Analysis

  • max time kernel
    78s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04/07/2024, 04:22

General

  • Target

    249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe

  • Size

    875KB

  • MD5

    249dbef48619781b75f151813e0acbd2

  • SHA1

    52b12d1d695f19b8074b117802d4caa9d0f7fd6d

  • SHA256

    6ea5c80473298c65dfb9cbe106aa440e725be596c910eab729182c5d3d87ad4e

  • SHA512

    ac1b6cc4c540e916fcf404a6c2eb5c93948b7fc217dfbce38b4dabda2fd010d4bf53f702070fccd49c96f4ad5782ffe510ca642f7c5900758ce07359825bb0ad

  • SSDEEP

    24576:B5T0kUJQDdHVFQlyOW8oooiAhYJWtA7q:B53UEHVFQAp5iAOgtAG

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • ModiLoader Second Stage 9 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 9 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 50 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 18 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 16 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:928
    • C:\Users\Admin\AppData\Local\Temp\249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
      249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3584
      • C:\Users\Admin\Ww9OoYLk.exe
        C:\Users\Admin\Ww9OoYLk.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Users\Admin\kkjeey.exe
          "C:\Users\Admin\kkjeey.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:432
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del Ww9OoYLk.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2516
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:4004
      • C:\Users\Admin\athost.exe
        C:\Users\Admin\athost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4204
        • C:\Users\Admin\athost.exe
          athost.exe
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:4844
      • C:\Users\Admin\bthost.exe
        C:\Users\Admin\bthost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:572
        • C:\Users\Admin\bthost.exe
          bthost.exe
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:2792
      • C:\Users\Admin\cthost.exe
        C:\Users\Admin\cthost.exe
        3⤵
        • Modifies security service
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4396
        • C:\Users\Admin\cthost.exe
          C:\Users\Admin\cthost.exe startC:\Users\Admin\AppData\Roaming\35D1E\F646C.exe%C:\Users\Admin\AppData\Roaming\35D1E
          4⤵
          • Executes dropped EXE
          PID:2284
        • C:\Users\Admin\cthost.exe
          C:\Users\Admin\cthost.exe startC:\Program Files (x86)\1E435\lvvm.exe%C:\Program Files (x86)\1E435
          4⤵
          • Executes dropped EXE
          PID:5048
        • C:\Program Files (x86)\LP\6CA3\D0CD.tmp
          "C:\Program Files (x86)\LP\6CA3\D0CD.tmp"
          4⤵
          • Executes dropped EXE
          PID:2816
      • C:\Users\Admin\dthost.exe
        C:\Users\Admin\dthost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4600
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
          PID:2140
      • C:\Users\Admin\ethost.exe
        C:\Users\Admin\ethost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4020
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del 249dbef48619781b75f151813e0acbd2_JaffaCakes118.exe
        3⤵
        PID:4668
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1416
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2936
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4732
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:5044
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:984
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4920
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2896
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of SendNotifyMessage
        PID:4184
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:3692
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2948
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of SendNotifyMessage
        PID:3368
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:692
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3032
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:3848
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4492
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:884
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:1440
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4304
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:5116
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:1080
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:1772
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1692
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:4264
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:5100
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2828
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:4408
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:3852
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3968
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        PID:3468
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        PID:3236
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        PID:4036
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        PID:2992
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        PID:1412
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        PID:1084
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        PID:1992
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        PID:1892
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        PID:1472
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        PID:1096
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        PID:452
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        PID:1956
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        PID:3044
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        PID:4384
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        PID:3300
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        PID:1848
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        PID:4000
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        PID:1084
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        PID:2876
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        PID:4228
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        PID:4252
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        PID:4976
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        PID:1216
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        PID:1380
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        PID:3964
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        PID:4652
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        PID:3684
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        PID:4556
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        PID:4068
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        PID:3692
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        PID:4780
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        PID:1380
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        PID:2528
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        PID:1016
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        PID:3728
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        PID:3676
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        PID:3720
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        PID:1848
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        PID:1080
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        PID:3256
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        PID:2440
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        PID:1380
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        PID:2912


