Overview
overview
10Static
static
51b94ce5e3f...bd.exe
windows7_x64
101b94ce5e3f...bd.exe
windows10_x64
103be0e1472a...c1.exe
windows7_x64
103be0e1472a...c1.exe
windows10_x64
104f9036848d...2c.exe
windows7_x64
104f9036848d...2c.exe
windows10_x64
10d33647e9d0...5a.exe
windows7_x64
10d33647e9d0...5a.exe
windows10_x64
10Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
01-06-2021 13:20
Static task
static1
Behavioral task
behavioral1
Sample
1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd.exe
Resource
win10v20210408
Behavioral task
behavioral3
Sample
3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1.exe
Resource
win7v20210408
Behavioral task
behavioral4
Sample
3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1.exe
Resource
win10v20210410
Behavioral task
behavioral5
Sample
4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe
Resource
win7v20210408
Behavioral task
behavioral6
Sample
4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe
Resource
win10v20210410
Behavioral task
behavioral7
Sample
d33647e9d09ffe352d2d6c6db4d48c11f2c04c4aab3deb0fd4c48a65cb47385a.exe
Resource
win7v20210408
General
-
Target
4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe
-
Size
3.8MB
-
MD5
9094886e98dfabe1e5ad8489e08069e2
-
SHA1
69120139b6195741210d89e963538014190bfa8e
-
SHA256
4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c
-
SHA512
ccef13646bceaf423db355743b0213d834520ea5091fe46acc95deb794b59695703161a782a7cf24707cdfa28696333f2218202a9bec7c351d34686cce67f337
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe -
Blocklisted process makes network request 6 IoCs
Processes:
WScript.exeflow pid process 9 420 WScript.exe 34 420 WScript.exe 36 420 WScript.exe 40 420 WScript.exe 43 420 WScript.exe 44 420 WScript.exe -
Drops file in Drivers directory 1 IoCs
Processes:
cmd.exedescription ioc process File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe -
Executes dropped EXE 8 IoCs
Processes:
amtemu.exekey.exeMicrosoft.VisualStudio.Package.LanguageService.11.0.exedata.datbb.exebb.exeputtty.exeereds.exepid process 1784 amtemu.exe 3844 key.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2812 data.dat 4248 bb.exe 4296 bb.exe 4440 puttty.exe 4692 ereds.exe -
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Drops startup file 2 IoCs
Processes:
WScript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AcrobatDC.js WScript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AcrobatDC.js WScript.exe -
Loads dropped DLL 1 IoCs
Processes:
data.datpid process 2812 data.dat -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
explorer.exedata.datdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\koa35m5o79g7e.exe" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\koa35m5o79g7e.exe\"" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run data.dat Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\koa35m5o79g7e.exe\"" data.dat -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
data.datputtty.execmd.exeereds.exekey.execmd.exebb.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA data.dat Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA puttty.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ereds.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA key.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bb.exe -
Maps connected drives based on registry 3 TTPs 16 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
data.datdw20.exekey.exeereds.execmd.exeputtty.execmd.exedw20.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 data.dat Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum dw20.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 key.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum ereds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum cmd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum data.dat Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum puttty.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum cmd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 cmd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 ereds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 dw20.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 puttty.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 dw20.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum key.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum dw20.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs
