Overview
overview
10Static
static
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8Analysis
-
max time kernel
1798s -
max time network
1814s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-11-2020 13:14
Static task
static1
Behavioral task
behavioral1
Sample
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
Resource
win10v20201028
Behavioral task
behavioral2
Sample
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
1.bin/1.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba.dll
Resource
win10v20201028
Behavioral task
behavioral6
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
31.exe
Resource
win10v20201028
Behavioral task
behavioral8
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
42f972925508a82236e8533567487761.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
42f972925508a82236e8533567487761(1).exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
6a9e7107c97762eb1196a64baeadb291.exe
Resource
win10v20201028
Behavioral task
behavioral14
Sample
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Resource
win10v20201028
Behavioral task
behavioral16
Sample
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
Resource
win10v20201028
Behavioral task
behavioral17
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral19
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
HYDRA.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
KLwC6vii.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
Keygen.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral26
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral28
Sample
OnlineInstaller.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
Behavioral task
behavioral30
Sample
SecuriteInfo.com.Gen.NN.ZexaF.34108.xy1@amqiedE.17985.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869.dll
Resource
win10v20201028
General
-
Target
42f972925508a82236e8533567487761.exe
Malware Config
Extracted
Family
warzonerat
C2
sandyclark255.hopto.org:5200
Extracted
Family
asyncrat
Version
0.5.6A
C2
sandyclark255.hopto.org:6606
sandyclark255.hopto.org:8808
sandyclark255.hopto.org:7707
Attributes
-
aes_key
DStgwPf5qCYAcWWcPg3CaZBkDbYF3HQo
-
anti_detection
true
-
autorun
true
-
bdos
false
- delay
-
host
sandyclark255.hopto.org
- hwid
- install_file
-
install_folder
%AppData%
-
mutex
adweqsds56332
-
pastebin_config
null
-
port
6606,8808,7707
-
version
0.5.6A
aes.plain
Signatures
-
Modifies WinLogon for persistence ⋅ 2 TTPs 3 IoCs
Processes:
svbhost.exeeIUVS8yneJWQc7wK.exesvuhost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\0V73UcVDnHUl.exe\",explorer.exe" svbhost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\ZjuLIBviNzqy.exe\",explorer.exe" eIUVS8yneJWQc7wK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\excelsl.exe" svuhost.exe -
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Async RAT payload ⋅ 1 IoCs
Processes:
resource yara_rule behavioral9/memory/2388-80-0x0000000002890000-0x000000000289D000-memory.dmp asyncrat -
Warzone RAT Payload ⋅ 3 IoCs
Processes:
resource yara_rule behavioral9/memory/716-31-0x0000000000400000-0x0000000000554000-memory.dmp warzonerat behavioral9/memory/716-32-0x0000000000405CE2-mapping.dmp warzonerat behavioral9/memory/716-35-0x0000000000400000-0x0000000000554000-memory.dmp warzonerat -
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory ⋅ 1 IoCs
Processes:
svuhost.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts svuhost.exe -
Executes dropped EXE ⋅ 21 IoCs
Processes:
