Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
21-04-2024 05:13
General
-
Target
4f47d84b03f5cfa3845d1b36df5e40df984756fc6ba2d98586eb39dced212628.exe
-
Size
3.3MB
-
MD5
b9882fe8bb7ab2a4d094f9ff5442df1c
-
SHA1
e17c146530a4371e0595c195c24863935a3dee8b
-
SHA256
4f47d84b03f5cfa3845d1b36df5e40df984756fc6ba2d98586eb39dced212628
-
SHA512
bee33d43deb43854975e6c7a57f27ab8c6519ea3e6df51297ca670ac62831f29f6a18eff0bb0af14f9e985ebf9e2169ed97582fa64998cfb33b1d8b61ec72db4
-
SSDEEP
49152:zUIbNigeVE2MD7ZDAgUf0dgF8bEOlf84L:JI3bg3J
Malware Config
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 17 IoCs
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 7 IoCs
-
Executes dropped EXE 25 IoCs
-
Loads dropped DLL 13 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 14 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 7 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 62 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f47d84b03f5cfa3845d1b36df5e40df984756fc6ba2d98586eb39dced212628.exe"C:\Users\Admin\AppData\Local\Temp\4f47d84b03f5cfa3845d1b36df5e40df984756fc6ba2d98586eb39dced212628.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\pB1rLLsZbg8i4p0hn3CUz6t1.exe"C:\Users\Admin\Pictures\pB1rLLsZbg8i4p0hn3CUz6t1.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u2g0.0.exe"C:\Users\Admin\AppData\Local\Temp\u2g0.0.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 11125⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\ZXB_tls\UniversalInstaller.exeC:\Users\Admin\AppData\Local\Temp\ZXB_tls\UniversalInstaller.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\ZXB_tls\UniversalInstaller.exeC:\Users\Admin\AppData\Roaming\ZXB_tls\UniversalInstaller.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\u2g0.1.exe"C:\Users\Admin\AppData\Local\Temp\u2g0.1.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 10924⤵
- Program crash
-
C:\Users\Admin\Pictures\fQ9R3DptvdCNaYJ1IgStBDMw.exe"C:\Users\Admin\Pictures\fQ9R3DptvdCNaYJ1IgStBDMw.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 20645⤵
- Program crash
-
C:\Users\Admin\Pictures\fQ9R3DptvdCNaYJ1IgStBDMw.exe"C:\Users\Admin\Pictures\fQ9R3DptvdCNaYJ1IgStBDMw.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\rEYGdGPLPuReP02hBg7p71MT.exe"C:\Users\Admin\Pictures\rEYGdGPLPuReP02hBg7p71MT.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\rEYGdGPLPuReP02hBg7p71MT.exe"C:\Users\Admin\Pictures\rEYGdGPLPuReP02hBg7p71MT.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\h8smI5k0eaB4v5FpfVClWZNC.exe"C:\Users\Admin\Pictures\h8smI5k0eaB4v5FpfVClWZNC.exe" --silent --allusers=03⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
-
C:\Users\Admin\Pictures\h8smI5k0eaB4v5FpfVClWZNC.exeC:\Users\Admin\Pictures\h8smI5k0eaB4v5FpfVClWZNC.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2a8,0x2ac,0x2b0,0x284,0x2b4,0x6f31e1d0,0x6f31e1dc,0x6f31e1e84⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\h8smI5k0eaB4v5FpfVClWZNC.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\h8smI5k0eaB4v5FpfVClWZNC.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\h8smI5k0eaB4v5FpfVClWZNC.exe"C:\Users\Admin\Pictures\h8smI5k0eaB4v5FpfVClWZNC.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2328 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240421051405" --session-guid=3dee0c41-f5dd-4668-9273-59e0e7613535 --server-tracking-blob="ZmMwYTRmYzUxOTQ4ZjMxN2Q1MTA1NDBmYmZlMDZlNzFlYmRlNGNhN2UyYjA0YWMzNTIxZjNlN2RlOTQwMTBkZjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNjc2NDAxLjMxMTUiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiZjIyYjg2ODgtNTczMC00MmU0LWIyYTAtNGQ1MGFiY2YwODFlIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=94050000000000004⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\h8smI5k0eaB4v5FpfVClWZNC.exeC:\Users\Admin\Pictures\h8smI5k0eaB4v5FpfVClWZNC.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x280,0x28c,0x294,0x2c0,0x2c4,0x6e54e1d0,0x6e54e1dc,0x6e54e1e85⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210514051\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210514051\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210514051\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210514051\assistant\assistant_installer.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210514051\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210514051\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x406038,0x406044,0x4060505⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\nFHvU3IyZYwbz6X5YOa3iQXm.exe"C:\Users\Admin\Pictures\nFHvU3IyZYwbz6X5YOa3iQXm.exe"3⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\biV1ONh4n53wlFghLTInVZIm.exe"C:\Users\Admin\Pictures\biV1ONh4n53wlFghLTInVZIm.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS1728.tmp\Install.exe.\Install.exe /nxdidQZJ "385118" /S4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 05:16:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\ZfjRzVd.exe\" em /gNsite_idpic 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3312 -ip 33121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1276 -ip 12761⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3168 -ip 31681⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
3Virtualization/Sandbox Evasion
1Impair Defenses
1Disable or Modify System Firewall
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210514051\additional_file0.tmpFilesize
2.5MB
MD515d8c8f36cef095a67d156969ecdb896
SHA1a1435deb5866cd341c09e56b65cdda33620fcc95
SHA2561521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
SHA512d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210514051\assistant\assistant_installer.exeFilesize
1.9MB
MD5976bc8e5fe65f9bb56831e20f1747150
SHA1f9e7f5628aaaabed9939ef055540e24590a9ccfb
SHA256f53c916ccf3d24d6793227283de2db0f6cc98a2275413851807cc080643d21a0
SHA5122858e7e08418b170b21b599afb02236d0480d35a5605de142f10976489e01daf2ad80df0f09c2eb38bc5a971336d1f6aa9909c520bcdb18e9c9a8e903379dcd9
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210514051\assistant\dbgcore.dllFilesize
166KB
MD59ebb919b96f6f94e1be4cdc6913ef629
SHA131e99ac4fba516f82b36bd81784e8d518b32f9df
