Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
11-09-2024 21:23
General
-
Target
84450ece99d5ebe3557daa586d2d1650N.exe
-
Size
4.9MB
-
MD5
84450ece99d5ebe3557daa586d2d1650
-
SHA1
9241cf6c4f37fcc63732c728cedb408afd3d8369
-
SHA256
6ff9d724f6dfa99f6a30343e9dc543fc864da291eff05a391850329f94be6f9e
-
SHA512
eb9cd446fc1735a9a0ebafcd04e64903708e84baab0ee465290752bb2d5ee32fb7fe209e8621dce8ed8ebd12b90351a01fe07e7a81789780edef0892a49ec6c4
-
SSDEEP
49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Score
10/10
Malware Config
Extracted
Family
colibri
Version
1.2.0
Botnet
Build1
C2
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain
Signatures
-
Colibri Loader
A loader sold as MaaS first seen in August 2021.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 36 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 33 IoCs
-
Checks whether UAC is enabled 1 TTPs 24 IoCs
-
Suspicious use of SetThreadContext 10 IoCs
-
Drops file in Program Files directory 32 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 11 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\84450ece99d5ebe3557daa586d2d1650N.exe"C:\Users\Admin\AppData\Local\Temp\84450ece99d5ebe3557daa586d2d1650N.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\tmp9A1E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9A1E.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp9A1E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9A1E.tmp.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dg5wW3gSHs.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
C:\Program Files (x86)\Google\RuntimeBroker.exe"C:\Program Files (x86)\Google\RuntimeBroker.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f98e0dd7-51a7-435b-b777-78bcefd3b964.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Google\RuntimeBroker.exe"C:\Program Files (x86)\Google\RuntimeBroker.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca5b26b0-62e6-4a75-a51a-a14486355081.vbs"6⤵
-
C:\Program Files (x86)\Google\RuntimeBroker.exe"C:\Program Files (x86)\Google\RuntimeBroker.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e265620-2320-405f-8e70-da056cb2bfbe.vbs"8⤵
-
C:\Program Files (x86)\Google\RuntimeBroker.exe"C:\Program Files (x86)\Google\RuntimeBroker.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd7878a8-da63-447f-87f9-a94cc0bad665.vbs"10⤵
-
C:\Program Files (x86)\Google\RuntimeBroker.exe"C:\Program Files (x86)\Google\RuntimeBroker.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03ac4541-db2f-47e4-8cca-0e32ab17e568.vbs"12⤵
-
C:\Program Files (x86)\Google\RuntimeBroker.exe"C:\Program Files (x86)\Google\RuntimeBroker.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1fac6c7-e498-4bde-825d-eacea6931595.vbs"14⤵
-
C:\Program Files (x86)\Google\RuntimeBroker.exe"C:\Program Files (x86)\Google\RuntimeBroker.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bc5ee66-35a5-4622-ab2c-36ed5d440ec9.vbs"16⤵
-
C:\Program Files (x86)\Google\RuntimeBroker.exe"C:\Program Files (x86)\Google\RuntimeBroker.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\884f9f4b-86ee-4e09-8056-c862879fe536.vbs"18⤵
-
C:\Program Files (x86)\Google\RuntimeBroker.exe"C:\Program Files (x86)\Google\RuntimeBroker.exe"19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdd04ac2-e51d-4e54-9341-48b5be0734fb.vbs"20⤵
-
C:\Program Files (x86)\Google\RuntimeBroker.exe"C:\Program Files (x86)\Google\RuntimeBroker.exe"21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\203484a1-63e4-48b3-b30f-18739e5bcd5b.vbs"22⤵
-
C:\Program Files (x86)\Google\RuntimeBroker.exe"C:\Program Files (x86)\Google\RuntimeBroker.exe"23⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\313440a6-4003-47d6-b15f-e87b510709f7.vbs"22⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp4E74.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4E74.tmp.exe"22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp4E74.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4E74.tmp.exe"23⤵
- Executes dropped EXE
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54964590-08c3-421a-99db-fd68f0fcc6ea.vbs"20⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09920477-a008-4680-aef6-9ffa8714c1b7.vbs"18⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpD1.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD1.tmp.exe"18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpD1.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD1.tmp.exe"19⤵
- Executes dropped EXE
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa9bc416-8231-4d24-b8a2-676785c0d29d.vbs"16⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpE2AA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE2AA.tmp.exe"16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpE2AA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE2AA.tmp.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpE2AA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE2AA.tmp.exe"18⤵
- Executes dropped EXE
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ca06cbc-50ae-48fe-9b8a-9243de951293.vbs"14⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpB002.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB002.tmp.exe"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpB002.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB002.tmp.exe"15⤵
- Executes dropped EXE
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d292e8b1-83e3-4fce-9379-72bca5f66d20.vbs"12⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp7E72.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7E72.tmp.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp7E72.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7E72.tmp.exe"13⤵
- Executes dropped EXE
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62409629-b344-4cfe-82f2-e6a81625c385.vbs"10⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp600D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp600D.tmp.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp600D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp600D.tmp.exe"11⤵
- Executes dropped EXE
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ad574da-cf41-4263-b8b8-5934d311ead9.vbs"8⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp42B1.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp42B1.tmp.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp42B1.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp42B1.tmp.exe"9⤵
- Executes dropped EXE
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dff2d95-1223-4f44-9f8b-905beb0d045e.vbs"6⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp10C4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp10C4.tmp.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp10C4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp10C4.tmp.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26352bc7-ed1f-4161-9096-ccdc2a8a908f.vbs"4⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpDF54.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDF54.tmp.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpDF54.