Q84NaqkUOz1eNKMu.exeeIUVS8yneJWQc7wK.exeC5LXgE2NTeA6vaqf.exeVliD6S25vjFhrcLj.exeRktTKislQvYnnKdo.exeYKbXlrzv2bnCPERW.exesvthost.exeeridjeht.exesvrhost.exesvehosts.exesvbhost.exesvbhost.exesvbhost.exesvuhost.exesvuhost.exesvuhost.exeexcelsl.exesvuhost.exesvbhost.exesvbhost.exeprndrvest.exepid process 2684 Q84NaqkUOz1eNKMu.exe 184 eIUVS8yneJWQc7wK.exe 1800 C5LXgE2NTeA6vaqf.exe 2388 VliD6S25vjFhrcLj.exe 1312 RktTKislQvYnnKdo.exe 1352 YKbXlrzv2bnCPERW.exe 3804 svthost.exe 716 eridjeht.exe 3932 svrhost.exe 1620 svehosts.exe 1248 svbhost.exe 2856 svbhost.exe 1204 svbhost.exe 1308 svuhost.exe 1220 svuhost.exe 2968 svuhost.exe 3296 excelsl.exe 996 svuhost.exe 1088 svbhost.exe 1608 svbhost.exe 3536 prndrvest.exe -
Modifies Windows Firewall ⋅ 1 TTPs
TTPs:
-
Checks computer location settings ⋅ 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
svuhost.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation svuhost.exe -
Drops startup file ⋅ 2 IoCs
Processes:
svehosts.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe svehosts.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe svehosts.exe -
Adds Run key to start application ⋅ 2 TTPs 4 IoCs
Processes:
svuhost.exesvehosts.exesvuhost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe" svuhost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .." svehosts.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .." svehosts.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe" svuhost.exe -
Suspicious use of SetThreadContext ⋅ 7 IoCs
Processes:
42f972925508a82236e8533567487761.exeRktTKislQvYnnKdo.exeYKbXlrzv2bnCPERW.exeeIUVS8yneJWQc7wK.exeC5LXgE2NTeA6vaqf.exeexcelsl.exesvbhost.exedescription pid process target process PID 576 set thread context of 3804 576 42f972925508a82236e8533567487761.exe svthost.exe PID 1312 set thread context of 716 1312 RktTKislQvYnnKdo.exe eridjeht.exe PID 1352 set thread context of 3932 1352 YKbXlrzv2bnCPERW.exe svrhost.exe PID 184 set thread context of 2856 184 eIUVS8yneJWQc7wK.exe svbhost.exe PID 1800 set thread context of 2968 1800 C5LXgE2NTeA6vaqf.exe svuhost.exe PID 3296 set thread context of 996 3296 excelsl.exe svuhost.exe PID 1204 set thread context of 1608 1204 svbhost.exe svbhost.exe -
Drops file in Windows directory ⋅ 1 IoCs
Processes:
Q84NaqkUOz1eNKMu.exedescription ioc process File created C:\Windows\svehosts.exe Q84NaqkUOz1eNKMu.exe -
Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash ⋅ 5 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 2204 576 WerFault.exe 42f972925508a82236e8533567487761.exe 3424 1312 WerFault.exe RktTKislQvYnnKdo.exe 3172 1352 WerFault.exe YKbXlrzv2bnCPERW.exe 492 1800 WerFault.exe C5LXgE2NTeA6vaqf.exe 3820 3296 WerFault.exe excelsl.exe -
Creates scheduled task(s) ⋅ 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe ⋅ 1 IoCs
Processes:
timeout.exepid process 188 timeout.exe -
Modifies registry class ⋅ 1 IoCs
Processes:
svuhost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance svuhost.exe -
Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs
Processes:
42f972925508a82236e8533567487761.exeWerFault.exeRktTKislQvYnnKdo.exeYKbXlrzv2bnCPERW.exeWerFault.exeWerFault.exeeIUVS8yneJWQc7wK.exeC5LXgE2NTeA6vaqf.exepid process 576 42f972925508a82236e8533567487761.exe 576 42f972925508a82236e8533567487761.exe 576 42f972925508a82236e8533567487761.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 1312 RktTKislQvYnnKdo.exe 1312 RktTKislQvYnnKdo.exe 1312 RktTKislQvYnnKdo.exe 1352 YKbXlrzv2bnCPERW.exe 1352 YKbXlrzv2bnCPERW.exe 1352 YKbXlrzv2bnCPERW.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 184 eIUVS8yneJWQc7wK.exe 184 eIUVS8yneJWQc7wK.exe 184 eIUVS8yneJWQc7wK.exe 184 eIUVS8yneJWQc7wK.exe 184 eIUVS8yneJWQc7wK.exe 184 eIUVS8yneJWQc7wK.exe 1800 C5LXgE2NTeA6vaqf.exe 1800 C5LXgE2NTeA6vaqf.exe 1800 C5LXgE2NTeA6vaqf.exe 1800 C5LXgE2NTeA6vaqf.exe -
