Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 01-12-2021 21:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: dc633751553106e282194500442fa25b956356b6c008d62319e3e70663b790c2.exe
- Resource: win10-en-20211014
General
- Target: dc633751553106e282194500442fa25b956356b6c008d62319e3e70663b790c2.exe
- Size: 333KB
- MD5: fa79bc553bfb6ea54398beca43a78c4b
- SHA1: 1a0b4934954ca30abbb6426e85669561068e661f
- SHA256: dc633751553106e282194500442fa25b956356b6c008d62319e3e70663b790c2
- SHA512: f1d58702575e26c641bdcc3c5ddeb33c1d96d88d3b67c78f342b7ef2bbce0587d4082834dbc5f95079f63397171d91347cc9aa98797bd22fe3fac17fdd3280ce
Malware Config
Extracted: smokeloader, version 2020
C2:
- http://rcacademy.at/upload/
- http://e-lanpengeonline.com/upload/
- http://vjcmvz.cn/upload/
- http://galala.ru/upload/
- http://witra.ru/upload/
- https://cinems.club/search.php
- https://clothes.surf/search.php
Extracted: redline, botnet 1
C2:
- 45.9.20.59:46287
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Matched resources (yara_rule family_redline):
- behavioral1/memory/2320-167-0x0000000002570000-0x000000000259E000-memory.dmp
- behavioral1/memory/2320-170-0x00000000050A0000-0x00000000050CC000-memory.dmp
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
Processes (pid, process):
- 2404 7C6F.exe
- 3180 SmartClock.exe
- 1608 AAB4.exe
- 1288 A69.exe
- 2320 3A44.exe
-
Modifies Windows Firewall 1 TTPs
-
Deletes itself 1 IoCs
Processes (pid, process):
- 3056 (no process name recorded)
-
Drops startup file 1 IoCs
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk (7C6F.exe)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (explorer.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (explorer.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (explorer.exe)
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes (pid, pid_target, process, target process):
- 392 -> 1288: WerFault.exe, target A69.exe
- 3164 -> 3728: WerFault.exe, target DllHost.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (dc633751553106e282194500442fa25b956356b6c008d62319e3e70663b790c2.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (dc633751553106e282194500442fa25b956356b6c008d62319e3e70663b790c2.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (dc633751553106e282194500442fa25b956356b6c008d62319e3e70663b790c2.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (AAB4.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (AAB4.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (AAB4.exe)
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.
Processes (pid, process):
- 1968 ipconfig.exe
- 2720 NETSTAT.EXE
- 1184 NETSTAT.EXE
- 376 ipconfig.exe
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies Internet Explorer settings
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid, process):
- 3180 SmartClock.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 3056 (no process name recorded)
-
Suspicious behavior: MapViewOfSection 58 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid, process):
- 2212 iexplore.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (pid, process):
- 2212 iexplore.exe
- 2212 iexplore.exe
- 2180 IEXPLORE.EXE
- 2180 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (explorer.exe)
-
outlook_win_path 1 IoCs
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (explorer.exe)
Processes (indented entries are child processes of the entry above them)
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 3728 -s 908
    Signatures: Program crash
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- c:\windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- c:\windows\system32\sihost.exe
  Command line: sihost.exe
