Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 25-07-2021 13:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.W32.AIDetect.malware2.530.7025.exe
- Resource: win7v20210410
General
- Target: SecuriteInfo.com.W32.AIDetect.malware2.530.7025.exe
- Size: 750KB
- MD5: 2fa9185ceeb1d25e8bde77a4cf3f70d4
- SHA1: 8106940df3869cbea44a8221a6ac313c054090b0
- SHA256: d4036c235fca73a67732d884564991184b7a8ea148784f0cd70fa07adbd8e160
- SHA512: 2f0845ce6d19abf16300ffb599fc2b90f150114031e9cea21050792d302a5714108b1bdf42fa8ca499d2c3834e8dd7281e0a0dd3836b06e06f596e278d74ac5e
Malware Config
Extracted
- cryptbot
- smarew72.top
- moriwi07.top
- payload_url: http://guruzo10.top/download.php?file=lv.exe
Extracted
- danabot
- 1987
- 4
- 142.11.244.124:443
- 142.11.206.50:443
- embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
Signatures
-
CryptBot Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/912-115-0x0000000000400000-0x00000000004E5000-memory.dmp | family_cryptbot
behavioral2/memory/912-114-0x0000000002320000-0x0000000002401000-memory.dmp | family_cryptbot
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request 6 IoCs
Processes:
flow | pid | process
40 | 852 | WScript.exe
42 | 852 | WScript.exe
44 | 852 | WScript.exe
46 | 852 | WScript.exe
49 | 1456 | rundll32.exe
50 | 2844 | RUNDLL32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
Processes:
pid | process
2452 | WaGSE.exe
656 | vpn.exe
3864 | 4.exe
2320 | Sorridente.exe.com
2828 | Sorridente.exe.com
2052 | SmartClock.exe
3156 | dutugmeg.exe
-
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | 4.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid | process
2452 | WaGSE.exe
1456 | rundll32.exe
1456 | rundll32.exe
2844 | RUNDLL32.EXE
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | vpn.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
24 | ip-api.com
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2844 set thread context of 2872 | 2844 | RUNDLL32.EXE | rundll32.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\foler\olader\acppage.dll | WaGSE.exe
File created | C:\Program Files (x86)\foler\olader\adprovider.dll | WaGSE.exe
File created | C:\Program Files (x86)\foler\olader\acledit.dll | WaGSE.exe
File created | C:\PROGRA~3\Jvgzbfh.tmp | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 31 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | SecuriteInfo.com.W32.AIDetect.malware2.530.7025.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | SecuriteInfo.com.W32.AIDetect.malware2.530.7025.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Sorridente.exe.com
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Sorridente.exe.com
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | RUNDLL32.EXE
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
1468 | timeout.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | Sorridente.exe.com
-
Modifies system certificate store
Processes:
WScript.exeRUNDLL32.EXEdescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb1778
3651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e WScript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0B2738515CC3EB9951780698C4317A86AAB35AEC RUNDLL32.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0B2738515CC3EB9951780698C4317A86AAB35AEC\Blob = 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 RUNDLL32.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 WScript.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
2052 | SmartClock.exe
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
pid | process
2844 | RUNDLL32.EXE
2844 | RUNDLL32.EXE
2844 | RUNDLL32.EXE
2844 | RUNDLL32.EXE
2844 | RUNDLL32.EXE
2844 | RUNDLL32.EXE
2844 | RUNDLL32.EXE
2844 | RUNDLL32.EXE
3664 | powershell.exe
3664 | powershell.exe
3664 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2844 | RUNDLL32.EXE
Token: SeDebugPrivilege | 3664 | powershell.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
912 | SecuriteInfo.com.W32.AIDetect.malware2.530.7025.exe
912 | SecuriteInfo.com.W32.AIDetect.malware2.530.7025.exe
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes:
description | pid | process | target process
PID 912 wrote to memory of 528 | 912 | SecuriteInfo.com.W32.AIDetect.malware2.530.7025.exe | cmd.exe
PID 912 wrote to memory of 528 | 912 | SecuriteInfo.com.W32.AIDetect.malware2.530.7025.exe | cmd.exe
PID 912 wrote to memory of 528 | 912 | SecuriteInfo.com.W32.AIDetect.malware2.530.7025.exe | cmd.exe
PID 528 wrote to memory of 2452 | 528 | cmd.exe | WaGSE.exe
