Analysis
-
max time kernel
293s -
max time network
286s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
06-04-2024 11:32
General
-
Target
conan.exe
-
Size
822KB
-
MD5
f29bb9918f3803046c2bab24c20b458d
-
SHA1
c162f42333a6a7ef23ea9fc17e470daece374b6c
-
SHA256
b84760ded0544c86d23849130082b99c3000b1e4ca5da0690fcdfbf2771b7993
-
SHA512
e9f27f3be82a4b32ad155067b5e7c8652ec2031321eec64574152f2ddb01ff20dc9f44ee75ff7c363b103e3d8a7952c013416f360527e969963a11dea023a164
-
SSDEEP
24576:OYHymN8tZiUqGvCBSYcjOaTKsB5Oih4un0:OYRNyZiUqwCgYWHhn
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 8 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 11 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 29 IoCs
-
Suspicious use of SendNotifyMessage 28 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\conan.exe"C:\Users\Admin\AppData\Local\Temp\conan.exe"1⤵
- Checks computer location settings
- Drops startup file
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_708f86c7449baa8ed309c374f21ce511\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_708f86c7449baa8ed309c374f21ce511 HR" /sc HOURLY /rl HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_708f86c7449baa8ed309c374f21ce511\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_708f86c7449baa8ed309c374f21ce511 LG" /sc ONLOGON /rl HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\vXbOe0IOrFqOJ3RBX7tj.exe"C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\vXbOe0IOrFqOJ3RBX7tj.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\497073144238_Desktop.zip' -CompressionLevel Optimal6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415 HR" /sc HOURLY /rl HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415 LG" /sc ONLOGON /rl HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\pDMNvQfde2FIEHTlZsFc.exe"C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\pDMNvQfde2FIEHTlZsFc.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb2ee946f8,0x7ffb2ee94708,0x7ffb2ee947184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,14995326193530452740,7062548041192396924,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2ee946f8,0x7ffb2ee94708,0x7ffb2ee947184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,12164434068693872930,12129800140860022836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb2ee946f8,0x7ffb2ee94708,0x7ffb2ee947184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,8347799521481178533,6511208524997219383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_346889e96494e8fd7895d6ab35be317c\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_346889e96494e8fd7895d6ab35be317c HR" /sc HOURLY /rl HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_346889e96494e8fd7895d6ab35be317c\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_346889e96494e8fd7895d6ab35be317c LG" /sc ONLOGON /rl HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\5JVua4DaMoZkTEvuxZBj.exe"C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\5JVua4DaMoZkTEvuxZBj.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 22442⤵
- Program crash
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1580 -ip 15801⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Credential Access
Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50bd5c93de6441cd85df33f5858ead08c
SHA1c9e9a6c225ae958d5725537fac596b4d89ccb621
SHA2566e881c02306f0b1f4d926f77b32c57d4ba98db35a573562a017ae9e357fcb2d2
SHA51219073981f96ba488d87665cfa7ffc126b1b577865f36a53233f15d2773eabe5200a2a64874a3b180913ef95efdece3954169bdcb4232ee793670b100109f6ae2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54d6e17218d9a99976d1a14c6f6944c96
