185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5196 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,10081989513356824106,16077514217473091631,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5840 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffdc54946f8,0x7ffdc5494708,0x7ffdc54947185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,18165509693370091018,1229602589578352036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 876 -ip 8761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2708 -ip 27081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 952 -ip 9521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4976 -ip 49761⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD547b2c6613360b818825d076d14c051f7
SHA17df7304568313a06540f490bf3305cb89bc03e5c
SHA25647a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac
SHA51208d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5e0811105475d528ab174dfdb69f935f3
SHA1dd9689f0f70a07b4e6fb29607e42d2d5faf1f516
SHA256c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c
SHA5128374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5964f17883288fac96402098da063ba47
SHA1fbfa856949e464b4fb9b7c20cd3dee16686a75cb
SHA256f0eb5a246aede83e799d65d5a7616ddf63d9dc473c6d82f22ea5513aece1d2cb
SHA512603fdfe59a9b8fcfb1e60f1ab9cb2b743edc678da6f6c6f50c800e715c4281b1314f2d21690e4d38774ba113eeb807b942b25c8f6c8ccf54f1a3bf9e74d0cf94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5ecb9c30af4687571e2705e41772812f7
SHA1a390fedfd6cff3d7a18fb2b17820fcfcaa39ac58
SHA256317a85d5a5ab17429e781e64ddfa876533e82f12f53a243976b71135ac01023a
SHA512e62b7f66fdb08ab8cdd11477dab469b4838be716f8cc55dd36eecb828f485df4af2cbec127adf371cf85839f79c7ab363d4963fc6202a309769ee3db3b332bf7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5fb72a68135c93ab44421dc460d28712c
SHA12b850bd50a1ccbe68fb9c83d3e5e2549ece486d1
SHA256fe8ae13dab902355415b5196a3ab111c167df669cfe5d004c7eba0e64b383a85
SHA512004af2015c9410c14468da2f9b443c5fbd24391dcba39337c33ab738b9b07c31407901e56c6f01e86bcb77991a0e7837bfed01b21d3edada6060c660b4d40143
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5a59a229ba320dc791036ff52ea43de0f
SHA1dd6aedd7073f5418f6ed059b58fbe664324fb6e4
SHA2564e162235a745a00f0b817f0506e52ea7f9524b6308d9da1fb210510d48e6c058
SHA5120432ef122636fd2d2ba21ded7829ce8f4d91d40b8aaf04301f902bce6560153077cd4ca8aa4c0e375a3dc001725897fa956d616c89365c44375d735be7358ae9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5d0e9e410e994a96bb3c35587dbd7d213
SHA133ac34cb769e6d3895e27f27d7805dd112e46f60
SHA2564fd1fa505fcc30043def1096a421437d67288d6884b491bb77df01214a095319
SHA512010b7ee48c60de3e8d2edfdc07c807cf88840e7aa21343bd7eab8a7f422ed8e2672502e15a4cdb6e0c1a9083204327de66214218b953cdef67dbd38905c239eb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
89B
MD514e592e6104478ee4851b31d8060ce4b
SHA1b3c12bc4ba37542ff92a8281e4e60f1317b7cacc
SHA2561ff93c966c842ac88412691bb5d49f0ae63dc7749c4fb80fc9ea5999a08497ee
SHA51217e574dcadb2e3c1355c43188c03ad70882271d48964f7392229b03f3d74defc4fd2f14b36c587a76e393f9e089a227450fedb96adf25028883feabacc7448ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
82B
MD588a963d7f3849e0e1d728c1af1b70db2
SHA1da3fff86a3d8b56293e321201eb45f7ca3938372
SHA256c52aded6dfd5a30394f13d1946d43b6a51b9c51b36265dcaeab860c49f2e5da2
SHA51285d84f7469f25ecdae8be98c7c3e3ef19b3d55f03f472573087dad623b526941afa1c13c6e927de2fbaff9753c17bb3332664ad054f93a965102e5e996ad62f7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
146B
MD576a123011a383e26d7b7ad42278e5117
SHA123984f54906d5a652d98664e6837edc718a432ef
SHA256b232d0fd14f9e1f693c9e9993469e0e0464103e699376321c588d476e1b05fb9
SHA5129348433af02c94ba86a874a7670aa9713c030a6876e14b73a93037fed431b516f867074b889c7b9a58dfbcf4b966d9bb9fd2c01f57ee595ff56bddf332930321
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000001.dbtmpFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
72B
MD59103a2ff303d96086b4127a540b0d0ca
SHA144b6466acf4bcd74bbb89da05b24ef5bb8e3c208
SHA25620ec70e5401d2a99985bf2d4fa8d1f7bd9b5d17ef6f6418ebf57a2eef6db0434
SHA5124fd59f585570595fcbc196bf10aa93b2b487c6862a05fce31b37eb2dbf397e0cb67c35ca1e500e399e081ad79e1bbd7155308f25aeea4a74af856e641e445930
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b640.TMPFilesize
48B
MD5acdaa64333bbcef60ca656f3d1cb4aa1
SHA1153de06628b22a30c09f228ab0685f69dd67ad2c
SHA256515541b54f1786b83e90ada2aa2b67c5b56232431d85151c3f7b1cba9537613f
SHA5129eb951bc4067503ac17301a2ce148cf368134251a2fdc767368dad6c31a333ca2eca3201c6ded5b80e50c4594271e3a9b181aa6751b1fd15c84fbca6545623a5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD563f37f940c269f27a8737f270113a3c9
SHA1d5dbffb3027b733c11776102ed07cbe19eb45410
SHA256ecca2680bda7b6747762e457d9b109b8362214689f262d24f7136bb130d81c84
SHA512e02316df8e4266122194cc03f6cccd6fff2743881d7d22a4aee9f1a3092baec151bc0bccc8892d9316a82d9910dc1d76d4aa2e291e5939bae3e63826fc1d570e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD563d686801371609251ed678d9b5e9ba0
SHA1860d410c518a4bb10ffbb609348bd4486d6e0c1e
SHA2565e672af11138fb328c34bd3499a4620d9bbf6cd509aae49dd604bcb6548440e7
SHA512e406e0fb5cba9ac25697d86f8f9d5d8320dda78f17c3e93a0a8a33a52bf597cb2fc6031bfe904b39923585aebed5e557e6b81da371db417240fb7d06a4f5131d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD54d0cc3fee8e3407659391c44950122ca
SHA1ec814c92ed993c925f556ec869781b17f3709f39
SHA256b9f7cc834a5a2ad556392e48432578bd3a2725b67e783899e9a8c85ba8b15146
SHA512b9498d82d4a1291cd9f37416eba3909e918bfabfa15b502a1f33204efa27aceb915944211a1da5e6462c2fa3aa5052b331e7fc91e24c9533b59ac913dfe63753
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57add4.TMPFilesize
1KB
MD5c77687ad47d20808c0b9719a1233e2bd
SHA1bac97ee8d3df00a1a4530ad82008919d1ca9e607
SHA2560b73a3ad3557445a974c4e0f38ca5115ce5299ea477d579f521ad8f58d4f48d2
SHA5120ac9dd261b1793223fd58fccc7a07fc24f8e233f0a851e410c866469c8f7d7d0c2ecc927053adbebd7755a9842e86f4cd8d277673218921423aa3a540392e453
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5774330dd1457999dedffd26ca7a1fdd8
SHA136c350b2cfcf2bf17b87310658d78339d8d159ba
SHA256539067fb490494b75a014bd586254ec0d966869928a315528a9a6ff3e7eed20d
SHA51288b5374bbe5b88a194453c6338380f42ba091dac22dffdf1708e1a6c3d8436005e8baae428a4ee44f2f6dc4d5e153e65e6542afe875d3b4dc2b451c18efc85c9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5dc08509ec010feaa0039dd0efa000fbe
SHA1f58941a637a89ad480853072908bd5f00471146c
SHA256e3d33848d29439a29a95b3faae68959be643a321f427c0bbcd10675a37cbd1dc
SHA512953f84f6a606760ed81197f1779f8836f8911330d039d14108e3c8e16cb593c52a6c28e02e0b483cfcfe34a18cafa7359b3215bf2c3d3debd7f0517c3ba5e81e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD594a0c2b8177e0c7645b91ac23b7d95a5
SHA1aafdd88c3369f8821f637ccd1fd76a3d5f878cdb
SHA2568c4cca1ae13eca9e97f280120eebbef84dfc596666c965f8ebcf3fef5652a214
SHA512e540870282fb11499f45b89cc64256e65aca457fab840d61f490e8822947eb61fe46b8ba359fc4f34cb0c9407726861b63e6488a7f4dacc6be3f3ec0959b571d
-
C:\Users\Admin\AppData\Local\Temp\4A76.tmp\4A77.tmp\4A78.batFilesize
645B
MD5376a9f688d0224a448db8acbf154f0dc
SHA14b36f19dc23654c9333289c37e454fe09ea28ab5
SHA2567bdbf8bb79af152874b51f1a3c724d24070d0631d6c4c59102b60da022f4a31a
SHA512a5aea84abd1271c92538f9262c7ca38ce5e52ef3edf697dc1442db68565751d9401da9bb9f78a52e7330451d55ed6ad4ea9b1a5835bdff7f2afab15362bf694b
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7RH4ca26.exeFilesize
89KB
MD519b35690fef22b53e35cb4620c110278
SHA140d0326f69fcb00feebb4837bd27438a704be293
SHA256dbd44f7f9eb2d3b661b4cc1b29641771f18a0f1a799780fdaa692881e821b8c5
SHA51237042b386e70d15b67059768f68c65713d34a8a244cfdb8bd66eaa3caaf0122d16a5ebb2d1630fa47a305c200463b4c2a2ea6dd8e87a9a6e3ed5f12ad641950f
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ab2Gu05.exeFilesize
1.4MB
MD572e03d75bf021a1e1c28ff695d055e65
SHA14bf5e85f2cea24d2ba29301752ead08f4e3335a6
SHA2564e82df1cf92a65295b16dbc6970198ae671c24fac90a7f652d7537f191014917
SHA512de178b3877e6e91be15e47dbe0ceab6e0516789c0e8bc518efc08ed9549e8e365a11275acd30c7d469c957bd15bf57f7acb7f10fe6dc417c070dc6a6bd754577
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Di5ea1.exeFilesize
183KB
MD5a74799b632685d03258b15358c504f6f
SHA14ecc07bfb9529bca4802624b3022f1f5c1bfb0e9
SHA25655ce1354cdacb4dec0dc86e9f226811b03f9a6319e4081414150a4e430e9c6eb
SHA5122343190d7aeb9441e4790ef280af0e3a0dbb7902b5b1a7d3f81aaca360af71807af004cdb53ab608cae6cc821d236aff758e3c217032495c5d96fa5161c15935
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xR0ra48.exeFilesize
1.2MB
MD5499e17320cf1e742f55e01f7eb92336b
SHA13fc2af18b4fdab29de2b69fd3ecda89c7d407e9a
SHA256898bc6a3ee887af2d77e1d992a1f38c14e01fa69e89475a706b24e9d6a63e7b6
SHA51267c26da5d5d6819d5a369a82ab6b8b7aa1b18d7fb7af7faa875392f0d0642551e815e22257680f6584ba528c0d720d40cc3aa21024bf6830942ee519c5669ef0
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Tc5kJ4.exeFilesize
220KB
MD5aa7cc12b3dde7d799e1183153155d888
SHA18f394a9bd8a8e228ab7295cebd3309096309da64
SHA256ac667d2b3675379b1281d8c0f55314b363c58628b9d7144ec032df1c6331dc0b
SHA5120f2dcc4004fb66ebe082f449bb848acb643ec6a34d0fb152cba49537e2a277cd45fe603202d81c2b79016500eae030cd59f0835461aee86a3fc89f928cd2cbef
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gR4rB18.exeFilesize
1.0MB
MD55a68637c88b223f1fac3fb1c4ea1b538
SHA1a655224147ecabbaf4d8bb2577156209b51fd9aa
SHA256a5c6444cb47785f054f5b56131c7302dc491a3c6132b58790b8d31fd9837df16
SHA5120df0c017d6d636a5ef348535968341f01fa7550eddf8ab3a3b45d65b7f5099ac9e5392134b2491ba861d68d0b4545b84dc8cef4af8931c41e9689e9b5014755c
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4HZ757cf.exeFilesize
1.1MB
MD5015e607043c90b874c79fbb8d90eca89
SHA1ff203ebdc57402fc379f5ad5a08f2538b8f72dd5
SHA256d07bfeccd987516ff3d4b1bc4ce077a883ffcd939f579a671d157fd2d4517ecb
SHA51267c9f170ff8b52a254cdc029f7ccb88cb83219818c08115c8742cccaea0cc05eaacb4bd894ff76b995b55864fe85feb25df024c973bee8643f08897906168719
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EJ9sY61.exeFilesize
652KB
MD5e6e37e2474b5937c1a145f756f96215f
SHA14213fe56509f7abd595e50d30e4a73aacc64c9ab