Processes:
bb.exeexplorer.exedata.datputtty.exeereds.exedw20.exekey.execmd.exedw20.exepid process 4296 bb.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 2812 data.dat 2812 data.dat 2812 data.dat 2812 data.dat 4440 puttty.exe 4440 puttty.exe 4440 puttty.exe 4440 puttty.exe 4368 explorer.exe 4368 explorer.exe 4692 ereds.exe 4692 ereds.exe 4692 ereds.exe 4692 ereds.exe 4832 dw20.exe 4832 dw20.exe 4832 dw20.exe 4832 dw20.exe 3844 key.exe 2192 cmd.exe 3844 key.exe 3844 key.exe 3844 key.exe 2192 cmd.exe 2192 cmd.exe 2192 cmd.exe 1296 dw20.exe 1296 dw20.exe 1296 dw20.exe 1296 dw20.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
bb.exedescription pid process target process PID 4248 set thread context of 4296 4248 bb.exe bb.exe -
Drops file in Windows directory 4 IoCs
Processes:
4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exedescription ioc process File opened for modification C:\Windows\AcrobatDC.js 4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe File created C:\Windows\amtemu.exe 4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe File opened for modification C:\Windows\amtemu.exe 4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe File created C:\Windows\AcrobatDC.js 4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
bb.exeexplorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 bb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString bb.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 4 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exepid process 1296 timeout.exe 3400 timeout.exe 4264 timeout.exe 4456 timeout.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Modifies registry class 1 IoCs
Processes:
4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings 4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe -
Suspicious behavior: EnumeratesProcesses 55 IoCs
Processes:
Microsoft.VisualStudio.Package.LanguageService.11.0.exedata.datexplorer.exedw20.exedw20.exepid process 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 2812 data.dat 2812 data.dat 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 4368 explorer.exe 4368 explorer.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 4368 explorer.exe 4368 explorer.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe 4832 dw20.exe 4832 dw20.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 1296 dw20.exe 1296 dw20.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe -
Suspicious behavior: MapViewOfSection 13 IoCs
Processes:
bb.exeexplorer.exepid process 4296 bb.exe 4296 bb.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe 4368 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Microsoft.VisualStudio.Package.LanguageService.11.0.exewmic.exebb.exeexplorer.exedescription pid process Token: SeDebugPrivilege 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe Token: SeIncreaseQuotaPrivilege 812 wmic.exe Token: SeSecurityPrivilege 812 wmic.exe Token: SeTakeOwnershipPrivilege 812 wmic.exe Token: SeLoadDriverPrivilege 812 wmic.exe Token: SeSystemProfilePrivilege 812 wmic.exe Token: SeSystemtimePrivilege 812 wmic.exe Token: SeProfSingleProcessPrivilege 812 wmic.exe Token: SeIncBasePriorityPrivilege 812 wmic.exe Token: SeCreatePagefilePrivilege 812 wmic.exe Token: SeBackupPrivilege 812 wmic.exe Token: SeRestorePrivilege 812 wmic.exe Token: SeShutdownPrivilege 812 wmic.exe Token: SeDebugPrivilege 812 wmic.exe Token: SeSystemEnvironmentPrivilege 812 wmic.exe Token: SeRemoteShutdownPrivilege 812 wmic.exe Token: SeUndockPrivilege 812 wmic.exe Token: SeManageVolumePrivilege 812 wmic.exe Token: 33 812 wmic.exe Token: 34 812 wmic.exe Token: 35 812 wmic.exe Token: 36 812 wmic.exe Token: SeIncreaseQuotaPrivilege 812 wmic.exe Token: SeSecurityPrivilege 812 wmic.exe Token: SeTakeOwnershipPrivilege 812 wmic.exe Token: SeLoadDriverPrivilege 812 