Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
06-03-2021 07:30
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Setup.exe
Resource
win10v20201028
General
-
Target
Setup.exe
-
Size
4.2MB
-
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5
-
SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38
-
SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19
-
SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418
Malware Config
Signatures
-
Nirsoft 6 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\1615015744623.exe Nirsoft C:\Users\Admin\AppData\Roaming\1615015744623.exe Nirsoft C:\Users\Admin\AppData\Roaming\1615015749608.exe Nirsoft C:\Users\Admin\AppData\Roaming\1615015749608.exe Nirsoft C:\Users\Admin\AppData\Roaming\1615015755014.exe Nirsoft C:\Users\Admin\AppData\Roaming\1615015755014.exe Nirsoft -
Executes dropped EXE 7 IoCs
Processes:
C0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exe1615015744623.exe1615015749608.exe1615015755014.exeThunderFW.exeMiniThunderPlatform.exepid process 1768 C0CA61A12E4C8B38.exe 1860 C0CA61A12E4C8B38.exe 3948 1615015744623.exe 2664 1615015749608.exe 3264 1615015755014.exe 4088 ThunderFW.exe 2276 MiniThunderPlatform.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\gdiview.msi office_xlm_macros -
Loads dropped DLL 11 IoCs
Processes:
MsiExec.exeC0CA61A12E4C8B38.exeMiniThunderPlatform.exepid process 3636 MsiExec.exe 1768 C0CA61A12E4C8B38.exe 1768 C0CA61A12E4C8B38.exe 2276 MiniThunderPlatform.exe 2276 MiniThunderPlatform.exe 2276 MiniThunderPlatform.exe 2276 MiniThunderPlatform.exe 2276 MiniThunderPlatform.exe 2276 MiniThunderPlatform.exe 2276 MiniThunderPlatform.exe 2276 MiniThunderPlatform.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
Setup.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exeMiniThunderPlatform.exedescription ioc process File opened for modification \??\PhysicalDrive0 Setup.exe File opened for modification \??\PhysicalDrive0 C0CA61A12E4C8B38.exe File opened for modification \??\PhysicalDrive0 C0CA61A12E4C8B38.exe File opened for modification \??\PhysicalDrive0 MiniThunderPlatform.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Setup.exepid process 1152 Setup.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
C0CA61A12E4C8B38.exedescription pid process target process PID 1768 set thread context of 1748 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 set thread context of 1944 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 set thread context of 1568 1768 C0CA61A12E4C8B38.exe firefox.exe -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
C0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc C0CA61A12E4C8B38.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc C0CA61A12E4C8B38.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName C0CA61A12E4C8B38.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName C0CA61A12E4C8B38.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 C0CA61A12E4C8B38.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 C0CA61A12E4C8B38.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName C0CA61A12E4C8B38.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 C0CA61A12E4C8B38.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 C0CA61A12E4C8B38.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc C0CA61A12E4C8B38.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc C0CA61A12E4C8B38.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName C0CA61A12E4C8B38.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 2036 taskkill.exe -
Processes:
Setup.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576 Setup.exe -
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
1615015744623.exe1615015749608.exe1615015755014.exepid process 3948 1615015744623.exe 3948 1615015744623.exe 2664 1615015749608.exe 2664 1615015749608.exe 3264 1615015755014.exe 3264 1615015755014.