Analysis
- max time kernel: 61s
- max time network: 104s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 04-07-2022 08:28
Static task: static1
Behavioral task: behavioral1
- Sample: 42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f.msi
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f.msi
- Resource: win10v2004-20220414-en
General
- Target: 42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f.msi
- Size: 3.0MB
- MD5: 83d7f0fe8d269f04c7665c0b6cbb8ada
- SHA1: 902921743f59ff19eeb395d2618ef5addeac62fd
- SHA256: 42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f
- SHA512: c51cc2f1779bc9fd659cda5524464098fa19dd86910d7a23b4353d944e5dbe56ba43314ecb9b6352b9614e7f43f76d7b61fe60bf5a5c4889ac264dd8a7f845eb
Malware Config
Signatures

Blocklisted process makes network request (4 IoCs)
Processes:
  flow  pid   process
  2     1160  powershell.exe
  4     1160  powershell.exe
  6     1160  powershell.exe
  8     1160  powershell.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1924  aipackagechainer.exe
  300   2.exe

Loads dropped DLL (6 IoCs)
Processes:
  pid   process
  1712  MsiExec.exe
  1712  MsiExec.exe
  1712  MsiExec.exe
  1712  MsiExec.exe
  1712  MsiExec.exe
  1924  aipackagechainer.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc     process
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
Drops file in System32 directory (8 IoCs)
Processes:
  description                   ioc                                                                                                                                              process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015                                   powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357                                  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357                                   powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2   powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_DD2D9EEABEF3F0DB36412FEE753FD2DC  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_DD2D9EEABEF3F0DB36412FEE753FD2DC   powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015                                  powershell.exe

Drops file in Windows directory (16 IoCs)
Processes:
  description                   ioc                                 process
  File created                  C:\Windows\Installer\6c73f9.msi     msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI74D3.tmp    msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI834A.tmp    msiexec.exe
  File opened for modification  C:\Windows\INF\setupapi.ev3         DrvInst.exe
  File opened for modification  C:\Windows\Installer\6c73f9.msi     msiexec.exe
  File created                  C:\Windows\Installer\6c73fd.msi     msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI8416.tmp    msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI7715.tmp    msiexec.exe
  File opened for modification  C:\Windows\INF\setupapi.ev1         DrvInst.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log     DrvInst.exe
  File opened for modification  C:\Windows\Installer\MSI7AED.tmp    msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI7B9A.tmp    msiexec.exe
  File created                  C:\Windows\Installer\6c73fb.ipi     msiexec.exe
  File opened for modification  C:\Windows\Installer\               msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI827D.tmp    msiexec.exe
  File opened for modification  C:\Windows\Installer\6c73fb.ipi     msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes:
  pid   pid_target  process       target process
  1996  1472        WerFault.exe  word.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes:
  description      ioc  process
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Outlook  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Multimedia\msacm.imaadpcm  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Roman 12cpi = "Courier 12cpi"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\dBASE Files\Engines\Xbase\UserCommitSync = "Yes"  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Outlook\AutoDiscover\yahoo.co.uk = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOO~1\\YAE791~1.XML"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Outlook\AutoDiscover\wans.net = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOO~1\\WANSNE~1.XML"  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\User Settings\Outlook_SocialConnector  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Netscape\Netscape Navigator\Viewers\TYPE8 = "application/pps"  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\User Settings\Word_Intl\Count = "1"  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\Excel Files\Driver = "C:\\PROGRA~2\\COMMON~1\\MICROS~1\\OFFICE14\\ACEODBC.DLL"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MSDAIPP\Providers\{9FECD570-B9D4-11D1-9C78-0000F875AC61}\ = "Microsoft Data Access Internet Publishing Provider DAV"  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MSDAIPP\Providers\{9FECD570-B9D4-11D1-9C78-0000F875AC61}\Priority = "142606336"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Outlook\AutoDiscover\yahoo.co.jp = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOO~1\\YAHOOC~3.XML"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Task Response\Large Icon = "[7]"  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\User Settings\XDocs_XMLEditVerbHandler  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  aipackagechainer.exe
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Fax\AutoJournaled = "0"  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\Common\Smart Tag\Recognizers\{64AB6C69-B40E-40AF-9B7F-F5687B48E2B6}\urn:schemas-microsoft-com:office:smarttags#time  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\FE Font 2 = "FE Font 2"  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs  DrvInst.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources\dBASE Files = "Microsoft Access dBASE Driver (*.dbf, *.ndx, *.mdx)"  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\User Settings\Ace_OdbcCurrentUser  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\PowerPoint\Security\Trusted Locations\Location1\AllowSubFolders = "1"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Extensions\dot = "C:\\PROGRA~2\\MICROS~1\\Office14\\WINWORD.EXE ^.dot"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Extensions\xls = "C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE"  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs  DrvInst.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\General\Xlstart = "XLSTART"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\General\Startup = "STARTUP"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Meeting Request\Large Icon = "[3]"  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OneNoteChangeInstallLanguage = "No"  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TemplatePolicies  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Courier PS = "Roman PS"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Zapf Chancery = "Monotype Corsiva"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Roman 5cpi = "Courier 5cpi"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\MailSettings\Template  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\PowerPoint\Addins\OneNote.PowerPointAddinTakeNotesService\LoadBehavior = "0"  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Conversation  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Meeting Request\JournalByContact = "1"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Task\Large Icon = "[11]"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Times New Roman = "Times"  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\User Settings\Graph_Core  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\Word\Addins\OneNote.WordAddinTakeNotesService\Description = "Enable OneNote Linked Notes Content Service for Word"  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\Shell  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Netscape\Netscape Navigator\Suffixes\application/pot = "POT"  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\MS Access Database\Engines  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WinXPLanguagePatch = "1"  WINWORD.EXE
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Web Service Providers  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\Word\Addins\OneNote.WordAddinTakeNotesService\CommandLineSafe = "0"  WINWORD.EXE
Modifies registry class (21 IoCs)
Processes:
  description       ioc  process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FACD0CF651427304F94FC49674B3F70C  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FACD0CF651427304F94FC49674B3F70C\_  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FACD0CF651427304F94FC49674B3F70C\ProductName = "\u007f\u007f\u007f\u007f\u007f\u007f\u007f"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FACD0CF651427304F94FC49674B3F70C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FACD0CF651427304F94FC49674B3F70C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FACD0CF651427304F94FC49674B3F70C  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FACD0CF651427304F94FC49674B3F70C\PackageCode = "5AE4DB11F422BB54C91A75E2D53B6327"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B22BFFB44A7AFFB4EA01F4C48AB561D0\FACD0CF651427304F94FC49674B3F70C  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FACD0CF651427304F94FC49674B3F70C\SourceList\PackageName = "42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f.msi"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FACD0CF651427304F94FC49674B3F70C\SourceList  msiexec.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FACD0CF651427304F94FC49674B3F70C\Clients = 3a0000000000  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FACD0CF651427304F94FC49674B3F70C\MainFeature  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FACD0CF651427304F94FC49674B3F70C\Language = "1033"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FACD0CF651427304F94FC49674B3F70C\Assignment = "1"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FACD0CF651427304F94FC49674B3F70C\AdvertiseFlags = "388"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B22BFFB44A7AFFB4EA01F4C48AB561D0  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FACD0CF651427304F94FC49674B3F70C\SourceList\Net  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FACD0CF651427304F94FC49674B3F70C\Version = "16777216"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FACD0CF651427304F94FC49674B3F70C\InstanceType = "0"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FACD0CF651427304F94FC49674B3F70C\AuthorizedLUAApp = "0"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FACD0CF651427304F94FC49674B3F70C\DeploymentFlags = "3"  msiexec.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid  process