SHA256fdae21127deb16eb8ba36f2493d2255f4cb8ab4c18e8bd8ba5e587f5a7ecd119
SHA512a1b42f7d2896da270bb3c80cf9b88c4b4f1491084e7aa7760eeea5533b26f041dc79b21d5ffd2bba2221fe118e0a8d912e170f24fd895c9315b1ee9c7adfe700
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210514051\assistant\dbghelp.dllFilesize
1.7MB
MD5544255258f9d45b4608ccfd27a4ed1dd
SHA1571e30ceb9c977817b5bbac306366ae59f773497
SHA2563b02fc85602e83059f611c658e3cad6bc59c3c51214d4fe7e31f3ac31388dd68
SHA5122093da881fa90eec2b90d1ca6eaaff608fe16ac612571a7fd5ed94dd5f7ff7e5c1e8c862bab0a228850829527886473e3942abd23a81d10cab8f9baad2cc7664
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404210514051\opera_packageFilesize
103.8MB
MD55014156e9ffbb75d1a8d5fc09fabdc42
SHA16968d1b5cec3039e53bbbedeee22e2d43d94c771
SHA2567a01e11e1830ba3c154e5a6c383da15938b1e48f89a2fe4045cdd260924b6802
SHA512bfc5c44881d0fa7bcbccfd530d874fa624adec50e1a16063a72de12876d2db10ca5edd6fa841ea63e9deca3ff2adf54065f50719fe051d41de92bb68edba4016
-
C:\Users\Admin\AppData\Local\Temp\2c9bac04Filesize
5.8MB
MD5b96e10e36a9ef9a31b805f9749e57ae3
SHA1bc39aa27931f264be23c4d603d5dbaf09ca8f37e
SHA256ba11437b4ceb6ce1493ec4428eac92404425a4da52cfbe1292e4b2b325c90d02
SHA512cb1c82e0ab8d89a0fe05ec5953fc0dbe16f38439155b6a585fdb2577c86dcfa55bfea0c88145123d9d3ab70ac7af09f6a5ee428e8aab0c1d184bbfdd836afda5
-
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404210514051982328.dllFilesize
4.6MB
MD50415cb7be0361a74a039d5f31e72fa65
SHA146ae154436c8c059ee75cbc6a18ccda96bb2021d
SHA256bb38a8806705980ee3e9181c099e8d5c425e6c9505a88e5af538ca6a48951798
SHA512f71c2b9e1559aa4eb2d72f852ef9807c781d4a7b96b8e0c2c53b895885319146bd43aa6e4223d43159f3d40bc60704206404dc034500e47fca0a94e53b60239e
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exeFilesize
14.6MB
MD59eba9ca5f06b484cbbe41ed6fb4a8768
SHA1b52ea3b800254b0b1ae2f19e442fe98cc575eb18
SHA2565836b09135b1b8060226a6dd32b23a3985cbef5ca17b97102a851d8b8aa2c689
SHA512827f380f0d552b75be688c0de1bb6051c8d4cecf3784c6b396ce710b4c20b1b57c7eb16335cab93f451d7f69110df83f580dd562d1f26bbd2d7ca902e5c6ea74
-
C:\Users\Admin\AppData\Local\Temp\ZXB_tls\UIxMarketPlugin.dllFilesize
1.6MB
MD58f75e17a8bf3de6e22e77b5586f8a869
SHA1e0bf196cfc19a8772e003b9058bdc211b419b261
SHA2565f10a9fdcac32e93b1cebc365868ee3266f80c2734524b4aa7b6ea54e123f985
SHA5125a1e78613ad90cb0dc855d8a935b136722749889b66d4d8fc0f52438f0a4f4c8c31fbb981e9c6a13ffb2cc2b77fe0747204b63a91c6fff4646eed915387c8d7d
-
C:\Users\Admin\AppData\Local\Temp\ZXB_tls\UniversalInstaller.exeFilesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
C:\Users\Admin\AppData\Local\Temp\ZXB_tls\relay.dllFilesize
1.5MB
MD57d2f87123e63950159fb2c724e55bdab
SHA1360f304a6311080e1fead8591cb4659a8d135f2d
SHA256b3483bb771948ed8d3f76faaa3606c8ef72e3d2d355eaa652877e21e0651aa9a
SHA5126cb8d27ebcfdf9e472c0a6fff86e6f4ec604b8f0f21c197ba6d5b76b703296c10c8d7c4fb6b082c7e77f5c35d364bcffd76ae54137e2c8944c1ea7bb9e2e5f08
-
C:\Users\Admin\AppData\Local\Temp\ZXB_tls\somebody.rtfFilesize
24KB
MD5ff36ebcf134c8846aea77446867e5bc6
SHA153fdf2c0bec711e377edb4f97cd147728fb568f6
