Analysis
max time kernel: 150s
max time network: 152s
platform: windows10_x64
resource: win10v20210410
submitted: 26-07-2021 15:21
Static task: static1
Behavioral task: behavioral1
Sample: fb660cd8294a2f697bc610d746833d91.exe
Resource: win7v20210408
General
Target: fb660cd8294a2f697bc610d746833d91.exe
Size: 760KB
MD5: fb660cd8294a2f697bc610d746833d91
SHA1: e9cfc83ec806592a49bd094e2bbc07c937e0c9e2
SHA256: 28877275c2c938f24cd0bf43f2c0cef090c58b7a85a988b2f6dff4970660b07d
SHA512: 10da1e75c4aeb3df811dd22a2da4528227f8d7350bfa5992ef6cc4f3f8822e2c7ffdf897040635c1476f95b0112f13376be7cb849a8dea81455db73056329c92
Malware Config
Extracted: cryptbot
- ewaisg12.top
- morvay01.top
- payload_url: http://winezo01.top/download.php?file=lv.exe
Extracted: danabot
- 1987
- 4
- 142.11.244.124:443
- 142.11.206.50:443
- embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
Signatures
CryptBot Payload 2 IoCs
Processes:
- resource behavioral2/memory/3920-114-0x0000000002120000-0x0000000002201000-memory.dmp: yara_rule family_cryptbot
- resource behavioral2/memory/3920-115-0x0000000000400000-0x00000000004E5000-memory.dmp: yara_rule family_cryptbot
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Blocklisted process makes network request 6 IoCs
Processes: WScript.exe, rundll32.exe, RUNDLL32.EXE
- flow 40, pid 3272, WScript.exe
- flow 42, pid 3272, WScript.exe
- flow 44, pid 3272, WScript.exe
- flow 46, pid 3272, WScript.exe
- flow 48, pid 2788, rundll32.exe
- flow 49, pid 4092, RUNDLL32.EXE
Downloads MZ/PE file
Executes dropped EXE 7 IoCs
Processes: ZgoSo.exe, vpn.exe, 4.exe, Consumato.exe.com, SmartClock.exe, ooerfrdb.exe
- pid 3860, ZgoSo.exe
- pid 2488, vpn.exe
- pid 2796, 4.exe
- pid 3324, Consumato.exe.com
- pid 1368, Consumato.exe.com
- pid 3080, SmartClock.exe
- pid 2124, ooerfrdb.exe
Drops startup file 1 IoCs
Processes: 4.exe
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk (4.exe)
Loads dropped DLL 4 IoCs
Processes: ZgoSo.exe, rundll32.exe, RUNDLL32.EXE
- pid 3860, ZgoSo.exe
- pid 2788, rundll32.exe
- pid 4092, RUNDLL32.EXE
- pid 4092, RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 2 IoCs
Processes: vpn.exe
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (vpn.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (vpn.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 24, ioc ip-api.com
Suspicious use of SetThreadContext 1 IoCs
Processes: RUNDLL32.EXE
- PID 4092 (RUNDLL32.EXE) set thread context of 1456 (rundll32.exe)
Drops file in Program Files directory 4 IoCs
Processes: ZgoSo.exe, rundll32.exe
- File created C:\Program Files (x86)\foler\olader\acppage.dll (ZgoSo.exe)
- File created C:\Program Files (x86)\foler\olader\adprovider.dll (ZgoSo.exe)
- File created C:\Program Files (x86)\foler\olader\acledit.dll (ZgoSo.exe)
- File created C:\PROGRA~3\Jvgzbfh.tmp (rundll32.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 30 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: Consumato.exe.com, RUNDLL32.EXE, fb660cd8294a2f697bc610d746833d91.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Consumato.exe.com)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status (RUNDLL32.EXE)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (fb660cd8294a2f697bc610d746833d91.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (RUNDLL32.EXE)
- Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 (RUNDLL32.EXE)
- Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet (RUNDLL32.EXE)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information (RUNDLL32.EXE)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (RUNDLL32.EXE)
- Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (fb660cd8294a2f697bc610d746833d91.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Consumato.exe.com)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision (RUNDLL32.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (RUNDLL32.EXE)
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
- pid 4064, timeout.exe
Modifies registry class 1 IoCs
Processes: Consumato.exe.com
- Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings (Consumato.exe.com)
Modifies system certificate store
Processes: WScript.exe, RUNDLL32.EXE
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <certificate blob not reproduced> (WScript.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\89F515AF0EB9587E06FFAB5322174F06E63D18DC (RUNDLL32.EXE)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\89F515AF0EB9587E06FFAB5322174F06E63D18DC\Blob = <certificate blob not reproduced> (RUNDLL32.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (WScript.exe)
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: SmartClock.exe
- pid 3080, SmartClock.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes: RUNDLL32.EXE, powershell.exe
- pid 4092, RUNDLL32.EXE (8 entries)
- pid 1544, powershell.exe (3 entries)
- pid 4092, RUNDLL32.EXE (2 entries)
- pid 3684, powershell.exe (3 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: RUNDLL32.EXE, powershell.exe
- Token: SeDebugPrivilege, pid 4092, RUNDLL32.EXE
- Token: SeDebugPrivilege, pid 1544, powershell.exe
- Token: SeDebugPrivilege, pid 3684, powershell.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: fb660cd8294a2f697bc610d746833d91.exe, RUNDLL32.EXE
- pid 3920, fb660cd8294a2f697bc610d746833d91.exe
- pid 3920, fb660cd8294a2f697bc610d746833d91.exe
- pid 4092, RUNDLL32.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes: fb660cd8294a2f697bc610d746833d91.exe, cmd.exe, ZgoSo.exe, vpn.exe, Consumato.exe.com, 4.exe, ooerfrdb.exe, rundll32.exe, RUNDLL32.EXE
Each line reads "source PID (process) -> target PID (target process)"; the count in parentheses is the number of consecutive identical entries in the report.
- 3920 (fb660cd8294a2f697bc610d746833d91.exe) -> 364 (cmd.exe) (3 entries)
- 364 (cmd.exe) -> 3860 (ZgoSo.exe) (3 entries)
- 3860 (ZgoSo.exe) -> 2488 (vpn.exe) (3 entries)
- 3860 (ZgoSo.exe) -> 2796 (4.exe) (3 entries)
- 2488 (vpn.exe) -> 2368 (cmd.exe) (3 entries)
- 2488 (vpn.exe) -> 812 (cmd.exe) (3 entries)
- 812 (cmd.exe) -> 4092 (cmd.exe) (3 entries)
- 4092 (cmd.exe) -> 744 (findstr.exe) (3 entries)
- 4092 (cmd.exe) -> 3324 (Consumato.exe.com) (3 entries)
- 4092 (cmd.exe) -> 2116 (PING.EXE) (3 entries)
- 3324 (Consumato.exe.com) -> 1368 (Consumato.exe.com) (3 entries)
- 3920 (fb660cd8294a2f697bc610d746833d91.exe) -> 748 (cmd.exe) (3 entries)
- 748 (cmd.exe) -> 4064 (timeout.exe) (3 entries)
- 2796 (4.exe) -> 3080 (SmartClock.exe) (3 entries)
- 1368 (Consumato.exe.com) -> 2124 (ooerfrdb.exe) (3 entries)
- 1368 (Consumato.exe.com) -> 3516 (WScript.exe) (3 entries)
- 2124 (ooerfrdb.exe) -> 2788 (rundll32.exe) (3 entries)
- 1368 (Consumato.exe.com) -> 3272 (WScript.exe) (3 entries)
- 2788 (rundll32.exe) -> 4092 (RUNDLL32.EXE) (3 entries)
- 4092 (RUNDLL32.EXE) -> 1456 (rundll32.exe) (3 entries)