                                                                                            Downloads

                                                                                            • C:\Program Files (x86)\LP\6CA3\D0CD.tmp

                                                                                              Filesize

                                                                                              95KB

                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

                                                                                              Filesize

                                                                                              471B

                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

                                                                                              Filesize

                                                                                              420B

                                                                                            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

                                                                                              Filesize

                                                                                              2KB

                                                                                            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133645406009803551.txt

                                                                                              Filesize

                                                                                              75KB

                                                                                            • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\329B0Q5Q\microsoft.windows[1].xml

                                                                                              Filesize

                                                                                              96B

                                                                                            • C:\Users\Admin\AppData\Roaming\35D1E\E435.5D1

                                                                                              Filesize

                                                                                              600B

                                                                                            • C:\Users\Admin\AppData\Roaming\35D1E\E435.5D1

                                                                                              Filesize

                                                                                              996B

                                                                                            • C:\Users\Admin\AppData\Roaming\35D1E\E435.5D1

                                                                                              Filesize

                                                                                              1KB

                                                                                            • C:\Users\Admin\Ww9OoYLk.exe

                                                                                              Filesize

                                                                                              256KB

                                                                                            • C:\Users\Admin\athost.exe

                                                                                              Filesize

                                                                                              263KB

                                                                                            • C:\Users\Admin\bthost.exe

                                                                                              Filesize

                                                                                              153KB

                                                                                            • C:\Users\Admin\cthost.exe

                                                                                              Filesize

                                                                                              278KB

                                                                                            • C:\Users\Admin\dthost.exe

                                                                                              Filesize

                                                                                              227KB

                                                                                            • C:\Users\Admin\ethost.exe

                                                                                              Filesize

                                                                                              24KB

                                                                                            • C:\Users\Admin\kkjeey.exe

                                                                                              Filesize

                                                                                              256KB


                                                                                            • memory/3032-621-0x000002364B630000-0x000002364B650000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                            • memory/3368-606-0x00000000044E0000-0x00000000044E1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                            • memory/3584-420-0x0000000000400000-0x0000000000535000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                            • memory/3584-7-0x0000000000400000-0x0000000000535000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                            • memory/3584-1-0x0000000000400000-0x0000000000535000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                            • memory/3584-0-0x0000000000400000-0x0000000000535000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                            • memory/3584-5-0x0000000000400000-0x0000000000535000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                            • memory/3584-4-0x0000000000400000-0x0000000000535000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                            • memory/3584-82-0x0000000000400000-0x0000000000535000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                            • memory/3848-749-0x0000000004050000-0x0000000004051000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                            • memory/4184-461-0x00000000042E0000-0x00000000042E1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                            • memory/4204-60-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                              Filesize

                                                                                              120KB

                                                                                            • memory/4396-104-0x0000000000400000-0x000000000046B000-memory.dmp

                                                                                              Filesize

                                                                                              428KB

                                                                                            • memory/4396-289-0x0000000000400000-0x000000000046B000-memory.dmp

                                                                                              Filesize

                                                                                              428KB

                                                                                            • memory/4396-173-0x0000000000400000-0x000000000046B000-memory.dmp

                                                                                              Filesize

                                                                                              428KB

                                                                                            • memory/4600-81-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                                              Filesize

                                                                                              408KB

                                                                                            • memory/4600-85-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                                              Filesize

                                                                                              408KB

                                                                                            • memory/4844-54-0x0000000000400000-0x0000000000437000-memory.dmp

                                                                                              Filesize

                                                                                              220KB

                                                                                            • memory/4844-56-0x0000000000400000-0x0000000000437000-memory.dmp

                                                                                              Filesize

                                                                                              220KB

                                                                                            • memory/4844-61-0x0000000000400000-0x0000000000437000-memory.dmp

                                                                                              Filesize

                                                                                              220KB

                                                                                            • memory/4844-57-0x0000000000400000-0x0000000000437000-memory.dmp

                                                                                              Filesize

                                                                                              220KB

                                                                                            • memory/4844-55-0x0000000000400000-0x0000000000437000-memory.dmp

                                                                                              Filesize

                                                                                              220KB

                                                                                            • memory/4844-102-0x0000000000400000-0x0000000000437000-memory.dmp

                                                                                              Filesize

                                                                                              220KB

                                                                                            • memory/5048-170-0x0000000000400000-0x000000000046B000-memory.dmp

                                                                                              Filesize

                                                                                              428KB