Suspicious behavior: GetForegroundWindowSpam ⋅ 2 IoCs
Processes:
svrhost.exesvbhost.exepid process 3932 svrhost.exe 2856 svbhost.exe -
Suspicious use of AdjustPrivilegeToken ⋅ 64 IoCs
Processes:
42f972925508a82236e8533567487761.exeWerFault.exeQ84NaqkUOz1eNKMu.exeRktTKislQvYnnKdo.exeYKbXlrzv2bnCPERW.exeWerFault.exeWerFault.exeVliD6S25vjFhrcLj.exeeIUVS8yneJWQc7wK.exeC5LXgE2NTeA6vaqf.exesvbhost.exesvehosts.exesvuhost.exeWerFault.exeexcelsl.exesvbhost.exesvuhost.exedescription pid process Token: SeDebugPrivilege 576 42f972925508a82236e8533567487761.exe Token: SeDebugPrivilege 576 42f972925508a82236e8533567487761.exe Token: SeRestorePrivilege 2204 WerFault.exe Token: SeBackupPrivilege 2204 WerFault.exe Token: SeDebugPrivilege 2684 Q84NaqkUOz1eNKMu.exe Token: SeDebugPrivilege 2684 Q84NaqkUOz1eNKMu.exe Token: SeDebugPrivilege 2204 WerFault.exe Token: SeDebugPrivilege 1312 RktTKislQvYnnKdo.exe Token: SeDebugPrivilege 1352 YKbXlrzv2bnCPERW.exe Token: SeDebugPrivilege 3424 WerFault.exe Token: SeDebugPrivilege 3172 WerFault.exe Token: SeDebugPrivilege 2388 VliD6S25vjFhrcLj.exe Token: SeDebugPrivilege 184 eIUVS8yneJWQc7wK.exe Token: SeDebugPrivilege 184 eIUVS8yneJWQc7wK.exe Token: SeDebugPrivilege 1800 C5LXgE2NTeA6vaqf.exe Token: SeShutdownPrivilege 2856 svbhost.exe Token: SeDebugPrivilege 2856 svbhost.exe Token: SeTcbPrivilege 2856 svbhost.exe Token: SeDebugPrivilege 1620 svehosts.exe Token: SeDebugPrivilege 1620 svehosts.exe Token: SeIncreaseQuotaPrivilege 2968 svuhost.exe Token: SeSecurityPrivilege 2968 svuhost.exe Token: SeTakeOwnershipPrivilege 2968 svuhost.exe Token: SeLoadDriverPrivilege 2968 svuhost.exe Token: SeSystemProfilePrivilege 2968 svuhost.exe Token: SeSystemtimePrivilege 2968 svuhost.exe Token: SeProfSingleProcessPrivilege 2968 svuhost.exe Token: SeIncBasePriorityPrivilege 2968 svuhost.exe Token: SeCreatePagefilePrivilege 2968 svuhost.exe Token: SeBackupPrivilege 2968 svuhost.exe Token: SeRestorePrivilege 2968 svuhost.exe Token: SeShutdownPrivilege 2968 svuhost.exe Token: SeDebugPrivilege 2968 svuhost.exe Token: SeSystemEnvironmentPrivilege 2968 svuhost.exe Token: SeChangeNotifyPrivilege 2968 svuhost.exe Token: SeRemoteShutdownPrivilege 2968 svuhost.exe Token: SeUndockPrivilege 2968 svuhost.exe Token: SeManageVolumePrivilege 2968 svuhost.exe Token: SeImpersonatePrivilege 2968 svuhost.exe Token: SeCreateGlobalPrivilege 2968 svuhost.exe Token: 33 2968 svuhost.exe Token: 34 2968 svuhost.exe Token: 35 2968 svuhost.exe Token: 36 2968 svuhost.exe Token: SeDebugPrivilege 492 WerFault.exe Token: SeDebugPrivilege 3296 excelsl.exe Token: SeDebugPrivilege 1204 svbhost.exe Token: SeIncreaseQuotaPrivilege 996 svuhost.exe Token: SeSecurityPrivilege 996 svuhost.exe Token: SeTakeOwnershipPrivilege 996 svuhost.exe Token: SeLoadDriverPrivilege 996 svuhost.exe Token: SeSystemProfilePrivilege 996 svuhost.exe Token: SeSystemtimePrivilege 996 svuhost.exe Token: SeProfSingleProcessPrivilege 996 svuhost.exe Token: SeIncBasePriorityPrivilege 996 svuhost.exe Token: SeCreatePagefilePrivilege 996 svuhost.exe Token: SeBackupPrivilege 996 svuhost.exe Token: SeDebugPrivilege 1204 svbhost.exe Token: SeRestorePrivilege 996 svuhost.exe Token: SeShutdownPrivilege 996 svuhost.exe Token: SeDebugPrivilege 996 svuhost.exe Token: SeSystemEnvironmentPrivilege 996 svuhost.exe Token: SeChangeNotifyPrivilege 996 svuhost.exe Token: SeRemoteShutdownPrivilege 996 svuhost.exe -
