Analysis
- max time kernel: 151s
- max time network: 200s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 12-08-2021 21:30
Static task: static1
Behavioral task: behavioral1
- Sample: cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe
- Resource: win10v20210410
General
- Target: cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe
- Size: 311KB
- MD5: 61cb66b049958cb48db0f5b33f96ae4f
- SHA1: ab128a4c170927bc46f28977ac26f1d1264bd6e2
- SHA256: cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d
- SHA512: 01d8bf2c755b6314c342b4e3733042dbe164dbd01e5cbae46306acb1cc9ff252342e70a40dff069f84d6f55bb56055933e5a2c491bada862fadf227728420f1f
Malware Config
Extracted
smokeloader
2020
Extracted
raccoon
471c70de3b4f9e4d493e418d1f60a90659057de0
- url4cnc: https://telete.in/p1rosto100xx
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected phishing page
-
Process spawned unexpected child process 5 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1712 | 436 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1468 | 436 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1760 | 436 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 240 | 436 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2036 | 436 | schtasks.exe
-
Raccoon Stealer Payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1608-143-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
behavioral1/memory/1608-144-0x000000000044003F-mapping.dmp | family_raccoon
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\CD9D.exe | dcrat (x2)
C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe | dcrat (x2)
\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe | dcrat (x2)
C:\Windows\System32\C_1144\dllhost.exe | dcrat (x2)
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
Processes: C783.exe, CBA9.exe, CD9D.exe, Runtimebroker.exe, D127.exe, D75F.exe, DE15.exe, reviewbrokercrtCommonsessionperfDll.exe, dllhost.exe
pid | process
292 | C783.exe
328 | CBA9.exe
1492 | CD9D.exe
364 | Runtimebroker.exe
800 | D127.exe
920 | D75F.exe
1352 | DE15.exe
1324 | reviewbrokercrtCommonsessionperfDll.exe
1304 | dllhost.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: DE15.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DE15.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DE15.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
1244
-
Drops startup file 2 IoCs
Processes: cmd.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe | cmd.exe
-
Loads dropped DLL 8 IoCs
Processes: CBA9.exe, cmd.exe, WerFault.exe
pid | process
328 | CBA9.exe (x2)
1996 | cmd.exe (x2)
592 | WerFault.exe (x4)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\DE15.exe | themida
behavioral1/memory/1352-101-0x0000000000DE0000-0x0000000000DE1000-memory.dmp | themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes: reviewbrokercrtCommonsessionperfDll.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\winrshost\\winlogon.exe\"" | reviewbrokercrtCommonsessionperfDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\version\\conhost.exe\"" | reviewbrokercrtCommonsessionperfDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DE15 = "\"C:\\Users\\Default\\Templates\\DE15.exe\"" | reviewbrokercrtCommonsessionperfDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtimebroker = "\"C:\\Program Files\\Windows Mail\\en-US\\Runtimebroker.exe\"" | reviewbrokercrtCommonsessionperfDll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\C_1144\\dllhost.exe\"" | reviewbrokercrtCommonsessionperfDll.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes: DE15.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DE15.exe
-
Drops file in System32 directory 7 IoCs
Processes: reviewbrokercrtCommonsessionperfDll.exe
description | ioc | process
File opened for modification | C:\Windows\System32\C_1144\dllhost.exe | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Windows\System32\C_1144\5940a34987c99120d96dace90a3f93f329dcad63 | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Windows\System32\winrshost\winlogon.exe | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Windows\System32\winrshost\cc11b995f2a76da408ea6a601e682e64743153ad | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Windows\System32\version\conhost.exe | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Windows\System32\version\088424020bedd6b28ac7fd22ee35dcd7322895ce | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Windows\System32\C_1144\dllhost.exe | reviewbrokercrtCommonsessionperfDll.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: DE15.exe
pid | process
1352 | DE15.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe
description | pid | process | target process
PID 1068 set thread context of 1700 | 1068 | cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe | cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe
-
Drops file in Program Files directory 2 IoCs
Processes: reviewbrokercrtCommonsessionperfDll.exe
description | ioc | process
File created | C:\Program Files\Windows Mail\en-US\Runtimebroker.exe | reviewbrokercrtCommonsessionperfDll.exe
File created | C:\Program Files\Windows Mail\en-US\494612dc1871f8a4ed60d2fe7ea59dfbac148ae9 | reviewbrokercrtCommonsessionperfDll.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
592 | 364 | WerFault.exe | Runtimebroker.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