PID 528 wrote to memory of 2452 | 528 | cmd.exe | WaGSE.exe
PID 528 wrote to memory of 2452 | 528 | cmd.exe | WaGSE.exe
PID 2452 wrote to memory of 656 | 2452 | WaGSE.exe | vpn.exe
PID 2452 wrote to memory of 656 | 2452 | WaGSE.exe | vpn.exe
PID 2452 wrote to memory of 656 | 2452 | WaGSE.exe | vpn.exe
PID 2452 wrote to memory of 3864 | 2452 | WaGSE.exe | 4.exe
PID 2452 wrote to memory of 3864 | 2452 | WaGSE.exe | 4.exe
PID 2452 wrote to memory of 3864 | 2452 | WaGSE.exe | 4.exe
PID 656 wrote to memory of 3792 | 656 | vpn.exe | cmd.exe
PID 656 wrote to memory of 3792 | 656 | vpn.exe | cmd.exe
PID 656 wrote to memory of 3792 | 656 | vpn.exe | cmd.exe
PID 656 wrote to memory of 3892 | 656 | vpn.exe | cmd.exe
PID 656 wrote to memory of 3892 | 656 | vpn.exe | cmd.exe
PID 656 wrote to memory of 3892 | 656 | vpn.exe | cmd.exe
PID 3892 wrote to memory of 3664 | 3892 | cmd.exe | cmd.exe
PID 3892 wrote to memory of 3664 | 3892 | cmd.exe | cmd.exe
PID 3892 wrote to memory of 3664 | 3892 | cmd.exe | cmd.exe
PID 3664 wrote to memory of 584 | 3664 | cmd.exe | findstr.exe
PID 3664 wrote to memory of 584 | 3664 | cmd.exe | findstr.exe
PID 3664 wrote to memory of 584 | 3664 | cmd.exe | findstr.exe
PID 3664 wrote to memory of 2320 | 3664 | cmd.exe | Sorridente.exe.com
PID 3664 wrote to memory of 2320 | 3664 | cmd.exe | Sorridente.exe.com
PID 3664 wrote to memory of 2320 | 3664 | cmd.exe | Sorridente.exe.com
PID 3664 wrote to memory of 1116 | 3664 | cmd.exe | PING.EXE
PID 3664 wrote to memory of 1116 | 3664 | cmd.exe | PING.EXE
PID 3664 wrote to memory of 1116 | 3664 | cmd.exe | PING.EXE
PID 912 wrote to memory of 2212 | 912 | SecuriteInfo.com.W32.AIDetect.malware2.530.7025.exe | cmd.exe
PID 912 wrote to memory of 2212 | 912 | SecuriteInfo.com.W32.AIDetect.malware2.530.7025.exe | cmd.exe
PID 912 wrote to memory of 2212 | 912 | SecuriteInfo.com.W32.AIDetect.malware2.530.7025.exe | cmd.exe
PID 2320 wrote to memory of 2828 | 2320 | Sorridente.exe.com | Sorridente.exe.com
PID 2320 wrote to memory of 2828 | 2320 | Sorridente.exe.com | Sorridente.exe.com
PID 2320 wrote to memory of 2828 | 2320 | Sorridente.exe.com | Sorridente.exe.com
PID 2212 wrote to memory of 1468 | 2212 | cmd.exe | timeout.exe
PID 2212 wrote to memory of 1468 | 2212 | cmd.exe | timeout.exe
PID 2212 wrote to memory of 1468 | 2212 | cmd.exe | timeout.exe
PID 3864 wrote to memory of 2052 | 3864 | 4.exe | SmartClock.exe
PID 3864 wrote to memory of 2052 | 3864 | 4.exe | SmartClock.exe
PID 3864 wrote to memory of 2052 | 3864 | 4.exe | SmartClock.exe
PID 2828 wrote to memory of 3156 | 2828 | Sorridente.exe.com | dutugmeg.exe
PID 2828 wrote to memory of 3156 | 2828 | Sorridente.exe.com | dutugmeg.exe
PID 2828 wrote to memory of 3156 | 2828 | Sorridente.exe.com | dutugmeg.exe
PID 2828 wrote to memory of 584 | 2828 | Sorridente.exe.com | WScript.exe
PID 2828 wrote to memory of 584 | 2828 | Sorridente.exe.com | WScript.exe
PID 2828 wrote to memory of 584 | 2828 | Sorridente.exe.com | WScript.exe
PID 3156 wrote to memory of 1456 | 3156 | dutugmeg.exe | rundll32.exe
PID 3156 wrote to memory of 1456 | 3156 | dutugmeg.exe | rundll32.exe
PID 3156 wrote to memory of 1456 | 3156 | dutugmeg.exe | rundll32.exe
PID 2828 wrote to memory of 852 | 2828 | Sorridente.exe.com | WScript.exe
PID 2828 wrote to memory of 852 | 2828 | Sorridente.exe.com | WScript.exe
PID 2828 wrote to memory of 852 | 2828 | Sorridente.exe.com | WScript.exe
PID 1456 wrote to memory of 2844 | 1456 | rundll32.exe | RUNDLL32.EXE
PID 1456 wrote to memory of 2844 | 1456 | rundll32.exe | RUNDLL32.EXE
PID 1456 wrote to memory of 2844 | 1456 | rundll32.exe | RUNDLL32.EXE
PID 2844 wrote to memory of 2872 | 2844 | RUNDLL32.EXE | rundll32.exe
PID 2844 wrote to memory of 2872 | 2844 | RUNDLL32.EXE | rundll32.exe
PID 2844 wrote to memory of 2872 | 2844 | RUNDLL32.EXE | rundll32.exe
PID 2844 wrote to memory of 3664 | 2844 | RUNDLL32.EXE | powershell.exe
PID 2844 wrote to memory of 3664 | 2844 | RUNDLL32.EXE | powershell.exe
PID 2844 wrote to memory of 3664 | 2844 | RUNDLL32.EXE | powershell.exe
Processes
(process tree; indentation shows parent/child depth, each entry gives the image path, the command line and the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.530.7025.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.530.7025.exe"
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\WaGSE.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\WaGSE.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\WaGSE.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c YJktxkgm