  548  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process
  956   msiexec.exe
  956   msiexec.exe
  1160  powershell.exe
  1592  powershell.exe
  1908  powershell.exe
  1624  powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description                           pid   process
  Token: SeShutdownPrivilege            1984  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1984  msiexec.exe
  Token: SeRestorePrivilege             956   msiexec.exe
  Token: SeTakeOwnershipPrivilege       956   msiexec.exe
  Token: SeSecurityPrivilege            956   msiexec.exe
  Token: SeCreateTokenPrivilege         1984  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1984  msiexec.exe
  Token: SeLockMemoryPrivilege          1984  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1984  msiexec.exe
  Token: SeMachineAccountPrivilege      1984  msiexec.exe
  Token: SeTcbPrivilege                 1984  msiexec.exe
  Token: SeSecurityPrivilege            1984  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1984  msiexec.exe
  Token: SeLoadDriverPrivilege          1984  msiexec.exe
  Token: SeSystemProfilePrivilege       1984  msiexec.exe
  Token: SeSystemtimePrivilege          1984  msiexec.exe
  Token: SeProfSingleProcessPrivilege   1984  msiexec.exe
  Token: SeIncBasePriorityPrivilege     1984  msiexec.exe
  Token: SeCreatePagefilePrivilege      1984  msiexec.exe
  Token: SeCreatePermanentPrivilege     1984  msiexec.exe
  Token: SeBackupPrivilege              1984  msiexec.exe
  Token: SeRestorePrivilege             1984  msiexec.exe
  Token: SeShutdownPrivilege            1984  msiexec.exe
  Token: SeDebugPrivilege               1984  msiexec.exe
  Token: SeAuditPrivilege               1984  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   1984  msiexec.exe
  Token: SeChangeNotifyPrivilege        1984  msiexec.exe
  Token: SeRemoteShutdownPrivilege      1984  msiexec.exe
  Token: SeUndockPrivilege              1984  msiexec.exe
  Token: SeSyncAgentPrivilege           1984  msiexec.exe
  Token: SeEnableDelegationPrivilege    1984  msiexec.exe
  Token: SeManageVolumePrivilege        1984  msiexec.exe
  Token: SeImpersonatePrivilege         1984  msiexec.exe
  Token: SeCreateGlobalPrivilege        1984  msiexec.exe
  Token: SeBackupPrivilege              1344  vssvc.exe
  Token: SeRestorePrivilege             1344  vssvc.exe
  Token: SeAuditPrivilege               1344  vssvc.exe
  Token: SeBackupPrivilege              956   msiexec.exe
  Token: SeRestorePrivilege             956   msiexec.exe
  Token: SeRestorePrivilege             1624  DrvInst.exe
  Token: SeRestorePrivilege             1624  DrvInst.exe
  Token: SeRestorePrivilege             1624  DrvInst.exe
  Token: SeRestorePrivilege             1624  DrvInst.exe
  Token: SeRestorePrivilege             1624  DrvInst.exe
  Token: SeRestorePrivilege             1624  DrvInst.exe
  Token: SeRestorePrivilege             1624  DrvInst.exe
  Token: SeLoadDriverPrivilege          1624  DrvInst.exe
  Token: SeLoadDriverPrivilege          1624  DrvInst.exe
  Token: SeLoadDriverPrivilege          1624  DrvInst.exe
  Token: SeRestorePrivilege             956   msiexec.exe
  Token: SeTakeOwnershipPrivilege       956   msiexec.exe
  Token: SeRestorePrivilege             956   msiexec.exe
  Token: SeTakeOwnershipPrivilege       956   msiexec.exe
  Token: SeRestorePrivilege             956   msiexec.exe
  Token: SeTakeOwnershipPrivilege       956   msiexec.exe
  Token: SeRestorePrivilege             956   msiexec.exe
  Token: SeTakeOwnershipPrivilege       956   msiexec.exe
  Token: SeRestorePrivilege             956   msiexec.exe
  Token: SeTakeOwnershipPrivilege       956   msiexec.exe
  Token: SeRestorePrivilege             956   msiexec.exe
  Token: SeTakeOwnershipPrivilege       956   msiexec.exe
  Token: SeRestorePrivilege             956   msiexec.exe
  Token: SeTakeOwnershipPrivilege       956   msiexec.exe
  Token: SeRestorePrivilege             956   msiexec.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
  pid   process
  1984  msiexec.exe
  1984  msiexec.exe
  1924  aipackagechainer.exe
  1924  aipackagechainer.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid  process
  548  WINWORD.EXE
Suspicious use of WriteProcessMemory (37 IoCs)
Processes:
  description                        pid   process               target process
  PID 956 wrote to memory of 1712    956   msiexec.exe           MsiExec.exe
  PID 956 wrote to memory of 1712    956   msiexec.exe           MsiExec.exe
  PID 956 wrote to memory of 1712    956   msiexec.exe           MsiExec.exe
  PID 956 wrote to memory of 1712    956   msiexec.exe           MsiExec.exe
  PID 956 wrote to memory of 1712    956   msiexec.exe           MsiExec.exe
  PID 956 wrote to memory of 1712    956   msiexec.exe           MsiExec.exe
  PID 956 wrote to memory of 1712    956   msiexec.exe           MsiExec.exe
  PID 956 wrote to memory of 1924    956   msiexec.exe           aipackagechainer.exe
  PID 956 wrote to memory of 1924    956   msiexec.exe           aipackagechainer.exe
  PID 956 wrote to memory of 1924    956   msiexec.exe           aipackagechainer.exe
  PID 956 wrote to memory of 1924    956   msiexec.exe           aipackagechainer.exe
  PID 956 wrote to memory of 1924    956   msiexec.exe           aipackagechainer.exe
  PID 956 wrote to memory of 1924    956   msiexec.exe           aipackagechainer.exe
  PID 956 wrote to memory of 1924    956   msiexec.exe           aipackagechainer.exe
  PID 1924 wrote to memory of 300    1924  aipackagechainer.exe  2.exe
  PID 1924 wrote to memory of 300    1924  aipackagechainer.exe  2.exe
  PID 1924 wrote to memory of 300    1924  aipackagechainer.exe  2.exe
  PID 1924 wrote to memory of 300    1924  aipackagechainer.exe  2.exe
  PID 1472 wrote to memory of 1996   1472  word.exe              WerFault.exe
  PID 1472 wrote to memory of 1996   1472  word.exe              WerFault.exe
  PID 1472 wrote to memory of 1996   1472  word.exe              WerFault.exe
  PID 1924 wrote to memory of 1160   1924  aipackagechainer.exe  powershell.exe
  PID 1924 wrote to memory of 1160   1924  aipackagechainer.exe  powershell.exe
  PID 1924 wrote to memory of 1160   1924  aipackagechainer.exe  powershell.exe
  PID 1924 wrote to memory of 1160   1924  aipackagechainer.exe  powershell.exe
  PID 1160 wrote to memory of 1592   1160  powershell.exe        powershell.exe
  PID 1160 wrote to memory of 1592   1160  powershell.exe        powershell.exe
  PID 1160 wrote to memory of 1592   1160  powershell.exe        powershell.exe
  PID 1160 wrote to memory of 1592   1160  powershell.exe        powershell.exe
  PID 1160 wrote to memory of 1908   1160  powershell.exe        powershell.exe
  PID 1160 wrote to memory of 1908   1160  powershell.exe        powershell.exe
  PID 1160 wrote to memory of 1908   1160  powershell.exe        powershell.exe
  PID 1160 wrote to memory of 1908   1160  powershell.exe        powershell.exe
  PID 1160 wrote to memory of 1624   1160  powershell.exe        powershell.exe
  PID 1160 wrote to memory of 1624   1160  powershell.exe        powershell.exe
  PID 1160 wrote to memory of 1624   1160  powershell.exe        powershell.exe
  PID 1160 wrote to memory of 1624   1160  powershell.exe        powershell.exe
Processes (each entry is indented by its depth in the process tree)