SHA256e1c256e5a7f17cb64740223084009f37bddccc49b05e881133412057689b04e9
SHA512b07d5065dd39843c8c7bdfccdd8d39f44b1ce9fe100a2fcf7210549ea1d46bcac54080cf91eff0a05360b26233c542daabdbd5d3f096a5bf0e366583ddb29ec1
-
C:\Users\Admin\AppData\Local\Temp\ZXB_tls\spawn.xmlFilesize
1.2MB
MD50d4b3bef832fe7d161ec85f9a3ae2033
SHA198af2a1125bf6e1890ce6dab84834eecdef30d95
SHA256422c6e1fec6485e29bbc20e3f74db6bc1d01be6acfbcaa10b7d9041e5fee8670
SHA512730d1a012eaa109a87705c2b6a53280f99ca8361ad6186df7cd7bf452cbf748bc94e894c35e6cf0590014baf025a3061bce1107fb724922061afdcedf6e7b971
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4fpyw12c.5lr.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\u2g0.0.exeFilesize
323KB
MD51d4341aa0ca4aefcb043d19eb205d8ac
SHA1c6e7a063a22e6bad72b2c81017747ab31cb59579
SHA25642af762221074082dc3aa6e4efdc2b6439cc026d6e94d6eeae97fcfafda272b4
SHA5121bcc133000feb1ab7944295a14601ff1a66432dcbe117e9e60c9f98cb8aee5b28f0ddcbbc25e2b6d91b677ca67de32a8930a1317de9b8be17524a9bea43c73a7
-
C:\Users\Admin\AppData\Local\Temp\u2g0.1.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.datFilesize
40B
MD549f0f49bf7f4d4f471dd96e3bcec0169
SHA12228a89086872b96de3f81e4dfa051ff139e76ae
SHA25609849723c1085c7daaacb524ba00d0e919eb759ca6371769b944e93de312e05f
SHA512b294b03c6f5f783fe4ea6606667e581d038f49c57a890c101de0881f482bfcca5cfee767204f6f28e05e8071932fdc9b14e8511b85e848b9bc27fc77086b367b
-
C:\Users\Admin\Pictures\biV1ONh4n53wlFghLTInVZIm.exeFilesize
6.4MB
MD5aaa56797070369ad346fbd9bb6cc5e8b
SHA1a1d01943f0a354d3a000628262671254ca6a91b8
SHA2569d7d08ac35f0113f7c814d257bf88b8222975aaa0a3fdeda88ac7185dbc50905
SHA512e69d25a158567c6bce6e9450de17d0814b9b9c11f4bb31e5dcc3e8b4378062cc7e31da625f6ba4a2280b393034a6c832a0fc0a1e16364dc7e8c8146de245b5be
-
C:\Users\Admin\Pictures\fQ9R3DptvdCNaYJ1IgStBDMw.exeFilesize
4.2MB
MD512c1251ddacc8c6651573aaae2a36711
SHA1aa4a4fc95f24a847f33a0fcc22d318fe947929d0
SHA256a018166a731757f43374b0b24baecfbf31b85cf9de793b9d11b186acf887bf22
SHA512e8e9723b210254504ae06f77ed86ff5c7da0ac1ba5134cb2ab99cd42b06744cdf2379835d5e8cbd413da69b1184a0d6297d29dc8393794d8959c5a2dc94f0a69
-
C:\Users\Admin\Pictures\h8smI5k0eaB4v5FpfVClWZNC.exeFilesize
5.1MB
MD5f7a57804b3b3b7d2ceeff559e31f12a6
SHA1b272e2edc9ac4f402da73534d995dc189fb8b4ce
SHA2567111fc6bec45793bf001f2e898ab46147ede9a92332c2c18a8de0bb0b56c5eb0
SHA51264ef82afcdb87448c59a183210d53d534f3bc32a1e5403e41cccd3782925b8a77d056a57561321b0c6ec42b8be24584d686bd70523518759d38e9bccd130fafa
-
C:\Users\Admin\Pictures\mh27y74VaYZFjzUkZF72kCkz.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\nFHvU3IyZYwbz6X5YOa3iQXm.exeFilesize
5.5MB
MD59f8b8a866575e821310f6203c5bdc044
SHA1f39bbd5eb2f736acdf565d6b56e560a60334dd0e
SHA256277677de19193a2297c88689312d1a294edf4f81b3ff4ba8202e2cbb9c6fbeea
SHA512b8222b6c8ec092ccc352676d4bf8c90a4ecb558a8346ab2628a41071d0747e87cc0c805c5c4efaf922a5e7ff18ad78bfa59a9180670df881085f6fab3b67f209
-
C:\Users\Admin\Pictures\pB1rLLsZbg8i4p0hn3CUz6t1.exeFilesize
445KB
MD5ddbb9a4caa78db40bb47ee413252f12f
SHA16153acfbb9773424f3d3ccfcca917c277b2500d5
SHA256f2c98424e2142ea86ef140dd1b0bdf1b3c7b8cc99ec6194c851ad2f0ed3b2e31