Suspicious use of SetWindowsHookEx ⋅ 2 IoCs
Processes:
svbhost.exesvuhost.exepid process 2856 svbhost.exe 996 svuhost.exe -
Suspicious use of WriteProcessMemory ⋅ 64 IoCs
Processes:
42f972925508a82236e8533567487761.exeRktTKislQvYnnKdo.exeYKbXlrzv2bnCPERW.exeQ84NaqkUOz1eNKMu.exeeIUVS8yneJWQc7wK.exedescription pid process target process PID 576 wrote to memory of 2684 576 42f972925508a82236e8533567487761.exe Q84NaqkUOz1eNKMu.exe PID 576 wrote to memory of 2684 576 42f972925508a82236e8533567487761.exe Q84NaqkUOz1eNKMu.exe PID 576 wrote to memory of 2684 576 42f972925508a82236e8533567487761.exe Q84NaqkUOz1eNKMu.exe PID 576 wrote to memory of 184 576 42f972925508a82236e8533567487761.exe eIUVS8yneJWQc7wK.exe PID 576 wrote to memory of 184 576 42f972925508a82236e8533567487761.exe eIUVS8yneJWQc7wK.exe PID 576 wrote to memory of 184 576 42f972925508a82236e8533567487761.exe eIUVS8yneJWQc7wK.exe PID 576 wrote to memory of 1800 576 42f972925508a82236e8533567487761.exe C5LXgE2NTeA6vaqf.exe PID 576 wrote to memory of 1800 576 42f972925508a82236e8533567487761.exe C5LXgE2NTeA6vaqf.exe PID 576 wrote to memory of 1800 576 42f972925508a82236e8533567487761.exe C5LXgE2NTeA6vaqf.exe PID 576 wrote to memory of 2388 576 42f972925508a82236e8533567487761.exe VliD6S25vjFhrcLj.exe PID 576 wrote to memory of 2388 576 42f972925508a82236e8533567487761.exe VliD6S25vjFhrcLj.exe PID 576 wrote to memory of 2388 576 42f972925508a82236e8533567487761.exe VliD6S25vjFhrcLj.exe PID 576 wrote to memory of 1312 576 42f972925508a82236e8533567487761.exe RktTKislQvYnnKdo.exe PID 576 wrote to memory of 1312 576 42f972925508a82236e8533567487761.exe RktTKislQvYnnKdo.exe PID 576 wrote to memory of 1312 576 42f972925508a82236e8533567487761.exe RktTKislQvYnnKdo.exe PID 576 wrote to memory of 1352 576 42f972925508a82236e8533567487761.exe YKbXlrzv2bnCPERW.exe PID 576 wrote to memory of 1352 576 42f972925508a82236e8533567487761.exe YKbXlrzv2bnCPERW.exe PID 576 wrote to memory of 1352 576 42f972925508a82236e8533567487761.exe YKbXlrzv2bnCPERW.exe PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe svthost.exe PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe svthost.exe PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe svthost.exe PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe svthost.exe PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe svthost.exe PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe svthost.exe PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe svthost.exe PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe svthost.exe PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe svthost.exe PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe svthost.exe PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe svthost.exe PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe svthost.exe PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe eridjeht.exe PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe eridjeht.exe PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe eridjeht.exe PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe eridjeht.exe PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe eridjeht.exe PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe eridjeht.exe PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe eridjeht.exe PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe eridjeht.exe PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe eridjeht.exe PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe eridjeht.exe PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe eridjeht.exe PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe svrhost.exe PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe svrhost.exe PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe svrhost.exe PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe svrhost.exe PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe svrhost.exe PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe svrhost.exe PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe svrhost.exe PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe svrhost.exe PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe svrhost.exe PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe svrhost.exe PID 2684 wrote to memory of 1620 2684 Q84NaqkUOz1eNKMu.exe svehosts.exe PID 2684 wrote to memory of 1620 2684 Q84NaqkUOz1eNKMu.exe svehosts.exe PID 2684 wrote to memory of 1620 2684 Q84NaqkUOz1eNKMu.exe svehosts.exe PID 184 wrote to memory of 1248 184 eIUVS8yneJWQc7wK.exe svbhost.exe PID 184 wrote to memory of 1248 184 eIUVS8yneJWQc7wK.exe svbhost.exe PID 184 wrote to memory of 1248 184 eIUVS8yneJWQc7wK.exe svbhost.exe PID 184 wrote to memory of 2856 184 eIUVS8yneJWQc7wK.exe svbhost.exe PID 184 wrote to memory of 2856 184 eIUVS8yneJWQc7wK.exe svbhost.exe PID 184 wrote to memory of 2856 184 eIUVS8yneJWQc7wK.exe svbhost.exe PID 184 wrote to memory of 2856 184 eIUVS8yneJWQc7wK.exe svbhost.exe PID 184 wrote to memory of 2856 184 eIUVS8yneJWQc7wK.exe svbhost.exe PID 184 wrote to memory of 2856 184 eIUVS8yneJWQc7wK.exe svbhost.exe PID 184 wrote to memory of 2856 184 eIUVS8yneJWQc7wK.exe svbhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exePID:576"C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"Suspicious use of SetThreadContextSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Q84NaqkUOz1eNKMu.exePID:2684"C:\Users\Admin\AppData\Local\Temp\Q84NaqkUOz1eNKMu.exe"Executes dropped EXEDrops file in Windows directorySuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Windows\svehosts.exePID:1620"C:\Windows\svehosts.exe"Executes dropped EXEDrops startup fileAdds Run key to start applicationSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exePID:3560netsh firewall add allowedprogram "C:\Windows\svehosts.exe" "svehosts.exe" ENABLE
-
C:\Users\Admin\AppData\Local\Temp\eIUVS8yneJWQc7wK.exePID:184"C:\Users\Admin\AppData\Local\Temp\eIUVS8yneJWQc7wK.exe"Modifies WinLogon for persistenceExecutes dropped EXESuspicious use of SetThreadContextSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exePID:1248"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exePID:2856"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"Executes dropped EXESuspicious behavior: GetForegroundWindowSpamSuspicious use of AdjustPrivilegeTokenSuspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exePID:1204"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe" 2856Modifies WinLogon for persistenceExecutes dropped EXESuspicious use of SetThreadContextSuspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exePID:1088"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exePID:1608"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C5LXgE2NTeA6vaqf.exePID:1800"C:\Users\Admin\AppData\Local\Temp\C5LXgE2NTeA6vaqf.