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDF54.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpDF54.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDF54.tmp.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\System\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\System\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "84450ece99d5ebe3557daa586d2d1650N8" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\84450ece99d5ebe3557daa586d2d1650N.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "84450ece99d5ebe3557daa586d2d1650N" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\84450ece99d5ebe3557daa586d2d1650N.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "84450ece99d5ebe3557daa586d2d1650N8" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\84450ece99d5ebe3557daa586d2d1650N.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Desktop\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Desktop\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\tracing\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "84450ece99d5ebe3557daa586d2d1650N8" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\84450ece99d5ebe3557daa586d2d1650N.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "84450ece99d5ebe3557daa586d2d1650N" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\84450ece99d5ebe3557daa586d2d1650N.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "84450ece99d5ebe3557daa586d2d1650N8" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\84450ece99d5ebe3557daa586d2d1650N.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Windows Mail\services.exeFilesize
4.9MB
MD584450ece99d5ebe3557daa586d2d1650
SHA19241cf6c4f37fcc63732c728cedb408afd3d8369
SHA2566ff9d724f6dfa99f6a30343e9dc543fc864da291eff05a391850329f94be6f9e
SHA512eb9cd446fc1735a9a0ebafcd04e64903708e84baab0ee465290752bb2d5ee32fb7fe209e8621dce8ed8ebd12b90351a01fe07e7a81789780edef0892a49ec6c4
-
C:\Program Files\Windows Sidebar\84450ece99d5ebe3557daa586d2d1650N.exeFilesize
4.9MB
MD5f693276a8db6ed1e20da8f014540e34b
SHA17fd391c9a0a340c2ad4c886f98d8cb9ba5ef4577
SHA2561f847152bcff80b626648cf0e4225fc5fd1a5b01e10a3a6ef611280292a145a7
SHA5126af3a244104d2bc110302bc00d0d7bef7bb52fe4886eb768c45a74bdfd9f0755046e1f64c40d1a4e162a8d012c7c5dbffe575bd9a6c4cb63b8fd8d477b320ae2
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.logFilesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD542cc9ff3509672894beabcd392a00c43
SHA1c12dc74a6c8a8e1f8f4033d31495ebb09d70e9ab
SHA256352d90b619218e7bf297219c1468e9ea487c9002e28984ec70a963088dff3579
SHA512c876de012d1b237463b2c2a4195e050c2ddbdf5725aa2553313525ecb6a4a3f0cda9a289f257b886395da6407b5173451e95df89665ae1c727c6be3753a89271
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5ecceac16628651c18879d836acfcb062
SHA1420502b3e5220a01586c59504e94aa1ee11982c9
SHA25658238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9
SHA512be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5588e5b3406537204588ef39f4c84259f
SHA1c6056b8139c0796cc6272b7b71fca2085f62b785
SHA2563b7e7c56deb0f16483d67e60a42a5f0a58ee557790fe0f312d036e4ecc31f7f0
SHA512f85ea8f8f0c3ea56840a84f42a188f125c13cea8b23f86ddcce8eb28758e816dd6d871154dfe63d250ef369b153f72c587a7a8bccd0a2728b7bc922dd7436e96
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD55f0ddc7f3691c81ee14d17b419ba220d
SHA1f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA5122ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5aaaac7c68d2b7997ed502c26fd9f65c2