pid | process
1712 | schtasks.exe
1468 | schtasks.exe
1760 | schtasks.exe
240 | schtasks.exe
2036 | schtasks.exe
-
Processes: dllhost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | dllhost.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = | dllhost.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe
pid | process
1700 | cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe (x2)
1244 (repeated for the remaining entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1244
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe
pid | process
1700 | cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes: DE15.exe, reviewbrokercrtCommonsessionperfDll.exe, WerFault.exe, dllhost.exe, D75F.exe
description | pid | process
Token: SeShutdownPrivilege | 1244
Token: SeShutdownPrivilege | 1244
Token: SeShutdownPrivilege | 1244
Token: SeDebugPrivilege | 1352 | DE15.exe
Token: SeDebugPrivilege | 1324 | reviewbrokercrtCommonsessionperfDll.exe
Token: SeDebugPrivilege | 592 | WerFault.exe
Token: SeShutdownPrivilege | 1244
Token: SeDebugPrivilege | 1304 | dllhost.exe
Token: SeDebugPrivilege | 920 | D75F.exe
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
pid | process
1244 (x6)
-
Suspicious use of SendNotifyMessage 6 IoCs
Processes:
pid | process
1244 (x6)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: C783.exe
pid | process
292 | C783.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe, CBA9.exe, CD9D.exe, schtasks.exe, cmd.exe, D127.exe, Runtimebroker.exe, reviewbrokercrtCommonsessionperfDll.exe, cmd.exe
description | pid | process | target process
PID 1068 wrote to memory of 1700 | 1068 | cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe | cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe (x7)
PID 1244 wrote to memory of 292 | 1244 | C783.exe (x4)
PID 1244 wrote to memory of 328 | 1244 | CBA9.exe (x4)
PID 1244 wrote to memory of 1492 | 1244 | CD9D.exe (x4)
PID 1244 wrote to memory of 800 | 1244 | D127.exe (x4)
PID 328 wrote to memory of 364 | 328 | CBA9.exe | Runtimebroker.exe (x4)
PID 1492 wrote to memory of 240 | 1492 | CD9D.exe | WScript.exe (x4)
PID 1244 wrote to memory of 920 | 1244 | D75F.exe (x4)
PID 1244 wrote to memory of 1352 | 1244 | DE15.exe (x7)
PID 240 wrote to memory of 1996 | 240 | schtasks.exe | cmd.exe (x4)
PID 1996 wrote to memory of 1324 | 1996 | cmd.exe | reviewbrokercrtCommonsessionperfDll.exe (x4)
PID 800 wrote to memory of 1872 | 800 | D127.exe | cmd.exe (x4)
PID 364 wrote to memory of 592 | 364 | Runtimebroker.exe | WerFault.exe (x4)
PID 1324 wrote to memory of 728 | 1324 | reviewbrokercrtCommonsessionperfDll.exe | cmd.exe (x3)
PID 728 wrote to memory of 1488 | 728 | cmd.exe | chcp.com (x3)
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe | "C:\Users\Admin\AppData\Local\Temp\cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe" | 1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe | "C:\Users\Admin\AppData\Local\Temp\cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d.exe" | 2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\C783.exe | C:\Users\Admin\AppData\Local\Temp\C783.exe | 1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\CBA9.exe | C:\Users\Admin\AppData\Local\Temp\CBA9.exe | 1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Runtimebroker.exe | "C:\ProgramData\Runtimebroker.exe" | 2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 788 | 3⤵
- Loads dropped DLL
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\CD9D.exe | C:\Users\Admin\AppData\Local\Temp\CD9D.exe | 1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\reviewbrokercrtCommon\kB5VrhbV.vbe" | 2⤵
-
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\reviewbrokercrtCommon\94dfcaErtMmvX.bat" " | 3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe | "C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe" | 4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zk5xzaCr5b.bat" | 5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.com | chcp 65001 | 6⤵
-
C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | 6⤵
-
C:\Windows\System32\C_1144\dllhost.exe | "C:\Windows\System32\C_1144\dllhost.exe" | 6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\D127.exe | C:\Users\Admin\AppData\Local\Temp\D127.exe | 1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe | cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat | 2⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\D75F.exe | C:\Users\Admin\AppData\Local\Temp\D75F.exe | 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\D75F.exe | C:\Users\Admin\AppData\Local\Temp\D75F.exe | 2⤵
-
C:\Users\Admin\AppData\Local\Temp\DE15.exe | C:\Users\Admin\AppData\Local\Temp\DE15.exe | 1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\C_1144\dllhost.exe'" /rl HIGHEST /f | 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\winrshost\winlogon.exe'" /rl HIGHEST /f | 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\version\conhost.exe'" /rl HIGHEST /f | 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "DE15" /sc ONLOGON /tr "'C:\Users\Default\Templates\DE15.exe'" /rl HIGHEST /f | 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "Runtimebroker" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\Runtimebroker.exe'" /rl HIGHEST /f | 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads