Analysis
-
max time kernel
44s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
16-05-2024 20:34
Errors
General
-
Target
b662fc479161e92aee6749fa4deb969c12a43eb4b34e913d1340671eba98b64c.exe
-
Size
1.5MB
-
MD5
7f5800f336ab3e718a8621b07b54ea14
-
SHA1
358914195e96ed04954bdb52f3388ba2075489a8
-
SHA256
b662fc479161e92aee6749fa4deb969c12a43eb4b34e913d1340671eba98b64c
-
SHA512
be0813ddeda3648bf69ad947c24f588030d5f9cb9ab00aab4b70246a7d96c3d82ca11c58074b65e8213ea5cf70e966b530d1f048ab7457fd5a96e28a18985e98
-
SSDEEP
24576:Gz/nQKPDuahwSbEk+vQS70ziXOAo9trt4on6ntx3fz4WIhmswsMVkDw56/Xkouw5:4/zPDSxQC0ziXOB9xh6tx3fkNpuV76f7
Malware Config
Extracted
amadey
4.20
18befc
http://5.42.96.141
-
install_dir
908f070dff
-
install_file
explorku.exe
-
strings_key
b25a9385246248a95c600f9a061438e1
-
url_paths
/go34ko8/index.php
Extracted
amadey
4.20
c767c0
http://5.42.96.7
-
install_dir
7af68cdb52
-
install_file
axplons.exe
-
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
-
url_paths
/zamo7h/index.php
Extracted
risepro
147.45.47.126:58709
Extracted
redline
@CLOUDYTTEAM
185.172.128.33:8970
Extracted
redline
1
185.215.113.67:26260
Extracted
stealc
zzvv
http://23.88.106.134
-
url_path
/c73eed764cc59dcb.php
Extracted
lumma
https://headraisepresidensu.shop/api
https://sofaprivateawarderysj.shop/api
https://lineagelasserytailsd.shop/api
https://tendencyportionjsuk.shop/api
https://appetitesallooonsj.shop/api
https://minorittyeffeoos.shop/api
https://prideconstituiiosjk.shop/api
https://smallelementyjdui.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Stealc
Stealc is an infostealer written in C++.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
XMRig Miner payload 4 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 24 IoCs
-
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 44 IoCs
Detects Themida, an advanced Windows software protection system.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Program Files directory 6 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 12 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 1 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b662fc479161e92aee6749fa4deb969c12a43eb4b34e913d1340671eba98b64c.exe"C:\Users\Admin\AppData\Local\Temp\b662fc479161e92aee6749fa4deb969c12a43eb4b34e913d1340671eba98b64c.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"7⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"7⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 38⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 3526⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameStabilityService\installm.bat" "6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLinks7⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameStabilityService\GameService.exeGameService remove GameSyncLinks confirm7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameStabilityService\GameService.exeGameService install GameStabilityService "C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameStabilityService\GameService.exeGameService start GameStabilityService7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "6⤵
-