SHA5125afa0ee709e43f3445b9c9733ac8df92c04682d9b3e8b25441e5392cb17303c0c39e9c56c9d3bf27ea266815d571d659749dedc18af0506c987b056c6d9dbb60
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5b8b622d2f893c0f9a7476d12317a397b
SHA151e329fa98acc3cf9f46d2251a728b0fd5087c86
SHA256fb39df915ed279e8506f3c3f57c828172004310ed783ce0289515356c5025c42
SHA5128a5c420a039b5633e2966a1f374ae4e28559b4f106b69569d92251c026fdee9651f88b14b7f084a04b937135ce3a776e9fdad6d9e6e41e104ff69b6f73ea8af5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5101dad43a7429e54846ee0a128d51ca3
SHA1350bb9196659e125438b1dd141baad09ec7ddc74
SHA256a05a4e4d1d191dec8d2621657906d192897b58f743c361930172d2c001559ebd
SHA512a9f032e41c1c7444e526c66ede4549803b9de316c9ab8b8e9564efa62b5a484e519dcfe57acf53eda8b9ecceb81d00a0f61b476d27517ff2f70dcb5cdc2ac378
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD506ff51fbf3248af39338d8fd1ce87d52
SHA14a398a483b0842f934f63b8f0781f5126eb7a100
SHA25627bc6e7a3fef4c737dba9fa6941fb3b16bb8fb46c90dc543f7839c0fa4ad208f
SHA51265d4795c7c7fd625aa4f5fb307dee33741ce5c6c7af3df5e56721190530dc58e1b4eeb12b9d8dde5c6c77824a88298d0faca09947258f496f69c7bb92cda9c7d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD55dafdcd0fd0c81cda2fcd77902814080
SHA1f38321dfa5916b42abfcd3a55b7d4519f8de82ae
SHA256c446c75402d501ee029334158a23b3ccb2f03b944a8e0a736c1ea32f16c3e490
SHA51275644b0a4a2dbb7443514a7b49ab18b54808adfed856ac7438e67142c0f3744caf71b658a9c5c3dcd3d9fee67aa7486f469b62dffe6e870b961762c17a9245dd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD59d2b7b0e6237fc22f74b3ea18f59bd2d
SHA1ef0c011bd03b2e18a32a842b7e5d3698c66dc19d
SHA256b4498af89802f91681f54a1b75cad2ff147bc3a1362ee73f27c70f8c7657f8cf
SHA512e03b7d50b8d9cd8fdd49b5495963ea815bbbe05eb1f56cee6e5396b0909f51ab2fc048a792029153edd8c0ff76507deee86ac856f12ff7576e6912070f4944bc
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5e41e2e644df2db3f84dc34d022bbd24b
SHA13a701501d64787c4923f8b07fc5f2a321ed88bb1
SHA256025cba8ce72dcb4c9b618f97ed0f743f1408e8d1cc4b0e3aeace856875222b32
SHA51256846e2ddc57dbe04d4b4cbcaff41a2ab337bf49493dd1057a0193576b0ed84d3acdfe23285db883e7773f05b3610a1aa508b6365561cbbbe1ac06589d28f4ec
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/436-101-0x0000000003EF0000-0x00000000047DB000-memory.dmpFilesize
8.9MB
-
memory/436-102-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/436-99-0x00000000039F0000-0x0000000003DEB000-memory.dmpFilesize
4.0MB
-
memory/436-182-0x00000000039F0000-0x0000000003DEB000-memory.dmpFilesize
4.0MB
-
memory/676-527-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/676-464-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1216-458-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1276-135-0x00000000074C0000-0x00000000074DE000-memory.dmpFilesize
120KB
-
memory/1276-138-0x00000000747B0000-0x0000000074F60000-memory.dmpFilesize
7.7MB
-
memory/1276-49-0x00000000747B0000-0x0000000074F60000-memory.dmpFilesize
7.7MB
-
memory/1276-105-0x0000000007910000-0x0000000007F8A000-memory.dmpFilesize
6.5MB
-