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B7D0B2F327F81C5E9F914D574703585C
    - Loads dropped DLL

  C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\\2.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\\2.exe"
      - Executes dropped EXE

      C:\windows\temp\word.exe
        Command line: "C:\windows\temp\word.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 1472 -s 544
          - Program crash

      C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\windows\temp\补充材料.docx"
        - Modifies data under HKEY_USERS
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_8C97.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Microsoft\' -retry_count 10"
      - Blocklisted process makes network request
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004EC" "0000000000000598"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\AI_8C97.ps1
  Filesize: 13KB
  MD5: bc738a907de8fd82f60b3076399d2919
  SHA1: b1ba780669af90d283ee41b46fd3a9c0be63289e
  SHA256: b2d5923658a04edcff416e46d17c64badd95d02df97601e141ade64474c9e3f0
  SHA512: 70a66f14b056aa2c92df10f5875e835642ced758512c54a85739ddf208362f080644d72d50129ba0adcb941c02a0398c90f1a6ad1762a8070c3f872a84679d9b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: e1d61ecc97a4feba458f9f4513f7099e
  SHA1: be4cd4d92a64ced37b6cdd2e0e0e3375f77272b3
  SHA256: edbdf6e6877c2b743b4dcdbc2305ddf24c308fb4037e76132c40023da000e881
  SHA512: e6c82c32af3c25aba56662963a1506ba9454825e26b47731d8c2a1bd29cefa4ac9d37cd4b6a7784ed9ac5715870292a49b64ac6be9e721a9d22214f107b46433

C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.exe
  Filesize: 748KB
  MD5: cf23d98b7e5d4f005b90c14e99ef146a
  SHA1: a89c40cc44930374ac4510f4978990f987975e7d
  SHA256: 6306724878799a05095288abdafb4d8e2a741f66f33ccebf5d834fbb08da7d8f
  SHA512: 176ba66df9f050cc932b6367c47e1c9ccfec3e2813234545cdc55eed13ddb72034d2d6984a9cd2fef9ed13ffdd5b698b275ad7c940ba74cf62c1fa2c4a3de579