- 4092 (RUNDLL32.EXE) -> 1544 (powershell.exe) (3 entries)
- 4092 (RUNDLL32.EXE) -> 3684 (powershell.exe) (1 entry)
Processes (depth is the nesting level in the process tree)
Depth 1: C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe"
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ZgoSo.exe"
- Suspicious use of WriteProcessMemory
Depth 3: C:\Users\Admin\AppData\Local\Temp\ZgoSo.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ZgoSo.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
Depth 4: C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
Depth 5: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c hIDuoykI
Depth 5: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c cmd < Mise.adts
- Suspicious use of WriteProcessMemory
Depth 6: C:\Windows\SysWOW64\cmd.exe
Command line: cmd
- Suspicious use of WriteProcessMemory
Depth 7: C:\Windows\SysWOW64\findstr.exe
Command line: findstr /V /R "^qtOjQgNmHjCVwYiUrmbuExhNxKjAZBgFkHhWYSyJRWCSKhgtOmIhJwAGRqRywhAyXWJxKkVlxOgHRxriviMmSq$" Magrezza.adts
Depth 7: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Consumato.exe.com
Command line: Consumato.exe.com U
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Depth 8: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Consumato.exe.com
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Consumato.exe.com U
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 9: C:\Users\Admin\AppData\Local\Temp\ooerfrdb.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ooerfrdb.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Depth 10: C:\Windows\SysWOW64\rundll32.exe
Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\OOERFR~1.TMP,S C:\Users\Admin\AppData\Local\Temp\ooerfrdb.exe
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
Depth 11: C:\Windows\SysWOW64\RUNDLL32.EXE
Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\OOERFR~1.TMP,awlibWs=
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
Depth 12: C:\Windows\system32\rundll32.exe
Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 31801
Depth 12: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp220B.tmp.ps1"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 12: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp3556.tmp.ps1"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 13: C:\Windows\SysWOW64\nslookup.exe
Command line: "C:\Windows\system32\nslookup.exe" -type=any localhost
Depth 9: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yqpismtwjp.vbs"
Depth 9: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afnfntnsr.vbs"
- Blocklisted process makes network request
- Modifies system certificate store
Depth 7: C:\Windows\SysWOW64\PING.EXE
Command line: ping RJMQBVDN -n 30
- Runs ping.exe
Depth 4: C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
Depth 5: C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
Command line: "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
Depth 2: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\FyVwUZFKQstc & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe"
- Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\SysWOW64\timeout.exe
Command line: timeout 3
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\PROGRA~3\Jvgzbfh.tmpMD5
1caf4824589c57622a87d2d57a6afd70
SHA17ab945df69724ad2279b9e8176d33ede3612f5e6
SHA2561aa428e9d0b661c1f93a36de26ef4b296d30d753905a7787d6f6ed4419e3961d