        C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c cmd < Sfinge.vsdm
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\cmd.exe
            command line: cmd
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\findstr.exe
              command line: findstr /V /R "^XvFshFVovrUIndZSFBxxytnrIUNDETWbxfrjHpPpZeHGABxnUuWmzuATXBIzSaECibhojMlvLkxevSDiAfIbXvrhOlfyAvsHntnrhkkoWANoMbvyXATDKiFKzqz$" Vorrei.vsdm

            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.exe.com
              command line: Sorridente.exe.com E
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory

              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.exe.com
                command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.exe.com E
                - Executes dropped EXE
                - Checks processor information in registry
                - Modifies registry class
                - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Local\Temp\dutugmeg.exe
                  command line: "C:\Users\Admin\AppData\Local\Temp\dutugmeg.exe"
                  - Executes dropped EXE
                  - Suspicious use of WriteProcessMemory

                  C:\Windows\SysWOW64\rundll32.exe
                    command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DUTUGM~1.TMP,S C:\Users\Admin\AppData\Local\Temp\dutugmeg.exe
                    - Blocklisted process makes network request
                    - Loads dropped DLL
                    - Drops file in Program Files directory
                    - Suspicious use of WriteProcessMemory

                    C:\Windows\SysWOW64\RUNDLL32.EXE
                      command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\DUTUGM~1.TMP,q1ZVYw==
                      - Blocklisted process makes network request
                      - Loads dropped DLL
                      - Suspicious use of SetThreadContext
                      - Checks processor information in registry
                      - Modifies system certificate store
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory

                      C:\Windows\system32\rundll32.exe
                        command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17894

                      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp97C7.tmp.ps1"
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken

                C:\Windows\SysWOW64\WScript.exe
                  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fhyqoiby.vbs"

                C:\Windows\SysWOW64\WScript.exe
                  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pjbdlidvg.vbs"
                  - Blocklisted process makes network request
                  - Modifies system certificate store

            C:\Windows\SysWOW64\PING.EXE
              command line: ping GFBFPSXA -n 30
              - Runs ping.exe

      C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
        - Executes dropped EXE
        - Drops startup file
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
          command line: "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
          - Executes dropped EXE
          - Suspicious behavior: AddClipboardFormatListener