SHA256a20f06c5948ab7494affe351d0a576ac5740af4869dc6506ccd6a1500ab485a8
SHA5120819e4326326e6c0f6f8fc96430e88be19caf87388faeeac8074cd4e417fb5e145f8ebb3538eab156783b0d59a0b8a1f307121cc9e631f998ffc12c6148ca738
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ay80kJ.exeFilesize
30KB
MD5bc03a784fd2017ef45b2a287e5cf2677
SHA134340ea6b35e566d0f2679da52b771d05502047b
SHA25652f47ea7d168e7162ba6acac451627775216b7761ad85a5e72d8c274d5703f2f
SHA51249fdbdb52ae19d4939b875b2884467376bc2d21e64e828ee69086d0b78d3fe447f0a719742d0d00038eb4d3ae00d47af7a1362483f43f22c5f97b9aadcb6d8fb
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eH5es48.exeFilesize
528KB
MD5b4025db382bf54c40fe5db916e2cc818
SHA1bbfe26d8397f215a1924530e2fb072d806dfa115
SHA256afc4ef89b474589eac5a915c2d0d4581667b214fdf56c0169edb11b8998fc56e
SHA512924deb510b622e7accb82eefaff33ac351b7a54e46ccc2945502cfe64f733e9d57bb3e6f2ff30884304808d01bd377b4c7a1406521f4c98e72071c7b3de8853f
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1jQ62EW9.exeFilesize
890KB
MD5327aa11b65c9cbe127902f2ec75fba02
SHA1458538e3618da2f69566bf654a19a3aca30d29a2
SHA256fd4b9ba15bdb3f4e55e650a648830320ba602ef2bdd0d3f7a793123460229a81
SHA512d3d4162fab37875565500b773595bc643c3a073a3154fd894bb50db370a09195b97bc1d593d3c2b007c1276608dc47328e41cf81401fe1c8bcc91a6f15a599d5
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2bu2715.exeFilesize
1.1MB
MD50ccf469c1d2932e86d4a8d0e076e0f1b
SHA1f6dc4b3f9918e82cbf0e66de7240f5b2bfd5119f
SHA25639f35aa3c665edd1a19a13d8e030e667399e917d4ac23f236609688b35755615
SHA512ace2473b33424eb4f4cb1bb0110570fc35d95d1459f817646eec16bb333e9efa76aa3c467eff413c4f9531e1086bebbc7887bf8f2703dda13a7da0980029bf27
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
memory/952-47-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/952-48-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/952-49-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/952-51-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/3508-56-0x00000000024F0000-0x0000000002506000-memory.dmpFilesize
88KB
-
memory/4264-55-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4264-57-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4464-43-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/4464-186-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/4464-42-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/4940-66-0x0000000007BF0000-0x0000000007C82000-memory.dmpFilesize
584KB
-
memory/4940-378-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/4940-379-0x0000000007E00000-0x0000000007E10000-memory.dmpFilesize
64KB
-
memory/4940-65-0x00000000080A0000-0x0000000008644000-memory.dmpFilesize
5.6MB
-
memory/4940-82-0x0000000007F20000-0x000000000802A000-memory.dmpFilesize
1.0MB
-
memory/4940-64-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/4940-63-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4940-67-0x0000000007E00000-0x0000000007E10000-memory.dmpFilesize
64KB
-
memory/4940-92-0x0000000007E90000-0x0000000007EDC000-memory.dmpFilesize
304KB
-
memory/4940-89-0x0000000007E50000-0x0000000007E8C000-memory.dmpFilesize
240KB
-
memory/4940-73-0x0000000003060000-0x000000000306A000-memory.dmpFilesize
40KB
-
memory/4940-86-0x0000000007DE0000-0x0000000007DF2000-memory.dmpFilesize
72KB
-
memory/4940-78-0x0000000008C70000-0x0000000009288000-memory.dmpFilesize
6.1MB