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exedescription pid process Token: SeShutdownPrivilege 3420 msiexec.exe Token: SeIncreaseQuotaPrivilege 3420 msiexec.exe Token: SeSecurityPrivilege 2524 msiexec.exe Token: SeCreateTokenPrivilege 3420 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3420 msiexec.exe Token: SeLockMemoryPrivilege 3420 msiexec.exe Token: SeIncreaseQuotaPrivilege 3420 msiexec.exe Token: SeMachineAccountPrivilege 3420 msiexec.exe Token: SeTcbPrivilege 3420 msiexec.exe Token: SeSecurityPrivilege 3420 msiexec.exe Token: SeTakeOwnershipPrivilege 3420 msiexec.exe Token: SeLoadDriverPrivilege 3420 msiexec.exe Token: SeSystemProfilePrivilege 3420 msiexec.exe Token: SeSystemtimePrivilege 3420 msiexec.exe Token: SeProfSingleProcessPrivilege 3420 msiexec.exe Token: SeIncBasePriorityPrivilege 3420 msiexec.exe Token: SeCreatePagefilePrivilege 3420 msiexec.exe Token: SeCreatePermanentPrivilege 3420 msiexec.exe Token: SeBackupPrivilege 3420 msiexec.exe Token: SeRestorePrivilege 3420 msiexec.exe Token: SeShutdownPrivilege 3420 msiexec.exe Token: SeDebugPrivilege 3420 msiexec.exe Token: SeAuditPrivilege 3420 msiexec.exe Token: SeSystemEnvironmentPrivilege 3420 msiexec.exe Token: SeChangeNotifyPrivilege 3420 msiexec.exe Token: SeRemoteShutdownPrivilege 3420 msiexec.exe Token: SeUndockPrivilege 3420 msiexec.exe Token: SeSyncAgentPrivilege 3420 msiexec.exe Token: SeEnableDelegationPrivilege 3420 msiexec.exe Token: SeManageVolumePrivilege 3420 msiexec.exe Token: SeImpersonatePrivilege 3420 msiexec.exe Token: SeCreateGlobalPrivilege 3420 msiexec.exe Token: SeCreateTokenPrivilege 3420 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3420 msiexec.exe Token: SeLockMemoryPrivilege 3420 msiexec.exe Token: SeIncreaseQuotaPrivilege 3420 msiexec.exe Token: SeMachineAccountPrivilege 3420 msiexec.exe Token: SeTcbPrivilege 3420 msiexec.exe Token: SeSecurityPrivilege 3420 msiexec.exe Token: SeTakeOwnershipPrivilege 3420 msiexec.exe Token: SeLoadDriverPrivilege 3420 msiexec.exe Token: SeSystemProfilePrivilege 3420 msiexec.exe Token: SeSystemtimePrivilege 3420 msiexec.exe Token: SeProfSingleProcessPrivilege 3420 msiexec.exe Token: SeIncBasePriorityPrivilege 3420 msiexec.exe Token: SeCreatePagefilePrivilege 3420 msiexec.exe Token: SeCreatePermanentPrivilege 3420 msiexec.exe Token: SeBackupPrivilege 3420 msiexec.exe Token: SeRestorePrivilege 3420 msiexec.exe Token: SeShutdownPrivilege 3420 msiexec.exe Token: SeDebugPrivilege 3420 msiexec.exe Token: SeAuditPrivilege 3420 msiexec.exe Token: SeSystemEnvironmentPrivilege 3420 msiexec.exe Token: SeChangeNotifyPrivilege 3420 msiexec.exe Token: SeRemoteShutdownPrivilege 3420 msiexec.exe Token: SeUndockPrivilege 3420 msiexec.exe Token: SeSyncAgentPrivilege 3420 msiexec.exe Token: SeEnableDelegationPrivilege 3420 msiexec.exe Token: SeManageVolumePrivilege 3420 msiexec.exe Token: SeImpersonatePrivilege 3420 msiexec.exe Token: SeCreateGlobalPrivilege 3420 msiexec.exe Token: SeCreateTokenPrivilege 3420 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3420 msiexec.exe Token: SeLockMemoryPrivilege 3420 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 3420 msiexec.exe -
Suspicious use of WriteProcessMemory 63 IoCs
Processes:
Setup.exemsiexec.execmd.exeC0CA61A12E4C8B38.execmd.exeC0CA61A12E4C8B38.execmd.exedescription pid process target process PID 1152 wrote to memory of 3420 1152 Setup.exe msiexec.exe PID 1152 wrote to memory of 3420 1152 Setup.exe msiexec.exe PID 1152 wrote to memory of 3420 1152 Setup.exe msiexec.exe PID 2524 wrote to memory of 3636 2524 msiexec.exe MsiExec.exe PID 2524 wrote to memory of 3636 2524 msiexec.exe MsiExec.exe PID 2524 wrote to memory of 3636 2524 msiexec.exe MsiExec.exe PID 1152 wrote to memory of 1768 1152 Setup.exe C0CA61A12E4C8B38.exe PID 1152 wrote to memory of 1768 1152 Setup.exe C0CA61A12E4C8B38.exe PID 1152 wrote to memory of 1768 1152 Setup.exe C0CA61A12E4C8B38.exe PID 1152 wrote to memory of 1860 1152 Setup.exe C0CA61A12E4C8B38.exe PID 1152 wrote to memory of 1860 1152 Setup.exe C0CA61A12E4C8B38.exe PID 1152 wrote to memory of 1860 1152 Setup.exe C0CA61A12E4C8B38.exe PID 1152 wrote to memory of 640 1152 Setup.exe cmd.exe PID 1152 wrote to memory of 640 1152 Setup.exe cmd.exe PID 1152 wrote to memory of 640 1152 Setup.exe cmd.exe PID 640 wrote to memory of 1000 640 cmd.exe PING.EXE PID 640 wrote to memory of 1000 640 cmd.exe PING.EXE PID 640 wrote to memory of 1000 640 cmd.exe PING.EXE PID 1860 wrote to memory of 2756 1860 C0CA61A12E4C8B38.exe cmd.exe PID 1860 wrote to memory of 2756 1860 C0CA61A12E4C8B38.exe cmd.exe PID 1860 wrote to memory of 2756 1860 C0CA61A12E4C8B38.exe cmd.exe PID 2756 wrote to memory of 2036 2756 cmd.exe taskkill.exe PID 2756 wrote to memory of 2036 2756 cmd.exe taskkill.exe PID 2756 wrote to memory of 2036 2756 cmd.exe taskkill.exe PID 1768 wrote to memory of 1748 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 1748 