Analysis
max time kernel: 61s
max time network: 147s
platform: windows10_x64
resource: win10v20201028
submitted: 05-01-2021 11:59
Static task: static1
Behavioral task: behavioral1, Sample: CLIENT_C.EXE, Resource: win7v20201028
Behavioral task: behavioral2, Sample: CLIENT_C.EXE, Resource: win10v20201028
Behavioral task: behavioral3, Sample: NON_DISC.EXE, Resource: win7v20201028
Behavioral task: behavioral4, Sample: NON_DISC.EXE, Resource: win10v20201028
Behavioral task: behavioral5, Sample: TENDER_N.EXE, Resource: win7v20201028
Behavioral task: behavioral6, Sample: TENDER_N.EXE, Resource: win10v20201028
General
Target: NON_DISC.EXE
Size: 948KB
MD5: 5a26073186d5cd797817ab71676082c1
SHA1: eba609ba96514ea94b9bf91f24ecf4b450c3faaf
SHA256: 52bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396
SHA512: 79c9ec6a3638a0ae424bf2bb54ffc8e33de143360460c8cf7effc839020cb2479ffca43ba472577dc1a77d72fc3c19264aaa2d975ddfb282ece631579a3f66e1
Malware Config

Extracted
Family: asyncrat
Version: 0.5.7B
C2: hpdndbnb.duckdns.org:3040, hpdndbnb.duckdns.org:2020, hpdndbnb.duckdns.org:4040, gpmaw.duckdns.org:3040, gpmaw.duckdns.org:2020, gpmaw.duckdns.org:4040
Mutex: AsyncMutex_6SI8OkPnk
aes_key: 8pSblfEIKGwvU0W68bmEKGa3zB2hqd4t
anti_detection: false
autorun: true
bdos: false
delay: Default
host: hpdndbnb.duckdns.org,gpmaw.duckdns.org
hwid: 3
install_file:
install_folder: %AppData%
mutex: AsyncMutex_6SI8OkPnk
pastebin_config: null
port: 3040,2020,4040
version: 0.5.7B

Extracted
Family: azorult
C2: http://eurodata1988.it/asy/PL341/index.php
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NON_DISC.EXE\"" | NON_DISC.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Dfnder windows.exe\"" | Dfnder windows.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\pxjvhi.exe\"" | pxjvhi.exe
Turns off Windows Defender SpyNet reporting (2 TTPs)

Async RAT payload (4 IoCs)
resource | yara_rule
behavioral4/memory/1336-49-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral4/memory/1336-50-0x000000000040C79E-mapping.dmp | asyncrat
behavioral4/memory/4292-179-0x000000000040C79E-mapping.dmp | asyncrat
behavioral4/memory/4292-268-0x0000000006BC0000-0x0000000006BDB000-memory.dmp | asyncrat
Executes dropped EXE (4 IoCs)
pid | process
4712 | Dfnder windows.exe
4292 | Dfnder windows.exe
4972 | pxjvhi.exe
4660 | pxjvhi.exe
Drops startup file (6 IoCs)
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE | NON_DISC.EXE
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe | Dfnder windows.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe | Dfnder windows.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pxjvhi.exe | pxjvhi.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pxjvhi.exe | pxjvhi.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE | NON_DISC.EXE
Loads dropped DLL (4 IoCs)
pid | process
4660 | pxjvhi.exe
4660 | pxjvhi.exe
4660 | pxjvhi.exe
4660 | pxjvhi.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe = "0" | Dfnder windows.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE = "0" | NON_DISC.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | NON_DISC.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | NON_DISC.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | NON_DISC.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Dfnder windows.exe = "0" | Dfnder windows.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pxjvhi.exe = "0" | pxjvhi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE = "0" | NON_DISC.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | NON_DISC.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | NON_DISC.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | NON_DISC.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | NON_DISC.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe = "0" | pxjvhi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | NON_DISC.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | NON_DISC.EXE
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Roaming\\Dfnder windows.exe" | Dfnder windows.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dfnder windows.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Dfnder windows.exe" | Dfnder windows.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pxjvhi.exe" | pxjvhi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\pxjvhi.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pxjvhi.exe" | pxjvhi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NON_DISC.EXE" | NON_DISC.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\NON_DISC.EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NON_DISC.EXE" | NON_DISC.EXE
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

JavaScript code in executable (1 IoCs)
resource | yara_rule
\Users\Admin\AppData\Local\Temp\CE87CE80\nss3.dll | js
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 756 set thread context of 1336 | 756 | NON_DISC.EXE | NON_DISC.EXE
PID 4712 set thread context of 4292 | 4712 | Dfnder windows.exe | Dfnder windows.exe
PID 4972 set thread context of 4660 | 4972 | pxjvhi.exe | pxjvhi.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | pxjvhi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | pxjvhi.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoCs)
pid | process
4588 | timeout.exe
Suspicious behavior: EnumeratesProcesses (57 IoCs)
pid | process
216 | powershell.exe
2348 | powershell.exe
1020 | powershell.exe
556 | powershell.exe
216 | powershell.exe
2348 | powershell.exe
1020 | powershell.exe
556 | powershell.exe
216 | powershell.exe
2348 | powershell.exe
1020 | powershell.exe
556 | powershell.exe
1336 | NON_DISC.EXE
1336 | NON_DISC.EXE
1336 | NON_DISC.EXE
1336 | NON_DISC.EXE
1336 | NON_DISC.EXE
1336 | NON_DISC.EXE
1336 | NON_DISC.EXE
1336 | NON_DISC.EXE
1336 | NON_DISC.EXE
1336 | NON_DISC.EXE
1336 | NON_DISC.EXE
1336 | NON_DISC.EXE
1336 | NON_DISC.EXE
1336 | NON_DISC.EXE
1336 | NON_DISC.EXE
4820 | powershell.exe
4840 | powershell.exe
4960 | powershell.exe
4900 | powershell.exe
4820 | powershell.exe
4840 | powershell.exe
4900 | powershell.exe
4960 | powershell.exe
4820 | powershell.exe
4840 | powershell.exe
4900 | powershell.exe
4960 | powershell.exe
4292 | Dfnder windows.exe
508 | powershell.exe
508 | powershell.exe
508 | powershell.exe
4316 | powershell.exe
4280 | powershell.exe
4140 | powershell.exe
4044 | powershell.exe
4316 | powershell.exe
4280 | powershell.exe
4044 | powershell.exe
4140 | powershell.exe
4316 | powershell.exe
4280 | powershell.exe
4044 | powershell.exe
4140 | powershell.exe
4660 | pxjvhi.exe
4660 | pxjvhi.exe
Suspicious use of AdjustPrivilegeToken (18 IoCs)
description | pid | process
Token: SeDebugPrivilege | 756 | NON_DISC.EXE
Token: SeDebugPrivilege | 216 | powershell.exe
Token: SeDebugPrivilege | 1020 | powershell.exe
Token: SeDebugPrivilege | 2348 | powershell.exe
Token: SeDebugPrivilege | 556 | powershell.exe
Token: SeDebugPrivilege | 1336 | NON_DISC.EXE
Token: SeDebugPrivilege | 4712 | Dfnder windows.exe
Token: SeDebugPrivilege | 4820 | powershell.exe
Token: SeDebugPrivilege | 4840 | powershell.exe
Token: SeDebugPrivilege | 4900 | powershell.exe
Token: SeDebugPrivilege | 4960 | powershell.exe
Token: SeDebugPrivilege | 4292 | Dfnder windows.exe
Token: SeDebugPrivilege | 508 | powershell.exe
Token: SeDebugPrivilege | 4972 | pxjvhi.exe
Token: SeDebugPrivilege | 4316 | powershell.exe
Token: SeDebugPrivilege | 4280 | powershell.exe
Token: SeDebugPrivilege | 4140 | powershell.exe
Token: SeDebugPrivilege | 4044 | powershell.exe
Suspicious use of WriteProcessMemory (87 IoCs)
description | pid | process | target process
PID 756 wrote to memory of 216 | 756 | NON_DISC.EXE | powershell.exe
PID 756 wrote to memory of 216 | 756 | NON_DISC.EXE | powershell.exe
PID 756 wrote to memory of 216 | 756 | NON_DISC.EXE | powershell.exe
PID 756 wrote to memory of 1020 | 756 | NON_DISC.EXE | powershell.exe
PID 756 wrote to memory of 1020 | 756 | NON_DISC.EXE | powershell.exe
PID 756 wrote to memory of 1020 | 756 | NON_DISC.EXE | powershell.exe
PID 756 wrote to memory of 2348 | 756 | NON_DISC.EXE | powershell.exe
PID 756 wrote to memory of 2348 | 756 | NON_DISC.EXE | powershell.exe
PID 756 wrote to memory of 2348 | 756 | NON_DISC.EXE | powershell.exe
PID 756 wrote to memory of 556 | 756 | NON_DISC.EXE | powershell.exe
PID 756 wrote to memory of 556 | 756 | NON_DISC.EXE | powershell.exe
PID 756 wrote to memory of 556 | 756 | NON_DISC.EXE | powershell.exe
PID 756 wrote to memory of 1336 | 756 | NON_DISC.EXE | NON_DISC.EXE
PID 756 wrote to memory of 1336 | 756 | NON_DISC.EXE | NON_DISC.EXE
PID 756 wrote to memory of 1336 | 756 | NON_DISC.EXE | NON_DISC.EXE
PID 756 wrote to memory of 1336 | 756 | NON_DISC.EXE | NON_DISC.EXE
PID 756 wrote to memory of 1336 | 756 | NON_DISC.EXE | NON_DISC.EXE
PID 756 wrote to memory of 1336 | 756 | NON_DISC.EXE | NON_DISC.EXE
PID 756 wrote to memory of 1336 | 756 | NON_DISC.EXE | NON_DISC.EXE
PID 756 wrote to memory of 1336 | 756 | NON_DISC.EXE | NON_DISC.EXE
PID 1336 wrote to memory of 4472 | 1336 | NON_DISC.EXE | cmd.exe
PID 1336 wrote to memory of 4472 | 1336 | NON_DISC.EXE | cmd.exe
PID 1336 wrote to memory of 4472 | 1336 | NON_DISC.EXE | cmd.exe
PID 1336 wrote to memory of 4484 | 1336 | NON_DISC.EXE | cmd.exe
PID 1336 wrote to memory of 4484 | 1336 | NON_DISC.EXE | cmd.exe
PID 1336 wrote to memory of 4484 | 1336 | NON_DISC.EXE | cmd.exe
PID 4472 wrote to memory of 4556 | 4472 | cmd.exe | schtasks.exe
PID 4472 wrote to memory of 4556 | 4472 | cmd.exe | schtasks.exe
PID 4472 wrote to memory of 4556 | 4472 | cmd.exe | schtasks.exe
PID 4484 wrote to memory of 4588 | 4484 | cmd.exe | timeout.exe
PID 4484 wrote to memory of 4588 | 4484 | cmd.exe | timeout.exe
PID 4484 wrote to memory of 4588 | 4484 | cmd.exe | timeout.exe
PID 4484 wrote to memory of 4712 | 4484 | cmd.exe | Dfnder windows.exe
PID 4484 wrote to memory of 4712 | 4484 | cmd.exe | Dfnder windows.exe
PID 4484 wrote to memory of 4712 | 4484 | cmd.exe | Dfnder windows.exe
PID 4712 wrote to memory of 4820 | 4712 | Dfnder windows.exe | powershell.exe
PID 4712 wrote to memory of 4820 | 4712 | Dfnder windows.exe | powershell.exe
PID 4712 wrote to memory of 4820 | 4712 | Dfnder windows.exe | powershell.exe
PID 4712 wrote to memory of 4840 | 4712 | Dfnder windows.exe | powershell.exe
PID 4712 wrote to memory of 4840 | 4712 | Dfnder windows.exe | powershell.exe
PID 4712 wrote to memory of 4840 | 4712 | Dfnder windows.exe | powershell.exe
PID 4712 wrote to memory of 4900 | 4712 | Dfnder windows.exe | powershell.exe
PID 4712 wrote to memory of 4900 | 4712 | Dfnder windows.exe | powershell.exe
PID 4712 wrote to memory of 4900 | 4712 | Dfnder windows.exe | powershell.exe
PID 4712 wrote to memory of 4960 | 4712 | Dfnder windows.exe | powershell.exe
PID 4712 wrote to memory of 4960 | 4712 | Dfnder windows.exe | powershell.exe
PID 4712 wrote to memory of 4960 | 4712 | Dfnder windows.exe | powershell.exe
PID 4712 wrote to memory of 4292 | 4712 | Dfnder windows.exe | Dfnder windows.exe
PID 4712 wrote to memory of 4292 | 4712 | Dfnder windows.exe | Dfnder windows.exe
PID 4712 wrote to memory of 4292 | 4712 | Dfnder windows.exe | Dfnder windows.exe
PID 4712 wrote to memory of 4292 | 4712 | Dfnder windows.exe | Dfnder windows.exe
PID 4712 wrote to memory of 4292 | 4712 | Dfnder windows.exe | Dfnder windows.exe
PID 4712 wrote to memory of 4292 | 4712 | Dfnder windows.exe | Dfnder windows.exe
PID 4712 wrote to memory of 4292 | 4712 | Dfnder windows.exe | Dfnder windows.exe
PID 4712 wrote to memory of 4292 | 4712 | Dfnder windows.exe | Dfnder windows.exe
PID 4292 wrote to memory of 2172 | 4292 | Dfnder windows.exe | cmd.exe
PID 4292 wrote to memory of 2172 | 4292 | Dfnder windows.exe | cmd.exe
PID 4292 wrote to memory of 2172 | 4292 | Dfnder windows.exe | cmd.exe
PID 2172 wrote to memory of 508 | 2172 | cmd.exe | powershell.exe
PID 2172 wrote to memory of 508 | 2172 | cmd.exe | powershell.exe
PID 2172 wrote to memory of 508 | 2172 | cmd.exe | powershell.exe
PID 508 wrote to memory of 4972 | 508 | powershell.exe | pxjvhi.exe
PID 508 wrote to memory of 4972 | 508 | powershell.exe | pxjvhi.exe
PID 508 wrote to memory of 4972 | 508 | powershell.exe | pxjvhi.exe
Processes
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE"
- Modifies WinLogon for persistence
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Process (depth 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 2): C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Process (depth 3): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Dfnder windows" /tr '"C:\Users\Admin\AppData\Roaming\Dfnder windows.exe"' & exit
- Suspicious use of WriteProcessMemory
-
Process (depth 4): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /f /sc onlogon /rl highest /tn "Dfnder windows" /tr '"C:\Users\Admin\AppData\Roaming\Dfnder windows.exe"'
- Creates scheduled task(s)
-
Process (depth 3): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6D08.tmp.bat""
- Suspicious use of WriteProcessMemory
-
Process (depth 4): C:\Windows\SysWOW64\timeout.exe
Command line: timeout 3
- Delays execution with timeout.exe
-
Process (depth 4): C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
Command line: "C:\Users\Admin\AppData\Roaming\Dfnder windows.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Process (depth 5): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 5): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 5): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 5): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Dfnder windows.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 5): C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
Command line: "C:\Users\Admin\AppData\Roaming\Dfnder windows.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Process (depth 6): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe"' & exit
- Suspicious use of WriteProcessMemory
-
Process (depth 7): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe"'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Process (depth 8): C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 9): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pxjvhi.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 9): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pxjvhi.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 9): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pxjvhi.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 9): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 9): C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\pxjvhi.exe"
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dfnder windows.exe.logMD5
f99aea5f6c27b28f1947f9c0a3b1997e
SHA124bf9767fe9964eb1c24ebfe4f8bcd443c5b3f55
SHA25603e142d8f7e350ba57b5db8861ddcb5a6ece9aeb54093d2a34ec7dcaadc4d454
SHA512d9a6252e5848762fefdbc172eda0408a0f907a4a13c14fc9ef609066259981b446c0a087cf7d2196723cbdc9fe2528bd56068f2f6b56c6ac75136ee30fe40cdd
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NON_DISC.EXE.logMD5
f99aea5f6c27b28f1947f9c0a3b1997e
SHA124bf9767fe9964eb1c24ebfe4f8bcd443c5b3f55
SHA25603e142d8f7e350ba57b5db8861ddcb5a6ece9aeb54093d2a34ec7dcaadc4d454
SHA512d9a6252e5848762fefdbc172eda0408a0f907a4a13c14fc9ef609066259981b446c0a087cf7d2196723cbdc9fe2528bd56068f2f6b56c6ac75136ee30fe40cdd
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
1c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
8eb9fe73abdc80f1d7de816b112f50d1
SHA110f3741f1ea2446685463d45c08ebb64b0dc1424
SHA2565ce1c1d0c274d116c5b0c421654448dab49054824fef293f8220b9346093be2c
SHA51269924b71406c80b20f7cea0fe0bcdd43f6b0663006216a612c29952079a3480bc1e123c304d3f5e5bb05ca5be6ecd8721c228cf72c93eb218bac550c249a82d0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
1b15f07b52090d180adcd68bcff27205
SHA19ed313332a72b0b1b2388ab65ad8c974812a3a57
SHA2561a52df3d7c5ce00e8a4d05bedf1eb5037665ed617adfe406ee286cf0ddf79942
SHA51292563ca8b55515d945ea42917494b277d9b3b2a52dff21592c718ee67a17f2e0255819c6fcadc7e6b4120a710714cb899fbd36d57230879928c2797bb028dfd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
e827d1cdd08a41246a3f4b7061caee0c
SHA1c709bf6c3ac91bdcfab680a73bbc50450621bbdf
SHA2566e23b4fc1fe6a76b3ac4519fdf6c78ab0e4151c57d3cc4661922976a135c787d
SHA512fde84fcef9365ca7ecbbed37343f069cd81cc33c6c22c8cce4f11855a71c477004d2c477180bc45bcbfe5a45f7ecc5be8efa29f598770ff7a74e5af1bd8445d0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
d81adfe1d5f4fd8757d40afc82eeb5a9
SHA110267fc5b24eca9c5f495e9c5a081037cb38dd5e
SHA25640a8c7f8fb9eab701fa875e9fb2af87004afac4fbcf3d6c4b2648d9357fba4f0
SHA512c5901ae079c8b2e39af1d8fa40fd5ab79cac0eb0f3a18aa5a029aed99aeede2d66355ac300de416d0d8ee54dd66867cd407a0f21abf82797c2503867137bb894
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
9fdbde1d2067bcbd94ae70b5f50b01fb
SHA1f5fe3626235520d6ef3c07e62af71c70522f616c
SHA256298d6f3c9254cfaf143a79b6ae9b86fa88e02ae27efe5a66afd410ce6f5e75fe
SHA5120e2f8053ff858e12fa19d68897a7d4ad87b9af7583c9c7043625429b522fef6fa796bc28962fb3af934d6e241686f516cbc13188b9ec3c0cd5a969964dc9e36d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
45489f73bd30d4681cf6993ccc11ece4
SHA1269cf705f44a1220fea7e5273f5eb80159ab1521
SHA256bde63e7fdc366b979dce7e0e082ba1a5edafc81eb5d6ce9a8f535c34f014fcde
SHA51244f6df5a9c756daea95a114f25286a1e63e7f2c104a31a78288c1786e3de8e535763443ca5597d159f27ae21934d3685c4926b14410cd3c5faa45569b67fa79e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
45489f73bd30d4681cf6993ccc11ece4
SHA1269cf705f44a1220fea7e5273f5eb80159ab1521
SHA256bde63e7fdc366b979dce7e0e082ba1a5edafc81eb5d6ce9a8f535c34f014fcde
SHA51244f6df5a9c756daea95a114f25286a1e63e7f2c104a31a78288c1786e3de8e535763443ca5597d159f27ae21934d3685c4926b14410cd3c5faa45569b67fa79e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
45489f73bd30d4681cf6993ccc11ece4
SHA1269cf705f44a1220fea7e5273f5eb80159ab1521
SHA256bde63e7fdc366b979dce7e0e082ba1a5edafc81eb5d6ce9a8f535c34f014fcde
SHA51244f6df5a9c756daea95a114f25286a1e63e7f2c104a31a78288c1786e3de8e535763443ca5597d159f27ae21934d3685c4926b14410cd3c5faa45569b67fa79e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
63a6e2b54743ef9a91330ca704ce3731
SHA10aa576f4e98394b73cbd03f73675a5c11f53c018
SHA256e170616987e9c6b322ed3f1879ad419390154b10221c4d15f4072a076571f027
SHA512acf92b78f2b5ced5da2fb024550d1faa3fc3aac35fba40ec1ff6bfbcab44bc26365c0fcd60a824b06bde0cf62beb5648cd4968d7966c28c59f123587ea94869c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
7e2a3dadb9cdde046044dafeb6cb4063
SHA165bfce36e750038fdaac1050e0061d2a0bd96342
SHA2565e2afbaea90100f3fbe69c744cdaf8d6d132374adb3d8a4ced73e5ca001e5e8f
SHA5127390daa172248d250ae81024b23b91a3a23820e82130d340c6093feae9608a5c8e5bb8cb4a01c538828f906257f1f54c878d9147d1e944ae14da26cbd8ad8516
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
a154fc61d943c9c0e9de17ccce969aa7
SHA192a2e903b550b985ebf39d7a97f2b9901b5a7c32
SHA2567e895e646d19f776078157ae335c9661eba4b98a6d0c2409c8154df4f3b6d556
SHA512886a426dbf4558140c2e280d3601df1ee9a0e312bf97d87644bfdae506a26b5e90157a674d44f930ea39a3e686c142a3f4ec8fd7c8ce0db58fd216a8a293b50c
-
C:\Users\Admin\AppData\Local\Temp\pxjvhi.exeMD5
30f2b3760a00e7b0dd99a092e5c81fdd
SHA14908acf9594ec65e75a1dbcb94760417400b9ace
SHA25621b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c
SHA51219ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8
-
C:\Users\Admin\AppData\Local\Temp\pxjvhi.exeMD5
30f2b3760a00e7b0dd99a092e5c81fdd
SHA14908acf9594ec65e75a1dbcb94760417400b9ace
SHA25621b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c
SHA51219ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8
-
C:\Users\Admin\AppData\Local\Temp\pxjvhi.exeMD5
30f2b3760a00e7b0dd99a092e5c81fdd
SHA14908acf9594ec65e75a1dbcb94760417400b9ace
SHA25621b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c
SHA51219ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8
-
C:\Users\Admin\AppData\Local\Temp\tmp6D08.tmp.batMD5
e9b4c7772fd1d2d1b4cd6c5616a021eb
SHA1aa5a90ee0a76ff0562afdf411fd77a643ed5820f
SHA256dbea7548498f111901474bec9477af33ae6f1e25f09ffc70aa27db0e43c79ed8
SHA51233f5d38679801b15f3dc5d0a8bd4b9aa96b97475d96e25b37a7613b8764f55144e0d6d5f4d2de1798136d449c92b52ad4d25fe1db2e6da420cc3d289d0fb3570
-
C:\Users\Admin\AppData\Roaming\Dfnder windows.exeMD5
5a26073186d5cd797817ab71676082c1
SHA1eba609ba96514ea94b9bf91f24ecf4b450c3faaf
SHA25652bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396
SHA51279c9ec6a3638a0ae424bf2bb54ffc8e33de143360460c8cf7effc839020cb2479ffca43ba472577dc1a77d72fc3c19264aaa2d975ddfb282ece631579a3f66e1
-
C:\Users\Admin\AppData\Roaming\Dfnder windows.exeMD5
5a26073186d5cd797817ab71676082c1
SHA1eba609ba96514ea94b9bf91f24ecf4b450c3faaf
SHA25652bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396
SHA51279c9ec6a3638a0ae424bf2bb54ffc8e33de143360460c8cf7effc839020cb2479ffca43ba472577dc1a77d72fc3c19264aaa2d975ddfb282ece631579a3f66e1
-
C:\Users\Admin\AppData\Roaming\Dfnder windows.exeMD5
5a26073186d5cd797817ab71676082c1
SHA1eba609ba96514ea94b9bf91f24ecf4b450c3faaf
SHA25652bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396
SHA51279c9ec6a3638a0ae424bf2bb54ffc8e33de143360460c8cf7effc839020cb2479ffca43ba472577dc1a77d72fc3c19264aaa2d975ddfb282ece631579a3f66e1
-
\Users\Admin\AppData\Local\Temp\CE87CE80\mozglue.dll
MD5 9e682f1eb98a9d41468fc3e50f907635
SHA1 85e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512 230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
\Users\Admin\AppData\Local\Temp\CE87CE80\msvcp140.dll
MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
\Users\Admin\AppData\Local\Temp\CE87CE80\nss3.dll
MD5 556ea09421a0f74d31c4c0a89a70dc23
SHA1 f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256 f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA512 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
\Users\Admin\AppData\Local\Temp\CE87CE80\vcruntime140.dll
MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
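The file listing above is the report's dropped-file inventory: one path followed by a digest per algorithm. Added example, not part of the report: a parser that turns those records into usable IOCs, rejects digests of the wrong length for their algorithm, finds dropped files whose SHA256 equals the submitted sample's (Dfnder windows.exe carries NON_DISC.EXE's hashes, so it is the sample copying itself into %AppData%, not a second-stage payload), and groups files by directory so the CE87CE80 temp folder shows up as one staging drop. The embedded excerpt is constructed from three records copied off this listing (SHA512 lines omitted), and the sample SHA256 constant is the one the report gives for NON_DISC.EXE. The regexes accept both the cleaned "LABEL value" layout and the raw extracted form in which the label is fused to the value, so the script runs against either copy of the page.

```python
"""Pull dropped-file IOCs out of a sandbox report's file listing and
cross-check them.  Added example; not part of the report."""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# "LABEL value" lines; \s* also accepts the raw extracted form ("SHA1eba6...")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")

# SHA256 of the submitted sample NON_DISC.EXE, as given in the report.
SAMPLE_SHA256 = "52bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396"

# Constructed excerpt: three records copied from this report, SHA512 lines
# left out for brevity.  The first record is kept in the raw extracted form
# (label fused to the path, MD5 value on the next line); the others are clean.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Roaming\Dfnder windows.exeMD5
5a26073186d5cd797817ab71676082c1
SHA1eba609ba96514ea94b9bf91f24ecf4b450c3faaf
SHA25652bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396
-
\Users\Admin\AppData\Local\Temp\CE87CE80\mozglue.dll
MD5 9e682f1eb98a9d41468fc3e50f907635
SHA1 85e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
-
\Users\Admin\AppData\Local\Temp\CE87CE80\nss3.dll
MD5 556ea09421a0f74d31c4c0a89a70dc23
SHA1 f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256 f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
-
"""


def parse_dropped_files(text):
    """Return one dict per '-'-separated record: path plus lower-cased digests."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                       # record separator
            if cur:
                records.append(cur)
            cur = None
            continue
        m = HASH_RE.match(line)
        if cur is not None and m:
            cur[m.group(1)] = m.group(2).lower()
        elif cur is not None and re.fullmatch(r"[0-9a-fA-F]{32}", line):
            cur["MD5"] = line.lower()         # raw form: bare MD5 after a fused path
        else:                                 # anything else starts a new record;
            cur = {"path": re.sub(r"MD5$", "", line).rstrip()}   # drop fused label
    if cur:
        records.append(cur)
    return records


def invalid_hashes(records):
    """(path, label) pairs whose digest length does not fit the algorithm:
    a cheap guard against truncated or mis-pasted IOCs before they ship."""
    return [(r["path"], lbl) for r in records
            for lbl, n in HASH_LEN.items() if lbl in r and len(r[lbl]) != n]


def copies_of_sample(records, sha256=SAMPLE_SHA256):
    """Dropped files byte-identical to the submitted sample.  Dfnder windows.exe
    carries NON_DISC.EXE's digests, so it is a self-copy, not a second stage."""
    return [r["path"] for r in records if r.get("SHA256") == sha256]


def group_by_directory(records):
    """Map directory -> file names.  Files staged together in one temp folder
    (here the Firefox NSS libraries mozglue.dll and nss3.dll) read as one drop."""
    groups = defaultdict(list)
    for r in records:
        directory, _, name = r["path"].rpartition("\\")
        groups[directory].append(name)
    return dict(groups)


if __name__ == "__main__":
    recs = parse_dropped_files(REPORT_EXCERPT)
    print(f"{len(recs)} records, {len(invalid_hashes(recs))} bad digests")
    print("self-copies of the sample:", copies_of_sample(recs))
    for d, names in group_by_directory(recs).items():
        print(d, "->", ", ".join(sorted(names)))
```

Run it on the full listing (paste all records into REPORT_EXCERPT) and the CE87CE80 group grows to mozglue.dll, msvcp140.dll, nss3.dll and vcruntime140.dll; the SHA512 lines parse the same way, they were only cut from the excerpt for length.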
memory/216-17-0x0000000007400000-0x0000000007401000-memory.dmp  Filesize 4KB
memory/216-15-0x0000000004880000-0x0000000004881000-memory.dmp  Filesize 4KB
memory/216-60-0x0000000009330000-0x0000000009363000-memory.dmp  Filesize 204KB
memory/216-70-0x0000000006F20000-0x0000000006F21000-memory.dmp  Filesize 4KB
memory/216-72-0x0000000009460000-0x0000000009461000-memory.dmp  Filesize 4KB
memory/216-94-0x0000000009650000-0x0000000009651000-memory.dmp  Filesize 4KB
memory/216-46-0x00000000083F0000-0x00000000083F1000-memory.dmp  Filesize 4KB
memory/216-43-0x0000000008320000-0x0000000008321000-memory.dmp  Filesize 4KB
memory/216-42-0x0000000007B20000-0x0000000007B21000-memory.dmp  Filesize 4KB
memory/216-29-0x0000000007D00000-0x0000000007D01000-memory.dmp  Filesize 4KB
memory/216-28-0x0000000007AA0000-0x0000000007AA1000-memory.dmp  Filesize 4KB
memory/216-27-0x0000000007380000-0x0000000007381000-memory.dmp  Filesize 4KB
memory/216-110-0x0000000009600000-0x0000000009601000-memory.dmp  Filesize 4KB
memory/216-112-0x00000000095F0000-0x00000000095F1000-memory.dmp  Filesize 4KB
memory/216-26-0x00000000071D0000-0x00000000071D1000-memory.dmp  Filesize 4KB
memory/216-10-0x0000000000000000-mapping.dmp
memory/216-13-0x00000000739A0000-0x000000007408E000-memory.dmp  Filesize 6.9MB
memory/508-285-0x0000000008A50000-0x0000000008A51000-memory.dmp  Filesize 4KB
memory/508-270-0x0000000000000000-mapping.dmp
memory/508-271-0x0000000000000000-mapping.dmp
memory/508-272-0x0000000073950000-0x000000007403E000-memory.dmp  Filesize 6.9MB
memory/508-284-0x0000000008A00000-0x0000000008A01000-memory.dmp  Filesize 4KB
memory/556-23-0x00000000739A0000-0x000000007408E000-memory.dmp  Filesize 6.9MB
memory/556-14-0x0000000000000000-mapping.dmp
memory/756-2-0x00000000739A0000-0x000000007408E000-memory.dmp  Filesize 6.9MB
memory/756-9-0x0000000005970000-0x0000000005991000-memory.dmp  Filesize 132KB
memory/756-8-0x0000000005820000-0x0000000005821000-memory.dmp  Filesize 4KB
memory/756-7-0x00000000058B0000-0x00000000058B1000-memory.dmp  Filesize 4KB
memory/756-6-0x0000000005D10000-0x0000000005D11000-memory.dmp  Filesize 4KB
memory/756-5-0x0000000005770000-0x0000000005771000-memory.dmp  Filesize 4KB
memory/756-3-0x0000000000D40000-0x0000000000D41000-memory.dmp  Filesize 4KB
memory/1020-11-0x0000000000000000-mapping.dmp
memory/1020-16-0x00000000739A0000-0x000000007408E000-memory.dmp  Filesize 6.9MB
memory/1336-50-0x000000000040C79E-mapping.dmp
memory/1336-49-0x0000000000400000-0x0000000000412000-memory.dmp  Filesize 72KB
memory/1336-51-0x00000000739A0000-0x000000007408E000-memory.dmp  Filesize 6.9MB
memory/2172-269-0x0000000000000000-mapping.dmp
memory/2348-12-0x0000000000000000-mapping.dmp
memory/2348-19-0x00000000739A0000-0x000000007408E000-memory.dmp  Filesize 6.9MB
memory/4044-301-0x0000000000000000-mapping.dmp
memory/4044-308-0x0000000073950000-0x000000007403E000-memory.dmp  Filesize 6.9MB
memory/4140-300-0x0000000000000000-mapping.dmp
memory/4140-309-0x0000000073950000-0x000000007403E000-memory.dmp  Filesize 6.9MB
memory/4280-298-0x0000000000000000-mapping.dmp
memory/4280-303-0x0000000073950000-0x000000007403E000-memory.dmp  Filesize 6.9MB
memory/4292-261-0x00000000069A0000-0x0000000006A19000-memory.dmp  Filesize 484KB
memory/4292-262-0x0000000006B10000-0x0000000006B11000-memory.dmp  Filesize 4KB
memory/4292-267-0x00000000071C0000-0x00000000071C1000-memory.dmp  Filesize 4KB
memory/4292-268-0x0000000006BC0000-0x0000000006BDB000-memory.dmp  Filesize 108KB
memory/4292-265-0x0000000006FD0000-0x000000000705D000-memory.dmp  Filesize 564KB
memory/4292-179-0x000000000040C79E-mapping.dmp
memory/4292-266-0x0000000007160000-0x00000000071B9000-memory.dmp  Filesize 356KB
memory/4292-263-0x0000000006C10000-0x0000000006C11000-memory.dmp  Filesize 4KB
memory/4292-264-0x0000000006B80000-0x0000000006B84000-memory.dmp  Filesize 16KB
memory/4292-184-0x0000000073950000-0x000000007403E000-memory.dmp  Filesize 6.9MB
memory/4316-302-0x0000000073950000-0x000000007403E000-memory.dmp  Filesize 6.9MB
memory/4316-363-0x0000000009750000-0x0000000009751000-memory.dmp  Filesize 4KB
memory/4316-299-0x0000000000000000-mapping.dmp
memory/4472-104-0x0000000000000000-mapping.dmp
memory/4484-105-0x0000000000000000-mapping.dmp
memory/4556-107-0x0000000000000000-mapping.dmp
memory/4588-109-0x0000000000000000-mapping.dmp
memory/4660-321-0x0000000000400000-0x0000000000421000-memory.dmp  Filesize 132KB
memory/4660-322-0x000000000041A684-mapping.dmp
memory/4660-325-0x0000000000400000-0x0000000000421000-memory.dmp  Filesize 132KB
memory/4712-134-0x0000000073950000-0x000000007403E000-memory.dmp  Filesize 6.9MB
memory/4712-130-0x0000000000000000-mapping.dmp
memory/4712-131-0x0000000000000000-mapping.dmp
memory/4820-146-0x0000000073950000-0x000000007403E000-memory.dmp  Filesize 6.9MB
memory/4820-142-0x0000000000000000-mapping.dmp
memory/4820-163-0x00000000079F0000-0x00000000079F1000-memory.dmp  Filesize 4KB
memory/4820-207-0x00000000093A0000-0x00000000093A1000-memory.dmp  Filesize 4KB
memory/4840-147-0x0000000073950000-0x000000007403E000-memory.dmp  Filesize 6.9MB
memory/4840-143-0x0000000000000000-mapping.dmp
memory/4900-151-0x0000000073950000-0x000000007403E000-memory.dmp  Filesize 6.9MB
memory/4900-144-0x0000000000000000-mapping.dmp
memory/4960-145-0x0000000000000000-mapping.dmp
memory/4960-155-0x0000000073950000-0x000000007403E000-memory.dmp  Filesize 6.9MB
memory/4972-297-0x0000000005180000-0x00000000051B2000-memory.dmp  Filesize 200KB
memory/4972-288-0x0000000000000000-mapping.dmp
memory/4972-291-0x00000000006F0000-0x00000000006F1000-memory.dmp  Filesize 4KB
memory/4972-290-0x0000000073950000-0x000000007403E000-memory.dmp  Filesize 6.9MB
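The memory artifacts above come in two shapes: memory.dmp, a dumped region named by its address range and tagged with a Filesize, and mapping.dmp, named by a single address. Added example, not part of the report: a parser for both, which then checks that each stated Filesize agrees with the address range (it does for every entry on this page; a mismatch would point at a truncated dump or a corrupted listing), lists ranges dumped at the same base from several PIDs (the 6.9MB region at 0x739A0000 and its sibling at 0x73950000, which the listing alone cannot identify by module), and pairs every non-zero mapping address with the dumped region of the same PID that contains it. Reading a non-zero mapping address inside a small region at the image base 0x400000 (PIDs 1336 and 4660 here) as a sign that code was written into a freshly created process is this example's interpretation, not a statement the report makes. The embedded excerpt is constructed from entries copied off this page; one entry is left in the raw extracted form, with "Filesize" fused to the name and the value on the next line, to show that the parser takes that layout as well.

```python
"""Parse the memory-dump artifact list of a sandbox report and derive
cross-checks from it.  Added example; not part of the report."""
import re
from collections import defaultdict

# One memory.dmp entry, tolerant of both the cleaned form
# ("...-memory.dmp  Filesize 4KB") and the raw extracted form, where
# "Filesize" is fused to the name and the value sits on the next line.
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s*Filesize\s*(?P<size>\S+)?$"
)
# One mapping.dmp entry: a single address, no size.
MAP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<addr>[0-9A-Fa-f]+)-mapping\.dmp$"
)

# Constructed excerpt: entries copied from this report (cleaned form), plus
# one entry kept in the raw extracted form to show it parses too.
REPORT_EXCERPT = """\
memory/216-17-0x0000000007400000-0x0000000007401000-memory.dmp  Filesize 4KB
memory/216-60-0x0000000009330000-0x0000000009363000-memory.dmp  Filesize 204KB
memory/216-10-0x0000000000000000-mapping.dmp
memory/216-13-0x00000000739A0000-0x000000007408E000-memory.dmp  Filesize 6.9MB
memory/756-2-0x00000000739A0000-0x000000007408E000-memory.dmp  Filesize 6.9MB
memory/756-9-0x0000000005970000-0x0000000005991000-memory.dmp  Filesize 132KB
memory/1336-50-0x000000000040C79E-mapping.dmp
memory/1336-49-0x0000000000400000-0x0000000000412000-memory.dmp  Filesize 72KB
memory/1336-51-0x00000000739A0000-0x000000007408E000-memory.dmp  Filesize 6.9MB
memory/4292-261-0x00000000069A0000-0x0000000006A19000-memory.dmpFilesize
484KB
-
memory/4292-179-0x000000000040C79E-mapping.dmp
memory/4660-321-0x0000000000400000-0x0000000000421000-memory.dmp  Filesize 132KB
memory/4660-322-0x000000000041A684-mapping.dmp
"""


def parse_memory_entries(text):
    """Return a list of dicts, one per dump, with addresses as integers."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and ln != "-"]    # drop blanks and separators
    entries, i = [], 0
    while i < len(lines):
        line = lines[i]
        i += 1
        m = MAP_RE.match(line)
        if m:
            entries.append({"kind": "mapping", "pid": int(m["pid"]),
                            "seq": int(m["seq"]), "addr": int(m["addr"], 16)})
            continue
        m = MEM_RE.match(line)
        if m:
            size = m["size"]
            if size is None:                  # raw form: the size is the next line
                size, i = lines[i], i + 1
            entries.append({"kind": "memory", "pid": int(m["pid"]),
                            "seq": int(m["seq"]), "start": int(m["start"], 16),
                            "end": int(m["end"], 16), "stated": size})
            continue
        raise ValueError(f"unrecognised artifact line: {line!r}")
    return entries


def human_size(n_bytes):
    """Reproduce the report's size rendering: whole KiB below 1 MiB, one
    decimal of MiB above it (so a 0x6EE000-byte region prints as 6.9MB)."""
    if n_bytes < 1024 * 1024:
        return f"{n_bytes // 1024}KB"
    return f"{n_bytes / (1024 * 1024):.1f}MB"


def size_mismatches(entries):
    """Regions whose stated Filesize disagrees with their address range."""
    return [e for e in entries if e["kind"] == "memory"
            and human_size(e["end"] - e["start"]) != e["stated"]]


def shared_regions(entries, min_pids=2):
    """Identical (start, end) ranges dumped from several PIDs: the same module
    mapped at the same base.  Which module cannot be read off the listing."""
    by_range = defaultdict(set)
    for e in entries:
        if e["kind"] == "memory":
            by_range[(e["start"], e["end"])].add(e["pid"])
    return {r: pids for r, pids in by_range.items() if len(pids) >= min_pids}


def injection_candidates(entries):
    """Non-zero mapping addresses, each paired with the dumped region of the
    same PID that contains it (None if no dumped region covers it).  Treating
    an address inside a small region at image base 0x400000 as a sign of code
    written into a fresh process is this example's assumption, not a verdict."""
    regions = defaultdict(list)
    for e in entries:
        if e["kind"] == "memory":
            regions[e["pid"]].append((e["start"], e["end"]))
    out = []
    for e in entries:
        if e["kind"] == "mapping" and e["addr"] != 0:
            hit = next((r for r in regions[e["pid"]]
                        if r[0] <= e["addr"] < r[1]), None)
            out.append((e["pid"], e["addr"], hit))
    return out


if __name__ == "__main__":
    ents = parse_memory_entries(REPORT_EXCERPT)
    print(len(ents), "entries;", len(size_mismatches(ents)), "size mismatches")
    for rng, pids in shared_regions(ents).items():
        print(f"shared region 0x{rng[0]:X}-0x{rng[1]:X} in PIDs {sorted(pids)}")
    for pid, addr, region in injection_candidates(ents):
        print(f"PID {pid}: mapping at 0x{addr:X}, containing region {region}")
```

On the full listing the candidate list also includes PID 4292, whose mapping address 0x40C79E has no dumped region around it, which is why the pairing returns None rather than guessing; the dump itself, not the listing, is where that question gets answered.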