SHA19e54a19d6c61d99ac8759c5f07b2f0d5faab447f
SHA25632e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93
SHA5123fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
960B
MD59763f91ebffba4d97d87816eed9826a2
SHA1721992c3110d329a7651e2490b7d4863e2065028
SHA2560a6b8fdbc7a9c5a210ead280eadc58418156c35886aeb3a922ca0f39acf08ef2
SHA512a164e96b896605d58dfc59b1245bc1c116112a8ccb9123c45f4059477dbcf2e333f36f24e13c15abb9c30f2ebf5edf00d4762bdc79eae9cc5d71e47478ce880c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD512e64895490aadf749726c488fe6978d
SHA13d64a1de54fc8516b516fd8b2bec03f61a815dcb
SHA256b9ba58d7c9965b91847fc6aff5185a84f60c4053e747e5f0e94ebd4b652a0e2f
SHA5124bd7c20e7ac2036547009b0e1d04c6d3e9138970f8ab9d6e3208c3ee5b407734f14d976e743c3c6a955954a697a53da7b270bc1f362d563d1eda618005b24a4f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5670f5e5630ba40bcc0b448cbf2a0138d
SHA12f8625be1ab3a00e74b503a27ba087445644144b
SHA2564273f8aee2c2f79b5263601980ac28b85f42625cecf4fe2ce8e6bc25e26b9dd8
SHA512b66caa92425626e8d465ebede3b1032614e48199e4fded1afa16347e407055639b2906ad01715eccf5c092489abdc38f260ba459661b94351082097c9b1208d6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD585a10647879e0a3de112c1c9c4960f3c
SHA144efe8cc905fe6d04b6df5a632f4dfa9d6d058ea
SHA256b1dc53ce9bc0b699a538eed0edc5123925f27d7b117f703a17f7473a4e115a86
SHA5122263a29def46f5c60e878c7716af8dc472931a4befc498dd84b40c4581d5e1ef0e62e2ef88f9bbee8c75f133f02eea0cd9a32d7490371cd33598f80a7477b1ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5612e350a7b6fa7b16a678d31f5a7a888
SHA11530f6ba89a32019e8b8a5a2f090db4f1e24fba0
SHA256a256b4058b2edf07188f7b49f7e157bb262e9a1d8b09f03b247dc3a1a5964372
SHA512249212f5dc8f7b6eccdf1d07e0f6a7592a05b017ea2cca6872fbe8f918d00ee33092eb66f8562310b3d7e9eb7f2ae6fbd37361a0ac9a5e7121245745b823c2f5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD5c2ef1d773c3f6f230cedf469f7e34059
SHA1e410764405adcfead3338c8d0b29371fd1a3f292
SHA256185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521
SHA5122ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
707B
MD5eed18cf92c02286f487c80bf43e595c5
SHA13b954982beb5cdfb51130de8ac4ca637f379fb42
SHA25620955496eb7b95f32c8bedc63560338ad48dedf669ca69ab173d5136a4fbade8
SHA5124efb03f178fb554f0cbcee2d77b697bc16193fc6b43ddc9d225a645c282714bc8ecbc4c9f7083b3d3aaa54546d81e878e5d4869aed043b4cb482e37dc69a9f93
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
707B
MD505a55a2b389fc6f11159214b29906a14
SHA1b5382c75fde57a53db013fc986777d2acc9becc8
SHA2569ee514bf845fc19daa1c595a3dc47647713109f5fe8afefbc88e2b4f716cb95d
SHA5126ad07f837cdfd59b237a3d0b081615ac894b98375c7f5690706a0d0ca8e138f6289f853168eac5b77685f146fcd1f9857bc06a869a5f19db2b0e9811b4a53126
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
707B
MD5bc08b6113a14b4fa87d6adbad894e414
SHA174c209560bb1c901f07a4e32ce3d2a8bbe076f38
SHA256a6734e2e271b46a076d07519cc0cff96e7c59a3ee3f6641c56deb9fbae80643d
SHA512e4aec91b8b9c1062ca665eb56fd776e7839830dbb6c7a22b38bbbebd930867fac66d246cf4d5ae254d464e07f98741fcbdff2b244afffe408ae443cba1a4c619
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
707B
MD51365e1f7b1258204b6a6338aa79191a0
SHA19fd3fde1dd4954604d2a2da392423eb7c8e9c602
SHA256d6772177aaafacde49a58ec134d5ea154956ff6b28946bf8a7719d24c2effde8
SHA5127803be22720d14fe09dbc4c536c80d6011d473f85d7af44ef1ad1991db9d320030383730d11954c3bea0ac9fc9409634280f5660d1a7e480d84223a2dd6fe70b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5822f4.TMPFilesize
707B
MD521a096b36f6eb90830a8d3bcda54637e
SHA144fc9589248f1149635b51daea801fa91dfec232
SHA2561867782df4241ef3fd2dd065d4ac080f9d4b05b231330d37717e3f759be2d7c6
SHA512e18088d160f4aeade70cb48b0f840c5e2df4187093e02ce8ec4371cca5f41263bce90da6ee2bd79d31d7929a832fe0e6c85544e11eb6314ea440b39ff18408b7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD55e0e8a8ceeafda88b07ccd6b3d11fcf5
SHA1dee0c62d1521263d27942b17d3854682b12ecb1f
SHA256a0f65333d777517b9161da9f475ef4a924e225c00162c2f6ed6302c158210b74
SHA5122b68531b06ed1ab4a4d9e38ba40d90398d3e66ad8578f199fa74055646812c0bfc879083c0de3ac67fe642e89fd9bdf9eafb99eefc428b46e0ec1c759ed71920
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD576aa7ee3dc179642f91d75250cc1ca69
SHA1f10960e14cdfe8b9007d4ab68036040d6c9f6b55
SHA2565949438ec22bd4a1bca5027d7d740341f9f03b0e1f4b3648f83f600b7635401c
SHA512b631e646eb15f50b9a48353f7a56d12722a03c1186cb7d2665184dd8f5ab80bf08e5c9347f111dbc234e2f47de588610a01e91350c8816f247c7814e9e3caf5f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD5e712daced44929833ec2dc022fead645
SHA1c62de1bc26436612cf8a7d31c4b12d314c35ef5c
SHA256adc010206ba85a68646c1fe7deadb5f311f90bd81bed889a19011c5809af1bf9
SHA51278da6e1c6641d8204737464aa2ff4d9af0e63f849148aee860d4f5715521b10c58a8847a9aaa30ae22ba0f524fb75d50cd494389a11067d96ba7153b5b323341
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ng0tql1x.0wi.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\5JVua4DaMoZkTEvuxZBj.exeFilesize
3.0MB
MD56ebd906e25283ebcb066339aec7b2748
SHA1284b2adbc58cc0b29cd75165cc25fd553e62cf42
SHA256899f5167771795f206e42cd753eec97ffd89634cd9dd12ae5ae5541bb507ff23
SHA5129aa0e13597201202292d55796c1e588486e55762bbed3a9c1faff6fa16b76cc741a19072ed5d9d5631f1a69ca788fa1434837e3ae51d5030fe0b791d7bb6d034
-
C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\8VURsuyPe_6xWeb DataFilesize
92KB
MD517a7df30f13c3da857d658cacd4d32b5
SHA1a7263013b088e677410d35f4cc4df02514cb898c
SHA256c44cbdf2dbfb3ea10d471fa39c9b63e6e2fc00f1add109d51419b208a426f4d0
SHA512ea96cc3e2a44d2adeca4ecb4b8875a808ef041a6a5b4ae77b6bfd1600dd31f449b51b1a5997064c43e5111861ac4e3bc40a55db6a39d6323c0b00ff26d113b72
-
C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\M8diSlRFlK9iWeb DataFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\pDMNvQfde2FIEHTlZsFc.exeFilesize
896KB
MD5e07def78215d8b31691e95749ae64444
SHA1719b39241b8a2545e95efc2e933397f54415a925
SHA256fde82aadfd48bd57bcf3acaac337ff6a5eb638e666214f629201c82bacf1409b
SHA51217fdda98433c425472d3e2f7a094cb9deb1ad53a97bca032b749f06088e14ef103f72247d7776c7ad1532e49d8cd532b6b5cecfec657a2fc48abadbfc379f8af
-
C:\Users\Admin\AppData\Local\Temp\heididG9Xp13RC7Cv\vXbOe0IOrFqOJ3RBX7tj.exeFilesize
1.8MB
MD5b3dbda56ecfe09c85268eb617fa2188a
SHA17717351b65fd1c3f70bec22e1c25738e85568b8e
SHA2569027bd383469d043450e59b3e310a0b67984e681764dc9948ea398b8df5f75ec
SHA5122ea6b74088c9da4802e5f3ce141d95aca06ca810a3859b9cdc89eb53e62701f8d8b15b8434e6864f5ffdcc86a9dff708b3a080ec56af744eeea5740ab134981a
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
\??\pipe\LOCAL\crashpad_4980_QPIGVZQKCGUAYUKWMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1216-589-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-148-0x0000000004D00000-0x0000000004D01000-memory.dmpFilesize
4KB
-
memory/1216-146-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-156-0x0000000004CD0000-0x0000000004CD1000-memory.dmpFilesize
4KB
-
memory/1216-158-0x0000000004CE0000-0x0000000004CE1000-memory.dmpFilesize
4KB
-
memory/1216-157-0x0000000004CF0000-0x0000000004CF1000-memory.dmpFilesize
4KB
-
memory/1216-159-0x0000000004D30000-0x0000000004D31000-memory.dmpFilesize
4KB
-