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exePID:1308"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exePID:1220"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exePID:2968"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"Modifies WinLogon for persistenceDrops file in Drivers directoryExecutes dropped EXEChecks computer location settingsAdds Run key to start applicationModifies registry classSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\notepad.exePID:3532notepad
-
C:\Users\Admin\Documents\excelsl.exePID:3296"C:\Users\Admin\Documents\excelsl.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exePID:996"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"Executes dropped EXEAdds Run key to start applicationSuspicious use of AdjustPrivilegeTokenSuspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\notepad.exePID:580notepad
-
C:\Windows\SysWOW64\WerFault.exePID:3820C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 1072Program crash
-
C:\Windows\SysWOW64\WerFault.exePID:492C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1084Program crashSuspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\VliD6S25vjFhrcLj.exePID:2388"C:\Users\Admin\AppData\Local\Temp\VliD6S25vjFhrcLj.exe"Executes dropped EXESuspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exePID:3936"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'prndrvest"' /tr "'C:\Users\Admin\AppData\Roaming\prndrvest.exe"'Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exePID:1320C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5724.tmp.bat""
-
C:\Windows\SysWOW64\timeout.exePID:188timeout 3Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\prndrvest.exePID:3536"C:\Users\Admin\AppData\Roaming\prndrvest.exe"Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RktTKislQvYnnKdo.exePID:1312"C:\Users\Admin\AppData\Local\Temp\RktTKislQvYnnKdo.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exePID:716"C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe"Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exePID:3424C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 1068Program crashSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\YKbXlrzv2bnCPERW.exePID:1352"C:\Users\Admin\AppData\Local\Temp\YKbXlrzv2bnCPERW.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exePID:3932"C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe"Executes dropped EXESuspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\WerFault.exePID:3172C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1068Program crashSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exePID:3804"C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exePID:2204C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 1576Program crashSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
00:00
00:00
Downloads
-
C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
-
C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
-
C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
-
C:\Users\Admin\AppData\Local\Temp\C5LXgE2NTeA6vaqf.exe
-
C:\Users\Admin\AppData\Local\Temp\C5LXgE2NTeA6vaqf.exe
-
C:\Users\Admin\AppData\Local\Temp\Q84NaqkUOz1eNKMu.exe
-
C:\Users\Admin\AppData\Local\Temp\Q84NaqkUOz1eNKMu.exe
-
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
-
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
-
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
-
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
-
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
-
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
-
C:\Users\Admin\AppData\Local\Temp\RktTKislQvYnnKdo.exe
-
C:\Users\Admin\AppData\Local\Temp\RktTKislQvYnnKdo.exe
-
C:\Users\Admin\AppData\Local\Temp\VliD6S25vjFhrcLj.exe
-
C:\Users\Admin\AppData\Local\Temp\VliD6S25vjFhrcLj.exe
-
C:\Users\Admin\AppData\Local\Temp\YKbXlrzv2bnCPERW.exe
-
C:\Users\Admin\AppData\Local\Temp\YKbXlrzv2bnCPERW.exe
-
C:\Users\Admin\AppData\Local\Temp\eIUVS8yneJWQc7wK.exe
-
C:\Users\Admin\AppData\Local\Temp\eIUVS8yneJWQc7wK.exe
-
C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
-
C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
-
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
-
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
-
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
-
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
-
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
-
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
-
C:\Users\Admin\AppData\Local\Temp\tmp5724.tmp.bat
-
C:\Users\Admin\AppData\Roaming\prndrvest.exe
-
C:\Users\Admin\AppData\Roaming\prndrvest.exe
-
C:\Users\Admin\Documents\excelsl.exe
-
C:\Users\Admin\Documents\excelsl.exe
-
C:\Windows\svehosts.exe
-
C:\Windows\svehosts.exe
-
memory/184-3-0x0000000000000000-mapping.dmp
-
memory/188-198-0x0000000000000000-mapping.dmp
-
memory/492-153-0x0000000004860000-0x0000000004861000-memory.dmp
-
memory/492-162-0x0000000005490000-0x0000000005491000-memory.dmp
-
memory/492-151-0x0000000004860000-0x0000000004861000-memory.dmp
-
memory/580-179-0x0000000000000000-mapping.dmp
-
memory/580-182-0x0000000000000000-mapping.dmp
-
memory/580-181-0x00000000004A0000-0x00000000004A1000-memory.dmp
-
memory/716-35-0x0000000000400000-0x0000000000554000-memory.dmp
-
memory/716-32-0x0000000000405CE2-mapping.dmp
-
memory/716-31-0x0000000000400000-0x0000000000554000-memory.dmp
-
memory/996-175-0x000000000048F888-mapping.dmp
-
memory/996-177-0x0000000000400000-0x00000000004BA000-memory.dmp
-
memory/1204-140-0x0000000000000000-mapping.dmp
-
memory/1312-48-0x0000000000000000-mapping.dmp
-
memory/1312-43-0x0000000000000000-mapping.dmp
-
memory/1312-49-0x0000000000000000-mapping.dmp
-
memory/1312-44-0x0000000000000000-mapping.dmp
-
memory/1312-47-0x0000000000000000-mapping.dmp
-
memory/1312-45-0x0000000000000000-mapping.dmp
-
memory/1312-63-0x0000000000000000-mapping.dmp
-
memory/1312-65-0x0000000000000000-mapping.dmp
-
memory/1312-61-0x0000000000000000-mapping.dmp
-
memory/1312-67-0x0000000000000000-mapping.dmp
-
memory/1312-68-0x0000000000000000-mapping.dmp
-
memory/1312-10-0x0000000000000000-mapping.dmp
-
memory/1320-196-0x0000000000000000-mapping.dmp
-
memory/1352-133-0x0000000000000000-mapping.dmp
-
memory/1352-50-0x0000000000000000-mapping.dmp
-
memory/1352-130-0x0000000000000000-mapping.dmp
-
memory/1352-131-0x0000000000000000-mapping.dmp
-
memory/1352-132-0x0000000000000000-mapping.dmp
-
memory/1352-13-0x0000000000000000-mapping.dmp
-
memory/1352-134-0x0000000000000000-mapping.dmp
-
memory/1352-53-0x0000000000000000-mapping.dmp
-
memory/1352-55-0x0000000000000000-mapping.dmp
-
memory/1352-58-0x0000000000000000-mapping.dmp
-
memory/1352-51-0x0000000000000000-mapping.dmp
-
memory/1352-59-0x0000000000000000-mapping.dmp
-