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\wrdLhMjyavuHI & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.530.7025.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\PROGRA~3\Jvgzbfh.tmp
MD5 b2b4ed93d5effe209d9613e446f4bce3
SHA1 2ba57bce3da8428eb8b43e6e2ac2732d3f0ca0b6
SHA256 c33d4b03437068364751cee9c802c0639b471e555aa9c03a383c0385ecab1545
SHA512 0c0b1b4b339c2ecdb368d8f1d4078eabe27ffef5aff5ab0ba1c2fad2b3791b9132a6404c75cf1b5f4ad95185c9530049ebd7235d034a6602535285397fc7e080
-
C:\Users\Admin\AppData\Local\Temp\DUTUGM~1.TMP
MD5 ee13cc90fabfc6ac9c4e8a00ed3805af
SHA1 b50098d0e99a9f0f88624e58701c1a9570e421ae
SHA256 3fde70aec3497bc38df7518fcf190ae5ebbdd8c85976c28a17f7a43eaac9e92b
SHA512 5d0523bb8753f9bb6043df3d3e62cb0e479581e48b41efd86bc2a2c99c98654f5fcf36aa3366fbf8c30739296269b5b48b1d4d81a364d862e540fe7204ed4537
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\E
MD5 4c5c7f3e7362720b4241f8efbb2be752
SHA1 be23ecf084cbf60b0f7bab86701cff9dfb1c2760
SHA256 c7b5fdd83644097869d2979a3827a210bed48967bbc56e3e64d6f88d0ae26ed3
SHA512 2c3fdadb53319b6e64274b2d34026818539d227af86caa1440edd5b85e5158ce34489e6361590ff2ec6137da089b717d2c1010c2bee3bdb9f97a1ead68469e76
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pensato.vsdm
MD5 4c5e138f22c752587d27c5047f1c9adc
SHA1 64549847c05c5a08e2c66fc5591a5b1103714bd2
SHA256 e260b4bb610bb0ddfa0889f497430539bd85a7928fc37002114e87091f2ead62
SHA512 8c00eb836c230ae57465b1cde318c3d441327853d1685066fe91caa2ad7fef3c3be9cda549f5bb753e2fea5a41f798fec3d22075589144365b95eb9f64ad1011
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.vsdm
MD5 4c5c7f3e7362720b4241f8efbb2be752
SHA1 be23ecf084cbf60b0f7bab86701cff9dfb1c2760
SHA256 c7b5fdd83644097869d2979a3827a210bed48967bbc56e3e64d6f88d0ae26ed3
SHA512 2c3fdadb53319b6e64274b2d34026818539d227af86caa1440edd5b85e5158ce34489e6361590ff2ec6137da089b717d2c1010c2bee3bdb9f97a1ead68469e76
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sfinge.vsdm
MD5 2330ab365da0a8cf6c766b2c38b3704b
SHA1 faded741162dc8c18b2fdb870b07d956ffb1558b
SHA256 61342f8e9ea670d0d3f73273288ee0d67a10e0560e6a455cbf8d585a4119ec11
SHA512 d3acac95e7fbbd47f5c45cde0737fdea200e4aa97f1e4fdad0d8e8b41b2c163e71798656eafe42338f018ca0d8507739841e5f39603e3d556ca452c46e72ded3
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.exe.com
MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorrei.vsdm
MD5 88b40e7263e5a4a08f6e097581a400ad
SHA1 67fdbd36361a85edb562fd1dbb9227916a4a09c4
SHA256 4f36363fb3bc37dc1fb6af3f450f509f47e201285b4815ef2e9bbba540fdf2fc
SHA512 edf8da6848baf6f5e939be35bd7e27f3b2939b519b6d9c8388f6d5af68920c46b3c90a13a91041b0bd0b65b121ddda6554f10f387fd03655d7c9d7652e7ee51f
-
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5 6920fbce65a27b266a4ec04701058b77
SHA1 84025c33fafe38ec283de2a1ba86559f5145803e
SHA256 f939c2046597fba34eb1df21e9ffb71f140f01ef7b2e25ed266ed0939ab737c1
SHA512 90f712f0545400122fd15fef9d85023f041fcf3a798f501374cb14c5306e7626d9ab3d2db0ccbd0a386e5e33dbd262007f805d8815146f446cc2994b870e1dbb
-