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 1748 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 1748 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 1748 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 1748 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 3948 1768 C0CA61A12E4C8B38.exe 1615015744623.exe PID 1768 wrote to memory of 3948 1768 C0CA61A12E4C8B38.exe 1615015744623.exe PID 1768 wrote to memory of 3948 1768 C0CA61A12E4C8B38.exe 1615015744623.exe PID 1860 wrote to memory of 3676 1860 C0CA61A12E4C8B38.exe cmd.exe PID 1860 wrote to memory of 3676 1860 C0CA61A12E4C8B38.exe cmd.exe PID 1860 wrote to memory of 3676 1860 C0CA61A12E4C8B38.exe cmd.exe PID 3676 wrote to memory of 2768 3676 cmd.exe PING.EXE PID 3676 wrote to memory of 2768 3676 cmd.exe PING.EXE PID 3676 wrote to memory of 2768 3676 cmd.exe PING.EXE PID 1768 wrote to memory of 1944 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 1944 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 1944 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 1944 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 1944 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 1944 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 2664 1768 C0CA61A12E4C8B38.exe 1615015749608.exe PID 1768 wrote to memory of 2664 1768 C0CA61A12E4C8B38.exe 1615015749608.exe PID 1768 wrote to memory of 2664 1768 C0CA61A12E4C8B38.exe 1615015749608.exe PID 1768 wrote to memory of 1568 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 1568 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 1568 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 1568 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 1568 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 1568 1768 C0CA61A12E4C8B38.exe firefox.exe PID 1768 wrote to memory of 3264 1768 C0CA61A12E4C8B38.exe 1615015755014.exe PID 1768 wrote to memory of 3264 1768 C0CA61A12E4C8B38.exe 1615015755014.exe PID 1768 wrote to memory of 3264 1768 C0CA61A12E4C8B38.exe 1615015755014.exe PID 1768 wrote to memory of 4088 1768 C0CA61A12E4C8B38.exe ThunderFW.exe PID 1768 wrote to memory of 4088 1768 C0CA61A12E4C8B38.exe ThunderFW.exe PID 1768 wrote to memory of 4088 1768 C0CA61A12E4C8B38.exe ThunderFW.exe PID 1768 wrote to memory of 2276 1768 C0CA61A12E4C8B38.exe MiniThunderPlatform.exe PID 1768 wrote to memory of 2276 1768 C0CA61A12E4C8B38.exe MiniThunderPlatform.exe PID 1768 wrote to memory of 2276 1768 C0CA61A12E4C8B38.exe MiniThunderPlatform.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exeC:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp12⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\1615015744623.exe"C:\Users\Admin\AppData\Roaming\1615015744623.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615015744623.txt"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\1615015749608.exe"C:\Users\Admin\AppData\Roaming\1615015749608.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615015749608.txt"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\1615015755014.exe"C:\Users\Admin\AppData\Roaming\1615015755014.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615015755014.txt"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exeC:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp12⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 34⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\Setup.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 33⤵
- Runs ping.exe
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D25F3E6BB330CE25543233118F22110E C2⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exeMD5
afd51e2ff7beac4d0c88d8f872d6d0d5
SHA1185fd4793db912410de63ac7a5a3b1ac9c266b38
SHA256cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19
SHA512eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418
-
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exeMD5
afd51e2ff7beac4d0c88d8f872d6d0d5
SHA1185fd4793db912410de63ac7a5a3b1ac9c266b38
SHA256cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19
SHA512eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418
-
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exeMD5
afd51e2ff7beac4d0c88d8f872d6d0d5
SHA1185fd4793db912410de63ac7a5a3b1ac9c266b38
SHA256cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19
SHA512eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418
-
C:\Users\Admin\AppData\Local\Temp\MSI56EF.tmpMD5