wmic.exe Token: SeSystemProfilePrivilege 812 wmic.exe Token: SeSystemtimePrivilege 812 wmic.exe Token: SeProfSingleProcessPrivilege 812 wmic.exe Token: SeIncBasePriorityPrivilege 812 wmic.exe Token: SeCreatePagefilePrivilege 812 wmic.exe Token: SeBackupPrivilege 812 wmic.exe Token: SeRestorePrivilege 812 wmic.exe Token: SeShutdownPrivilege 812 wmic.exe Token: SeDebugPrivilege 812 wmic.exe Token: SeSystemEnvironmentPrivilege 812 wmic.exe Token: SeRemoteShutdownPrivilege 812 wmic.exe Token: SeUndockPrivilege 812 wmic.exe Token: SeManageVolumePrivilege 812 wmic.exe Token: 33 812 wmic.exe Token: 34 812 wmic.exe Token: 35 812 wmic.exe Token: 36 812 wmic.exe Token: SeDebugPrivilege 4296 bb.exe Token: SeRestorePrivilege 4296 bb.exe Token: SeBackupPrivilege 4296 bb.exe Token: SeLoadDriverPrivilege 4296 bb.exe Token: SeCreatePagefilePrivilege 4296 bb.exe Token: SeShutdownPrivilege 4296 bb.exe Token: SeTakeOwnershipPrivilege 4296 bb.exe Token: SeChangeNotifyPrivilege 4296 bb.exe Token: SeCreateTokenPrivilege 4296 bb.exe Token: SeMachineAccountPrivilege 4296 bb.exe Token: SeSecurityPrivilege 4296 bb.exe Token: SeAssignPrimaryTokenPrivilege 4296 bb.exe Token: SeCreateGlobalPrivilege 4296 bb.exe Token: 33 4296 bb.exe Token: SeDebugPrivilege 4368 explorer.exe Token: SeRestorePrivilege 4368 explorer.exe Token: SeBackupPrivilege 4368 explorer.exe Token: SeLoadDriverPrivilege 4368 explorer.exe Token: SeCreatePagefilePrivilege 4368 explorer.exe Token: SeShutdownPrivilege 4368 explorer.exe Token: SeTakeOwnershipPrivilege 4368 explorer.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
data.datpid process 2812 data.dat -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exeWScript.exeamtemu.execmd.exekey.execmd.exeMicrosoft.VisualStudio.Package.LanguageService.11.0.exebb.exebb.exeexplorer.exedescription pid process target process PID 1808 wrote to memory of 420 1808 4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe WScript.exe PID 1808 wrote to memory of 420 1808 4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe WScript.exe PID 1808 wrote to memory of 1784 1808 4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe amtemu.exe PID 1808 wrote to memory of 1784 1808 4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe amtemu.exe PID 1808 wrote to memory of 1784 1808 4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe amtemu.exe PID 420 wrote to memory of 3516 420 WScript.exe schtasks.exe PID 420 wrote to memory of 3516 420 WScript.exe schtasks.exe PID 1784 wrote to memory of 1632 1784 amtemu.exe cmd.exe PID 1784 wrote to memory of 1632 1784 amtemu.exe cmd.exe PID 1784 wrote to memory of 1632 1784 amtemu.exe cmd.exe PID 1632 wrote to memory of 3844 1632 cmd.exe key.exe PID 1632 wrote to memory of 3844 1632 cmd.exe key.exe PID 1632 wrote to memory of 3844 1632 cmd.exe key.exe PID 1632 wrote to memory of 1296 1632 cmd.exe timeout.exe PID 1632 wrote to memory of 1296 1632 cmd.exe timeout.exe PID 1632 wrote to memory of 1296 1632 cmd.exe timeout.exe PID 1632 wrote to memory of 1640 1632 cmd.exe Microsoft.VisualStudio.Package.LanguageService.11.0.exe PID 1632 wrote to memory of 1640 1632 cmd.exe Microsoft.VisualStudio.Package.LanguageService.11.0.exe PID 1632 wrote to memory of 1640 1632 cmd.exe Microsoft.VisualStudio.Package.LanguageService.11.0.exe PID 3844 wrote to memory of 2192 3844 key.exe cmd.exe PID 3844 wrote to memory of 2192 3844 key.exe cmd.exe PID 3844 wrote to memory of 2192 3844 key.exe cmd.exe PID 1632 wrote to memory of 3400 1632 cmd.exe timeout.exe PID 1632 wrote to memory of 3400 1632 cmd.exe timeout.exe PID 1632 wrote to memory of 3400 1632 cmd.exe timeout.exe PID 2192 wrote to memory of 1972 2192 cmd.exe attrib.exe PID 2192 wrote to memory of 1972 2192 cmd.exe attrib.exe PID 2192 wrote to memory of 1972 2192 cmd.exe attrib.exe PID 2192 wrote to memory of 296 2192 cmd.exe find.exe PID 2192 wrote to memory of 296 2192 cmd.exe find.exe PID 2192 wrote to memory of 296 2192 cmd.exe find.exe PID 2192 wrote to memory of 1296 2192 cmd.exe find.exe PID 2192 wrote to memory of 1296 2192 cmd.exe find.exe PID 2192 wrote to memory of 1296 2192 cmd.exe