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5 51aebb77c703d0ee1f9246828af5105f
SHA1 fe0710ab9e6663f2b76c5fe5ff76c9c9f7e741d2
SHA256 53f273aa3da76fc6b2f4293bf11b2c4695f0afd777ee7467b1f67af65b0b61ff
SHA512 d16449b33c43354bd082f9e37faf566f3a570445836227f104c99518c5ad8788ad5d5aa8db5e9fd0d7f9a2a48df381a6ec85a4fcba2f682a33295abaeff18012
-
C:\Users\Admin\AppData\Local\Temp\WaGSE.exe
MD5 524220d9fa50ceb873c11be81f388391
SHA1 4bb4da511b5198c0246a7a38477de60ed79602fa
SHA256 17f76c4326657a2e98267c4fc98e4a97207b2f52f4c2da129a77d419fd99b621
SHA512 3fcae42ce2e84529e3708a5ae48a12be04c079dbaa234311ea901d31a8608fb920608bf219efa3e96b0e5a893fe390c5162101cb55c79fa7bafb1ccdf706b6eb
-
C:\Users\Admin\AppData\Local\Temp\dutugmeg.exe
MD5 7de6b9f424ca164dfa9f0a704d0fcf6d
SHA1 7288840b3edb1b8fc7077db84c224b82699b122a
SHA256 cba20e7e9384c6a8fb9e94cfb417c2b0c757c6ee8618980c6e1fc9054e6d5dd7
SHA512 5b7a80d51a886ec3f02d5e57acdc80e4ad936ba8eb439746d0e7457c0977bdc368db6bfe2496af600d3f1776d1b73e6e9e6049e79b577a9a99be029a0cd378ca
-
C:\Users\Admin\AppData\Local\Temp\fhyqoiby.vbs
MD5 ad18b349a77aa3614843272649ac8f65
SHA1 ab0864152b304b8f484947069d44f20d7ff3b431
SHA256 3d9e2407251deafd27476afceed9cfd117ccd28bef788c3667f58c9b4e503348
SHA512 295c5a249035cef86eeab7ac32960f9a43eb2f1c434f8c97e46de3a032b4b216d829f2ffb5b95346ea0f7f2bad845684a51ac06acf7d41e0f10000a401ae00e5
-
C:\Users\Admin\AppData\Local\Temp\pjbdlidvg.vbs
MD5 c5a81f55c20d66af3410cace9d30e5cd
SHA1 cf005f0da97948095b231b030611cf137913d91e
SHA256 a3ac74aeb504a75c4ad67206ccd3b697b63f42fae6e97ac066c8b5376a8990f0
SHA512 fd0855884889598db63b4b07d523ef95a692889bb34984ec28a615b86831acbc03eb037dae58e75dc09e4f1ae7943a218e88624507595de69f3ae2b620458395
-
C:\Users\Admin\AppData\Local\Temp\tmp97C7.tmp.ps1
MD5 9858ad92ba92c40b8d96731a57a1e37b
SHA1 81cc906030f656fc804773e57c44052d722fe4be
SHA256 1140d76b3fc0d3b6203fd0b75e6426e85977b4e8505b042ff627016aa9a7e00c
SHA512 250ebbbc20a5dad55b1c93f6491c61c4291a7ea236eb17cb6dd286975ddc610d89b916182210a02740e3b94faef755b31f880fe215289b5a4e91a07f89601cae
-
C:\Users\Admin\AppData\Local\Temp\tmp97C8.tmp
MD5 c416c12d1b2b1da8c8655e393b544362
SHA1 fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA256 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512 cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
-
C:\Users\Admin\AppData\Local\Temp\wrdLhMjyavuHI\QOOXTO~1.ZIP
MD5 217f4c737c2f34cc786463b1931615c1
SHA1 513c4639b3512c70c8f1764169deb3719d0041b4
SHA256 2ce5406f0ac7bbdec8468ad2d60efc9e208c27676f88c3a5becb8c3d156a7538
SHA512 f9665ba48bd002a4be4f09ee06a4e3cdb4f2db636bbad2162de128b8bdd1c5488f26d0dc322b307a4f2e385ba1f65ffc77d76a4b436fbf4c5380e7e4ccd53732
-
C:\Users\Admin\AppData\Local\Temp\wrdLhMjyavuHI\ZDJPOI~1.ZIP
MD5 f57fd5666a08e59a554f5ed6e2979124
SHA1 b833f058b482f499144359777c75dd7e493636ab
SHA256 011230d2724ca9dd7d6456307e5fc1d31828b4bfdad8c88c0fa38989c6e7ca20
SHA512 d1012d2fa8ffeeefc645401453a6bfce06fc7344e455dbf1664309b1da8d48759a5dc6cf7a8d6bc645f0420b3325740d421b0f3db2f0284d13b10d70af7c18f3
-