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"5⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe" -Force6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\V1WBwCqmYdkoTzuxtwh9YamG.exe"C:\Users\Admin\Pictures\V1WBwCqmYdkoTzuxtwh9YamG.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 4528⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 4848⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 7488⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 7568⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 8288⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 8368⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 9688⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 10048⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 10568⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 13728⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "V1WBwCqmYdkoTzuxtwh9YamG.exe" /f & erase "C:\Users\Admin\Pictures\V1WBwCqmYdkoTzuxtwh9YamG.exe" & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "V1WBwCqmYdkoTzuxtwh9YamG.exe" /f9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 14848⤵
- Program crash
-
C:\Users\Admin\Pictures\8G4yEsfdP8E7VtiQpZU7mmJ0.exe"C:\Users\Admin\Pictures\8G4yEsfdP8E7VtiQpZU7mmJ0.exe"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\Pictures\8G4yEsfdP8E7VtiQpZU7mmJ0.exe"C:\Users\Admin\Pictures\8G4yEsfdP8E7VtiQpZU7mmJ0.exe"8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\Pictures\iyMOq1rJzgF5eNUyxV64Iroy.exe"C:\Users\Admin\Pictures\iyMOq1rJzgF5eNUyxV64Iroy.exe"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\Pictures\iyMOq1rJzgF5eNUyxV64Iroy.exe"C:\Users\Admin\Pictures\iyMOq1rJzgF5eNUyxV64Iroy.exe"8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\Pictures\o0iWYS6qFMrb9mEgBp1ANR15.exe"C:\Users\Admin\Pictures\o0iWYS6qFMrb9mEgBp1ANR15.exe" /s7⤵
-
C:\Users\Admin\Pictures\N9iu7zLQ4fY4Nrx4fp3OipqG.exe"C:\Users\Admin\Pictures\N9iu7zLQ4fY4Nrx4fp3OipqG.exe"7⤵
-
C:\Users\Admin\Pictures\QswPwAJvsynMoFsYrPIY104g.exe"C:\Users\Admin\Pictures\QswPwAJvsynMoFsYrPIY104g.exe"7⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3448 -s 10446⤵
-
C:\Users\Admin\AppData\Local\Temp\1000014001\ad784f20dd.exe"C:\Users\Admin\AppData\Local\Temp\1000014001\ad784f20dd.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2112 -ip 21121⤵
-
C:\Program Files (x86)\GameStabilityService\GameService.exe"C:\Program Files (x86)\GameStabilityService\GameService.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"2⤵
- Executes dropped EXE
-
C:\Windows\Temp\795102.exe"C:\Windows\Temp\795102.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 86Adxfq6AnkKUZNQwBuLMF9HYKxy399q4GoNvX86ddj4DNkHhKaPCWagERDeBPVYSw76hQwZATyV8GAWhX5g2ujETX6AWcp --coin XMR -t 1 --no-color -p x3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\Temp\202833.exe"C:\Windows\Temp\202833.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 86Adxfq6AnkKUZNQwBuLMF9HYKxy399q4GoNvX86ddj4DNkHhKaPCWagERDeBPVYSw76hQwZATyV8GAWhX5g2ujETX6AWcp --coin XMR -t 1 --no-color -p x3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3192 -ip 31921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3192 -ip 31921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3192 -ip 31921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3192 -ip 31921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3192 -ip 31921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3192 -ip 31921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3192 -ip 31921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3192 -ip 31921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3192 -ip 31921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3192 -ip 31921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3192 -ip 31921⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify Tools
3Modify Registry
6Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\GameStabilityService\GameService.exeFilesize
288KB
MD5d9ec6f3a3b2ac7cd5eef07bd86e3efbc
SHA1e1908caab6f938404af85a7df0f80f877a4d9ee6
SHA256472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
SHA5121b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4
-
