Analysis
max time kernel: 160s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 25-01-2022 12:14
Static task: static1
Behavioral task: behavioral1
Sample: be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe
Resource: win10v2004-en-20220112
General
Target: be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe
Size: 317KB
MD5: 651b565bf27de6c439c1c1071361b37a
SHA1: 00bf67fd5775f80a14a0051bc295241c9e4c0b57
SHA256: be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1
SHA512: 6cbaa1e05e88ce967be7e7ae9c5aa5b6ab7cfce4b6bdd3e93550ee10a86336ef6f1d6ea1dff19172e8278791145e2e87ff6ec3f74815d3074655bac942f8b304
Malware Config
Extracted
Family: smokeloader
Version: 2020
C2:
http://abpa.at/upload/
http://emaratghajari.com/upload/
http://d7qw.cn/upload/
http://alumik-group.ru/upload/
http://zamkikurgan.ru/upload/
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
Extracted
Family: redline
Botnet: 1
C2: 45.32.171.34:42954
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/3800-318-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
Each hit is a WerFault.exe -pss instance (see the process tree) creating the WerFault.exe -u crash handler with the crashed explorer.exe or DllHost.exe as its parent, which is how Windows Error Reporting re-parents crash handlers; the signature is a by-product of the four crashes, not of the sample calling this API.
Processes:
description | pid | process | target process
PID 3260 created 4060 | 3260 | WerFault.exe | explorer.exe
PID 4092 created 2720 | 4092 | WerFault.exe | DllHost.exe
PID 2268 created 2180 | 2268 | WerFault.exe | DllHost.exe
PID 2536 created 3548 | 2536 | WerFault.exe | DllHost.exe
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
1564 | 7468.exe
3152 | 984D.exe
3800 | 984D.exe
Modifies Windows Firewall 1 TTPs
The only firewall-related command in the process tree is netsh firewall show state, which reads the firewall state rather than changing it.
-
Sets service image path in registry 2 TTPs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers such as RedLine target stored browser data, which can include saved credentials, cookies and autofill entries.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up entries under the registry Uninstall key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate the software installed on the system; the wmic Win32_Product query in the process tree collects the same inventory through WMI.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 3152 set thread context of 3800 | 3152 | 984D.exe | 984D.exe
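The row above is one step of a process-hollowing (RunPE) sequence: the first 984D.exe (pid 3152) starts a second copy of its own image (pid 3800), writes into it repeatedly (eight rows under "Suspicious use of WriteProcessMemory") and then replaces a thread context in it, and the RedLine yara hit lands in the memory of 3800, not 3152. As an added example, not code from this report or from the sandbox that produced it, the Python below correlates behaviour rows of the kind the signature tables print into that three-step sequence and names the child worth dumping. The row schema, the action names and the sample rows are constructed for the example; the pids and image names in the sample rows are the ones this report shows.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BehaviorRow:
    """One cross-process action, in the shape the signature tables print them."""
    action: str      # "created", "wrote_memory" or "set_thread_context"
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


HOLLOWING_STEPS = {"created", "wrote_memory", "set_thread_context"}


def _norm(image):
    """Case-insensitive key; works for bare names and full paths alike."""
    return image.strip().lower()


def find_hollowing(rows, require_same_image=True):
    """Return sorted (src_pid, dst_pid, target_image) triples for every source that
    created a process, wrote into it and replaced a thread context in it.
    With require_same_image the target must be a second copy of the source's own
    image, which is the self-spawn pattern in this report; relax it to also catch
    hollowing of a decoy such as a freshly started system binary."""
    actions = defaultdict(set)
    images = {}
    for r in rows:
        key = (r.src_pid, r.dst_pid)
        actions[key].add(r.action)
        images[key] = (_norm(r.src_image), _norm(r.dst_image))
    hits = []
    for key, acts in actions.items():
        src_img, dst_img = images[key]
        if HOLLOWING_STEPS <= acts and (not require_same_image or src_img == dst_img):
            hits.append((key[0], key[1], dst_img))
    return sorted(hits)


def pids_to_dump(rows):
    """The hollowed children: the processes whose memory holds the real payload."""
    return [dst for _, dst, _ in find_hollowing(rows)]


# Constructed from this report's rows (pids and image names as reported).
SAMPLE_ROWS = [
    BehaviorRow("created", 3152, "984D.exe", 3800, "984D.exe"),
    *[BehaviorRow("wrote_memory", 3152, "984D.exe", 3800, "984D.exe") for _ in range(8)],
    BehaviorRow("set_thread_context", 3152, "984D.exe", 3800, "984D.exe"),
    # pid 2412 (no image name recorded) writes into the dropped files as they
    # start but never touches a thread context: not hollowing
    BehaviorRow("wrote_memory", 2412, "", 1564, "7468.exe"),
    BehaviorRow("wrote_memory", 2412, "", 3152, "984D.exe"),
    # same image name but a plain create: the IE broker starting a content process
    BehaviorRow("created", 2916, "iexplore.exe", 452, "IEXPLORE.EXE"),
    # WerFault re-parenting a crash handler: different images, no memory writes
    BehaviorRow("created", 3260, "WerFault.exe", 4060, "explorer.exe"),
]

if __name__ == "__main__":
    for src, dst, img in find_hollowing(SAMPLE_ROWS):
        print(f"{img}: pid {src} hollowed pid {dst}; dump {dst} for the unpacked payload")
```

All three actions from the same source to the same target are required: a parent writing into a child it just started (pid 2412 here) or a same-named broker/content pair (iexplore.exe) does not qualify on its own. The yara resource name in the RedLine signature (memory of pid 3800, region 0x400000-0x420000) is the dump this correlation points at.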
Drops file in Windows directory 1 IoCs
The single hit is TiWorker.exe (the Windows Modules Installer worker) writing its own servicing log, CBS.log; it is not attributed to the sample.
Processes:
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
Program crash 4 IoCs
Processes:
pid | pid_target | process | target process
1888 | 4060 | WerFault.exe | explorer.exe
2508 | 2720 | WerFault.exe | DllHost.exe
1684 | 2180 | WerFault.exe | DllHost.exe
3888 | 3548 | WerFault.exe | DllHost.exe
Checks SCSI registry key(s) 3 TTPs 6 IoCs
The subkey names under Enum\SCSI carry the disk vendor and product strings, which on a virtual machine name the hypervisor's virtual disk (Ven_VBOX, Ven_VMware and similar), so malware reads and enumerates them to detect sandboxes. Both the sample and the dropped 7468.exe do so here.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 7468.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 7468.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 7468.exe
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments. In this run every hit belongs to WerFault.exe, which reads the CPU name and clock speed while building crash reports for explorer.exe and DllHost.exe; none is attributed to the sample or the files it dropped.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
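The two registry signatures above list the reads without saying what a reader of those keys is looking for. As an added example, not code from the sample, the sandbox or this report, the Python below applies the check from the malware's side: it takes the subkey names under the SCSI enum key and the ProcessorNameString of CPU 0 (the two locations named in the report) and looks for hypervisor vendor strings in them. The marker list is an assumption chosen for illustration; the key paths are the ones in the report.

```python
import sys

# The two keys named in the report (HKEY_LOCAL_MACHINE relative).
SCSI_ENUM_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"
CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"

# Assumption: illustrative substrings that hypervisors put into disk and CPU
# identifiers. A real check carries a longer list; this one is for the example.
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "virtual", "hyper-v")


def vm_indicators(scsi_device_ids, cpu_name=""):
    """Apply the fingerprint logic an anti-sandbox check applies to those keys.

    scsi_device_ids: subkey names under the SCSI enum key, for example
                     "Disk&Ven_VBOX&Prod_HARDDISK" (vendor and product sit in the name)
    cpu_name:        the ProcessorNameString value of CPU 0
    Returns the matched reasons; an empty list means the host looks physical.
    """
    reasons = []
    for dev in scsi_device_ids:
        marker = next((m for m in VM_MARKERS if m in dev.lower()), None)
        if marker:
            reasons.append(f"scsi:{dev}:{marker}")
    marker = next((m for m in VM_MARKERS if m in cpu_name.lower()), None)
    if marker:
        reasons.append(f"cpu:{marker}")
    return reasons


def read_fingerprint_from_registry():
    """Collect the same values on a live Windows host (stdlib winreg only)."""
    if sys.platform != "win32":
        raise OSError("winreg is only available on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ENUM_KEY) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        device_ids = [winreg.EnumKey(key, i) for i in range(subkey_count)]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CPU_KEY) as key:
        cpu_name, _ = winreg.QueryValueEx(key, "ProcessorNameString")
    return device_ids, cpu_name


if __name__ == "__main__":
    try:
        ids, cpu = read_fingerprint_from_registry()
    except OSError as err:
        print(err)
    else:
        print(vm_indicators(ids, cpu) or "no VM markers found")
```

Run it on a Windows host to see what the sample saw. For detection engineering note that Sysmon records registry key creation, deletion and value writes but not reads, so the "Key opened/queried/enumerated" rows here exist only in the sandbox trace; on an endpoint the observable is the behaviour that follows the check, not the check itself.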
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 8 IoCs
All eight hits are WerFault.exe reading the BIOS SystemSKU value for its crash reports, one open/query pair per crash; none is attributed to the sample.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Gathers network information 2 TTPs 4 IoCs
Uses command-line utilities to view the network configuration.
Processes:
pid | process
3068 | NETSTAT.EXE
764 | ipconfig.exe
1964 | ipconfig.exe
488 | NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies Internet Explorer settings 22 IoCs
All writes are Internet Explorer's own VersionManager, Recovery and Main housekeeping values in the user's hive. Paths below are under \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000, written as <USER>.
Processes:
description | ioc | process
Key created | <USER>\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | <USER>\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937573" | iexplore.exe
Key created | <USER>\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (int) | <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2332498120" | iexplore.exe
Key created | <USER>\SOFTWARE\Microsoft\Internet Explorer\Main | (process not recorded)
Key created | <USER>\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str) | <USER>\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | <USER>\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2332498120" | iexplore.exe
Set value (int) | <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (int) | <USER>\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B6691D33-7DD8-11EC-82D0-7AB5AFB0B0FC} = "0" | iexplore.exe
Key created | <USER>\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | <USER>\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | <USER>\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | <USER>\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | (process not recorded)
Set value (int) | <USER>\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | <USER>\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937573" | iexplore.exe
Set value (int) | <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2349373581" | IEXPLORE.EXE
Set value (int) | <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937573" | IEXPLORE.EXE
Modifies data under HKEY_USERS 41 IoCs
All 41 hits are WaaSMedicAgent.exe (the Windows Update Medic service) creating the certificate-store keys under the .DEFAULT hive (SystemCertificates, Policies\Microsoft\SystemCertificates, WinTrust); this is routine system-account activity and none of it is attributed to the sample. Paths below are under \REGISTRY\USER\.DEFAULT\Software, written as <DEFAULT>.
Processes:
description | ioc | process
Key created | <DEFAULT>\Microsoft\SystemCertificates\Root | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\Root\CTLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Policies\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\SmartCardRoot | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
Key created | <DEFAULT>\Policies\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\S
ystemCertificates\CA\CRLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
Key created | <DEFAULT>\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\Root\Certificates | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\Root\CRLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Policies\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
Key created | <DEFAULT>\Policies\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Policies\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\SmartCardRoot\CTLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Policies\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\SmartCardRoot\CRLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
Key created | <DEFAULT>\Policies\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
Key created | <DEFAULT>\Policies\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Key created | <DEFAULT>\Policies\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
Key created | <DEFAULT>\Policies\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Key created | <DEFAULT>\Microsoft\SystemCertificates\SmartCardRoot\Certificates | WaaSMedicAgent.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid 2412 appears throughout the report with no image name recorded):
pid | process | rows
3292 | be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe | 2
2412 | (no image name recorded) | 62
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2412 | (no image name recorded)
Suspicious behavior: MapViewOfSection 56 IoCs
Processes (in the order recorded; consecutive identical rows collapsed):
pid | process | consecutive rows
3292 | be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe | 1
1564 | 7468.exe | 1
2412 | (no image name recorded) | 6
3940 | explorer.exe | 2
2412 | (no image name recorded) | 2
656 | explorer.exe | 2
2412 | (no image name recorded) | 2
2128 | explorer.exe | 2
2412 | (no image name recorded) | 2
4088 | explorer.exe | 2
2412 | (no image name recorded) | 2
492 | explorer.exe | 4
2412 | (no image name recorded) | 2
2832 | explorer.exe | 26
Suspicious use of AdjustPrivilegeToken 64 IoCs
wmic.exe enables the full privilege set of its token when it starts (the same 21-entry block is recorded for both WMIC.exe pids), so those rows are expected for that utility; the rows to note are SeDebugPrivilege in both 984D.exe instances.
Processes:
description | pid | process
Token: SeDebugPrivilege | 3152 | 984D.exe
Token: SeShutdownPrivilege | 2412 | (no image name recorded)
Token: SeCreatePagefilePrivilege | 2412 | (no image name recorded)
Token: SeDebugPrivilege | 3800 | 984D.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence recorded twice, 42 rows) | 1292 | WMIC.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33 (18 rows) | 3580 | WMIC.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
2916 | iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process | rows
2916 | iexplore.exe | 2
452 | IEXPLORE.EXE | 2
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
2780 | RuntimeBroker.exe
Suspicious use of WriteProcessMemory 64 IoCs
Pids 3580, 1316, 488, 3068 and 764 are reused during the run (first by WMIC.exe, later by netsh.exe, systeminfo.exe, NETSTAT.EXE and ipconfig.exe), so match rows on process name as well as pid. Pid 2412 is recorded without an image name.
Processes (identical rows collapsed with a count):
description | pid | process | target process | rows
PID 2412 wrote to memory of 1564 | 2412 | (no image name recorded) | 7468.exe | 3
PID 2412 wrote to memory of 3152 | 2412 | (no image name recorded) | 984D.exe | 3
PID 3152 wrote to memory of 3800 | 3152 | 984D.exe | 984D.exe | 8
PID 2412 wrote to memory of 1772 | 2412 | (no image name recorded) | cmd.exe | 2
PID 1772 wrote to memory of 1292, 3580, 1140, 1316, 3036, 3692, 3636, 488, 1484, 3068, 764, 2132, 4024, 2844 | 1772 | cmd.exe | WMIC.exe | 2 each, 28
PID 1772 wrote to memory of 1964 | 1772 | cmd.exe | ipconfig.exe | 2
PID 1772 wrote to memory of 1996 | 1772 | cmd.exe | ROUTE.EXE | 2
PID 1772 wrote to memory of 3580 | 1772 | cmd.exe | netsh.exe | 2
PID 1772 wrote to memory of 1316 | 1772 | cmd.exe | systeminfo.exe | 2
PID 1772 wrote to memory of 3192 | 1772 | cmd.exe | tasklist.exe | 2
PID 1772 wrote to memory of 2180 | 1772 | cmd.exe | net.exe | 2
PID 2180 wrote to memory of 2432 | 2180 | net.exe | net1.exe | 2
PID 1772 wrote to memory of 3940 | 1772 | cmd.exe | net.exe | 2
PID 3940 wrote to memory of 2236 | 3940 | net.exe | net1.exe | 2
PID 1772 wrote to memory of 2932 | 1772 | cmd.exe | net.exe | 2
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2720 -s 10122⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe"C:\Users\Admin\AppData\Local\Temp\be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe e5e5e0cbfee086840323a7c126870ba5 YUZr/UheakC/FjzEQ2ieDg.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\7468.exeC:\Users\Admin\AppData\Local\Temp\7468.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\984D.exeC:\Users\Admin\AppData\Local\Temp\984D.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\984D.exeC:\Users\Admin\AppData\Local\Temp\984D.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv2⤵
-
C:\Windows\system32\ipconfig.exeipconfig /displaydns2⤵
- Gathers network information
-
C:\Windows\system32\ROUTE.EXEroute print2⤵
-
C:\Windows\system32\netsh.exenetsh firewall show state2⤵
-
C:\Windows\system32\systeminfo.exesysteminfo2⤵
- Gathers system information
-
C:\Windows\system32\tasklist.exetasklist /v2⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\net.exenet accounts /domain2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 accounts /domain3⤵
-
C:\Windows\system32\net.exenet share2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 share3⤵
-
C:\Windows\system32\net.exenet user2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user3⤵
-
C:\Windows\system32\net.exenet user /domain2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user /domain3⤵
-
C:\Windows\system32\net.exenet use2⤵
-
C:\Windows\system32\net.exenet group2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 group3⤵
-
C:\Windows\system32\net.exenet localgroup2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup3⤵
-
C:\Windows\system32\NETSTAT.EXEnetstat -r2⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print3⤵
-
C:\Windows\system32\ROUTE.EXEC:\Windows\system32\route.exe print4⤵
-
C:\Windows\system32\NETSTAT.EXEnetstat -nao2⤵
- Gathers network information
-
C:\Windows\system32\schtasks.exeschtasks /query2⤵
-
C:\Windows\system32\ipconfig.exeipconfig /all2⤵
- Gathers network information
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  cmd: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
  cmd: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2916 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 884
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4060 -ip 4060
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection
C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection
C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection
C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection
C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection
C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection
C:\Windows\system32\WerFault.exe
  cmd: C:\Windows\system32\WerFault.exe -pss -s 524 -p 2720 -ip 2720
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    C:\Windows\system32\WerFault.exe
      cmd: C:\Windows\system32\WerFault.exe -u -p 2180 -s 832
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Windows\system32\WerFault.exe
  cmd: C:\Windows\system32\WerFault.exe -pss -s 536 -p 2180 -ip 2180
  - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    C:\Windows\system32\WerFault.exe
      cmd: C:\Windows\system32\WerFault.exe -u -p 3548 -s 780
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Windows\system32\WerFault.exe
  cmd: C:\Windows\system32\WerFault.exe -pss -s 520 -p 3548 -ip 3548
  - Suspicious use of NtCreateProcessExOtherParentProcess
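Added example (not part of the report): the Python below rebuilds a process tree from entries in the raw extracted form, where each line fuses image path, command line and a tree-depth digit (`C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 8842⤵` is the path, the command line `-u -p 4060 -s 884` and depth 2). It then pairs the two WerFault.exe instances Windows Error Reporting launches for every crash. The `-u -p <pid>` instance runs as a child of the faulting process and writes the dump, so its parent in the tree is the process that crashed (here PID 4060 under SysWOW64\explorer.exe, and 2180 and 3548 under DllHost.exe). The `-pss ... -p <pid> -ip <pid>` instance is started by the WER service with the faulting process assigned as its parent, which is what the NtCreateProcessExOtherParentProcess signature on those entries reacts to; on WerFault.exe that signature is ordinary crash handling, not parent-PID spoofing by the sample. The useful signal is which processes crashed and at which bitness (SysWOW64\WerFault.exe handles 32-bit processes). RAW_TREE is a constructed subset of the entries above; Node, build_tree and crash_summary are names chosen for this example.

```python
"""Rebuild a sandbox process tree from fused one-line entries and pair WerFault stages.

Added example; not the report's own code. Each extracted entry reads
  <image path><command line><depth digit>⤵
with the image path repeated at the start of the command line. Depth 1 is a
tree root; depth 2 is a child of the nearest preceding depth-1 entry.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: a subset of the tree entries, in the raw extracted form.
RAW_TREE = [
    r"C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵",
    r"C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 8842⤵",
    r"C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵",
    r"C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4060 -ip 40601⤵",
    r"C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵",
    r"C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2180 -s 8322⤵",
    r"C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 536 -p 2180 -ip 21801⤵",
]


@dataclass
class Node:
    image: str
    cmdline: str
    depth: int
    parent: Optional["Node"] = field(default=None, repr=False)
    children: List["Node"] = field(default_factory=list, repr=False)


_DEPTH_RE = re.compile(r"(\d)⤵$")
_CRASH_PID_RE = re.compile(r"-p (\d+)")   # matches "-p 4060", not "-pss" or "-ip 4060"


def parse_entry(line):
    """Split one fused entry into image path, command line and depth."""
    s = line.strip()
    m = _DEPTH_RE.search(s)
    if not m:
        raise ValueError(f"missing depth marker: {line!r}")
    body = s[:m.start()]
    cut = body.lower().find(".exe")          # the image path ends at the first ".exe"
    if cut < 0:
        raise ValueError(f"no image path: {line!r}")
    cut += len(".exe")
    return Node(image=body[:cut], cmdline=body[cut:], depth=int(m.group(1)))


def build_tree(lines):
    """Attach each entry to the nearest preceding entry of smaller depth."""
    roots, stack = [], []
    for line in lines:
        node = parse_entry(line)
        while stack and stack[-1].depth >= node.depth:
            stack.pop()
        if stack:
            node.parent = stack[-1]
            stack[-1].children.append(node)
        else:
            roots.append(node)
        stack.append(node)
    return roots


def walk(nodes):
    for n in nodes:
        yield n
        yield from walk(n.children)


def crash_summary(roots):
    """Pair WER's two WerFault.exe instances per crashed PID and name the crashed process.

    "-u -p <pid>" is the dump writer, a child of the faulting process, so its tree
    parent is the process that crashed. "-pss ... -ip <pid>" is the reporter stage
    the WER service starts with the faulting process assigned as parent.
    """
    crashes = {}
    for n in walk(roots):
        if not n.image.lower().endswith("werfault.exe"):
            continue
        m = _CRASH_PID_RE.search(n.cmdline)
        if not m:
            continue
        pid = int(m.group(1))
        rec = crashes.setdefault(pid, {"pid": pid, "crashed_image": None, "stages": [], "wow64": None})
        if "-pss" in n.cmdline.split():
            rec["stages"].append("report")
        else:
            rec["stages"].append("dump")
            if n.parent is not None:
                rec["crashed_image"] = n.parent.image
        # WER launches the WerFault.exe build that matches the crashed process's bitness.
        rec["wow64"] = "syswow64" in n.image.lower()
    return crashes


if __name__ == "__main__":
    for rec in crash_summary(build_tree(RAW_TREE)).values():
        bits = "32-bit" if rec["wow64"] else "64-bit"
        print(f"pid {rec['pid']}: crashed {rec['crashed_image']} ({bits}); "
              f"WER stages seen: {', '.join(rec['stages'])}")
```

The same parser works on the full tree; a WerFault.exe `-pss` entry that has no matching `-u` entry (PID 2720 in this section) shows up with `crashed_image` unset, which tells you the dump-writer line sits outside the excerpt rather than that the crash never happened.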
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\984D.exe.log
  MD5    e5352797047ad2c91b83e933b24fbc4f
  SHA1   9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
  SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
  SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827
- C:\Users\Admin\AppData\Local\Temp\7468.exe
  MD5    1e1abe7fe78311624c480f785228ef47
  SHA1   5b790f25faf6d425240f68607409e5b0450e04ca
  SHA256 fc462265edf8ffd74ffd676925aecd60fee97f540addd79ee8acf027c05340f3
  SHA512 80b4e043dd17a7f5c783a2863eb6e8c9628478d52d50c0b4d12741f43d779d63727db7bfe38ed74e2a0d5cfdf20f31a94a8fa9518bcef998b6c820257180b363
- C:\Users\Admin\AppData\Local\Temp\984D.exe
  MD5    3c2e9382b4e85a6f9e0a09f81ec256af
  SHA1   8b0776f4086f61cfd127b668a86339f250200aea
  SHA256 1be06cc2ea2134d4d08ff169a3cee4c39586b26b888eda3e710ab51f1eb26804
  SHA512 2b53bc7850563a71bb4b14b19aa8ba27caca4739022ad46f896b1e8330f2685774ba757d78f9c8788aa272addc845acf159f8b818afc9e95b3f5488557d0c4d6
- memory/492-370-0x0000000003180000-0x0000000003186000-memory.dmp  Filesize 24KB
- memory/492-371-0x0000000003170000-0x000000000317B000-memory.dmp  Filesize 44KB
- memory/656-365-0x0000000000CE0000-0x0000000000CEE000-memory.dmp  Filesize 56KB
- memory/656-364-0x0000000000CF0000-0x0000000000CF9000-memory.dmp  Filesize 36KB
- memory/1280-382-0x000001CBC8C50000-0x000001CBC8C51000-memory.dmp  Filesize 4KB
- memory/1564-308-0x0000000000400000-0x0000000000456000-memory.dmp  Filesize 344KB
- memory/1564-307-0x0000000000490000-0x0000000000499000-memory.dmp  Filesize 36KB
- memory/1564-306-0x0000000000480000-0x0000000000488000-memory.dmp  Filesize 32KB
- memory/2084-361-0x0000000000B20000-0x0000000000B2C000-memory.dmp  Filesize 48KB
- memory/2128-366-0x0000000000330000-0x0000000000335000-memory.dmp  Filesize 20KB
- memory/2128-367-0x0000000000320000-0x0000000000329000-memory.dmp  Filesize 36KB
- memory/2204-376-0x000001D7DF400000-0x000001D7DF401000-memory.dmp  Filesize 4KB
- memory/2224-377-0x0000020C49F50000-0x0000020C49F51000-memory.dmp  Filesize 4KB
- memory/2276-378-0x0000014438450000-0x0000014438451000-memory.dmp  Filesize 4KB
- memory/2412-133-0x0000000000AB0000-0x0000000000AC6000-memory.dmp  Filesize 88KB
- memory/2412-311-0x0000000007B80000-0x0000000007B96000-memory.dmp  Filesize 88KB
- memory/2412-331-0x00000000082E0000-0x00000000086D3000-memory.dmp  Filesize 3.9MB
- memory/2524-379-0x00000176F4FE0000-0x00000176F4FE1000-memory.dmp  Filesize 4KB
- memory/2780-383-0x00000190A6910000-0x00000190A6911000-memory.dmp  Filesize 4KB
- memory/2812-380-0x000002C3BA780000-0x000002C3BA781000-memory.dmp  Filesize 4KB
- memory/2832-375-0x0000000000C90000-0x0000000000C9D000-memory.dmp  Filesize 52KB
- memory/2832-374-0x0000000000CA0000-0x0000000000CA7000-memory.dmp  Filesize 28KB
- memory/2880-381-0x000001E487EA0000-0x000001E487EA1000-memory.dmp  Filesize 4KB
- memory/3152-315-0x0000000004FE0000-0x0000000005056000-memory.dmp  Filesize 472KB
- memory/3152-317-0x0000000005940000-0x0000000005EE4000-memory.dmp  Filesize 5.6MB
- memory/3152-316-0x0000000004FC0000-0x0000000004FDE000-memory.dmp  Filesize 120KB
- memory/3152-313-0x0000000004F20000-0x0000000005170000-memory.dmp  Filesize 2.3MB
- memory/3152-312-0x0000000000600000-0x000000000068A000-memory.dmp  Filesize 552KB
- memory/3152-314-0x0000000004F20000-0x0000000005170000-memory.dmp  Filesize 2.3MB
- memory/3292-130-0x00000000005C0000-0x00000000005C8000-memory.dmp  Filesize 32KB
- memory/3292-132-0x0000000000400000-0x0000000000456000-memory.dmp  Filesize 344KB
- memory/3292-131-0x00000000005D0000-0x00000000005D9000-memory.dmp  Filesize 36KB
- memory/3308-372-0x0000000004B60000-0x0000000004B61000-memory.dmp  Filesize 4KB
- memory/3308-373-0x0000000004B50000-0x0000000004B5B000-memory.dmp  Filesize 44KB
- memory/3800-328-0x00000000073B0000-0x0000000007572000-memory.dmp  Filesize 1.8MB
- memory/3800-323-0x00000000058D0000-0x00000000059DA000-memory.dmp  Filesize 1.0MB
- memory/3800-318-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize 128KB
- memory/3800-321-0x0000000005D60000-0x0000000006378000-memory.dmp  Filesize 6.1MB
- memory/3800-322-0x00000000057A0000-0x00000000057B2000-memory.dmp  Filesize 72KB
- memory/3800-324-0x0000000005800000-0x000000000583C000-memory.dmp  Filesize 240KB
- memory/3800-325-0x0000000005740000-0x0000000005D58000-memory.dmp  Filesize 6.1MB
- memory/3800-330-0x0000000007580000-0x00000000075D0000-memory.dmp  Filesize 320KB
- memory/3800-329-0x0000000007AB0000-0x0000000007FDC000-memory.dmp  Filesize 5.2MB
- memory/3800-327-0x0000000006720000-0x00000000067B2000-memory.dmp  Filesize 584KB
- memory/3800-326-0x0000000005B60000-0x0000000005BC6000-memory.dmp  Filesize 408KB
- memory/3940-362-0x00000000005B0000-0x00000000005B7000-memory.dmp  Filesize 28KB
- memory/3940-363-0x00000000005A0000-0x00000000005AB000-memory.dmp  Filesize 44KB
- memory/4060-359-0x0000000003470000-0x00000000034E5000-memory.dmp  Filesize 468KB
- memory/4060-360-0x0000000003400000-0x000000000346B000-memory.dmp  Filesize 428KB
- memory/4088-368-0x0000000000700000-0x0000000000706000-memory.dmp  Filesize 24KB
- memory/4088-369-0x00000000006F0000-0x00000000006FC000-memory.dmp  Filesize 48KB
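Added example (not part of the report): the memory artifacts are named memory/<pid>-<index>-<start>-<end>-memory.dmp, and the Filesize shown with each one is simply end minus start, printed as whole KB below 1 MiB and as MB to one decimal above. The Python below parses those names, recomputes the size from the address range and checks it against the stated value, groups regions by PID, marks ranges at or above 4 GiB as belonging to a 64-bit process (a 32-bit or WOW64 process cannot map there), and lists regions mapped at 0x400000, the default image base of 32-bit executables and the first place to look for an unpacked or injected PE. LISTING is a constructed subset of the entries above; the 0x400000 heuristic and all function names are this example's own, not something the report asserts.

```python
"""Parse and sanity-check memory-dump artifact names from a sandbox report.

Added example; not the report's own code. Names follow
  memory/<pid>-<index>-<start>-<end>-memory.dmp
and the stated Filesize equals end - start, rendered as whole KB below
1 MiB and as MB to one decimal above it.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the report's listing as (artifact name, stated size).
LISTING = [
    ("memory/492-370-0x0000000003180000-0x0000000003186000-memory.dmp", "24KB"),
    ("memory/1280-382-0x000001CBC8C50000-0x000001CBC8C51000-memory.dmp", "4KB"),
    ("memory/1564-308-0x0000000000400000-0x0000000000456000-memory.dmp", "344KB"),
    ("memory/2412-331-0x00000000082E0000-0x00000000086D3000-memory.dmp", "3.9MB"),
    ("memory/3152-317-0x0000000005940000-0x0000000005EE4000-memory.dmp", "5.6MB"),
    ("memory/3292-132-0x0000000000400000-0x0000000000456000-memory.dmp", "344KB"),
    ("memory/3800-318-0x0000000000400000-0x0000000000420000-memory.dmp", "128KB"),
    ("memory/3800-321-0x0000000005D60000-0x0000000006378000-memory.dmp", "6.1MB"),
    ("memory/4060-359-0x0000000003470000-0x00000000034E5000-memory.dmp", "468KB"),
]

PAGE = 0x1000
PE_DEFAULT_BASE = 0x400000  # default 32-bit image base; triage heuristic, not a report rule

_NAME_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Return pid, index, start, end and size (bytes) for one artifact name."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised artifact name: {name!r}")
    pid, index = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start or start % PAGE or end % PAGE:
        raise ValueError(f"not a page-aligned, non-empty region: {name!r}")
    return {"pid": pid, "index": index, "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Render a byte count the way the report's Filesize column does."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def is_64bit_range(region):
    """Addresses at or above 4 GiB can only exist in a 64-bit process."""
    return region["start"] >= 1 << 32


def check_listing(listing):
    """Recompute every size from the address range and compare with the stated one."""
    out = []
    for name, stated in listing:
        region = parse_dump_name(name)
        computed = human_size(region["size"])
        out.append({**region, "stated": stated, "computed": computed, "ok": stated == computed})
    return out


def regions_by_pid(listing):
    """Group regions per PID, sorted by start address."""
    groups = defaultdict(list)
    for name, _ in listing:
        r = parse_dump_name(name)
        groups[r["pid"]].append(r)
    for regions in groups.values():
        regions.sort(key=lambda r: r["start"])
    return dict(groups)


def likely_pe_images(listing):
    """Regions mapped at the default 32-bit image base: first place to look for an unpacked PE."""
    hits = []
    for name, _ in listing:
        r = parse_dump_name(name)
        if r["start"] == PE_DEFAULT_BASE:
            hits.append(r)
    return hits


if __name__ == "__main__":
    for r in check_listing(LISTING):
        flag = "" if r["ok"] else "  <-- stated size does not match range"
        bits = "64-bit process" if is_64bit_range(r) else ""
        print(f"pid {r['pid']:>5} #{r['index']:<4} {r['start']:#018x}-{r['end']:#018x} "
              f"{r['computed']:>6} {bits}{flag}")
    for r in likely_pe_images(LISTING):
        print(f"candidate PE image in pid {r['pid']}: {human_size(r['size'])} at {r['start']:#x}")
```

Run as-is it prints one line per region and then the 0x400000 candidates (PIDs 1564, 3292 and 3800 in the subset); feeding it the full listing above flags the same three PIDs, and a size mismatch on any line would point at a mangled address in the extraction rather than at the sandbox.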