- C:\Users\Admin\AppData\Local\Temp\dc633751553106e282194500442fa25b956356b6c008d62319e3e70663b790c2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc633751553106e282194500442fa25b956356b6c008d62319e3e70663b790c2.exe"
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\7C6F.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7C6F.exe
  Signatures: Executes dropped EXE; Drops startup file; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: AddClipboardFormatListener
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
- C:\Users\Admin\AppData\Local\Temp\AAB4.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\AAB4.exe
  Signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\A69.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\A69.exe
  Signatures: Executes dropped EXE
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 1288 -s 420
    Signatures: Program crash; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\cmd.exe
  Command line: cmd
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  - C:\Windows\system32\ipconfig.exe
    Command line: ipconfig /displaydns
    Signatures: Gathers network information
  - C:\Windows\system32\ROUTE.EXE
    Command line: route print
  - C:\Windows\system32\netsh.exe
    Command line: netsh firewall show state
  - C:\Windows\system32\systeminfo.exe
    Command line: systeminfo
    Signatures: Gathers system information
  - C:\Windows\system32\tasklist.exe
    Command line: tasklist /v
    Signatures: Enumerates processes with tasklist
  - C:\Windows\system32\net.exe
    Command line: net accounts /domain
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 accounts /domain
  - C:\Windows\system32\net.exe
    Command line: net share
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 share
  - C:\Windows\system32\net.exe
    Command line: net user
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user
  - C:\Windows\system32\net.exe
    Command line: net user /domain
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user /domain
  - C:\Windows\system32\net.exe
    Command line: net use
  - C:\Windows\system32\net.exe
    Command line: net group
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 group
  - C:\Windows\system32\net.exe
    Command line: net localgroup
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 localgroup
  - C:\Windows\system32\NETSTAT.EXE
    Command line: netstat -r
    Signatures: Gathers network information
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
      - C:\Windows\system32\ROUTE.EXE
        Command line: C:\Windows\system32\route.exe print
  - C:\Windows\system32\NETSTAT.EXE
    Command line: netstat -nao
    Signatures: Gathers network information
  - C:\Windows\system32\schtasks.exe
    Command line: schtasks /query
  - C:\Windows\system32\ipconfig.exe
    Command line: ipconfig /all
    Signatures: Gathers network information
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
- C:\Users\Admin\AppData\Local\Temp\3A44.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3A44.exe
  Signatures: Executes dropped EXE
- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:82945 /prefetch:2
    Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  Signatures: Accesses Microsoft Outlook profiles; outlook_office_path; outlook_win_path
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3A44.exe
MD5: 08723c40933b55241d686843f84c3447
SHA1: 874867e62a0f1ce70550f6944f4e8db66f645a61
SHA256: 08cddf1d75e9d20554b470691c5cdeb055d1354e183ad3be5bdf8bb18a1f13e6
SHA512: 2ec0feb148b7932691bf82af5240b00205d712d1484568e4b22ee154865cbdc0f2d9a05d9a3990b7c39697f0c59eda99b9d362e69d885ce54e3dbde34ae669ec
-
C:\Users\Admin\AppData\Local\Temp\7C6F.exe
MD5: 3c5e3151f6caf2b791c566360fbe2a0a
SHA1: e6f334e8611580d729bee053286e2d810cbe5c69
SHA256: 5561da03c4e77cfcfc1de1372dbbacc506f56ff341c667f51d269df9100d7577