SHA512c17d624acc8e0a9ebafc796f97ba0c8c7cf48891ecb3889d14908c6f6acabb7ef116322f905150d599a8e97742b93f3c93f60b62235173e270c4aff3220d71e7
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
47eebe401625bbc55e75dbfb72e9e89a
SHA1db3b2135942d2532c59b9788253638eb77e5995e
SHA256f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3
SHA512590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
b97ae33ac1caf655695545303ac0d9c9
SHA121898ae0a3860911836b7db7eef128c09af0aa0f
SHA2562b802e472f92163fb2e8c5adb077422e074bf66ae433bc45c25d579bac3d13f9
SHA5126b595e8b7008f8c3d0e5897fa3e3e328ae13c24bea6ecee912e33f9e23580902810ea36a4d78ad4821dfb78b88b5efbb363e7f4b000c3aa21e2e876c958e6037
-
C:\Users\Admin\AppData\Local\Temp\FyVwUZFKQstc\BCFXCY~1.ZIPMD5
9b415d9f859f575c46f3a7760dd40356
SHA112862743d51651036839f49d3cca09243a159fc2
SHA256b2c0d08d0651792cd6512604ea536b8381b4fdc6a0564d0854688d60c1eb82f8
SHA512ab55582262f61a5bc2df42ba094a2d1f0ba02356cc20afea1b280c7b332904dfcd8a24a76eaa1f602949321dffa5da7d05205258f38cf80e5fb2efec71df9c60
-
C:\Users\Admin\AppData\Local\Temp\FyVwUZFKQstc\OIASKG~1.ZIPMD5
4526293e12f39d50b588472a56cb968d
SHA173e2e231270584a64855a206546e845916607a7a
SHA256d379ecc874b5dbbf82b042f8c38afac0f6056d552e49c1379f62a601b2a42cca
SHA51221be80795152eebd95a4d5d83568d298428e087c68fa59efd932fe938446cd66ac0170d0ce58fdfc4607299c30670162fac84d8d41694e0834a8b7a5763ca3d0
-
C:\Users\Admin\AppData\Local\Temp\FyVwUZFKQstc\_Files\_INFOR~1.TXTMD5
61c86108b7e29b4b999a273105986e08
SHA16ec379eff3135aa85f81531cd2162eae2a11c612
SHA2562f970a7e8a42dc7bedcc54b2791a65484351c924f8e54a7e78d23efae7cfe904
SHA512291d3aca75eecc33a30e74af2ed886aa8bde5271a1eb014289c7490b0af0b7122d07ac6595a5039124c217c7afc8f9a590575347b074dbd79910b18494f0036c
-
C:\Users\Admin\AppData\Local\Temp\FyVwUZFKQstc\_Files\_SCREE~1.JPEMD5
596388e9ac4308957999b030b41df1ab
SHA19c1f39795e1de17f9f9a2c150def784191fe9694
SHA2565558e501f865c7b32c398cb0ab5a3498b3d700370c9825bb10366e398324b576
SHA5120109cad531609315cdd4fb2151c6edab75c7e2c1d1723c03d8d54d56a90e335ca8cfb76f1f21e8fc2632acda44a2790c518d59d420a9bed487f79b0cce003616
-
C:\Users\Admin\AppData\Local\Temp\FyVwUZFKQstc\files_\SCREEN~1.JPGMD5
596388e9ac4308957999b030b41df1ab
SHA19c1f39795e1de17f9f9a2c150def784191fe9694
SHA2565558e501f865c7b32c398cb0ab5a3498b3d700370c9825bb10366e398324b576
SHA5120109cad531609315cdd4fb2151c6edab75c7e2c1d1723c03d8d54d56a90e335ca8cfb76f1f21e8fc2632acda44a2790c518d59d420a9bed487f79b0cce003616
-
C:\Users\Admin\AppData\Local\Temp\FyVwUZFKQstc\files_\SYSTEM~1.TXTMD5
432b26c861fb7c4b2fbfa380cdbe02e4
SHA1f2430aa1105c23f81e7245f6b0aa133a0f002f75
SHA256d9140592e52c7c391438294bc1f490d9b8b2e7051eb47f44bd965c3c7901098d
SHA512fa192e6380190c4597fde955fae542ff1c2ae9c0dffb85d39c6103081751a6a64d57038de13a38a8e8abc5884ab023699f215905854aed893474f8267f2d2d27
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Consumato.exe.comMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Consumato.exe.comMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Consumato.exe.comMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Copia.adtsMD5
b3ca9fa6e338f37cba89894f0dc0ccfb
SHA10e3a55ffa3af6b0396bc30a0e88eef61b357015b
SHA2563186ff707581468e32e4cef8157af27db76a54d26b9aeadd223a5034762fa073
SHA5127ad2050d56bd2a8068cd18f7ec7317032a95d94aa18c1c56580be15f27ba18b3a0748e420c1f0c1e1a50a385c0f2d07a2ef1e98c95c9463b543e2de1282754a7
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dov.adtsMD5
ab00680d714b342b90821af2a08cf844
SHA18f5b170496221ae5486ca226b562d2038d1732c9