84878b1a26f8544bda4e069320ad8e7d
SHA151c6ee244f5f2fa35b563bffb91e37da848a759c
SHA256809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444
SHA5124742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549
-
C:\Users\Admin\AppData\Local\Temp\download\ATL71.DLLMD5
79cb6457c81ada9eb7f2087ce799aaa7
SHA1322ddde439d9254182f5945be8d97e9d897561ae
SHA256a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a
SHA512eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8
-
C:\Users\Admin\AppData\Local\Temp\download\MSVCP71.dllMD5
a94dc60a90efd7a35c36d971e3ee7470
SHA1f936f612bc779e4ba067f77514b68c329180a380
SHA2566c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9
SHA512ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab
-
C:\Users\Admin\AppData\Local\Temp\download\MSVCR71.dllMD5
ca2f560921b7b8be1cf555a5a18d54c3
SHA1432dbcf54b6f1142058b413a9d52668a2bde011d
SHA256c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
SHA51223e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exeMD5
e2e9483568dc53f68be0b80c34fe27fb
SHA18919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9
SHA256205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37
SHA512b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exeMD5
e2e9483568dc53f68be0b80c34fe27fb
SHA18919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9
SHA256205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37
SHA512b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeMD5
f0372ff8a6148498b19e04203dbb9e69
SHA127fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
SHA256298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
SHA51265d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeMD5
f0372ff8a6148498b19e04203dbb9e69
SHA127fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
SHA256298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
SHA51265d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865
-
C:\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dllMD5
dba9a19752b52943a0850a7e19ac600a
SHA13485ac30cd7340eccb0457bca37cf4a6dfda583d
SHA25669a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26
SHA512a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3
-
C:\Users\Admin\AppData\Local\Temp\download\download_engine.dllMD5
1a87ff238df9ea26e76b56f34e18402c
SHA12df48c31f3b3adb118f6472b5a2dc3081b302d7c
SHA256abaeb5121548256577ddd8b0fc30c9ff3790649ad6a0704e4e30d62e70a72964
SHA512b2e63aba8c081d3d38bd9633a1313f97b586b69ae0301d3b32b889690327a575b55097f19cc87c6e6ed345f1b4439d28f981fdb094e6a095018a10921dae80d9
-
C:\Users\Admin\AppData\Local\Temp\download\zlib1.dllMD5
89f6488524eaa3e5a66c5f34f3b92405
SHA1330f9f6da03ae96dfa77dd92aae9a294ead9c7f7
SHA256bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56
SHA512cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e
-
C:\Users\Admin\AppData\Local\Temp\gdiview.msiMD5
7cc103f6fd70c6f3a2d2b9fca0438182
SHA1699bd8924a27516b405ea9a686604b53b4e23372
SHA256dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1
SHA51292ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128
-
C:\Users\Admin\AppData\Roaming\1615015744623.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1615015744623.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1615015744623.txtMD5
f3a55ae79aa1a18000ccac4d16761dcd
SHA17e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3
SHA256a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575
SHA5125184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168
-
C:\Users\Admin\AppData\Roaming\1615015749608.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1615015749608.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1615015749608.txtMD5
f3a55ae79aa1a18000ccac4d16761dcd
SHA17e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3
SHA256a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575
SHA5125184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168
-
C:\Users\Admin\AppData\Roaming\1615015755014.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1615015755014.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1615015755014.txtMD5
f3a55ae79aa1a18000ccac4d16761dcd
SHA17e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3
SHA256a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575
SHA5125184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168
-
\Users\Admin\AppData\Local\Temp\MSI56EF.tmpMD5
84878b1a26f8544bda4e069320ad8e7d
SHA151c6ee244f5f2fa35b563bffb91e37da848a759c
