Analysis
Max time kernel: 150s
Max time network: 135s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 28-02-2021 07:19

Tasks:
- Static task: static1
- Behavioral task: behavioral1 (sample d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe, resource win7v20201028)
- Behavioral task: behavioral2 (sample d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe, resource win10v20201028)
General
Target: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
Size: 271KB
MD5: f8ca42285e4979fc25e1e358aaaf3ee3
SHA1: 83bb7336deceeb094574714c1043ce9d3d420ee8
SHA256: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1
SHA512: 00bddc7a539b957f9dfb74941c56bab532221f4783d1ec90bde4019b9af68a79886d36d2e12fd9511836a8447cbecd56ee4a988b1e0dd6c6dc170b9c60b20a54
Malware Config
Extracted from: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
E-mail: threesixnine@ctemplar.com
Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
Processes:
- smss.exe (PID 968)
- smss.exe (PID 1304)

Deletes itself (1 IoC)
Processes:
- notepad.exe (PID 1500)

Loads dropped DLL (2 IoCs)
Processes:
- d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe (PID 544)
- d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe (PID 544)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: smss.exe
- File opened (read-only), one IoC per drive letter: \??\Y:, \??\V:, \??\T:, \??\B:, \??\R:, \??\J:, \??\I:, \??\Z:, \??\X:, \??\W:, \??\U:, \??\S:, \??\H:, \??\G:, \??\O:, \??\N:, \??\M:, \??\A:, \??\E:, \??\Q:, \??\P:, \??\L:, \??\K:, \??\F:

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- Flow 5: geoiptool.com
Drops file in Program Files directory (64 IoCs)
Processes: smss.exe
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01148_.WMF.82E-43B-05A
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar.82E-43B-05A
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00233_.WMF.82E-43B-05A
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_left.gif
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02134_.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR35B.GIF.82E-43B-05A
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right.gif
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Pacific\Norfolk
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Asia\Dubai.82E-43B-05A
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196060.WMF
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\BG_ADOBE.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.82E-43B-05A
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME02.CSS
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESN.CFG.82E-43B-05A
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Dawson
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.DLL.IDX_DLL
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPT.CFG.82E-43B-05A
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08758_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239965.WMF
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife.82E-43B-05A
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Indian\Mauritius.82E-43B-05A
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115865.GIF.82E-43B-05A
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Inuvik
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta.82E-43B-05A
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Waveform.thmx.82E-43B-05A
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00640_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\ONINTL.REST.IDX_DLL
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18244_.WMF
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Port_Moresby.82E-43B-05A
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105348.WMF.82E-43B-05A
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143753.GIF.82E-43B-05A
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME26.CSS.82E-43B-05A
- File opened for modification: C:\Program Files\7-Zip\Lang\kab.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html.82E-43B-05A
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR4F.GIF
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACT.CFG.82E-43B-05A
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105396.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01168_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00728_.WMF.82E-43B-05A
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP.82E-43B-05A
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\EST
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo.82E-43B-05A
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02424_.WMF
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105490.WMF.82E-43B-05A
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01361_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01162_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_SlateBlue.gif
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- vssadmin.exe (PID 916)
- vssadmin.exe (PID 744)
Modifies system certificate store
Processes: smss.exe, d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob (binary certificate blob not reproduced here) by smss.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 by d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob (binary certificate blob not reproduced here) by d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob (binary certificate blob not reproduced here) by d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 by smss.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe, WMIC.exe, WMIC.exe
- d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe (PID 544): Token SeDebugPrivilege (recorded twice)
- WMIC.exe (PID 1592): Tokens SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this full set is recorded twice)
- WMIC.exe (PID 1844): the same set of tokens, SeIncreaseQuotaPrivilege through 35 (recorded once in full; a second pass is cut off after SeIncreaseQuotaPrivilege and SeSecurityPrivilege)

Suspicious use of WriteProcessMemory (55 IoCs)
Processes: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe, smss.exe, cmd.exe, cmd.exe, cmd.exe
- PID 544 (d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe) wrote to memory of PID 968 (smss.exe), 4 times
- PID 544 (d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe) wrote to memory of PID 1500 (notepad.exe), 7 times
- PID 968 (smss.exe) wrote to memory of PID 1684 (cmd.exe), 4 times
- PID 968 (smss.exe) wrote to memory of PID 1816 (cmd.exe), 4 times
- PID 968 (smss.exe) wrote to memory of PID 1748 (cmd.exe), 4 times
- PID 968 (smss.exe) wrote to memory of PID 600 (cmd.exe), 4 times
- PID 968 (smss.exe) wrote to memory of PID 940 (cmd.exe), 4 times
- PID 968 (smss.exe) wrote to memory of PID 1460 (cmd.exe), 4 times
- PID 1684 (cmd.exe) wrote to memory of PID 1592 (WMIC.exe), 4 times
- PID 968 (smss.exe) wrote to memory of PID 1304 (smss.exe), 4 times
- PID 940 (cmd.exe) wrote to memory of PID 916 (vssadmin.exe), 4 times
- PID 1460 (cmd.exe) wrote to memory of PID 1844 (WMIC.exe), 4 times
- PID 1460 (cmd.exe) wrote to memory of PID 744 (vssadmin.exe), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
    Signatures: Executes dropped EXE; Enumerates connected drives; Modifies system certificate store; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
      Signatures: Executes dropped EXE; Drops file in Program Files directory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - C:\Windows\SysWOW64\notepad.exe
    Command line: notepad.exe
    Signatures: Deletes itself
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
Downloads