SHA2562400176604e81c31c856208e96db9c8aba9c8e36aac5c9c52903e771ca8f4304
SHA512a1c9d600cc26513f6ab018d673e47ef9bb2a875b3bababf7e242d458222e1eab286e6fb61b9cd8d5c380230e62976d37144aab17babe1d81e0cd35cdb6e25369
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Magrezza.adtsMD5
6c74a02033d0fcd0c8cb96e8d7bc9363
SHA190ba3d5efd66628ff05db249f7d87c9eeb31633d
SHA256f2611e38c970b2cd06a81c40d36c3b687542278510b85aa4806820d161fb3242
SHA512826cd987ed933de45b770632e71b5fa78ec436681188c09cd245d6959fde96687b26fbcb7be4acb020cbc5e2dff8f6e8823e870174697d22429673f207d16073
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mise.adtsMD5
40b99134859b20ed28e8114f0cd89bff
SHA1245e5070ce852d3abdbe0b05b5e1f11b03096c6e
SHA256d15a60863bf720f676a7551cd6aa1edf190370ff0d94af59b6123ed21d24213a
SHA512ce26f830f68372f50f218ddc65edd486728a634d9a711443fd788ef55e32700f8f7c495ad43ef9c7bd0db85b54f3de5660ee17ffe7e11346cf8fb5cca253a256
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UMD5
b3ca9fa6e338f37cba89894f0dc0ccfb
SHA10e3a55ffa3af6b0396bc30a0e88eef61b357015b
SHA2563186ff707581468e32e4cef8157af27db76a54d26b9aeadd223a5034762fa073
SHA5127ad2050d56bd2a8068cd18f7ec7317032a95d94aa18c1c56580be15f27ba18b3a0748e420c1f0c1e1a50a385c0f2d07a2ef1e98c95c9463b543e2de1282754a7
-
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exeMD5
046ada851b9f6193733140c6e129696b
SHA122d58b62ab2d39b038055c7ec45f29213534e547
SHA25679d2d551a3085bd5de8368b329ee39666a7ac98692d4261c4da7cc07ca360d9a
SHA5120bf530df50656a5bb1722220738039348c0ff7a3078b5c64ca6af9ce564d5f68d5bf51ee146c0c80751e963fe7e679f0f08243a1a508029ce75b7de4d1e3ddef
-
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exeMD5
046ada851b9f6193733140c6e129696b
SHA122d58b62ab2d39b038055c7ec45f29213534e547
SHA25679d2d551a3085bd5de8368b329ee39666a7ac98692d4261c4da7cc07ca360d9a
SHA5120bf530df50656a5bb1722220738039348c0ff7a3078b5c64ca6af9ce564d5f68d5bf51ee146c0c80751e963fe7e679f0f08243a1a508029ce75b7de4d1e3ddef
-
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exeMD5
ada68de170539dde7dc0a4b24af07f11
SHA1fc130610603913222dd0cafa661ea20088e6d332
SHA256cf072d97c33e2ad28618a943aaf43d0240d9002a45d9bb3688a2bcf2b27c26b0
SHA51272d5db5d1182e91e36706ef044b61695bb14fac98ca287b6f535db8df5bfa1219570314004d0309adc18ee573c496c9f44c3e0e516608375db80850780a24d8e
-
C:\Users\Admin\AppData\Local\Temp\OOERFR~1.TMPMD5
219e20b69d099cab64444334e0874da8
SHA1b3ea46e786a2826f4c01c807fee22934aeeb5c7b
SHA256d50cbc7b8894f96af15f5e150bac2b7e74346dda50e9cd88ede07b56042e35a4
SHA512063a4105306c1eb8c0a4ab46f0c2788ba1419da0fab62e44520c972b5c1b0ff17b1233e8f61a46c5520d42ae184253ec8b716ae2ba7e2f05f423a2f6233221bb
-
C:\Users\Admin\AppData\Local\Temp\ZgoSo.exeMD5
6129b2f210fcaea8e5e3abe04bc7ee91
SHA125fd446400857193bd3cfd668c3d084342fb3c07
SHA256c5533df1a613354dbf5beee7c8eae3b6976998264b3337195128971bd2e8d996
SHA512ce985926e0971732675265664e606fad15078e9bca7b31219decad2405c0175a61d41bd2dd9cb4db3ea4b6fcab6f78b8a348bc4f0711127963b4d8a3153a2164
-
C:\Users\Admin\AppData\Local\Temp\ZgoSo.exeMD5
6129b2f210fcaea8e5e3abe04bc7ee91
SHA125fd446400857193bd3cfd668c3d084342fb3c07
SHA256c5533df1a613354dbf5beee7c8eae3b6976998264b3337195128971bd2e8d996
SHA512ce985926e0971732675265664e606fad15078e9bca7b31219decad2405c0175a61d41bd2dd9cb4db3ea4b6fcab6f78b8a348bc4f0711127963b4d8a3153a2164
-
C:\Users\Admin\AppData\Local\Temp\afnfntnsr.vbsMD5
58a0e4b9ba5c90afb8636c2f3d945087
SHA100663c1c1c6a4824fcec15198e9f57cba286305f