SHA512: bcb0ca65cfae8ab88d0526fbdc10195221399ca9336f6dd2fc7cadee9d46ef010848e3613fef98845c444640c0eed3425190e69d43a25634783d082d785fd5cb
-
C:\Users\Admin\AppData\Local\Temp\A69.exe
MD5: 89f72549d10ca37bda16dfb88b06163c
SHA1: 6bf7fdcf959387f311a4d519c99addd83fcddbb3
SHA256: a87650819ff9fdaa524de78d2024505b3afba6412084f5a18d001605bad4e52f
SHA512: fb2a292d33a98dd7ff4d35c776ac867a15b34d28238733151c0803595063eb97c52d81012622dd8537716def6011617242e2486eb99bd8acb72918d93ce64fbf
-
C:\Users\Admin\AppData\Local\Temp\AAB4.exe
MD5: 05db051d56a60badfecd383277573408
SHA1: 2acb74daebd96c79e8e412468fd8b2c22d20861a
SHA256: 41f90072241c6875fbd2cf1125881345e08c95d38de2b01c6815d164c6846f28
SHA512: 87572dad23c1058c7414e838d9febf7130b14595d97ecfe7aa91b21cdf895db800023e9d0704d79b4922ff5f3e109279409b5d26e1175959d545eeb9fe69c59d
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5: 3c5e3151f6caf2b791c566360fbe2a0a
SHA1: e6f334e8611580d729bee053286e2d810cbe5c69
SHA256: 5561da03c4e77cfcfc1de1372dbbacc506f56ff341c667f51d269df9100d7577
SHA512: bcb0ca65cfae8ab88d0526fbdc10195221399ca9336f6dd2fc7cadee9d46ef010848e3613fef98845c444640c0eed3425190e69d43a25634783d082d785fd5cb
4KB
-
memory/2504-152-0x0000000000000000-mapping.dmp
-
memory/2504-117-0x0000000000400000-0x00000000004D5000-memory.dmpFilesize
852KB
-
memory/2504-115-0x0000000000721000-0x0000000000732000-memory.dmpFilesize
68KB
-
memory/2504-116-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/2720-160-0x0000000000000000-mapping.dmp
-
memory/2720-203-0x0000000000000000-mapping.dmp
-
memory/2744-186-0x0000000000000000-mapping.dmp
-
memory/2756-192-0x0000000000000000-mapping.dmp
-
memory/2844-188-0x0000000000000000-mapping.dmp
-
memory/2968-149-0x0000000000000000-mapping.dmp
-
memory/2972-154-0x0000000000000000-mapping.dmp
-
memory/2976-180-0x0000000000000000-mapping.dmp
-
memory/3056-141-0x0000000005D60000-0x0000000005D62000-memory.dmpFilesize
8KB
-
memory/3056-143-0x0000000005D50000-0x0000000005D5F000-memory.dmpFilesize
60KB
-
memory/3056-209-0x0000000005D60000-0x0000000005D62000-memory.dmpFilesize
8KB
-
memory/3056-137-0x0000000002BD0000-0x0000000002BE6000-memory.dmpFilesize
88KB
-
memory/3056-142-0x0000000005D60000-0x0000000005D62000-memory.dmpFilesize
8KB
-
memory/3056-211-0x0000000005D60000-0x0000000005D62000-memory.dmpFilesize
8KB
-
memory/3056-118-0x0000000000790000-0x00000000007A6000-memory.dmpFilesize
88KB
-
memory/3056-212-0x0000000005D60000-0x0000000005D62000-memory.dmpFilesize
8KB
-
memory/3164-302-0x00000171DF220000-0x00000171DF221000-memory.dmpFilesize
4KB
-
memory/3168-193-0x0000000000000000-mapping.dmp
-
memory/3180-130-0x0000000000400000-0x0000000000544000-memory.dmpFilesize
1.3MB
-
memory/3180-129-0x0000000000780000-0x0000000000811000-memory.dmpFilesize
580KB
-
memory/3180-123-0x0000000000000000-mapping.dmp
-
memory/3180-290-0x00000000001C0000-0x00000000001CB000-memory.dmpFilesize
44KB
-
memory/3180-289-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/3480-297-0x00000256F09F0000-0x00000256F09F1000-memory.dmpFilesize
4KB
-
memory/3632-293-0x0000000000FF0000-0x0000000000FFD000-memory.dmpFilesize
52KB
-
memory/3632-291-0x0000000000000000-mapping.dmp
-
memory/3632-292-0x0000000001280000-0x0000000001287000-memory.dmpFilesize
28KB
-
memory/3656-175-0x0000000000000000-mapping.dmp
-
memory/3772-190-0x0000000000000000-mapping.dmp
-
memory/3896-283-0x0000000000790000-0x0000000000796000-memory.dmpFilesize
24KB
-
memory/3896-284-0x0000000000780000-0x000000000078C000-memory.dmpFilesize
48KB
-
memory/3896-282-0x0000000000000000-mapping.dmp
-
memory/3932-277-0x0000000000F00000-0x0000000000F0E000-memory.dmpFilesize
56KB
-
memory/3932-276-0x0000000000F10000-0x0000000000F19000-memory.dmpFilesize
36KB
-
memory/3932-275-0x0000000000000000-mapping.dmp
-
memory/4016-148-0x0000000000000000-mapping.dmp