memory/1276-122-0x0000000007480000-0x00000000074B2000-memory.dmpFilesize
200KB
-
memory/1276-123-0x000000007F090000-0x000000007F0A0000-memory.dmpFilesize
64KB
-
memory/1276-124-0x000000006F440000-0x000000006F48C000-memory.dmpFilesize
304KB
-
memory/1276-125-0x000000006F490000-0x000000006F7E4000-memory.dmpFilesize
3.3MB
-
memory/1276-98-0x0000000007020000-0x0000000007064000-memory.dmpFilesize
272KB
-
memory/1276-136-0x00000000074E0000-0x0000000007583000-memory.dmpFilesize
652KB
-
memory/1276-137-0x00000000075D0000-0x00000000075DA000-memory.dmpFilesize
40KB
-
memory/1276-103-0x0000000007210000-0x0000000007286000-memory.dmpFilesize
472KB
-
memory/1276-106-0x00000000072C0000-0x00000000072DA000-memory.dmpFilesize
104KB
-
memory/1276-76-0x0000000005F30000-0x0000000005F7C000-memory.dmpFilesize
304KB
-
memory/1276-75-0x0000000005EE0000-0x0000000005EFE000-memory.dmpFilesize
120KB
-
memory/1276-66-0x0000000005B40000-0x0000000005E94000-memory.dmpFilesize
3.3MB
-
memory/1276-51-0x0000000004AD0000-0x0000000004AE0000-memory.dmpFilesize
64KB
-
memory/1276-50-0x0000000004AD0000-0x0000000004AE0000-memory.dmpFilesize
64KB
-
memory/1276-52-0x0000000005110000-0x0000000005738000-memory.dmpFilesize
6.2MB
-
memory/1276-53-0x0000000004F40000-0x0000000004F62000-memory.dmpFilesize
136KB
-
memory/1276-54-0x00000000057B0000-0x0000000005816000-memory.dmpFilesize
408KB
-
memory/1276-57-0x00000000058A0000-0x0000000005906000-memory.dmpFilesize
408KB
-
memory/1276-48-0x00000000025C0000-0x00000000025F6000-memory.dmpFilesize
216KB
-
memory/1676-161-0x0000000005540000-0x0000000005550000-memory.dmpFilesize
64KB
-
memory/1676-162-0x0000000005540000-0x0000000005550000-memory.dmpFilesize
64KB
-
memory/1676-160-0x00000000747B0000-0x0000000074F60000-memory.dmpFilesize
7.7MB
-
memory/1852-605-0x00007FF6DD850000-0x00007FF6DDF8A000-memory.dmpFilesize
7.2MB
-
memory/1852-607-0x00007FF6DD850000-0x00007FF6DDF8A000-memory.dmpFilesize
7.2MB
-
memory/1852-609-0x00007FF6DD850000-0x00007FF6DDF8A000-memory.dmpFilesize
7.2MB
-
memory/1852-611-0x00007FF6DD850000-0x00007FF6DDF8A000-memory.dmpFilesize
7.2MB
-
memory/1852-613-0x00007FF6DD850000-0x00007FF6DDF8A000-memory.dmpFilesize
7.2MB
-
memory/1852-614-0x00007FF6DD850000-0x00007FF6DDF8A000-memory.dmpFilesize
7.2MB
-
memory/1852-615-0x00007FF6DD850000-0x00007FF6DDF8A000-memory.dmpFilesize
7.2MB
-
memory/1852-616-0x00007FF6DD850000-0x00007FF6DDF8A000-memory.dmpFilesize
7.2MB
-
memory/1852-630-0x00007FF6DD850000-0x00007FF6DDF8A000-memory.dmpFilesize
7.2MB
-
memory/1972-394-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1972-181-0x0000000003B10000-0x0000000003F0D000-memory.dmpFilesize
4.0MB
-
memory/2212-80-0x00000000747B0000-0x0000000074F60000-memory.dmpFilesize
7.7MB
-
memory/2212-100-0x00000000051C0000-0x00000000051D0000-memory.dmpFilesize
64KB
-
memory/2212-1-0x00000000747B0000-0x0000000074F60000-memory.dmpFilesize
7.7MB
-
memory/2212-0-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2212-2-0x00000000051C0000-0x00000000051D0000-memory.dmpFilesize
64KB
-
memory/3104-144-0x000000006F440000-0x000000006F48C000-memory.dmpFilesize
304KB