memory/1608-194-0x0000000000400000-0x00000000004C2000-memory.dmp
-
memory/1608-192-0x000000000046A08C-mapping.dmp
-
memory/1620-95-0x0000000000000000-mapping.dmp
-
memory/1800-160-0x0000000000000000-mapping.dmp
-
memory/1800-167-0x0000000000000000-mapping.dmp
-
memory/1800-168-0x0000000000000000-mapping.dmp
-
memory/1800-165-0x0000000000000000-mapping.dmp
-
memory/1800-164-0x0000000000000000-mapping.dmp
-
memory/1800-6-0x0000000000000000-mapping.dmp
-
memory/1800-163-0x0000000000000000-mapping.dmp
-
memory/1800-161-0x0000000000000000-mapping.dmp
-
memory/1800-158-0x0000000000000000-mapping.dmp
-
memory/1800-159-0x0000000000000000-mapping.dmp
-
memory/1800-156-0x0000000000000000-mapping.dmp
-
memory/1800-157-0x0000000000000000-mapping.dmp
-
memory/2204-27-0x00000000045A0000-0x00000000045A1000-memory.dmp
-
memory/2204-28-0x00000000045A0000-0x00000000045A1000-memory.dmp
-
memory/2204-30-0x0000000005180000-0x0000000005181000-memory.dmp
-
memory/2388-25-0x0000000004ED0000-0x0000000004ED1000-memory.dmp
-
memory/2388-172-0x000000000AF10000-0x000000000AF11000-memory.dmp
-
memory/2388-171-0x000000000ABC0000-0x000000000ABC1000-memory.dmp
-
memory/2388-42-0x0000000009210000-0x000000000922D000-memory.dmp
-
memory/2388-14-0x0000000070AA0000-0x000000007118E000-memory.dmp
-
memory/2388-24-0x0000000005480000-0x0000000005481000-memory.dmp
-
memory/2388-7-0x0000000000000000-mapping.dmp
-
memory/2388-80-0x0000000002890000-0x000000000289D000-memory.dmp
-
memory/2388-26-0x0000000004E90000-0x0000000004E91000-memory.dmp
-
memory/2388-21-0x00000000005F0000-0x00000000005F1000-memory.dmp
-
memory/2684-0-0x0000000000000000-mapping.dmp
-
memory/2856-139-0x0000000000400000-0x00000000004C2000-memory.dmp
-
memory/2856-136-0x0000000000400000-0x00000000004C2000-memory.dmp
-
memory/2856-137-0x000000000046A08C-mapping.dmp
-
memory/2968-148-0x0000000000400000-0x00000000004BA000-memory.dmp
-
memory/2968-146-0x000000000048F888-mapping.dmp
-
memory/2968-145-0x0000000000400000-0x00000000004BA000-memory.dmp
-
memory/3172-46-0x0000000005200000-0x0000000005201000-memory.dmp
-
memory/3172-62-0x0000000005A80000-0x0000000005A81000-memory.dmp
-
memory/3296-189-0x0000000000000000-mapping.dmp
-
memory/3296-188-0x0000000000000000-mapping.dmp
-
memory/3296-184-0x0000000000000000-mapping.dmp
-
memory/3296-183-0x0000000000000000-mapping.dmp
-
memory/3296-166-0x0000000000000000-mapping.dmp
-
memory/3296-186-0x0000000000000000-mapping.dmp
-
memory/3296-187-0x0000000000000000-mapping.dmp
-
memory/3424-52-0x0000000004BE0000-0x0000000004BE1000-memory.dmp
-
memory/3424-37-0x0000000004180000-0x0000000004181000-memory.dmp
-
memory/3532-154-0x0000000000000000-mapping.dmp
-
memory/3532-152-0x00000000009D0000-0x00000000009D1000-memory.dmp
-
memory/3532-150-0x0000000000000000-mapping.dmp
-
memory/3536-200-0x0000000000000000-mapping.dmp
-
memory/3536-199-0x0000000000000000-mapping.dmp
-
memory/3536-203-0x0000000070B60000-0x000000007124E000-memory.dmp
-
memory/3560-173-0x0000000000000000-mapping.dmp
-
memory/3804-20-0x000000000048F888-mapping.dmp
-
memory/3804-19-0x0000000000400000-0x00000000004BA000-memory.dmp
-
memory/3820-185-0x0000000004BA0000-0x0000000004BA1000-memory.dmp
-
memory/3820-180-0x00000000041F0000-0x00000000041F1000-memory.dmp
-
memory/3932-38-0x000000000040715C-mapping.dmp
-
memory/3932-36-0x0000000000400000-0x000000000040F000-memory.dmp
-
memory/3932-41-0x0000000000400000-0x000000000040F000-memory.dmp
-
memory/3936-195-0x0000000000000000-mapping.dmp
Loading data