memory/1216-149-0x0000000004D10000-0x0000000004D11000-memory.dmpFilesize
4KB
-
memory/1216-143-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-198-0x0000000004D60000-0x0000000004D61000-memory.dmpFilesize
4KB
-
memory/1216-199-0x0000000004D50000-0x0000000004D51000-memory.dmpFilesize
4KB
-
memory/1216-541-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-547-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-659-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-661-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-587-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-510-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-508-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-477-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-476-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-155-0x0000000004D40000-0x0000000004D41000-memory.dmpFilesize
4KB
-
memory/1216-644-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-642-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-631-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-591-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-657-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-549-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-603-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-618-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-663-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-665-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-667-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-680-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-682-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-428-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-616-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1216-466-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/1580-3-0x0000000000400000-0x0000000002BF7000-memory.dmpFilesize
40.0MB
-
memory/1580-2-0x0000000004B80000-0x0000000004CCF000-memory.dmpFilesize
1.3MB
-
memory/1580-75-0x0000000004B80000-0x0000000004CCF000-memory.dmpFilesize
1.3MB
-
memory/1580-378-0x0000000000400000-0x0000000002BF7000-memory.dmpFilesize
40.0MB
-
memory/1580-74-0x00000000049A0000-0x0000000004A58000-memory.dmpFilesize
736KB
-
memory/1580-73-0x0000000000400000-0x0000000002BF7000-memory.dmpFilesize
40.0MB
-
memory/1580-16-0x0000000000400000-0x0000000002BF7000-memory.dmpFilesize
40.0MB
-
memory/1580-1-0x00000000049A0000-0x0000000004A58000-memory.dmpFilesize
736KB
-
memory/1580-142-0x0000000000400000-0x0000000002BF7000-memory.dmpFilesize
40.0MB
-
memory/3256-656-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/3256-650-0x0000000005460000-0x0000000005461000-memory.dmpFilesize
4KB
-
memory/3256-652-0x0000000005490000-0x0000000005491000-memory.dmpFilesize
4KB
-
memory/3256-651-0x0000000005440000-0x0000000005441000-memory.dmpFilesize
4KB
-
memory/3256-649-0x0000000005450000-0x0000000005451000-memory.dmpFilesize
4KB
-
memory/3256-654-0x0000000005430000-0x0000000005431000-memory.dmpFilesize
4KB
-
memory/3256-653-0x0000000005420000-0x0000000005421000-memory.dmpFilesize
4KB
-
memory/3256-648-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/3256-655-0x0000000005480000-0x0000000005481000-memory.dmpFilesize
4KB
-
memory/3256-647-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/3400-468-0x000002814E960000-0x000002814E972000-memory.dmpFilesize
72KB
-
memory/3400-475-0x00007FFB2B640000-0x00007FFB2C101000-memory.dmpFilesize
10.8MB
-
memory/3400-463-0x0000028136440000-0x0000028136462000-memory.dmpFilesize
136KB
-
memory/3400-464-0x00007FFB2B640000-0x00007FFB2C101000-memory.dmpFilesize
10.8MB
-
memory/3400-465-0x0000028136280000-0x0000028136290000-memory.dmpFilesize
64KB
-
memory/3400-467-0x0000028136280000-0x0000028136290000-memory.dmpFilesize
64KB
-
memory/3400-469-0x0000028136470000-0x000002813647A000-memory.dmpFilesize
40KB
-
memory/3888-128-0x00000000054B0000-0x00000000054B1000-memory.dmpFilesize
4KB
-
memory/3888-101-0x0000000005480000-0x0000000005481000-memory.dmpFilesize
4KB
-
memory/3888-127-0x00000000054C0000-0x00000000054C1000-memory.dmpFilesize
4KB
-
memory/3888-104-0x0000000005440000-0x0000000005441000-memory.dmpFilesize
4KB
-
memory/3888-105-0x0000000005450000-0x0000000005451000-memory.dmpFilesize
4KB
-
memory/3888-103-0x00000000054A0000-0x00000000054A1000-memory.dmpFilesize
4KB
-
memory/3888-97-0x0000000000CA0000-0x000000000116B000-memory.dmpFilesize
4.8MB
-
memory/3888-98-0x0000000077434000-0x0000000077436000-memory.dmpFilesize
8KB
-
memory/3888-102-0x0000000005460000-0x0000000005461000-memory.dmpFilesize
4KB
-
memory/3888-100-0x0000000005470000-0x0000000005471000-memory.dmpFilesize
4KB
-
memory/3888-99-0x0000000000CA0000-0x000000000116B000-memory.dmpFilesize
4.8MB
-
memory/3888-139-0x0000000000CA0000-0x000000000116B000-memory.dmpFilesize
4.8MB
-
memory/4280-516-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/4280-521-0x00000000049F0000-0x00000000049F1000-memory.dmpFilesize
4KB
-
memory/4280-518-0x0000000004A00000-0x0000000004A01000-memory.dmpFilesize
4KB
-
memory/4280-522-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/4280-515-0x00000000049C0000-0x00000000049C1000-memory.dmpFilesize
4KB
-
memory/4280-519-0x0000000004990000-0x0000000004991000-memory.dmpFilesize
4KB
-
memory/4280-520-0x00000000049A0000-0x00000000049A1000-memory.dmpFilesize
4KB
-
memory/4280-513-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/4280-514-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/4280-517-0x00000000049B0000-0x00000000049B1000-memory.dmpFilesize
4KB
-
memory/4388-670-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/4388-679-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/4476-599-0x0000000004F80000-0x0000000004F81000-memory.dmpFilesize
4KB
-
memory/4476-602-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/4476-594-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/4476-595-0x0000000000860000-0x0000000000D2B000-memory.dmpFilesize
4.8MB
-
memory/4476-596-0x0000000004FC0000-0x0000000004FC1000-memory.dmpFilesize
4KB
-
memory/4476-597-0x0000000004FB0000-0x0000000004FB1000-memory.dmpFilesize
4KB
-
memory/4476-598-0x0000000004FE0000-0x0000000004FE1000-memory.dmpFilesize
4KB
-
memory/4476-601-0x0000000004F90000-0x0000000004F91000-memory.dmpFilesize
4KB
-
memory/4476-600-0x0000000004FA0000-0x0000000004FA1000-memory.dmpFilesize
4KB
-
memory/6104-250-0x00000000005B0000-0x0000000000D56000-memory.dmpFilesize
7.6MB
-
memory/6104-441-0x00000000005B0000-0x0000000000D56000-memory.dmpFilesize
7.6MB
-
memory/6104-272-0x00000000005B0000-0x0000000000D56000-memory.dmpFilesize
7.6MB
-
memory/6104-264-0x00000000005B0000-0x0000000000D56000-memory.dmpFilesize
7.6MB
-
memory/6104-269-0x00000000005B0000-0x0000000000D56000-memory.dmpFilesize
7.6MB
-
memory/6104-255-0x00000000005B0000-0x0000000000D56000-memory.dmpFilesize
7.6MB
-
memory/6104-246-0x00000000005B0000-0x0000000000D56000-memory.dmpFilesize
7.6MB
-
memory/6104-243-0x00000000005B0000-0x0000000000D56000-memory.dmpFilesize
7.6MB
-
memory/6104-244-0x00000000005B0000-0x0000000000D56000-memory.dmpFilesize
7.6MB
-
memory/6104-245-0x00000000005B0000-0x0000000000D56000-memory.dmpFilesize
7.6MB