C:\Program Files (x86)\GameStabilityService\GameStabilityService.exeFilesize
6.2MB
MD5c4f2b643c3ff9bb7ae4fd625c9d98154
SHA1bd7c7190e45cbda09be256bee7622bb74f75f00c
SHA25676b585b4eac7b0584f28d66d6bf37ad29b1ab73354cbd3c5bb1c819787208f0b
SHA5122efeaf9473ac1a8f42fd5870154faa37b06e4f331768cd7934fd4aa685eb6da4e28eaa7357807c4bf37dd79fc4a5eaf70ab4324ed0100dcdb4abaf4d9b0a7dcb
-
C:\Program Files (x86)\GameStabilityService\installm.batFilesize
247B
MD5192ae14b572f1bdd164ee67855d5a83a
SHA19cf0757c807a8b834470d216ccd85be9a6b60aa0
SHA2562f6be6b40cf7c1802b6540dbf0b90eac67fd6a94067a06090e1f71bee164188d
SHA51218fc80eb3d450359863d61cf9123a08cdfe8c52d5f59e97f5b42816584d474d8a080bb75e7fe92480d2961481d59584a3987b2e7a15e611b58885b4441085e3c
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5a6ea7bfcd3aac150c0caef765cb52281
SHA1037dc22c46a0eb0b9ad4c74088129e387cffe96b
SHA256f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9
SHA512c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
21KB
MD5a0689646fb6c9fee64d4c94b7c639222
SHA162f5c991665e70ff65d6b7d644c061fe6756db08
SHA256d634db075c9c831674f150e3cfd3cc850bfe7620e073ac134f1bfbba87d10812
SHA512ec23048aba2a801c82de19583f5d7883e66588ef2d2fff8211848e3e1be18645caaf35cd7090d7a10a4d292ac8f27386d1a2be23378cec9651086b0087dbbbee
-
C:\Users\Admin\AppData\Local\Temp\[email protected]Filesize
656B
MD5184a117024f3789681894c67b36ce990
SHA1c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7
-
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.iniFilesize
830B
MD5e6edb41c03bce3f822020878bde4e246
SHA103198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA2569fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA5122d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1
-
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exeFilesize
2.7MB
MD531841361be1f3dc6c2ce7756b490bf0f
SHA1ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA51253d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exeFilesize
474KB
MD5e967f019b01357086d92181e6ee28e0b
SHA17f26480ea5ca0ee9481dfc0bea12194bd6f10283
SHA256c69c17f4c6b2206437e7954c02424b80605d40e98c0adcad6839e170c94b1c82
SHA512dd2abe993397cf9f117753fd71ed9f98c4952616ee30f10479fbc3dad93a88dcfbfd6b80083541c7a796936dd37667a0f178156bdf5c35abf76dd8b23015d88a
-
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exeFilesize
304KB
MD59faf597de46ed64912a01491fe550d33
SHA149203277926355afd49393782ae4e01802ad48af
SHA2560854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715
SHA512ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e
-
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exeFilesize
2.0MB
MD51d814be25e80fa6739f6f1eec2018102
SHA144353b52a72e3f5c46b3d6078aab1211ce33b4fd
SHA25601862602fb4853d90796a1a669b4ec4ab5e8cc6a774bf94e707171d5e16594fc
SHA51215732577c4fd4a0d2303df2f2d623e165c94f5b8dcd92724681d41ac35ecefbe8c04052329ec6938a594086bf8a19a54253be9f33cc8b3a298261467cddf5578
-
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exeFilesize
778KB
MD505b11e7b711b4aaa512029ffcb529b5a
SHA1a8074cf8a13f21617632951e008cdfdace73bb83
SHA2562aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa
SHA512dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff
-
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exeFilesize
1.2MB
MD556e7d98642cfc9ec438b59022c2d58d7
SHA126526f702e584d8c8b629b2db5d282c2125665d7
SHA256a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383
SHA5120be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f
-
C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exeFilesize
1.8MB
MD5c4c98eaf54be1bcc4f60af386194db44
SHA1fc24b98fe5a8df7c0837476c9e7d92aeb827106d
SHA25624af93b0dc559b4e87754ee7f190e3a9f7ad0f1779fea69b75bfb84799ed101f