SHA17c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA2568724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac
-
C:\Users\Admin\AppData\Local\Temp\03ac4541-db2f-47e4-8cca-0e32ab17e568.vbsFilesize
723B
MD537bf5cbb07bda124306770ca8e12f62c
SHA10cdd5d182a4e034ec9d4a6ffb090b432c867752b
SHA2562c5d4ca623b9f752e4d6a4fa1da15b19d118df216e933841f938d87599c12f95
SHA5127c06c28933cb443ed38bcac7c365bc64b6ac7f6e70abf6bd9f4be14aba61e2d8cb0fe80856eb9e402e760c285b1646058a057ee6ea4eb146f824b266dc5f91f7
-
C:\Users\Admin\AppData\Local\Temp\0bc5ee66-35a5-4622-ab2c-36ed5d440ec9.vbsFilesize
723B
MD53c138d254bd577784030903f025045ac
SHA1cecde807f02b039e207a0b04c62b6cc33b42279b
SHA2561f1bd025cab75746850a1e7b5a0b97c7a4a26f28cd16d88b68512bcb132fe227
SHA512d33677fca6249d4cc101281851279e27c68cef834f4a22df8517b277714d9fdd093c1fc51d5ef1ac2f89b7bca73eeefcb9377a509e19b22b18390d3973db7230
-
C:\Users\Admin\AppData\Local\Temp\26352bc7-ed1f-4161-9096-ccdc2a8a908f.vbsFilesize
499B
MD5f356db182dcdffe08273fe3864639d74
SHA16d5b011f143164921e776ff5573db8a2b93e6a9f
SHA2563abad19cf5e79b97c082e7a71256dbf5715f8c27dad45725fa80fc215f610a36
SHA512de8c627076c715c2266563558f408c242302331b1744fe702d0ee2090ad9d95b64efefe8d83133c2b5e4c4684319ed1e271768be7435e7b6e8d14a1e8f208cf9
-
C:\Users\Admin\AppData\Local\Temp\7e265620-2320-405f-8e70-da056cb2bfbe.vbsFilesize
723B
MD53e47db2b1b64498a8f66e3ad5c3818ff
SHA13740783d2ebf97e95155e495f906709109758749
SHA256a98bb1b2bc0638090d11b14517e2ba76182a34ef6b96457a3176ff7c96a21c76
SHA51201f241e532492a2d4145f172996aa688bb8cc00848914de417f59822820b7a07db9a391cef56169a0e974ea3c2be4d3b8bbfa6064e8ed9892125610eaa02ce70
-
C:\Users\Admin\AppData\Local\Temp\Dg5wW3gSHs.batFilesize
212B
MD5f3e1a7906305340fcf1d7fbcd5327885
SHA145e08f008dcb0aa8e3ab8f901a96485048368e16
SHA256a5a8c230ac3e8db58e28178a86b1672a754955ad1c5d0efd9aad015b09c08cfa
SHA512387ba2a1fc7348cc69897c4540760efaa0a5896c96d81654280cdf6e55249af75c8250eab9487d6e57b502f18ee9efffec8b84a38b3f84edfa9a942e931e76f0
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hq3qhdmz.4uz.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\b1fac6c7-e498-4bde-825d-eacea6931595.vbsFilesize
723B
MD5d078b81620a8bf8532222476ccc95e22
SHA10e4130554d678c13b2d810348e195e9e948df7ac
SHA256db54476b21456803b619397a0747ffbe432f064df9f44055ebc47b02264c835d
SHA512dd0fe2703be5080184e47ff4d7c14f539eb94bc397e4cf4ff22be35f43b95fc275114956c68b72c60873e5685050440cc8eb9ef00908911e6e0fd4b48db8d208
-
C:\Users\Admin\AppData\Local\Temp\ca5b26b0-62e6-4a75-a51a-a14486355081.vbsFilesize
723B
MD5547ff57e848dffec2640945095f03319
SHA17621380371b12326171086ae4d629462d4682235
SHA256d5c0fb41cb1af7575413133a89904b00e386ac1f04d37ef65dc29d480b2657d8
SHA5125d44310e5e54b915e833102a07b5adee75580efc8f142abcf75ff1009b35c5159ec0653282806caffdae7b32a5160c1b90eb7cbbcea39310fc5e2d7852038e32
-
C:\Users\Admin\AppData\Local\Temp\f98e0dd7-51a7-435b-b777-78bcefd3b964.vbsFilesize
723B
MD53e6f71771b5646303039f4c78911328a
SHA1bdde6ea44f0332fb478807aa1448bc5ea0c53bdb
SHA256092b4a30ed23b2c66fcacaa2641001826d55dd50cedfc084e7149299e51489f4
SHA5126b3fcf2fea06ae5b8334d690b31c60dcdee63a069fe8658885724972661824885f773c1ba4ae53c33e7771784f79485bb2644357910d641ae0363eab3e5d3836
-
C:\Users\Admin\AppData\Local\Temp\fd7878a8-da63-447f-87f9-a94cc0bad665.vbsFilesize
723B
MD5f4adc020e56944aa20eda9d8c0f31ec4
SHA109caab88a643b821657bbf9b32c6779a600bb72e
SHA256d43b46894a15530d1c66da8c7326e2d3e932689cc2f65ea44b5ce421c6f5c107
SHA51221e6486a3a5f355adcfee0fd3637952912547da12941361ab5fbd04b66097b14bcfa789b9d97f1dd8af54b29ba0e2c31c9fb2b495e6b7f0876bf49cce1e70412
-