C:\Users\Admin\AppData\Local\Temp\wrdLhMjyavuHI\_Files\_Files\LIMITR~1.TXT
MD5 c3ff1081fe2855ac886dadab5bda8ac9
SHA1 3dc0519ba78b7ed0467c80d66e84c09cffcf7e21
SHA256 c07f573801162660fdcbfee07b39dd3bb8986d97e0f2cb3454fde70b7b47af09
SHA512 b8f62469ec82e1052d8f789a546c930e9e022ed730c7812e76a30a3d83c5d3a8ebe278967b03817db4acd71769f0176d53a27d1789f712980fad134fb50baf51
-
C:\Users\Admin\AppData\Local\Temp\wrdLhMjyavuHI\_Files\_INFOR~1.TXT
MD5 fb1378200af4ab6512c0f8d789a62d56
SHA1 ac31d71769ce81fdb15012139b3edc3fe224d858
SHA256 a9e597b75fa055b2278f3655a76718fde5d04304f68af2284d629dc7bacc5114
SHA512 4321429ca330f31eeb5199464f4e6efeb31379152da58449ecfbf0f3ce9bd42a3a8d52c40145de34e66894f51dbb1a5124ff2ee0fd0d923c5fa21998f8252372
-
C:\Users\Admin\AppData\Local\Temp\wrdLhMjyavuHI\_Files\_SCREE~1.JPE
MD5 a4bb017c71b096994295cacee6a979af
SHA1 6109bed2dfb7ace29eeae529d4c25dbbb7b9ea3a
SHA256 5a5d0a3684089f05a0dd4157615579c594032c57e80a15761a3c09a6bc1bfc8f
SHA512 e64b87798025a5afa44a933f7478071f912dd2a911859a980f299bc942197f1d711721503c57fa054a6d308937621ec7fc6b0f563d4d82a31da1a43b47045aef
-
C:\Users\Admin\AppData\Local\Temp\wrdLhMjyavuHI\files_\SCREEN~1.JPG
MD5 a4bb017c71b096994295cacee6a979af
SHA1 6109bed2dfb7ace29eeae529d4c25dbbb7b9ea3a
SHA256 5a5d0a3684089f05a0dd4157615579c594032c57e80a15761a3c09a6bc1bfc8f
SHA512 e64b87798025a5afa44a933f7478071f912dd2a911859a980f299bc942197f1d711721503c57fa054a6d308937621ec7fc6b0f563d4d82a31da1a43b47045aef
-
C:\Users\Admin\AppData\Local\Temp\wrdLhMjyavuHI\files_\SYSTEM~1.TXT
MD5 313fee62111420ca564b1d2c23ef2a19
SHA1 3c0d7479dbdb229c045e7c41886e19a591cafd56
SHA256 7f3a3c45096ddaaf76c4188c1f68f70865c711099b445fb5b8fc3b81a2ed1566
SHA512 418090e113d8e56a1708384ac7f6104b495aaf1ac218e79bb3cf34e9ba9bc73bc392a210aa6fcd7a73165c2ef0f3f49d8430af4e577457cd870e9ac6e7601ffc
-
C:\Users\Admin\AppData\Local\Temp\wrdLhMjyavuHI\files_\files\LIMITR~1.TXT
MD5 c3ff1081fe2855ac886dadab5bda8ac9
SHA1 3dc0519ba78b7ed0467c80d66e84c09cffcf7e21
SHA256 c07f573801162660fdcbfee07b39dd3bb8986d97e0f2cb3454fde70b7b47af09
SHA512 b8f62469ec82e1052d8f789a546c930e9e022ed730c7812e76a30a3d83c5d3a8ebe278967b03817db4acd71769f0176d53a27d1789f712980fad134fb50baf51
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5 6920fbce65a27b266a4ec04701058b77
SHA1 84025c33fafe38ec283de2a1ba86559f5145803e
SHA256 f939c2046597fba34eb1df21e9ffb71f140f01ef7b2e25ed266ed0939ab737c1
SHA512 90f712f0545400122fd15fef9d85023f041fcf3a798f501374cb14c5306e7626d9ab3d2db0ccbd0a386e5e33dbd262007f805d8815146f446cc2994b870e1dbb
-
\Users\Admin\AppData\Local\Temp\DUTUGM~1.TMP
MD5 ee13cc90fabfc6ac9c4e8a00ed3805af
SHA1 b50098d0e99a9f0f88624e58701c1a9570e421ae
SHA256 3fde70aec3497bc38df7518fcf190ae5ebbdd8c85976c28a17f7a43eaac9e92b
SHA512 5d0523bb8753f9bb6043df3d3e62cb0e479581e48b41efd86bc2a2c99c98654f5fcf36aa3366fbf8c30739296269b5b48b1d4d81a364d862e540fe7204ed4537
-
\Users\Admin\AppData\Local\Temp\nsvC6B2.tmp\UAC.dllMD5
adb29e6b186daa765dc750128649b63d
SHA1160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA2562f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-