SHA5120b2b422e2fe2dd2177f01a238a4d061c1e60d57af4a4e21060c5dabb21130e9ed73c164cfa733e219225f53b05df437f7a3c293f450ed7bc5950d0569b3dd746
-
C:\Users\Admin\AppData\Local\Temp\1000014001\ad784f20dd.exeFilesize
2.2MB
MD5b3d7da359c2aef9e2ec11bf9fc1a226e
SHA12a26c446ad9726d6306f23b07c3fbb3a22000615
SHA2562db74885883ece9645e088c1e3b94c9407aa483edc5c5db137ea331e5735d29d
SHA5122b340f49c837fd01cbc83eb5540d8a5c4c0cec31372cf545a424aea40ea7852d098241c79c3672f21d86a689f0ce35cc71a980a3be77b6b6b80300c92c089ecb
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exeFilesize
379KB
MD5009669d63111ff8efad651efac7333af
SHA1d0ebf3a228e2d44e094aa3b1b056176bc05c8f40
SHA2564736228698b5bb9b7dc86f4dbfe539e54fe5f5153be6c4aec7b8269e34c7a84b
SHA512dbf32ce7ba68fa88f508bced74b898baa73679216374d885e279eaf848c8f197294f66a0131491050f70f93413d973cc1fe7245e8128758a6103a453e7aed808
-
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmdFilesize
208B
MD52dbc71afdfa819995cded3cc0b9e2e2e
SHA160e1703c3fd4fe0fba9f1e65e10a61e0e72d9faf
SHA2565a0070457636d37c11deb3148f6914583148fe45a66f44d7852f007ed5aad0ac
SHA5120c59fa999ed912e6e747017c4e4c73f37ed7a72654f95eaea3db899308468e8756621db6e4edfd79e456ec69ce2e3e880817410b6aab1d01414f6300240d8b52
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeFilesize
1.5MB
MD57f5800f336ab3e718a8621b07b54ea14
SHA1358914195e96ed04954bdb52f3388ba2075489a8
SHA256b662fc479161e92aee6749fa4deb969c12a43eb4b34e913d1340671eba98b64c
SHA512be0813ddeda3648bf69ad947c24f588030d5f9cb9ab00aab4b70246a7d96c3d82ca11c58074b65e8213ea5cf70e966b530d1f048ab7457fd5a96e28a18985e98
-
C:\Users\Admin\AppData\Local\Temp\TmpBC4B.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oopwcyif.exh.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\{7A490DC9-786A-44a4-B6B6-CB8B595138C8}.tmp\360P2SP.dllFilesize
824KB
MD5fc1796add9491ee757e74e65cedd6ae7
SHA1603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA5128fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2539840389-1261165778-1087677076-1000\76b53b3ec448f7ccdda2063b15d2bfc3_468f6343-c0e6-4931-9703-30c6539573cbFilesize
2KB
MD55586ebd0313bb1fda515656b29c05e75
SHA1f2c9b91ba06b7dc8110ec326ec8fd7cc694376ff
SHA256b25c83a729a7d6b4569996beb94e47af4b7281243785488148967cbaa91bff9f
SHA51277cea1f85a04f0e132d9854a5e862b41078f1f81796222a074c009566cb4f8dc8fc7301cda30c8015c47ff08b86567efa89bd235ead2e582b532b3f09097f2b6
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exeFilesize
304KB
MD50c582da789c91878ab2f1b12d7461496
SHA1238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exeFilesize
750KB
MD520ae0bb07ba77cb3748aa63b6eb51afb
SHA187c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5bd5698465057c205e04f0d915150ea84
SHA1212935831427bb2a33101491c99e926104639b6e
SHA256ca3e904b19a7801c1fd3ce21c1b8a11583f3ea2ebca03b468d227e944b311b67
SHA5127212f0344561fa147e27c1455f5179e58b72e4f2846c898050d1315ca9697c7407d2575043b907a4074b40e2b280304f1fd1e69494ad6e7ba12f595321becef2
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD510cfd4b82d089911d5cddebc5755247d
SHA1ae1f89726fce76e48740872571380234dc71b7be
SHA256b42b26a10f32f723718240596786a34f15bff4e79db1c14f9e69c3a74ae6305c
SHA512f194efb6fdfcaa4833adfd03b5c1ac261872d73d6f5a4f4744dab2c48ef4ded62592fe9bee94fbb6cf5692fe5d15481f94dd13c0e460e4922c51fe6819e8954a
-
C:\Users\Admin\Pictures\8G4yEsfdP8E7VtiQpZU7mmJ0.exeFilesize
4.1MB
MD51eee28bc105cbbd364cca7b2db042a8c
SHA1ee4370c95fdc7ac05b80bf69fdbb555c96e1b728
SHA256a23c303215aaf509077321343e5de6fcdc1d1f6ba7f752e316452818899beeab
SHA512330230ba0c892bf6b37fd103ee323d931bd5c980f2506dfe603b3f9d5f582005d069309026534c3a5be7231806a173be2a111b38ea8189ae1298db26430489a0
-
C:\Users\Admin\Pictures\N9iu7zLQ4fY4Nrx4fp3OipqG.exeFilesize
6.2MB
MD5382307497abd634a05135b72690f8b2a
SHA187e587c8fc92e93cc5742ec3ba461ed2f28e4ad6
SHA25645ab37527b51f17c6665856e1266f916a1ddf8609c9e3106904219c909c78cb9
SHA5128021605db06782b311e530e929c8b9de144bbf778f651f90892821e7ecc854820556330afcfbfb4637e1db456cb0c6ab8bbacfbd90ba4a802d55066521df1c60
-
C:\Users\Admin\Pictures\QswPwAJvsynMoFsYrPIY104g.exeFilesize
901KB
MD5bbb6e29319908e684a34df5cd053b1d6
SHA10c8bad1f0d5737189a35984a87eae40931284a81
SHA2561a752bac587013dc8d249b80b400d5b23ad8d7c6a54a5795143aa4b71718bc21
SHA512207c6293f8fd1fcc9fd5710c511285cdba25c736f7053a2f2999d4245ce89bdb09d4d0f32543417eeeaf453291079ca2c11ccbb0989613fe4e546fc5039c70c6
-
C:\Users\Admin\Pictures\V1WBwCqmYdkoTzuxtwh9YamG.exeFilesize
280KB
MD53e612b39c8ee2bc5c4fa3a75cdc34d3f
SHA1233d9d109bc3e03412e2af6f7cba8253e6ba79d4
SHA2560e1b23c1a2b3a9ddb5b89ae0485d94f9ec725bf007e6a86f83e8f58d8d8d82fe
SHA512e7e945679a0407c4eb357ec510e11a3631ddfaa47c8386f3ff342ae0b159d2bff181e51e2e99030dd8e91e55c7b2058d8c56fcd80ec4d6e68786b214d5c9a07f
-
C:\Users\Admin\Pictures\l2Aheu08xISKmygm1f2ngCaO.exeFilesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
C:\Users\Admin\Pictures\o0iWYS6qFMrb9mEgBp1ANR15.exeFilesize
1.5MB
MD5cd4acedefa9ab5c7dccac667f91cef13
SHA1bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA51206fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5298e3f21a9acb2ce740e063daf930624
SHA12566fd2fb1707adbc37a638a3e81b31d055bffcf
SHA2561de9941ecf837f5143fbd920c0fd117aa73a1bacd0e89696bb61879f6eae140a
SHA512a49d9bea79f0c00a175a93066ca9f3a50f78eacb9daa0850b7df55fee34241f5846edeb991872d24aef33419af960b40d9ee82c1181a545213e1788dbd781915
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD554ddde25cd28cfe4001cb3be7fcc8dea
SHA1c3d83018ef5c6528856fc4c430c61da3fe8efd28
SHA2566aef66625a30c42ada82a35073390ac6eb41c187e7a161d6b10c76085f9f8453
SHA5121097f6d1043862b7cf8b5730d01e758df7ff4efcb2a807838a5d9e686c5c661c6bd61e9f6ec4e34682387bf5cfedcaf439961835fcecc5dc5d72a5f212d7c5dc
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
C:\Windows\Temp\795102.exeFilesize
6.0MB
MD55cdb390aaba8caad929f5891f86cf8d7
SHA1324a43fa56dffe541c0414f253faf2bf34ad9fa4
SHA2561dfe2dd5f1bd757e852a271e0dc34f96aa9418983e9c8aded545302d2d69de44
SHA5129e8dab07b840d9b0949a539e70cfa155ad08b34c73ae7f2810909f4bf5e1ddcee79f9630a9422083d244322d1afd9d91ade9fc4d75324bc4e45ee67a4900bbe9
-
memory/1080-100-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/1080-98-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/1080-95-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/1080-99-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/1080-101-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/1080-112-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/1080-94-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/1080-102-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/1080-96-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/1888-302-0x0000023861F70000-0x0000023861F90000-memory.dmpFilesize
128KB
-
memory/1920-97-0x00000000009F0000-0x0000000000EA6000-memory.dmpFilesize
4.7MB
-
memory/1920-124-0x00000000009F0000-0x0000000000EA6000-memory.dmpFilesize
4.7MB
-
memory/1940-200-0x0000000006A50000-0x0000000006A8C000-memory.dmpFilesize
240KB
-
memory/1940-413-0x0000000007B50000-0x0000000007D12000-memory.dmpFilesize
1.8MB
-
memory/1940-158-0x0000000000980000-0x00000000009D2000-memory.dmpFilesize
328KB
-
memory/1940-160-0x00000000052C0000-0x0000000005352000-memory.dmpFilesize
584KB
-
memory/1940-163-0x0000000005450000-0x000000000545A000-memory.dmpFilesize
40KB
-
memory/1940-303-0x0000000006D00000-0x0000000006D66000-memory.dmpFilesize
408KB
-
memory/1940-360-0x0000000006F10000-0x0000000006F60000-memory.dmpFilesize
320KB
-
memory/1940-181-0x0000000005F00000-0x0000000005F76000-memory.dmpFilesize
472KB
-
memory/1940-414-0x0000000008250000-0x000000000877C000-memory.dmpFilesize
5.2MB
-
memory/1940-186-0x00000000067E0000-0x00000000067FE000-memory.dmpFilesize
120KB
-
memory/1940-211-0x0000000006BC0000-0x0000000006C0C000-memory.dmpFilesize
304KB
-
memory/1940-198-0x0000000006AB0000-0x0000000006BBA000-memory.dmpFilesize
1.0MB
-
memory/1940-159-0x00000000057D0000-0x0000000005D74000-memory.dmpFilesize
5.6MB
-
memory/1940-199-0x00000000069F0000-0x0000000006A02000-memory.dmpFilesize
72KB
-
memory/1940-189-0x0000000006F60000-0x0000000007578000-memory.dmpFilesize
6.1MB
-
memory/1980-1-0x0000000000CD0000-0x00000000011B2000-memory.dmpFilesize
4.9MB
-
memory/1980-6-0x0000000000CD0000-0x00000000011B2000-memory.dmpFilesize
4.9MB
-
memory/1980-2-0x0000000000CD0000-0x00000000011B2000-memory.dmpFilesize
4.9MB
-
memory/1980-3-0x0000000000CD0000-0x00000000011B2000-memory.dmpFilesize
4.9MB
-
memory/1980-7-0x0000000000CD0000-0x00000000011B2000-memory.dmpFilesize
4.9MB
-
memory/1980-5-0x0000000000CD0000-0x00000000011B2000-memory.dmpFilesize
4.9MB
-
memory/1980-0-0x0000000000CD0000-0x00000000011B2000-memory.dmpFilesize
4.9MB
-
memory/1980-8-0x0000000000CD0000-0x00000000011B2000-memory.dmpFilesize
4.9MB
-
memory/1980-4-0x0000000000CD0000-0x00000000011B2000-memory.dmpFilesize
4.9MB
-
memory/1980-21-0x0000000000CD0000-0x00000000011B2000-memory.dmpFilesize
4.9MB
-
memory/2092-357-0x000000001F070000-0x000000001F232000-memory.dmpFilesize
1.8MB
-
memory/2092-296-0x000000001C5A0000-0x000000001C5BE000-memory.dmpFilesize
120KB
-
memory/2092-295-0x000000001E920000-0x000000001E996000-memory.dmpFilesize
472KB
-
memory/2092-164-0x00000000009E0000-0x0000000000AA0000-memory.dmpFilesize
768KB
-
memory/2092-289-0x000000001E510000-0x000000001E61A000-memory.dmpFilesize
1.0MB
-
memory/2092-358-0x000000001F770000-0x000000001FC98000-memory.dmpFilesize
5.2MB
-
memory/2092-291-0x000000001C5E0000-0x000000001C61C000-memory.dmpFilesize
240KB
-
memory/2092-290-0x000000001B7F0000-0x000000001B802000-memory.dmpFilesize
72KB
-
memory/2112-287-0x0000000000FD0000-0x0000000000FD1000-memory.dmpFilesize
4KB
-
memory/2560-636-0x00000000009F0000-0x0000000000EA6000-memory.dmpFilesize
4.7MB
-
memory/2560-261-0x00000000009F0000-0x0000000000EA6000-memory.dmpFilesize
4.7MB
-
memory/2560-64-0x00000000009F0000-0x0000000000EA6000-memory.dmpFilesize
4.7MB
-
memory/2964-262-0x00000000007B0000-0x0000000000E3C000-memory.dmpFilesize
6.5MB
-
memory/2964-86-0x00000000007B0000-0x0000000000E3C000-memory.dmpFilesize
6.5MB
-
memory/2964-84-0x00000000007B0000-0x0000000000E3C000-memory.dmpFilesize
6.5MB
-
memory/2964-92-0x00000000007B0000-0x0000000000E3C000-memory.dmpFilesize
6.5MB
-
memory/2964-83-0x00000000007B0000-0x0000000000E3C000-memory.dmpFilesize
6.5MB
-
memory/2964-90-0x00000000007B0000-0x0000000000E3C000-memory.dmpFilesize
6.5MB
-
memory/2964-87-0x00000000007B0000-0x0000000000E3C000-memory.dmpFilesize
6.5MB
-
memory/2964-85-0x00000000007B0000-0x0000000000E3C000-memory.dmpFilesize
6.5MB
-
memory/2964-91-0x00000000007B0000-0x0000000000E3C000-memory.dmpFilesize
6.5MB
-
memory/2964-88-0x00000000007B0000-0x0000000000E3C000-memory.dmpFilesize
6.5MB
-
memory/3068-478-0x00000243ED0D0000-0x00000243ED0F2000-memory.dmpFilesize
136KB
-
memory/3116-596-0x0000000006250000-0x00000000062B6000-memory.dmpFilesize
408KB
-
memory/3116-673-0x0000000008020000-0x000000000802A000-memory.dmpFilesize
40KB
-
memory/3116-595-0x0000000005A70000-0x0000000005A92000-memory.dmpFilesize
136KB
-
memory/3116-662-0x0000000073270000-0x00000000732BC000-memory.dmpFilesize
304KB
-
memory/3116-594-0x0000000005B20000-0x0000000006148000-memory.dmpFilesize
6.2MB
-
memory/3116-679-0x00000000080D0000-0x00000000080D8000-memory.dmpFilesize
32KB
-
memory/3116-674-0x00000000080E0000-0x0000000008176000-memory.dmpFilesize
600KB
-
memory/3116-663-0x000000006EED0000-0x000000006F224000-memory.dmpFilesize
3.3MB
-
memory/3252-212-0x0000000000170000-0x00000000001C2000-memory.dmpFilesize
328KB
-
memory/3448-437-0x00000233A33A0000-0x00000233A33AA000-memory.dmpFilesize
40KB
-
memory/3448-466-0x00000233A50D0000-0x00000233A512C000-memory.dmpFilesize
368KB
-
memory/3688-120-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/3752-637-0x0000000140000000-0x0000000140C18000-memory.dmpFilesize
12.1MB
-
memory/4064-400-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/4256-468-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/4412-185-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/4412-183-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/4460-661-0x00000000070E0000-0x0000000007183000-memory.dmpFilesize
652KB
-
memory/4460-638-0x0000000007540000-0x0000000007BBA000-memory.dmpFilesize
6.5MB
-
memory/4460-678-0x0000000007330000-0x000000000734A000-memory.dmpFilesize
104KB
-
memory/4460-677-0x0000000007240000-0x0000000007254000-memory.dmpFilesize
80KB
-
memory/4460-593-0x0000000004520000-0x0000000004556000-memory.dmpFilesize
216KB
-
memory/4460-676-0x0000000007230000-0x000000000723E000-memory.dmpFilesize
56KB
-
memory/4460-675-0x00000000071F0000-0x0000000007201000-memory.dmpFilesize
68KB
-
memory/4460-648-0x0000000007080000-0x00000000070B2000-memory.dmpFilesize
200KB
-
memory/4460-615-0x0000000005710000-0x0000000005A64000-memory.dmpFilesize
3.3MB
-
memory/4460-616-0x0000000005AF0000-0x0000000005B0E000-memory.dmpFilesize
120KB
-
memory/4460-617-0x0000000006060000-0x00000000060AC000-memory.dmpFilesize
304KB
-
memory/4460-622-0x00000000060B0000-0x00000000060F4000-memory.dmpFilesize
272KB
-
memory/4460-650-0x000000006EED0000-0x000000006F224000-memory.dmpFilesize
3.3MB
-
memory/4460-660-0x00000000070C0000-0x00000000070DE000-memory.dmpFilesize
120KB
-
memory/4460-649-0x0000000073270000-0x00000000732BC000-memory.dmpFilesize
304KB
-
memory/4460-639-0x0000000006EC0000-0x0000000006EDA000-memory.dmpFilesize
104KB
-
memory/4752-184-0x0000000001090000-0x0000000001091000-memory.dmpFilesize
4KB
-
memory/4752-182-0x0000000001090000-0x0000000001091000-memory.dmpFilesize
4KB
-
memory/4800-49-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/4800-27-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/4800-30-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/4800-28-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/4800-29-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/4800-24-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/4800-26-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/4800-23-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/4800-22-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/4800-260-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/4800-25-0x0000000000500000-0x00000000009E2000-memory.dmpFilesize
4.9MB
-
memory/4908-306-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/4908-288-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/4908-286-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/4948-50-0x0000000077204000-0x0000000077206000-memory.dmpFilesize
8KB
-
memory/4948-63-0x0000000000530000-0x00000000009E6000-memory.dmpFilesize
4.7MB
-
memory/4948-48-0x0000000000530000-0x00000000009E6000-memory.dmpFilesize
4.7MB