find.exe PID 2192 wrote to memory of 2812 2192 cmd.exe data.dat PID 2192 wrote to memory of 2812 2192 cmd.exe data.dat PID 2192 wrote to memory of 2812 2192 cmd.exe data.dat PID 1640 wrote to memory of 812 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe wmic.exe PID 1640 wrote to memory of 812 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe wmic.exe PID 1640 wrote to memory of 812 1640 Microsoft.VisualStudio.Package.LanguageService.11.0.exe wmic.exe PID 1632 wrote to memory of 4248 1632 cmd.exe bb.exe PID 1632 wrote to memory of 4248 1632 cmd.exe bb.exe PID 1632 wrote to memory of 4248 1632 cmd.exe bb.exe PID 1632 wrote to memory of 4264 1632 cmd.exe timeout.exe PID 1632 wrote to memory of 4264 1632 cmd.exe timeout.exe PID 1632 wrote to memory of 4264 1632 cmd.exe timeout.exe PID 4248 wrote to memory of 4296 4248 bb.exe bb.exe PID 4248 wrote to memory of 4296 4248 bb.exe bb.exe PID 4248 wrote to memory of 4296 4248 bb.exe bb.exe PID 4248 wrote to memory of 4296 4248 bb.exe bb.exe PID 4248 wrote to memory of 4296 4248 bb.exe bb.exe PID 4296 wrote to memory of 4368 4296 bb.exe explorer.exe PID 4296 wrote to memory of 4368 4296 bb.exe explorer.exe PID 4296 wrote to memory of 4368 4296 bb.exe explorer.exe PID 1632 wrote to memory of 4440 1632 cmd.exe puttty.exe PID 1632 wrote to memory of 4440 1632 cmd.exe puttty.exe PID 1632 wrote to memory of 4440 1632 cmd.exe puttty.exe PID 1632 wrote to memory of 4456 1632 cmd.exe timeout.exe PID 1632 wrote to memory of 4456 1632 cmd.exe timeout.exe PID 1632 wrote to memory of 4456 1632 cmd.exe timeout.exe PID 4368 wrote to memory of 1784 4368 explorer.exe amtemu.exe PID 4368 wrote to memory of 1784 4368 explorer.exe amtemu.exe PID 4368 wrote to memory of 1632 4368 explorer.exe cmd.exe PID 4368 wrote to memory of 1632 4368 explorer.exe cmd.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe"C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe"1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\AcrobatDC.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Windows\AcrobatDC.js3⤵
- Creates scheduled task(s)
-
C:\Windows\amtemu.exe"C:\Windows\amtemu.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FB04.tmp\start.bat" C:\Windows\amtemu.exe"3⤵
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\key.exekey.exe4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t7747.bat" "C:\Users\Admin\AppData\Local\Temp\FB04.tmp\key.exe" "5⤵
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\ytmp6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\find.exeFIND /C /I "0.0.0.0 cracksmind.com" C:\Windows\system32\drivers\etc\hosts6⤵
-
C:\Windows\SysWOW64\find.exeFIND /C /I "0.0.0.0 www.cracksmind.com" C:\Windows\system32\drivers\etc\hosts6⤵
-
C:\Users\Admin\AppData\Local\Temp\afolder\data.datC:\Users\Admin\AppData\Local\Temp\afolder/data.dat6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 14⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exeMicrosoft.VisualStudio.Package.LanguageService.11.0.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" os get Caption /format:list5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 24⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 34⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exebb.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe"C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe"5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\puttty.exeputtty.exe4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 23765⤵
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 44⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\ereds.exeereds.exe4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 15365⤵
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exeMD5
89158e00639d9ef6ee9337b4f19e74f4
SHA1dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8
SHA2569f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d
SHA512c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exeMD5
89158e00639d9ef6ee9337b4f19e74f4
SHA1dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8
SHA2569f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d
SHA512c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exeMD5
347d7700eb4a4537df6bb7492ca21702
SHA1983189dab4b523e19f8efd35eee4d7d43d84aca2
SHA256a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
SHA5125efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exeMD5
347d7700eb4a4537df6bb7492ca21702
SHA1983189dab4b523e19f8efd35eee4d7d43d84aca2
SHA256a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
SHA5125efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exeMD5
347d7700eb4a4537df6bb7492ca21702
SHA1983189dab4b523e19f8efd35eee4d7d43d84aca2
SHA256a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
SHA5125efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\ereds.exeMD5
767d99623569552123fb197eead28fca
SHA19f1016e3cce207c6ed707482104ea3ee9034accf
SHA25683340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145
SHA512897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\ereds.exeMD5
767d99623569552123fb197eead28fca
SHA19f1016e3cce207c6ed707482104ea3ee9034accf
SHA25683340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145
SHA512897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\key.exeMD5
4d50c264c22fd1047a8a3bd8b77b3bd1
SHA1007d3a3b116834e1ef181397dde48108a660a380
SHA2562f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45
SHA5128f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\key.exeMD5
4d50c264c22fd1047a8a3bd8b77b3bd1
SHA1007d3a3b116834e1ef181397dde48108a660a380
SHA2562f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45
SHA5128f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\puttty.exeMD5
8a40892abb22c314d13d30923f9b96c8
SHA1ff6807c0e8454101746b57fd8cc22105b6d98100
SHA256ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8
SHA5128a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\puttty.exeMD5
8a40892abb22c314d13d30923f9b96c8
SHA1ff6807c0e8454101746b57fd8cc22105b6d98100
SHA256ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8
SHA5128a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b
-
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\start.batMD5
f96458f7f2a09565f4b715dba1279633
SHA186e808b7a0d46dcce31c2257f694d57f1391da9e
SHA256e44b8c63fd1af7398baf56956f1bb67ee6da398df848451efaef980ad36fbc79
SHA5128da2ce25b5cbf12bb150d7078dbb51423f90039de5bdc05c7d652518af992a6607f989615ae08d710d6f7e37913b9bfc7b5e218d8c530e0aa377dc07c397cd78
-
C:\Users\Admin\AppData\Local\Temp\afolder\data.datMD5
8abdc20f619641e29aa9ad2b999a0dcc
SHA1caad125358d2ae6d217e74cfcd175ac81c43c729
SHA256cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96
SHA51290999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e
-
C:\Users\Admin\AppData\Local\Temp\ytmp\t7747.batMD5
7924b9cf2a621e979dfbdecc7abc5b8b
SHA11477d9c23f7e42bfb4121f2c59bb7cdd9ba34c78
SHA25606db46f2d9ba954de03cda1ef98e2f4a014e699db40311364a21a5a46453fe80
SHA512dec6089bc2f912b6364409bda5c709453745af2cf410728abed071040fe009aea8941efdb8673eb0ae53c81396cbcfbc04077b582913a342db3cc5ae2c695d65
-
C:\Windows\AcrobatDC.jsMD5
9369231125c086e3761ec5238ce71020
SHA1e92d312f660e360a460b9eb182ea68a2f5068f95
SHA256600b88a21f553bd0e719af4601bde53de7bd7e7e09dfe56032f88ac54e34d58f
SHA51257874d89812731a5daf656965c7ed86b37143265f53a5bad27716d12b38bc675d4fd31d3e360fc744d5d868483033bd0a514fca94afac7ee6ce3a2277a166ce4
-
C:\Windows\amtemu.exeMD5
88124e4aba906259af28a466774431ea
SHA1fbc1c27e0d7177238ec99481ffa7d839d1f51594
SHA2561b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd
SHA512cdc0af6ea2686d35e4a77f4eb802ba9e41819b052253071a397601bec4d6232e5351d21b5d8ab4644e9f6ffd67057ec8c6f2db8605b429afcdf7b3ecd8005e2d
-
C:\Windows\amtemu.exeMD5
88124e4aba906259af28a466774431ea
SHA1fbc1c27e0d7177238ec99481ffa7d839d1f51594
SHA2561b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd
SHA512cdc0af6ea2686d35e4a77f4eb802ba9e41819b052253071a397601bec4d6232e5351d21b5d8ab4644e9f6ffd67057ec8c6f2db8605b429afcdf7b3ecd8005e2d
-
C:\Windows\system32\drivers\etc\hostsMD5
336e4a90c6f8fa6b544a19457d63b7ed
SHA11b99a8bfd814f281f27aeb36be1fe06df454ef4a
SHA256598fddabcebbe5fc537eb617892aa9adab061e3cd61c55c1c6d4da80e460a4d4
SHA512b9f9cae77a2c54e1f7ac363d120d2c3ef79891dbde70dc2a9445b6bf801487688285b7fc72fbdbcb868b6c34234885e4e9b558bd05518ac4d6d843398895c690