-
memory/3104-157-0x0000000004B00000-0x0000000004B10000-memory.dmpFilesize
64KB
-
memory/3104-108-0x00000000747B0000-0x0000000074F60000-memory.dmpFilesize
7.7MB
-
memory/3104-109-0x0000000004B00000-0x0000000004B10000-memory.dmpFilesize
64KB
-
memory/3104-178-0x00000000747B0000-0x0000000074F60000-memory.dmpFilesize
7.7MB
-
memory/3104-110-0x0000000004B00000-0x0000000004B10000-memory.dmpFilesize
64KB
-
memory/3104-175-0x0000000007620000-0x0000000007628000-memory.dmpFilesize
32KB
-
memory/3104-174-0x0000000007630000-0x000000000764A000-memory.dmpFilesize
104KB
-
memory/3104-173-0x00000000075E0000-0x00000000075F4000-memory.dmpFilesize
80KB
-
memory/3104-143-0x000000007F510000-0x000000007F520000-memory.dmpFilesize
64KB
-
memory/3104-172-0x00000000075C0000-0x00000000075CE000-memory.dmpFilesize
56KB
-
memory/3104-159-0x0000000007580000-0x0000000007591000-memory.dmpFilesize
68KB
-
memory/3104-158-0x0000000007680000-0x0000000007716000-memory.dmpFilesize
600KB
-
memory/3104-145-0x000000006F490000-0x000000006F7E4000-memory.dmpFilesize
3.3MB
-
memory/3104-156-0x0000000007480000-0x0000000007523000-memory.dmpFilesize
652KB
-
memory/3168-30-0x0000000000400000-0x0000000001A3A000-memory.dmpFilesize
22.2MB
-
memory/3168-104-0x0000000001C70000-0x0000000001D70000-memory.dmpFilesize
1024KB
-
memory/3168-29-0x0000000001BC0000-0x0000000001C2E000-memory.dmpFilesize
440KB
-
memory/3168-107-0x0000000000400000-0x0000000001A3A000-memory.dmpFilesize
22.2MB
-
memory/3168-28-0x0000000001C70000-0x0000000001D70000-memory.dmpFilesize
1024KB
-
memory/3168-663-0x0000000000400000-0x0000000001A3A000-memory.dmpFilesize
22.2MB
-
memory/3312-82-0x0000000001B30000-0x0000000001B57000-memory.dmpFilesize
156KB
-
memory/3312-121-0x0000000000400000-0x0000000001A1C000-memory.dmpFilesize
22.1MB
-
memory/3312-93-0x0000000000400000-0x0000000001A1C000-memory.dmpFilesize
22.1MB
-
memory/3312-81-0x0000000001C40000-0x0000000001D40000-memory.dmpFilesize
1024KB
-
memory/3524-142-0x0000000003AE0000-0x0000000003EE4000-memory.dmpFilesize
4.0MB
-
memory/3524-335-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3524-146-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3768-649-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3768-603-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3768-643-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3768-448-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3768-629-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3768-460-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3768-465-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3768-524-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3768-635-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3932-141-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3932-45-0x0000000003B40000-0x0000000003F40000-memory.dmpFilesize
4.0MB
-
memory/3932-46-0x0000000003F40000-0x000000000482B000-memory.dmpFilesize
8.9MB
-
memory/3932-47-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3932-111-0x0000000003B40000-0x0000000003F40000-memory.dmpFilesize
4.0MB