SHA256809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444
SHA5124742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549
-
\Users\Admin\AppData\Local\Temp\download\atl71.dllMD5
79cb6457c81ada9eb7f2087ce799aaa7
SHA1322ddde439d9254182f5945be8d97e9d897561ae
SHA256a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a
SHA512eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8
-
\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dllMD5
dba9a19752b52943a0850a7e19ac600a
SHA13485ac30cd7340eccb0457bca37cf4a6dfda583d
SHA25669a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26
SHA512a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3
-
\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dllMD5
dba9a19752b52943a0850a7e19ac600a
SHA13485ac30cd7340eccb0457bca37cf4a6dfda583d
SHA25669a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26
SHA512a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3
-
\Users\Admin\AppData\Local\Temp\download\download_engine.dllMD5
1a87ff238df9ea26e76b56f34e18402c
SHA12df48c31f3b3adb118f6472b5a2dc3081b302d7c
SHA256abaeb5121548256577ddd8b0fc30c9ff3790649ad6a0704e4e30d62e70a72964
SHA512b2e63aba8c081d3d38bd9633a1313f97b586b69ae0301d3b32b889690327a575b55097f19cc87c6e6ed345f1b4439d28f981fdb094e6a095018a10921dae80d9
-
\Users\Admin\AppData\Local\Temp\download\msvcp71.dllMD5
a94dc60a90efd7a35c36d971e3ee7470
SHA1f936f612bc779e4ba067f77514b68c329180a380
SHA2566c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9
SHA512ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab
-
\Users\Admin\AppData\Local\Temp\download\msvcr71.dllMD5
ca2f560921b7b8be1cf555a5a18d54c3
SHA1432dbcf54b6f1142058b413a9d52668a2bde011d
SHA256c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
SHA51223e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e
-
\Users\Admin\AppData\Local\Temp\download\msvcr71.dllMD5
ca2f560921b7b8be1cf555a5a18d54c3
SHA1432dbcf54b6f1142058b413a9d52668a2bde011d
SHA256c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
SHA51223e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e
-
\Users\Admin\AppData\Local\Temp\download\zlib1.dllMD5
89f6488524eaa3e5a66c5f34f3b92405
SHA1330f9f6da03ae96dfa77dd92aae9a294ead9c7f7
SHA256bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56
SHA512cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e
-
\Users\Admin\AppData\Local\Temp\xldl.dllMD5
208662418974bca6faab5c0ca6f7debf
SHA1db216fc36ab02e0b08bf343539793c96ba393cf1
SHA256a7427f58e40c131e77e8a4f226db9c772739392f3347e0fce194c44ad8da26d5
SHA5128a185340b057c89b1f2062a4f687a2b10926c062845075d81e3b1e558d8a3f14b32b9965f438a1c63fcdb7ba146747233bcb634f4dd4605013f74c2c01428c03
-
\Users\Admin\AppData\Local\Temp\xldl.dllMD5
208662418974bca6faab5c0ca6f7debf
SHA1db216fc36ab02e0b08bf343539793c96ba393cf1
SHA256a7427f58e40c131e77e8a4f226db9c772739392f3347e0fce194c44ad8da26d5
SHA5128a185340b057c89b1f2062a4f687a2b10926c062845075d81e3b1e558d8a3f14b32b9965f438a1c63fcdb7ba146747233bcb634f4dd4605013f74c2c01428c03
-
memory/640-13-0x0000000000000000-mapping.dmp
-
memory/1000-16-0x0000000000000000-mapping.dmp
-
memory/1152-2-0x0000000010000000-0x000000001033E000-memory.dmpFilesize
3.2MB
-
memory/1568-37-0x00007FF7C9868270-mapping.dmp
-
memory/1568-42-0x00000252D4E20000-0x00000252D4E21000-memory.dmpFilesize
4KB
-
memory/1748-23-0x00000231A6B60000-0x00000231A6B61000-memory.dmpFilesize
4KB
-
memory/1748-21-0x00007FF7C9868270-mapping.dmp
-
memory/1748-22-0x0000000010000000-0x0000000010057000-memory.dmpFilesize
348KB
-
memory/1768-8-0x0000000000000000-mapping.dmp
-
memory/1768-17-0x0000000003630000-0x0000000003ADF000-memory.dmpFilesize
4.7MB
-
memory/1860-9-0x0000000000000000-mapping.dmp
-
memory/1860-18-0x0000000002D80000-0x000000000322F000-memory.dmpFilesize
4.7MB
-
memory/1944-35-0x0000025FC7C30000-0x0000025FC7C31000-memory.dmpFilesize
4KB
-
memory/1944-30-0x00007FF7C9868270-mapping.dmp
-
memory/2036-20-0x0000000000000000-mapping.dmp
-
memory/2276-49-0x0000000000000000-mapping.dmp
-
memory/2664-31-0x0000000000000000-mapping.dmp
-
memory/2756-19-0x0000000000000000-mapping.dmp
-
memory/2768-29-0x0000000000000000-mapping.dmp
-
memory/3264-38-0x0000000000000000-mapping.dmp
-
memory/3420-3-0x0000000000000000-mapping.dmp
-
memory/3636-5-0x0000000000000000-mapping.dmp
-
memory/3676-28-0x0000000000000000-mapping.dmp
-
memory/3948-24-0x0000000000000000-mapping.dmp
-
memory/4088-44-0x0000000000000000-mapping.dmp