-
\Users\Admin\AppData\Local\Temp\spc_player.dllMD5
41afbf49ba7f6ee164f31faa2cd38e15
SHA14a9aeebf6e2a3c459629662b4e3d72fe210da63f
SHA25650d30b7aa7b9858f91f33165314c7cf7f2acc97157091676c7e7925e018fd387
SHA512a323705e7e286f2e1cb821cccf1f24812020ef1b788f51e13176afaa04cb008899a32270bad7757204cbf9fce1a9887071fa84d353af2e5a667cba003c7f1efe
-
memory/296-134-0x0000000000000000-mapping.dmp
-
memory/420-114-0x0000000000000000-mapping.dmp
-
memory/812-140-0x0000000000000000-mapping.dmp
-
memory/1296-136-0x0000000000000000-mapping.dmp
-
memory/1296-124-0x0000000000000000-mapping.dmp
-
memory/1296-203-0x0000000000000000-mapping.dmp
-
memory/1296-204-0x0000000005910000-0x0000000005A12000-memory.dmpFilesize
1.0MB
-
memory/1632-120-0x0000000000000000-mapping.dmp
-
memory/1632-184-0x00000000039C0000-0x0000000003AC2000-memory.dmpFilesize
1.0MB
-
memory/1632-186-0x00000000055C0000-0x00000000055C1000-memory.dmpFilesize
4KB
-
memory/1640-141-0x00000000073B0000-0x00000000073B1000-memory.dmpFilesize
4KB
-
memory/1640-177-0x00000000079C0000-0x0000000007AC2000-memory.dmpFilesize
1.0MB
-
memory/1640-146-0x0000000007780000-0x0000000007781000-memory.dmpFilesize
4KB
-
memory/1640-142-0x00000000073B3000-0x00000000073B5000-memory.dmpFilesize
8KB
-
memory/1640-126-0x0000000000000000-mapping.dmp
-
memory/1640-133-0x00000000008A0000-0x00000000008A1000-memory.dmpFilesize
4KB
-
memory/1640-155-0x00000000073B5000-0x00000000073B6000-memory.dmpFilesize
4KB
-
memory/1784-188-0x0000000003170000-0x0000000003272000-memory.dmpFilesize
1.0MB
-
memory/1784-116-0x0000000000000000-mapping.dmp
-
memory/1972-132-0x0000000000000000-mapping.dmp
-
memory/2192-128-0x0000000000000000-mapping.dmp
-
memory/2192-200-0x0000000003D10000-0x0000000003E12000-memory.dmpFilesize
1.0MB
-
memory/2812-144-0x00000000023A0000-0x00000000023A1000-memory.dmpFilesize
4KB
-
memory/2812-145-0x0000000074BC0000-0x0000000074BC1000-memory.dmpFilesize
4KB
-
memory/2812-143-0x0000000077490000-0x0000000077491000-memory.dmpFilesize
4KB
-
memory/2812-174-0x0000000004840000-0x0000000004942000-memory.dmpFilesize
1.0MB
-
memory/2812-176-0x0000000003100000-0x0000000003101000-memory.dmpFilesize
4KB
-
memory/2812-138-0x0000000000000000-mapping.dmp
-
memory/3400-129-0x0000000000000000-mapping.dmp
-
memory/3516-119-0x0000000000000000-mapping.dmp
-
memory/3844-197-0x0000000003AF0000-0x0000000003BF2000-memory.dmpFilesize
1.0MB
-
memory/3844-122-0x0000000000000000-mapping.dmp
-
memory/4248-148-0x0000000000000000-mapping.dmp
-
memory/4264-150-0x0000000000000000-mapping.dmp
-
memory/4296-160-0x0000000000B00000-0x0000000000B0C000-memory.dmpFilesize
48KB
-
memory/4296-152-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/4296-153-0x00000000004015C6-mapping.dmp
-
memory/4296-156-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/4296-157-0x00000000006D0000-0x0000000000736000-memory.dmpFilesize
408KB
-
memory/4296-158-0x0000000000440000-0x000000000058A000-memory.dmpFilesize
1.3MB
-
memory/4296-159-0x0000000000740000-0x0000000000741000-memory.dmpFilesize
4KB
-
memory/4368-189-0x0000000004B50000-0x0000000004CDE000-memory.dmpFilesize
1.6MB
-
memory/4368-164-0x0000000002C50000-0x0000000002C5D000-memory.dmpFilesize
52KB
-
memory/4368-161-0x0000000000000000-mapping.dmp
-
memory/4368-162-0x0000000000380000-0x00000000007BF000-memory.dmpFilesize
4.2MB
-
memory/4368-167-0x0000000004B30000-0x0000000004B31000-memory.dmpFilesize
4KB
-
memory/4368-163-0x0000000003000000-0x0000000003102000-memory.dmpFilesize
1.0MB
-
memory/4440-181-0x0000000005160000-0x0000000005262000-memory.dmpFilesize
1.0MB
-
memory/4440-169-0x0000000000000000-mapping.dmp
-
memory/4440-173-0x0000000000EB0000-0x0000000000F5E000-memory.dmpFilesize
696KB
-
memory/4456-171-0x0000000000000000-mapping.dmp
-
memory/4692-191-0x0000000005920000-0x0000000005A22000-memory.dmpFilesize
1.0MB
-
memory/4692-178-0x0000000000000000-mapping.dmp
-
memory/4692-187-0x0000000002530000-0x0000000002531000-memory.dmpFilesize
4KB
-
memory/4832-194-0x0000000005910000-0x0000000005A12000-memory.dmpFilesize
1.0MB
-
memory/4832-190-0x0000000000000000-mapping.dmp