SHA256807ed8f6d0ff17d6f59d2b651c6e12bac423df8e4de5bdd64e8db85a4dd21d01
SHA51228973594dac14284ad63d8fb16d0b810787fd0ac41869c461e85cdc66022dd2ca1cb7d460cf0fc94086ea3a9a4c633d1885a67163069374f61fed5652911ca6d
-
C:\Users\Admin\AppData\Local\Temp\ooerfrdb.exeMD5
2c269d932b52ff71a1429e94cd020c9f
SHA14de5a5fca618479c84e84f27bfdf589b692a5bea
SHA256f231fc321d5bfd7623b731251d4231ebd317916507696795ce0a091cb8e4dead
SHA5124f794cc19fdb840203782351d0b5216d34e8965892b47faa322b75b0b862d8d38362da314b0cd916bd6202f5a0c577bb7e7636042e65b03f1cf50b6730f73119
-
C:\Users\Admin\AppData\Local\Temp\ooerfrdb.exeMD5
2c269d932b52ff71a1429e94cd020c9f
SHA14de5a5fca618479c84e84f27bfdf589b692a5bea
SHA256f231fc321d5bfd7623b731251d4231ebd317916507696795ce0a091cb8e4dead
SHA5124f794cc19fdb840203782351d0b5216d34e8965892b47faa322b75b0b862d8d38362da314b0cd916bd6202f5a0c577bb7e7636042e65b03f1cf50b6730f73119
-
C:\Users\Admin\AppData\Local\Temp\tmp220B.tmp.ps1MD5
d67368501fb32af8c14ad4df2cc7cdcf
SHA1c95fc60da4cf3fb947cf05045d7e9e68e576ca73
SHA2562b15765efb517156703678d5991518169851bbe636491b28030c921860e8b744
SHA51250fac4ccc7e31ccb558e381605819070009a78ae82ea0bd408a395dc016b9ef4346126304fafea08000a41f7231b9c0b6f10e61a5f525694b659086a634c8fb9
-
C:\Users\Admin\AppData\Local\Temp\tmp220C.tmpMD5
c416c12d1b2b1da8c8655e393b544362
SHA1fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA2560600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
-
C:\Users\Admin\AppData\Local\Temp\tmp3556.tmp.ps1MD5
5ebb398f6422501d96ef3100413f9b96
SHA105eebb6df1ff16254114606962a9c83eefaf5ed3
SHA256475779076317815d869ae9b408d003936f77622ca0836587f77f723b93084b72
SHA512cf5dfe16291a3026bc30bc4fb329fc8724d776655e991468559b4f9ef57b52e39c24ad293edb13e97883399587b6bff9b2e73df8154b92af0f6882abb1a8b644
-
C:\Users\Admin\AppData\Local\Temp\yqpismtwjp.vbsMD5
4ddedc0d8ce2850ddaee69c71cebc899
SHA131538f87403049e3b855398cb2b0d6a3f33990ff
SHA256f77ac6c9c8adb9ec43074e9c56e99ee8a4b800dec85d3c0d63c34fcf838f52e4
SHA512f5978811a2579b0ce7eef920f48b939f38babac37ff5dc8ff50ccba7f5a58d4a9a813d6d04075a5a40a45f0340c74517f23802a6d2f3f6af778838ad2c7f3293
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exeMD5
046ada851b9f6193733140c6e129696b
SHA122d58b62ab2d39b038055c7ec45f29213534e547
SHA25679d2d551a3085bd5de8368b329ee39666a7ac98692d4261c4da7cc07ca360d9a
SHA5120bf530df50656a5bb1722220738039348c0ff7a3078b5c64ca6af9ce564d5f68d5bf51ee146c0c80751e963fe7e679f0f08243a1a508029ce75b7de4d1e3ddef
-
\Users\Admin\AppData\Local\Temp\OOERFR~1.TMP
MD5 219e20b69d099cab64444334e0874da8
SHA1 b3ea46e786a2826f4c01c807fee22934aeeb5c7b
SHA256 d50cbc7b8894f96af15f5e150bac2b7e74346dda50e9cd88ede07b56042e35a4
SHA512 063a4105306c1eb8c0a4ab46f0c2788ba1419da0fab62e44520c972b5c1b0ff17b1233e8f61a46c5520d42ae184253ec8b716ae2ba7e2f05f423a2f6233221bb
-
\Users\Admin\AppData\Local\Temp\nsh3242.tmp\UAC.dll
MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
memory/364-116-0x0000000000000000-mapping.dmp
-
memory/744-130-0x0000000000000000-mapping.dmp
-
memory/748-140-0x0000000000000000-mapping.dmp
-
memory/812-127-0x0000000000000000-mapping.dmp
-
memory/1368-137-0x0000000000000000-mapping.dmp
-
memory/1368-155-0x00000000006A0000-0x00000000006A1000-memory.dmp
Filesize 4KB
-
memory/1456-191-0x0000000000A60000-0x0000000000C00000-memory.dmp
Filesize 1.6MB
-
memory/1456-186-0x00007FF61E825FD0-mapping.dmp
-
memory/1456-192-0x000001E17DD40000-0x000001E17DEF1000-memory.dmp
