Analysis
max time kernel: 150s
max time network: 82s
platform: windows10_x64
resource: win10v20201028
submitted: 14-03-2021 09:24

Static task: static1
Behavioral task: behavioral1
Sample: dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe
Resource: win7v20201028
Behavioral task: behavioral2
Sample: dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe
Resource: win10v20201028

The behavioral data below is from the Windows 10 x64 run (resource win10v20201028).

General
Target: dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe
Size: 380KB
MD5: a1ef511c6b47307948465fe6e1af6997
SHA1: 103f8cc1af6581b4be3f606fd86940d632a450d1
SHA256: dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584
SHA512: 8cc28fc5e1e3e000e977f2f55fa9cf938dd29346e656d013c9ac126572d6eab469b3c3cac9d83683e37c3a220d1a12b22abb0d388483eab07a3ed92965be6821
Malware Config
Extracted from C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (the ransom note):
- Contact e-mails: GetDecoding@zimbabwe.su, getdecoding@msgsafe.io
Signatures

Dharma
Dharma (a CrySIS variant) is a ransomware family whose operators have shipped it alongside a legitimate security-software installer so that the installation masks the infection. In this run the payload (winhost.exe) renames encrypted files to <name>.id-0A458B4E.[GetDecoding@zimbabwe.su].get, drops the Info.hta ransom note into both Startup folders and into System32, registers Run values that replay the note with mshta.exe, and deletes volume shadow copies.

Deletes shadow copies (2 TTPs)
Ransomware targets shadow copies and other backups to inhibit recovery; this run issues vssadmin delete shadows three times (see "Interacts with shadow copies" below).

Executes dropped EXE (2 IoCs)
Processes:
- 3988 NS2.exe
- 1012 winhost.exe
Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: winhost.exe (PID 1012)
- File opened for modification: C:\Users\Admin\Pictures\CopyUnblock.tiff
- File opened for modification: C:\Users\Admin\Pictures\StopResolve.tiff
Deletes itself (1 IoC)
Processes:
- 1012 winhost.exe (the copy in C:\Users\Admin\AppData\Local\Temp; the copy written to C:\Windows\System32\winhost.exe, listed under "Drops file in System32 directory", is the one that persists)
Drops startup file (5 IoCs)
Processes: winhost.exe (PID 1012)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe
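A parser for the encrypted-file naming scheme visible in the IoCs above (<name>.id-<8 hex>.[<e-mail>].<ext>), added here as an example and not part of the report or of any Dharma tooling. Given a file listing it extracts the victim id, the contact address and the appended extension, and reconstructs the pre-encryption path, which is what an incident responder needs for scoping and for renaming files after a decryptor runs. The sample paths are constructed from the report's own IoCs and ransom-note path.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Naming scheme seen in this report's IoCs:
#   <original name>.id-<8 hex digits>.[<contact e-mail>].<extension>
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class EncryptedName:
    original: str   # file name before the marker was appended
    victim_id: str  # per-victim id (0A458B4E in this run)
    email: str      # attacker contact address embedded in the name
    ext: str        # trailing extension ("get" in this run)


def parse_encrypted_name(path: str) -> Optional[EncryptedName]:
    """Split a Dharma-style encrypted file name; None for names without the marker."""
    name = path.replace("/", "\\").rpartition("\\")[2]
    m = DHARMA_NAME.match(name)
    if not m:
        return None
    return EncryptedName(m["original"], m["victim_id"].upper(), m["email"], m["ext"])


def original_path(path: str) -> str:
    """Path the file had before encryption (marker stripped); unchanged if not encrypted."""
    parsed = parse_encrypted_name(path)
    if parsed is None:
        return path
    head, sep, _ = path.replace("/", "\\").rpartition("\\")
    return head + sep + parsed.original


def inventory(paths):
    """Summarise a listing: distinct ids / e-mails / extensions, encrypted originals, and the rest."""
    summary = {"victim_ids": set(), "emails": set(), "extensions": set(), "encrypted": [], "other": []}
    for p in paths:
        parsed = parse_encrypted_name(p)
        if parsed is None:
            summary["other"].append(p)
            continue
        summary["victim_ids"].add(parsed.victim_id)
        summary["emails"].add(parsed.email)
        summary["extensions"].add(parsed.ext)
        summary["encrypted"].append(original_path(p))
    return summary


# Constructed from the IoCs in this report (three renamed files, one file only opened, the note).
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-0A458B4E.[GetDecoding@zimbabwe.su].get",
    r"C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libsapi_plugin.dll.id-0A458B4E.[GetDecoding@zimbabwe.su].get",
    r"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe.id-0A458B4E.[GetDecoding@zimbabwe.su].get",
    r"C:\Users\Admin\Pictures\CopyUnblock.tiff",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta",
]

if __name__ == "__main__":
    for key, value in inventory(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

The regex anchors on the full name, so a file that merely contains an e-mail address somewhere in its name is not mis-classified; the victim id is upper-cased so listings from different tools group together.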
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No file IoCs are attached to this signature in this run.

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: winhost.exe (PID 1012). Backslashes are doubled by the report's string escaping. Writing HKLM\...\Run requires administrative rights, so the payload ran elevated in this sandbox; the first value points at the System32 copy of the payload and the other two re-display the ransom note through mshta.exe at every logon.
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhost.exe = "C:\\Windows\\System32\\winhost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""
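An audit of the three Run values above, added as an example and not part of the report. It parses lines in the report's own "Set value" format, undoes the doubled-backslash escaping, and flags an autorun when its command runs a script host, when the value name is itself a file path, or when it references a file the run created (the two System32 drops listed under "Drops file in System32 directory"). The SCRIPT_HOSTS set is an assumption about which living-off-the-land binaries are worth flagging.

```python
import re
from dataclasses import dataclass

# One line of the "Adds Run key" table:  Set value (str) \REGISTRY\...\Run\<name> = "<data>"
RUN_LINE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.*?\\Run)\\(?P<name>.+?) = "(?P<data>.*)"$'
)
# Assumed list of script/proxy hosts that rarely belong in a Run value on a workstation.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "powershell.exe"}


@dataclass
class RunValue:
    key: str
    name: str
    data: str  # command line with the report's escaping removed


def parse_run_line(line: str) -> RunValue:
    m = RUN_LINE.match(line.strip())
    if not m:
        raise ValueError("not a Run-key line: " + line)
    data = m["data"].replace('\\"', '"').replace("\\\\", "\\")  # undo \" and \\ escaping
    return RunValue(m["key"], m["name"], data)


def command_image(cmd: str) -> str:
    """Executable part of a Windows command line: the quoted head or the first token."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(None, 1)[0]


def audit(values, created_files):
    """Return (value name, reasons) for each autorun that looks planted rather than installed."""
    created = {c.lower() for c in created_files}
    findings = []
    for v in values:
        exe = command_image(v.data).rpartition("\\")[2].lower()
        reasons = []
        if exe in SCRIPT_HOSTS:
            reasons.append(f"command runs a script host ({exe})")
        if re.match(r"^[A-Za-z]:\\", v.name):
            reasons.append("value name is a file path")
        touched = {p.lower() for p in re.findall(r'[A-Za-z]:\\[^"]+', v.data)}
        if touched & created:
            reasons.append("references a file created during the run")
        if reasons:
            findings.append((v.name, reasons))
    return findings


# The three lines from this report, copied verbatim (raw strings keep the escaping as printed).
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhost.exe = "C:\\Windows\\System32\\winhost.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""',
]
# Files the run created in System32, from "Drops file in System32 directory".
CREATED_IN_RUN = [r"C:\Windows\System32\winhost.exe", r"C:\Windows\System32\Info.hta"]

if __name__ == "__main__":
    for name, reasons in audit([parse_run_line(l) for l in REPORT_LINES], CREATED_IN_RUN):
        print(name, "->", "; ".join(reasons))
```

The third value (the Roaming Info.hta) is not in the created-file list this report gives, so it is caught only by the script-host and path-as-name checks; in a live investigation the created-file set would come from the file-system timeline rather than from the report.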
Drops desktop.ini file(s) (64 IoCs)
Processes: winhost.exe (PID 1012); every entry is "File opened for modification":
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Public\desktop.ini
- C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini
- C:\Program Files (x86)\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Program Files\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Admin\Pictures\Camera Roll\desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
- C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- C:\Users\Public\AccountPictures\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- C:\Users\Admin\OneDrive\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
- C:\Users\Public\Libraries\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
- C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Public\Downloads\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
Drops file in System32 directory (2 IoCs)
Processes: winhost.exe (PID 1012)
- File created: C:\Windows\System32\winhost.exe
- File created: C:\Windows\System32\Info.hta
These are the copies the HKLM Run values above point at; the Temp copy of winhost.exe deletes itself (see "Deletes itself").
Drops file in Program Files directory (64 IoCs)
Processes: winhost.exe (PID 1012)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\Functions.fx
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\organize.svg.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File created: C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libsapi_plugin.dll.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-36_altform-unplated.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Toolkit\Images\DefaultProfileImage.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.Sequence.dll
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\MedTile.scale-100.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-40.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\ui-strings.js
- File opened for modification: C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity@4x.png
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200_contrast-high.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\en-GB.mail.config
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\PortalConnectCore.dll.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files\7-Zip\Lang\mng2.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\THMBNAIL.PNG.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\ui-strings.js
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\ui-strings.js
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_BadgeLogo.scale-200.png
- File created: C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\ui-strings.js.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.DLL.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\ui-strings.js.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons.png
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\JOURNAL.INF.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\91.jpg
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8794_20x20x32.png
- File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll
- File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Microsoft.CameraApp.Native.winmd
- File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File created: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_1s.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\CoreEngine\Data\3DBrush\brush_bristles.png
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\ui-strings.js
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_2x.png.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\SmallSpiderTile.jpg
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\video_offline_demo_page1_alternate.jpg
- File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLike.Tests.ps1
- File created: C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.boot.tree.dat.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\MedTile.scale-125.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\dk_16x11.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5478_32x32x32.png
- File created: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN075.XML.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.stats.json
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left.gif.id-0A458B4E.[GetDecoding@zimbabwe.su].get
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ru-ru\ui-strings.js
- File opened for modification: C:\Program Files\Common Files\System\Ole DB\sqloledb.dll
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2_20x20x32.png
- File created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn.id-0A458B4E.[GetDecoding@zimbabwe.su].get
Drops file in Windows directory (3 IoCs)
Processes: svchost.exe (the Font Cache service, svchost.exe -k LocalService -s FontCache, writing its own cache files; background activity of the VM rather than an action of the sample)
- File opened for modification: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-S-1-5-21-1985363256-3005190890-1182679451-1000.dat
- File opened for modification: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontFace.dat
- File opened for modification: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-System.dat
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- 2056 vssadmin.exe (child of powershell.exe PID 196: delete shadows /all)
- 2264 vssadmin.exe (child of cmd.exe PID 2332 under winhost.exe: delete shadows /all /quiet)
- 2508 vssadmin.exe (child of cmd.exe PID 260 under winhost.exe: delete shadows /all /quiet)
Modifies data under HKEY_USERS (4 IoCs)
Processes: svchost.exe (the Font Cache service again; S-1-5-19 is LOCAL SERVICE, and the keys are the service's own configuration)
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\FontCache
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider
- Set value (str): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\BaseUri = "https://fs.microsoft.com/fs/windows/fonts"
- Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\ConfigExpiration = "132601922594810124"
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (64 hits, repeated across three processes):
- 188 powershell.exe
- 196 powershell.exe
- 1012 winhost.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
Processes and the privileges each enabled, in log order:
- 188 powershell.exe: SeDebugPrivilege, later SeIncBasePriorityPrivilege
- 196 powershell.exe: SeDebugPrivilege
- 2292 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 3208 powershell.exe: SeDebugPrivilege, then 26 further enables alternating between SeBackupPrivilege and SeSecurityPrivilege
- 1308 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Suspicious use of WriteProcessMemory (43 IoCs)
Parent -> child pairs recorded (each pair appears two or three times in the raw log; de-duplicated here, in log order):
- 640 dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe -> 188 powershell.exe
- 188 powershell.exe -> 3844 csc.exe
- 3844 csc.exe -> 3984 cvtres.exe
- 188 powershell.exe -> 196 powershell.exe
- 188 powershell.exe -> 3988 NS2.exe
- 188 powershell.exe -> 1012 winhost.exe
- 1012 winhost.exe -> 2332 cmd.exe
- 2332 cmd.exe -> 3912 mode.com
- 196 powershell.exe -> 2056 vssadmin.exe
- 2332 cmd.exe -> 2264 vssadmin.exe
- 3988 NS2.exe -> 2584 cmd.exe
- 196 powershell.exe -> 3208 powershell.exe
- 1012 winhost.exe -> 260 cmd.exe
- 1012 winhost.exe -> 204 mshta.exe
- 1012 winhost.exe -> 3872 mshta.exe
- 260 cmd.exe -> 1532 mode.com
- 260 cmd.exe -> 2508 vssadmin.exe
Processes
Process tree of the run (indentation is parent/child depth; PIDs are taken from the WriteProcessMemory and AdjustPrivilegeToken tables above; each entry shows the image loaded on disk, then its command line, then the signatures that fired on it).

- C:\Users\Admin\AppData\Local\Temp\dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe (PID 640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 188)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -noLogo -noProfile -File takeaway.ps1 winhost
    The command line names System32 but the image loaded is the 32-bit copy under SysWOW64: the dropper is a 32-bit process, so WoW64 file-system redirection resolved the path for it. A rule that matches only the command-line path misses this. The script argument "winhost" matches the base name of the payload this process later starts.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 3844)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5q3ruqys\5q3ruqys.cmdline"
      This is the C# compiler invocation PowerShell's Add-Type produces; its output is the 5q3ruqys.dll listed under Downloads.
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 3984)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74F7.tmp" "c:\Users\Admin\AppData\Local\Temp\5q3ruqys\CSCE41A1056887A4B30B78BE0D347B207D.TMP"
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 196)
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File purgeMemory.ps1
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe (PID 2056)
        Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all
        - Interacts with shadow copies
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3208)
        Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        This is the server-mode invocation that Start-Job uses for a background job.
        - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\NS2.exe (PID 3988)
      Command line: "C:\Users\Admin\AppData\Local\Temp\NS2.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 2584)
        Command line: C:\Windows\system32\cmd.exe /c cls
    - C:\Users\Admin\AppData\Local\Temp\winhost.exe (PID 1012)
      Command line: "C:\Users\Admin\AppData\Local\Temp\winhost.exe"
      - Executes dropped EXE
      - Modifies extensions of user files
      - Deletes itself
      - Drops startup file
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behav ior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (PID 2332)
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\mode.com (PID 3912)
          Command line: mode con cp select=1251
          Switches the console to code page 1251 (Windows Cyrillic) before the next command.
        - C:\Windows\system32\vssadmin.exe (PID 2264)
          Command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
      - C:\Windows\system32\cmd.exe (PID 260)
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\mode.com (PID 1532)
          Command line: mode con cp select=1251
        - C:\Windows\system32\vssadmin.exe (PID 2508)
          Command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
      - C:\Windows\System32\mshta.exe
        Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      - C:\Windows\System32\mshta.exe
        Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
        (the two mshta.exe instances are PIDs 204 and 3872; they display the ransom note)
- C:\Windows\system32\vssvc.exe (PID 2292)
  Command line: C:\Windows\system32\vssvc.exe
  The Volume Shadow Copy service, started to serve the vssadmin requests.
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 1308)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -s FontCache
  The Font Cache service; its file and registry activity is background noise of the VM.
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
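Detection logic for the chains in the tree above, added as an example and not part of the report. It runs over constructed Sysmon-style process-creation events (pid, ppid, image, cmdline) built from the report's process tree; the explorer.exe parent PID 4321 and the benign "vssadmin list shadows" control are assumptions, as are the rule names. The image path is normalised so that the 32-bit vssadmin.exe run under SysWOW64 by PID 196 matches the same rule as the 64-bit one run by winhost.exe's cmd.exe.

```python
from collections import defaultdict


def normalize_image(path: str) -> str:
    """Lower-case the path and fold SysWOW64 onto System32, so a rule written for the
    System32 path also matches the 32-bit image that WoW64 redirection actually loaded."""
    return path.lower().replace("\\syswow64\\", "\\system32\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rpartition("\\")[2].lower()


class ProcessTree:
    def __init__(self, events):
        self.by_pid = {e["pid"]: e for e in events}
        self.children = defaultdict(list)
        for e in events:
            self.children[e["ppid"]].append(e)

    def chain(self, pid: int) -> str:
        """Image names from the root of the recorded tree down to pid."""
        names, seen = [], set()
        while pid in self.by_pid and pid not in seen:
            seen.add(pid)
            names.append(basename(self.by_pid[pid]["image"]))
            pid = self.by_pid[pid]["ppid"]
        return " > ".join(reversed(names))


def detect(events):
    """Return (rule, pid, ancestry chain) for every event that matches a rule."""
    tree, hits = ProcessTree(events), []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"].lower()
        parent = tree.by_pid.get(e["ppid"], {"image": "", "cmdline": ""})
        pimg, pcmd = basename(parent["image"]), parent["cmdline"].lower()
        kids = tree.children[e["pid"]]
        # Rule 1: shadow-copy deletion by vssadmin, whichever architecture of the binary ran.
        if (normalize_image(e["image"]).endswith("\\windows\\system32\\vssadmin.exe")
                and "delete" in cmd and "shadows" in cmd):
            hits.append(("vssadmin_delete_shadows", e["pid"], tree.chain(e["pid"])))
        # Rule 2: the cmd.exe pattern in the tree: switch to code page 1251, then vssadmin.
        if img == "cmd.exe":
            cp1251 = any(basename(k["image"]) == "mode.com" and "cp select=1251" in k["cmdline"].lower()
                         for k in kids)
            vss = any(basename(k["image"]) == "vssadmin.exe" and "delete shadows" in k["cmdline"].lower()
                      for k in kids)
            if cp1251 and vss:
                hits.append(("codepage_1251_then_vssadmin", e["pid"], tree.chain(e["pid"])))
        # Rule 3: an EXE started out of %TEMP% by a PowerShell launched with -ExecutionPolicy Bypass.
        if (pimg == "powershell.exe" and "-executionpolicy bypass" in pcmd
                and img.endswith(".exe") and "\\appdata\\local\\temp\\" in e["image"].lower()):
            hits.append(("bypass_powershell_runs_temp_exe", e["pid"], tree.chain(e["pid"])))
        # Rule 4: mshta.exe rendering an .hta that sits in a Startup folder.
        if img == "mshta.exe" and "\\start menu\\programs\\startup\\" in cmd and ".hta" in cmd:
            hits.append(("mshta_hta_from_startup", e["pid"], tree.chain(e["pid"])))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
# Constructed from the process tree in this report; PID 4321 (explorer.exe) is an assumed parent.
EVENTS = [
    {"pid": 640, "ppid": 4321, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 188, "ppid": 640, "image": PS32, "cmdline":
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -noLogo -noProfile -File takeaway.ps1 winhost'},
    {"pid": 196, "ppid": 188, "image": PS32, "cmdline": f'"{PS32}" -ExecutionPolicy Bypass -File purgeMemory.ps1'},
    {"pid": 2056, "ppid": 196, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": r'"C:\Windows\system32\vssadmin.exe" delete shadows /all'},
    {"pid": 3988, "ppid": 188, "image": r"C:\Users\Admin\AppData\Local\Temp\NS2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\NS2.exe"'},
    {"pid": 2584, "ppid": 3988, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"C:\Windows\system32\cmd.exe /c cls"},
    {"pid": 1012, "ppid": 188, "image": r"C:\Users\Admin\AppData\Local\Temp\winhost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\winhost.exe"'},
    {"pid": 2332, "ppid": 1012, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 3912, "ppid": 2332, "image": r"C:\Windows\system32\mode.com", "cmdline": "mode con cp select=1251"},
    {"pid": 2264, "ppid": 2332, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 204, "ppid": 1012, "image": r"C:\Windows\System32\mshta.exe", "cmdline":
     r'"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"'},
    # Benign control (constructed): an administrator listing shadow copies from a prompt.
    {"pid": 5000, "ppid": 4321, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for rule, pid, chain in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {chain}")
```

Rule 1 on its own is the high-confidence alert (two hits here); rules 2 to 4 add the context that distinguishes this run from an administrator's vssadmin use, and the ancestry chain in each hit is what an analyst pivots on to find the dropper.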
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5 962418b7a9d994c8c4a535bc49a2d349
SHA1 a398b9f24cea070ea1917e4aaa3d99be4ed4fe70
SHA256 69dd336d94cce517632c9f1f7432c5d24d03d4d2f4e5fce45056d4e64a2f2d8f
SHA512 8ee4d0e6064dd7dbdb0b9ee5c85113a3960e7f86888f9d41e54f985bd7420a903b2848d94c85301e50f0804d0b1581a4b36af89998c683a2eb8b660074183cc2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5 a1bc63feab712c2486f1aa40b551818c
SHA1 1ecda30d5f5f3bcfdf94785629b5a65265b73ee5
SHA256 9fd47d7d1a98ef6ccdadbfa9d63a909363655b9cee08a1a513bfecad3029f48f
SHA512 001b75aad5261795ff57169d571c4d020c891536e33ed7ebc3128a1682d30828d666513e50fa10bd497094ae8f51128ed7191f05aa9e32a0294da0ed36ae7a9a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\5q3ruqys\5q3ruqys.dll
MD5 7be575c48e33ec0b07550b71221a5cfa
SHA1 c5ff1b2b30fa35b2aab202b48e590dcf85ba0287
SHA256 67aea155121d8eae80fc16b17801732ab99f65f65dd835f45ce39cae6ba17bf1
SHA512 4a1c6e8f14eced589a893717d30837f43bc56fc5332cf14231426496f86246fd92fb6539279beb98ca839d428204f64715d78dbe73d7dca191dc0bbc6dbf870e
-
C:\Users\Admin\AppData\Local\Temp\NS2.exe
MD5 597de376b1f80c06d501415dd973dcec
SHA1 629c9649ced38fd815124221b80c9d9c59a85e74
SHA256 f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446
SHA512 072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b
-
C:\Users\Admin\AppData\Local\Temp\RES74F7.tmp
MD5 b34c566a009efc9f1f890c0fb3fd6b62
SHA1 5a883b16cc16ed4531554dfc90e82810bb4af9f7
SHA256 67cddd999add1e57fe095c4028fba5e1d9bd257b897c9e134d3f33a6bed28788
SHA512 29ca18b7912119a1741648644d4378ff9d24cb621a0a5ec1611754377c48d46f200fcb5724b55153013a908801f88fc92258ea480188c246a40c9bfebf75591f
-
C:\Users\Admin\AppData\Local\Temp\purgeMemory.ps1
MD5 31e22820cba11f6c7670854ed65f09ed
SHA1 9ab447c539234e75b56b3e180f3541580ffa0cea
SHA256 6a808299703119635c68fcadb14b7301775b49eb5948aeb319b6728f1686f035
SHA512 fbc97b21f9627687070edf9727f68062e8d5d71447497a0a0bd63bbe2ea3b0e753849226cb4cd9688f838e103e348dc070dc8360937e2662ff23291c4b2910fe
-
C:\Users\Admin\AppData\Local\Temp\takeaway.ps1
MD5 08c0963ddf483e5c233026380de1b6d0
SHA1 1e3a06d038a48c76a6ad0c400cf145109e7179b7
SHA256 488590a74e0ab3e1a8942146d3b0f1ce1c0a0841fede177406635bb68cc7ba59
SHA512 a73d58c5881468d504dc67b6ff1830d2147394717ef3ed8dd8489ae060d1d3a12eac7c500d7d5f0f915e6497a19f43c08ada089f5b9855f34a99898fc772317f
-
C:\Users\Admin\AppData\Local\Temp\winhost.exe
MD5 c24f6144e905b717a372c529d969611e
SHA1 0a297e9e5c807c06ad10f4f746f4f9e256df6743
SHA256 94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6
SHA512 f0b883f54808a5e669fdd7a41a3899d302edb8c4e6160ea88ec8cb25783d56c39a815b922b17ed133610f1dc3bc515eba63410d381d0e65e0998e2b752b0874f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5 76966bf51067f84cffd1c38362fba489
SHA1 0f9da407f993054582613d31d881f45524727721
SHA256 c01310d8fc80c08e0b7cebd36605f5cb228d0d3aef3153201676e0eabbca4621
SHA512 b3e132173bbc08efedc9d279ae76a814290eaf3b21b7c3bfca8620e7d5e2612c86e496c752bfc43ca7d9a5641c72bd2991f04fe46eb8460f4cf5b3146ee5ce33
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5 962418b7a9d994c8c4a535bc49a2d349
SHA1 a398b9f24cea070ea1917e4aaa3d99be4ed4fe70
SHA256 69dd336d94cce517632c9f1f7432c5d24d03d4d2f4e5fce45056d4e64a2f2d8f
SHA512 8ee4d0e6064dd7dbdb0b9ee5c85113a3960e7f86888f9d41e54f985bd7420a903b2848d94c85301e50f0804d0b1581a4b36af89998c683a2eb8b660074183cc2
-
\??\c:\Users\Admin\AppData\Local\Temp\5q3ruqys\5q3ruqys.0.cs
MD5 9c478287d8b4ad6cd34ac20bdac9577c
SHA1 73965974950d1be20682abc2f716e5070f2c7097
SHA256 8bb1e373d78c7c750ac20b5b0ec3dfcd1e8e74ca8d6accde1e02aa2c205c776f
SHA512 b0c435e194b5a72c50ddccf2bc84d178e5e1872f4ed3f630a661d187f77f4eb095a08303e4d243c45384a84b717fd2d5c76c5c4274cade5ad1a09dcdcd4ca6a2
-
\??\c:\Users\Admin\AppData\Local\Temp\5q3ruqys\5q3ruqys.cmdline
MD5 df457047995cc0ecc31eb5579b1b3d9a
SHA1 49c91dc108eaf9f3c4c4c9fd12067b1e4bb84577
SHA256 7d0d203114f29d785b135b33b4ef49dceb699889eaf3f0acd07acbea8a97275d
SHA512 bb53cd83c9af17d1b44941205e5bca1afb6b0377e051e24febda186e177ad8c0f598f223a912bdeba17916dd1fa130f198c35b71159920d833e35ececbce8dac
-
\??\c:\Users\Admin\AppData\Local\Temp\5q3ruqys\CSCE41A1056887A4B30B78BE0D347B207D.TMP
MD5 43f98d5f821e92fb05338075c1ffc8bc
SHA1 e93ea52b42ad862579913a388e37e0964a21390e
SHA256 60f37b4f4be790006832291397cfd00a0743900a0b7565d6834b12e98327f03e
SHA512 884a4f7240bce6b5290e7867854cb9936c66ab1d4bbf55fd7895cc482e0d563c1b5a92eb52cc0cca7342910c9656d5287ec85c516623855fd365072fde1855a2
-
memory/188-13-0x0000000007D40000-0x0000000007D41000-memory.dmp (Filesize 4KB)
-
memory/188-9-0x0000000007400000-0x0000000007401000-memory.dmp (Filesize 4KB)
-
memory/188-17-0x0000000009C40000-0x0000000009C41000-memory.dmp (Filesize 4KB)
-
memory/188-15-0x00000000084D0000-0x00000000084D1000-memory.dmp (Filesize 4KB)
-
memory/188-14-0x00000000086F0000-0x00000000086F1000-memory.dmp (Filesize 4KB)
-
memory/188-12-0x0000000007DE0000-0x0000000007DE1000-memory.dmp (Filesize 4KB)
-
memory/188-26-0x0000000007040000-0x0000000007041000-memory.dmp (Filesize 4KB)
-
memory/188-27-0x00000000095C0000-0x00000000095C1000-memory.dmp (Filesize 4KB)
-
memory/188-28-0x00000000094F0000-0x00000000094F1000-memory.dmp (Filesize 4KB)
-
memory/188-29-0x000000000A2C0000-0x000000000A2C1000-memory.dmp (Filesize 4KB)
-
memory/188-11-0x0000000007BD0000-0x0000000007BD1000-memory.dmp (Filesize 4KB)
-
memory/188-10-0x0000000007CB0000-0x0000000007CB1000-memory.dmp (Filesize 4KB)
-
memory/188-33-0x0000000009AA0000-0x0000000009AD3000-memory.dmp (Filesize 204KB)
-
memory/188-18-0x00000000091F0000-0x00000000091F1000-memory.dmp (Filesize 4KB)
-
memory/188-44-0x0000000009A80000-0x0000000009A81000-memory.dmp (Filesize 4KB)
-
memory/188-45-0x0000000009AE0000-0x0000000009AE1000-memory.dmp (Filesize 4KB)
-
memory/188-8-0x0000000004AE2000-0x0000000004AE3000-memory.dmp (Filesize 4KB)
-
memory/188-7-0x00000000075A0000-0x00000000075A1000-memory.dmp (Filesize 4KB)
-
memory/188-49-0x000000007FBB0000-0x000000007FBB1000-memory.dmp (Filesize 4KB)
-
memory/188-56-0x0000000004AE3000-0x0000000004AE4000-memory.dmp (Filesize 4KB)
-
memory/188-6-0x0000000004AE0000-0x0000000004AE1000-memory.dmp (Filesize 4KB)
-
memory/188-60-0x000000000A7C0000-0x000000000A7C1000-memory.dmp (Filesize 4KB)
-
memory/188-62-0x0000000009C20000-0x0000000009C21000-memory.dmp (Filesize 4KB)
-
memory/188-5-0x0000000004B30000-0x0000000004B31000-memory.dmp (Filesize 4KB)
-
memory/188-4-0x0000000073650000-0x0000000073D3E000-memory.dmp (Filesize 6.9MB)
-
memory/188-3-0x0000000000000000-mapping.dmp
-
memory/196-51-0x0000000005650000-0x0000000005651000-memory.dmp (Filesize 4KB)
-
memory/196-52-0x0000000005652000-0x0000000005653000-memory.dmp (Filesize 4KB)
-
memory/196-40-0x0000000073650000-0x0000000073D3E000-memory.dmp (Filesize 6.9MB)
-
memory/196-30-0x0000000000000000-mapping.dmp
-
memory/196-81-0x0000000005654000-0x0000000005656000-memory.dmp (Filesize 8KB)
-
memory/196-78-0x0000000009DF0000-0x0000000009DF1000-memory.dmp (Filesize 4KB)
-
memory/196-79-0x0000000005653000-0x0000000005654000-memory.dmp (Filesize 4KB)
-
memory/204-103-0x0000000000000000-mapping.dmp
-
memory/260-102-0x0000000000000000-mapping.dmp
-
memory/640-2-0x00000000026F0000-0x00000000026F1000-memory.dmp (Filesize 4KB)
-
memory/1012-71-0x0000000000000000-mapping.dmp
-
memory/1532-105-0x0000000000000000-mapping.dmp
-
memory/2056-75-0x0000000000000000-mapping.dmp
-
memory/2264-76-0x0000000000000000-mapping.dmp
-
memory/2332-73-0x0000000000000000-mapping.dmp
-
memory/2508-106-0x0000000000000000-mapping.dmp
-
memory/2584-77-0x0000000000000000-mapping.dmp
-
memory/3208-86-0x0000000006982000-0x0000000006983000-memory.dmp (Filesize 4KB)
-
memory/3208-83-0x0000000006980000-0x0000000006981000-memory.dmp (Filesize 4KB)
-
memory/3208-82-0x0000000073650000-0x0000000073D3E000-memory.dmp (Filesize 6.9MB)
-
memory/3208-80-0x0000000000000000-mapping.dmp
-
memory/3844-19-0x0000000000000000-mapping.dmp
-
memory/3872-104-0x0000000000000000-mapping.dmp
-
memory/3912-74-0x0000000000000000-mapping.dmp
-
memory/3984-22-0x0000000000000000-mapping.dmp
-
memory/3988-68-0x0000000000000000-mapping.dmp