C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.ini
  Filesize: 1KB
  MD5: aa344a2c80996664a3487d188bb8db38
  SHA1: df818590e6b6c6f00a8636630e3382932e283059
  SHA256: 671eb170889772d3db273ac5e69a0c0a3bc842721c583d164afb7f1e34033c82
  SHA512: 46e39a5a55789b7f05f7107d1fef1b5271bfc61741c7d3018e8661b6d2f9bb604c1081a130c557b01c005ae6bbd3836d7cf25e0fb79a7d7de54222dcb56edca5

C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\file_deleter.ps1
  Filesize: 13KB
  MD5: bc738a907de8fd82f60b3076399d2919
  SHA1: b1ba780669af90d283ee41b46fd3a9c0be63289e
  SHA256: b2d5923658a04edcff416e46d17c64badd95d02df97601e141ade64474c9e3f0
  SHA512: 70a66f14b056aa2c92df10f5875e835642ced758512c54a85739ddf208362f080644d72d50129ba0adcb941c02a0398c90f1a6ad1762a8070c3f872a84679d9b

C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\\2.exe
  Filesize: 681KB
  MD5: 0340cd41dc46e57d7a496c55e735f8b3
  SHA1: 78ef3380bb7307d5b2020a35c5a845160b9405e3
  SHA256: bf4d9742ea09c84b3057aac8c456efd3b069a5d181f70ccd6e7524278c281596
  SHA512: 7ee2732940b0626d0d45f364e35ed7207b09b9ba979468dfce281293d3817fac50379e43f1fa43affb7a7e22413b08352a024d19f089d3213af662ab4b103066

C:\Windows\Installer\MSI74D3.tmp
  Filesize: 549KB
  MD5: 822ec3c1b42ffdf6db9a15936f4512cf
  SHA1: 6ea07cae9eea92dd58bb6a81d3795033825e7045
  SHA256: 94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597
  SHA512: 0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

C:\Windows\Installer\MSI7715.tmp
  Filesize: 549KB
  MD5: 822ec3c1b42ffdf6db9a15936f4512cf
  SHA1: 6ea07cae9eea92dd58bb6a81d3795033825e7045
  SHA256: 94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597
  SHA512: 0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

C:\Windows\Installer\MSI7AED.tmp
  Filesize: 549KB
  MD5: 822ec3c1b42ffdf6db9a15936f4512cf
  SHA1: 6ea07cae9eea92dd58bb6a81d3795033825e7045
  SHA256: 94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597
  SHA512: 0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

C:\Windows\Installer\MSI7B9A.tmp
  Filesize: 631KB
  MD5: 825dfb5d9b0e8a8e6035741c984b60a8
  SHA1: c6f9d30ec90eb4e814c45acacbe4822f1c8bf02a
  SHA256: 68d1fe2093524c1845f844e4ac9accb71b52aee735250225ecadd33a04f9e1aa
  SHA512: 4cdb95f81c29d4b26ce39fd781b4ef191a28f3961942dbfa345495db8b43b5d705b7310527cd4bd19ade5bb5c1d7d5f9fed6316d1e628e98e18ab938d729ff35

C:\Windows\Installer\MSI834A.tmp
  Filesize: 631KB
  MD5: 825dfb5d9b0e8a8e6035741c984b60a8
  SHA1: c6f9d30ec90eb4e814c45acacbe4822f1c8bf02a
  SHA256: 68d1fe2093524c1845f844e4ac9accb71b52aee735250225ecadd33a04f9e1aa
  SHA512: 4cdb95f81c29d4b26ce39fd781b4ef191a28f3961942dbfa345495db8b43b5d705b7310527cd4bd19ade5bb5c1d7d5f9fed6316d1e628e98e18ab938d729ff35

\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\\2.exe
  Filesize: 681KB
  MD5: 0340cd41dc46e57d7a496c55e735f8b3
  SHA1: 78ef3380bb7307d5b2020a35c5a845160b9405e3
  SHA256: bf4d9742ea09c84b3057aac8c456efd3b069a5d181f70ccd6e7524278c281596
  SHA512: 7ee2732940b0626d0d45f364e35ed7207b09b9ba979468dfce281293d3817fac50379e43f1fa43affb7a7e22413b08352a024d19f089d3213af662ab4b103066

\Windows\Installer\MSI74D3.tmp
  Filesize: 549KB
  MD5: 822ec3c1b42ffdf6db9a15936f4512cf
  SHA1: 6ea07cae9eea92dd58bb6a81d3795033825e7045
  SHA256: 94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597
  SHA512: 0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

\Windows\Installer\MSI7715.tmp
  Filesize: 549KB
  MD5: 822ec3c1b42ffdf6db9a15936f4512cf
  SHA1: 6ea07cae9eea92dd58bb6a81d3795033825e7045
  SHA256: 94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597
  SHA512: 0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

\Windows\Installer\MSI7AED.tmp
  Filesize: 549KB
  MD5: 822ec3c1b42ffdf6db9a15936f4512cf
  SHA1: 6ea07cae9eea92dd58bb6a81d3795033825e7045
SHA25694cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597
SHA5120d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4
-
\Windows\Installer\MSI7B9A.tmpFilesize
631KB
MD5825dfb5d9b0e8a8e6035741c984b60a8
SHA1c6f9d30ec90eb4e814c45acacbe4822f1c8bf02a
SHA25668d1fe2093524c1845f844e4ac9accb71b52aee735250225ecadd33a04f9e1aa
SHA5124cdb95f81c29d4b26ce39fd781b4ef191a28f3961942dbfa345495db8b43b5d705b7310527cd4bd19ade5bb5c1d7d5f9fed6316d1e628e98e18ab938d729ff35
-
\Windows\Installer\MSI834A.tmpFilesize
631KB
MD5825dfb5d9b0e8a8e6035741c984b60a8
SHA1c6f9d30ec90eb4e814c45acacbe4822f1c8bf02a
SHA25668d1fe2093524c1845f844e4ac9accb71b52aee735250225ecadd33a04f9e1aa
SHA5124cdb95f81c29d4b26ce39fd781b4ef191a28f3961942dbfa345495db8b43b5d705b7310527cd4bd19ade5bb5c1d7d5f9fed6316d1e628e98e18ab938d729ff35
-
memory/300-76-0x0000000000000000-mapping.dmp
-
memory/548-89-0x00000000716ED000-0x00000000716F8000-memory.dmpFilesize
44KB
-
memory/548-82-0x0000000072C81000-0x0000000072C84000-memory.dmpFilesize
12KB
-
memory/548-84-0x0000000070701000-0x0000000070703000-memory.dmpFilesize
8KB
-
memory/548-85-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1160-104-0x0000000070150000-0x00000000706FB000-memory.dmpFilesize
5.7MB
-
memory/1160-105-0x0000000070150000-0x00000000706FB000-memory.dmpFilesize
5.7MB
-
memory/1160-81-0x0000000000000000-mapping.dmp
-
memory/1160-86-0x0000000070150000-0x00000000706FB000-memory.dmpFilesize
5.7MB
-
memory/1160-87-0x0000000070150000-0x00000000706FB000-memory.dmpFilesize
5.7MB
-
memory/1472-78-0x0000000000F70000-0x00000000011BE000-memory.dmpFilesize
2.3MB
-
memory/1592-94-0x0000000070150000-0x00000000706FB000-memory.dmpFilesize
5.7MB
-
memory/1592-90-0x0000000000000000-mapping.dmp
-
memory/1592-102-0x0000000070150000-0x00000000706FB000-memory.dmpFilesize
5.7MB
-
memory/1624-101-0x0000000070150000-0x00000000706FB000-memory.dmpFilesize
5.7MB
-
memory/1624-97-0x0000000000000000-mapping.dmp
-
memory/1624-106-0x0000000070150000-0x00000000706FB000-memory.dmpFilesize
5.7MB
-
memory/1712-57-0x0000000075DB1000-0x0000000075DB3000-memory.dmpFilesize
8KB
-
memory/1712-56-0x0000000000000000-mapping.dmp
-
memory/1908-93-0x0000000000000000-mapping.dmp
-
memory/1908-100-0x0000000070150000-0x00000000706FB000-memory.dmpFilesize
5.7MB
-
memory/1908-103-0x0000000070150000-0x00000000706FB000-memory.dmpFilesize
5.7MB
-
memory/1924-73-0x00000000752B1000-0x00000000752B3000-memory.dmpFilesize
8KB
-
memory/1924-69-0x0000000000000000-mapping.dmp
-
memory/1984-54-0x000007FEFC331000-0x000007FEFC333000-memory.dmpFilesize
8KB
-
memory/1996-79-0x0000000000000000-mapping.dmp