Filesize 1.7MB
-
memory/1544-197-0x00000000072A0000-0x00000000072A1000-memory.dmp
Filesize 4KB
-
memory/1544-214-0x0000000006ED0000-0x0000000006ED1000-memory.dmp
Filesize 4KB
-
memory/1544-217-0x00000000049F3000-0x00000000049F4000-memory.dmp
Filesize 4KB
-
memory/1544-213-0x0000000009090000-0x0000000009091000-memory.dmp
Filesize 4KB
-
memory/1544-212-0x0000000009B00000-0x0000000009B01000-memory.dmp
Filesize 4KB
-
memory/1544-207-0x0000000008470000-0x0000000008471000-memory.dmp
Filesize 4KB
-
memory/1544-205-0x0000000008380000-0x0000000008381000-memory.dmp
Filesize 4KB
-
memory/1544-204-0x0000000008550000-0x0000000008551000-memory.dmp
Filesize 4KB
-
memory/1544-203-0x00000000079F0000-0x00000000079F1000-memory.dmp
Filesize 4KB
-
memory/1544-202-0x00000000049F2000-0x00000000049F3000-memory.dmp
Filesize 4KB
-
memory/1544-201-0x00000000049F0000-0x00000000049F1000-memory.dmp
Filesize 4KB
-
memory/1544-200-0x0000000007D70000-0x0000000007D71000-memory.dmp
Filesize 4KB
-
memory/1544-199-0x0000000007C20000-0x0000000007C21000-memory.dmp
Filesize 4KB
-
memory/1544-198-0x0000000007AB0000-0x0000000007AB1000-memory.dmp
Filesize 4KB
-
memory/1544-196-0x00000000073A0000-0x00000000073A1000-memory.dmp
Filesize 4KB
-
memory/1544-195-0x0000000004830000-0x0000000004831000-memory.dmp
Filesize 4KB
-
memory/1544-189-0x0000000000000000-mapping.dmp
-
memory/2116-136-0x0000000000000000-mapping.dmp
-
memory/2124-164-0x0000000002350000-0x0000000002450000-memory.dmp
Filesize 1024KB
-
memory/2124-156-0x0000000000000000-mapping.dmp
-
memory/2124-165-0x0000000000400000-0x0000000000549000-memory.dmp
Filesize 1.3MB
-
memory/2368-126-0x0000000000000000-mapping.dmp
-
memory/2488-121-0x0000000000000000-mapping.dmp
-
memory/2788-179-0x0000000005170000-0x0000000006406000-memory.dmp
Filesize 18.6MB
-
memory/2788-161-0x0000000000000000-mapping.dmp
-
memory/2796-123-0x0000000000000000-mapping.dmp
-
memory/2796-148-0x0000000002070000-0x0000000002096000-memory.dmp
Filesize 152KB
-
memory/2796-149-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize 452KB
-
memory/3080-153-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize 452KB
-
memory/3080-150-0x0000000000000000-mapping.dmp
-
memory/3272-166-0x0000000000000000-mapping.dmp
-
memory/3324-133-0x0000000000000000-mapping.dmp
-
memory/3516-159-0x0000000000000000-mapping.dmp
-
memory/3684-231-0x0000000007230000-0x0000000007231000-memory.dmp
Filesize 4KB
-
memory/3684-232-0x0000000007232000-0x0000000007233000-memory.dmp
Filesize 4KB
-
memory/3684-218-0x0000000000000000-mapping.dmp
-
memory/3684-230-0x00000000088B0000-0x00000000088B1000-memory.dmp
Filesize 4KB
-
memory/3684-227-0x0000000008220000-0x0000000008221000-memory.dmp
Filesize 4KB
-
memory/3860-117-0x0000000000000000-mapping.dmp
-
memory/3920-115-0x0000000000400000-0x00000000004E5000-memory.dmp
Filesize 916KB
-
memory/3920-114-0x0000000002120000-0x0000000002201000-memory.dmp
Filesize 900KB
-
memory/3992-241-0x0000000000000000-mapping.dmp
-
memory/4064-147-0x0000000000000000-mapping.dmp
-
memory/4092-174-0x0000000000000000-mapping.dmp
-
memory/4092-185-0x00000000048B0000-0x0000000005B46000-memory.dmp
Filesize 18.6MB
-
memory/4092-190-0x0000000005D90000-0x0000000005D91000-memory.dmp
Filesize 4KB
-
memory/4092-129-0x0000000000000000-mapping.dmp
-
memory/4092-180-0x0000000005D60000-0x0000000005D61000-memory.dmp
Filesize 4KB
-
memory/4092-177-0x00000000041E0000-0x000000000433F000-memory.dmp
Filesize 1.4MB