C:\Users\Admin\AppData\Local\Temp\tmp9A1E.tmp.exeFilesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
memory/408-279-0x000001B5A3590000-0x000001B5A36FA000-memory.dmpFilesize
1.4MB
-
memory/1332-423-0x000000001DF00000-0x000000001E002000-memory.dmpFilesize
1.0MB
-
memory/1332-424-0x000000001DF00000-0x000000001E002000-memory.dmpFilesize
1.0MB
-
memory/1340-472-0x000000001D900000-0x000000001DA02000-memory.dmpFilesize
1.0MB
-
memory/1400-283-0x00000291C33E0000-0x00000291C354A000-memory.dmpFilesize
1.4MB
-
memory/1732-298-0x000001C5E6420000-0x000001C5E658A000-memory.dmpFilesize
1.4MB
-
memory/1816-295-0x00000200E9C70000-0x00000200E9DDA000-memory.dmpFilesize
1.4MB
-
memory/1968-327-0x000000001E090000-0x000000001E192000-memory.dmpFilesize
1.0MB
-
memory/2144-286-0x00000237C7D50000-0x00000237C7EBA000-memory.dmpFilesize
1.4MB
-
memory/2448-17-0x000000001C3A0000-0x000000001C3A8000-memory.dmpFilesize
32KB
-
memory/2448-7-0x000000001C1C0000-0x000000001C1D0000-memory.dmpFilesize
64KB
-
memory/2448-5-0x000000001C9C0000-0x000000001CA10000-memory.dmpFilesize
320KB
-
memory/2448-1-0x0000000000F80000-0x0000000001474000-memory.dmpFilesize
5.0MB
-
memory/2448-2-0x00007FF81C160000-0x00007FF81CC21000-memory.dmpFilesize
10.8MB
-
memory/2448-163-0x00007FF81C160000-0x00007FF81CC21000-memory.dmpFilesize
10.8MB
-
memory/2448-150-0x00007FF81C160000-0x00007FF81CC21000-memory.dmpFilesize
10.8MB
-
memory/2448-3-0x000000001C210000-0x000000001C33E000-memory.dmpFilesize
1.2MB
-
memory/2448-136-0x00007FF81C163000-0x00007FF81C165000-memory.dmpFilesize
8KB
-
memory/2448-4-0x0000000001D80000-0x0000000001D9C000-memory.dmpFilesize
112KB
-
memory/2448-18-0x000000001CB10000-0x000000001CB1C000-memory.dmpFilesize
48KB
-
memory/2448-9-0x000000001C1F0000-0x000000001C200000-memory.dmpFilesize
64KB
-
memory/2448-16-0x000000001C390000-0x000000001C398000-memory.dmpFilesize
32KB
-
memory/2448-0-0x00007FF81C163000-0x00007FF81C165000-memory.dmpFilesize
8KB
-
memory/2448-12-0x000000001CF40000-0x000000001D468000-memory.dmpFilesize
5.2MB
-
memory/2448-6-0x0000000001DA0000-0x0000000001DA8000-memory.dmpFilesize
32KB
-
memory/2448-13-0x000000001C360000-0x000000001C36A000-memory.dmpFilesize
40KB
-
memory/2448-14-0x000000001C370000-0x000000001C37E000-memory.dmpFilesize
56KB
-
memory/2448-15-0x000000001C380000-0x000000001C38E000-memory.dmpFilesize
56KB
-
memory/2448-11-0x000000001C350000-0x000000001C362000-memory.dmpFilesize
72KB
-
memory/2448-10-0x000000001C340000-0x000000001C34A000-memory.dmpFilesize
40KB
-
memory/2448-8-0x000000001C1D0000-0x000000001C1E6000-memory.dmpFilesize
88KB
-
memory/2604-514-0x000000001BFF0000-0x000000001C002000-memory.dmpFilesize
72KB
-
memory/2620-399-0x000000001DE20000-0x000000001DF22000-memory.dmpFilesize
1.0MB
-
memory/2704-289-0x0000015B6C2E0000-0x0000015B6C44A000-memory.dmpFilesize
1.4MB
-
memory/3176-66-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/3400-448-0x000000001DEF0000-0x000000001DFF2000-memory.dmpFilesize
1.0MB
-
memory/3988-277-0x000002122E510000-0x000002122E67A000-memory.dmpFilesize
1.4MB
-
memory/4500-278-0x000001197D930000-0x000001197DA9A000-memory.dmpFilesize
1.4MB
-
memory/4644-173-0x000001A8ADF00000-0x000001A8ADF22000-memory.dmpFilesize
136KB
-
memory/4644-267-0x000001A8AE3C0000-0x000001A8AE52A000-memory.dmpFilesize
1.4MB
-
memory/5012-280-0x000002E0F75E0000-0x000002E0F774A000-memory.dmpFilesize
1.4MB
-
memory/5032-292-0x00000208FD700000-0x00000208FD86A000-memory.dmpFilesize
1.4MB
-
memory/5096-353-0x000000001BFF0000-0x000000001C002000-memory.dmpFilesize
72KB