Analysis
- max time kernel: 143s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 15-05-2021 12:20
- Static task: static1
- Behavioral task: behavioral1
- Sample: ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe
- Resource: win7v20210408
General
- Target: ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe
- Size: 1.2MB
- MD5: 11367c0c2fa926fafd1b72ae2cdb5c6c
- SHA1: 23a9dc526e54a5b88470aa0b228e6b58b916fe47
- SHA256: ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915
- SHA512: 034abd8024b66bd504e6f2771cc5c29c8fc45ff2a19678777bb9e1b267cecdb5652119475bd5a3ea97259406cf59c84347012919121a248dc9aa4aa7fe71a12e
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes: ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe:*:enabled:@shell32.dll,-1" | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe
-
Executes dropped EXE 2 IoCs
Processes: ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exe, DesktopLayer.exe
pid | process
1536 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exe
1796 | DesktopLayer.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exe | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
C:\Users\Admin\AppData\Local\Temp\ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exe | upx
behavioral2/memory/1536-123-0x0000000000400000-0x000000000042E000-memory.dmp | upx
-
Drops file in Program Files directory 3 IoCs
Processes: ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft\px25CD.tmp | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exe
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exe
File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exe
-
Drops file in Windows directory 1 IoCs
Processes: ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe
description | ioc | process
File opened for modification | C:\Windows\ftpcache\ | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe
-
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
All keys below are under \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer; the ioc column gives the path relative to that key.
description | ioc | process
Key created | DomainSuggestion\FileNames | iexplore.exe
Set value (data) | FlipAhead\Meta\generator$WordPress | iexplore.exe
Key created | HistoryJournalCertificate | iexplore.exe
Key created | VersionManager | IEXPLORE.EXE
Set value (int) | VersionManager\LastCheckForUpdateHighDateTime = "30886337" | IEXPLORE.EXE
Set value (int) | VersionManager\LastCheckForUpdateLowDateTime = "424484565" | IEXPLORE.EXE
Key created | VersionManager | iexplore.exe
Set value (int) | VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (int) | VersionManager\LastUpdateLowDateTime = "416827600" | iexplore.exe
Set value (int) | VersionManager\LastCheckForUpdateHighDateTime = "30886337" | iexplore.exe
Set value (data) | FlipAhead\Meta\generator$MediaWiki | iexplore.exe
Set value (data) | FlipAhead\Meta\generator$Telligent | iexplore.exe
Set value (data) | FlipAhead\Meta\generator$vBulletin 3 | iexplore.exe
Set value (data) | FlipAhead\Meta\generator$vBulletin 4 | iexplore.exe
Key created | Main | iexplore.exe
Key created | Main | IEXPLORE.EXE
Set value (int) | FlipAhead\NextUpdateDate = "327920703" | iexplore.exe
Set value (int) | HistoryJournalCertificate\NextUpdateDate = "327888711" | iexplore.exe
Set value (str) | Main\FullScreen = "no" | iexplore.exe
Key created | DomainSuggestion\FileNames\ | iexplore.exe
Key created | Main\WindowsSearch | iexplore.exe
Set value (data) | FlipAhead\Meta\generator$Discuz! | iexplore.exe
Set value (data) | FlipAhead\Meta\generator$http://www.typepad.com/ | iexplore.exe
Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
Key created | Recovery\AdminActive | iexplore.exe
Set value (int) | VersionManager\LastUpdateHighDateTime = "30886337" | iexplore.exe
Set value (int) | VersionManager\LastCheckForUpdateLowDateTime = "416827600" | iexplore.exe
Key created | DomainSuggestion | iexplore.exe
Set value (str) | DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (int) | FlipAhead\FileVersion = "2016061511" | iexplore.exe
Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | FlipAhead | iexplore.exe
Set value (data) | FlipAhead\Meta\generator$blogger | iexplore.exe
Key created | Recovery\PendingRecovery | iexplore.exe
Set value (int) | DomainSuggestion\NextUpdateDate = "327872118" | iexplore.exe
Set value (int) | VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Key created | FlipAhead\Meta | iexplore.exe
Set value (int) | Recovery\AdminActive\{443F7E6D-B5B4-11EB-A11C-CE9B817779E4} = "0" | iexplore.exe
Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe, DesktopLayer.exe
pid | process
3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe (2 entries)
1796 | DesktopLayer.exe (8 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: iexplore.exe
pid | process
2812 | iexplore.exe
-
Suspicious behavior: MapViewOfSection 61 IoCs
Processes: ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe
pid | process
3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe (the same entry is repeated for every one of the 61 IoCs)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe
description | pid | process
Token: SeDebugPrivilege | 3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes: ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe, iexplore.exe
pid | process
3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe (5 entries)
2812 | iexplore.exe (1 entry)
-
Suspicious use of SendNotifyMessage 5 IoCs
Processes: ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe
pid | process
3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe (5 entries)
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: iexplore.exe, ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe, IEXPLORE.EXE
pid | process
2812 | iexplore.exe (2 entries)
3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe (1 entry)
3944 | IEXPLORE.EXE (4 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe, ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exe
description | pid | process | target process | entries
PID 3724 wrote to memory of 1536 | 3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exe | 3
PID 3724 wrote to memory of 552 | 3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe | winlogon.exe | 6
PID 3724 wrote to memory of 632 | 3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe | lsass.exe | 6
PID 3724 wrote to memory of 716 | 3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe | fontdrvhost.exe | 6
PID 1536 wrote to memory of 1796 | 1536 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exe | DesktopLayer.exe | 3
PID 3724 wrote to memory of 720 | 3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe | fontdrvhost.exe | 6
PID 3724 wrote to memory of 736 | 3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe | svchost.exe | 6
PID 3724 wrote to memory of 804 | 3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe | svchost.exe | 6
PID 3724 wrote to memory of 856 | 3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe | svchost.exe | 6
PID 3724 wrote to memory of 896 | 3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe | svchost.exe | 6
PID 3724 wrote to memory of 984 | 3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe | dwm.exe | 6
PID 3724 wrote to memory of 348 | 3724 | ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe | svchost.exe | 4
Processes
(tree depth is shown by indentation and as "level N"; the signatures line lists the behavioral signatures attributed to that process)
- C:\Windows\system32\lsass.exe (level 1)
  command line: C:\Windows\system32\lsass.exe
- C:\Windows\system32\winlogon.exe (level 1)
  command line: winlogon.exe
  - C:\Windows\system32\fontdrvhost.exe (level 2)
    command line: "fontdrvhost.exe"
  - C:\Windows\system32\dwm.exe (level 2)
    command line: "dwm.exe"
- C:\Windows\system32\fontdrvhost.exe (level 1)
  command line: "fontdrvhost.exe"
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k rpcss
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
- C:\Windows\Explorer.EXE (level 1)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe"
    signatures: Modifies firewall policy service; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exe (level 3)
      command line: C:\Users\Admin\AppData\Local\Temp\ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exe
      signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\DesktopLayer.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
        - C:\Program Files\Internet Explorer\iexplore.exe (level 5)
          command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          signatures: Modifies Internet Explorer settings; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (level 6)
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2812 CREDAT:82945 /prefetch:2
            signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- c:\windows\system32\taskhostw.exe (level 1)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s WpnService
- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe (level 1)
  command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
  - C:\Windows\system32\wbem\WMIADAP.EXE (level 2)
    command line: wmiadap.exe /F /T /R
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
- C:\Windows\system32\DllHost.exe (level 1)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k localservice -s CDPSvc
- C:\Windows\system32\DllHost.exe (level 1)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\wbem\wmiprvse.exe (level 1)
  command line: C:\Windows\system32\wbem\wmiprvse.exe
- C:\Windows\System32\RuntimeBroker.exe (level 1)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe (level 1)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (level 1)
  command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s Browser
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- c:\windows\system32\sihost.exe (level 1)
  command line: sihost.exe
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
- C:\Windows\system32\AUDIODG.EXE (level 1)
  command line: C:\Windows\system32\AUDIODG.EXE 0x3c4
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
- C:\Windows\System32\spoolsv.exe (level 1)
  command line: C:\Windows\System32\spoolsv.exe
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k appmodel -s StateRepository
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
- C:\Windows\system32\svchost.exe (level 1)
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
- C:\Windows\System32\svchost.exe (level 1)
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k localservice -s netprofm
- C:\Windows\System32\svchost.exe (level 1)
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k networkservice -s Dnscache
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k localservice -s FontCache
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s SENS
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k localservice -s nsi
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s UserManager
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s Themes
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k localservice -s EventSystem
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
- C:\Windows\system32\svchost.exe (level 1)
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s Schedule
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
- c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
- C:\Windows\system32\svchost.exe (level 1)
  command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  - C:\Windows\system32\wbem\wmiprvse.exe (level 2)
    command line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
- \??\c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
- C:\Windows\system32\svchost.exe (level 1)
  command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
- \??\c:\windows\system32\svchost.exe (level 1)
  command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads