metasploit | 4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22

Analysis

max time kernel
146s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-07-2022 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
Size

516KB
MD5

0d468d8b2a1f7f599575a60378554192
SHA1

2b3b2c9faf513e262ad623bd3c21ee4cc1a4ad2d
SHA256

4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22
SHA512

b009e1ff811fa525591ea9259b4c0d7b5e10c914dc8f8be7f0d6843c1beadf79305a96f60ad752922af95d25ef90adfa7c7485d9467130b44920faba9d11b747

Score

10^/10

metasploit backdoor evasion persistence suricata trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

msiexec.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\list\C:\Windows\SysWOW64\msiexec.exe = "C:\\Windows\\SysWOW64\\msiexec.exe:*:Generic Host Process"	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\list\C:\Windows\SysWOW64\svchost.exe = "C:\\Windows\\SysWOW64\\svchost.exe:*:Generic Host Process"	svchost.exe

suricata: ET MALWARE Andromeda Checkin
suricata: ET MALWARE Andromeda Checkin
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\14560 = "c:\\progra~3\\dxoveocmg.exe"	msiexec.exe

Executes dropped EXE 11 IoCs

Processes:

PJTPK87.exemsn.exemsn.execsrss.execsrss.exedxoveocmg.exedxoveocmg.exeUOYUPW83.exemsn.exedxoveocmg.exemsn.exe

pid	process
2032	PJTPK87.exe
936	msn.exe
1036	msn.exe
2020	csrss.exe
1936	csrss.exe
652	dxoveocmg.exe
1224	dxoveocmg.exe
744	UOYUPW83.exe
1148	msn.exe
2044	dxoveocmg.exe
1988	msn.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1656-58-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1656-61-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1656-62-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1656-70-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1656-83-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1224-161-0x0000000000400000-0x0000000000482000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

msiexec.exe

pid process

468 msiexec.exe

pid	process
468	msiexec.exe

Loads dropped DLL 20 IoCs

Processes:

4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exePJTPK87.exemsn.exemsiexec.exedxoveocmg.exedxoveocmg.exeUOYUPW83.exemsn.exe

pid	process
1656	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
1656	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
1656	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
2032	PJTPK87.exe
2032	PJTPK87.exe
2032	PJTPK87.exe
2032	PJTPK87.exe
936	msn.exe
468	msiexec.exe
468	msiexec.exe
652	dxoveocmg.exe
1224	dxoveocmg.exe
1224	dxoveocmg.exe
1224	dxoveocmg.exe
744	UOYUPW83.exe
744	UOYUPW83.exe
744	UOYUPW83.exe
744	UOYUPW83.exe
652	dxoveocmg.exe
1148	msn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msn.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remote Registry Service = "csrss.exe"	msn.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exedxoveocmg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	dxoveocmg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	dxoveocmg.exe

AutoIT Executable 18 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\F26D\msn.exe	autoit_exe
\Users\Admin\F26D\msn.exe	autoit_exe
\Users\Admin\F26D\msn.exe	autoit_exe
\Users\Admin\F26D\msn.exe	autoit_exe
C:\Users\Admin\F26D\msn.exe	autoit_exe
C:\Users\Admin\F26D\msn.exe	autoit_exe
\Users\Admin\F26D\msn.exe	autoit_exe
C:\Users\Admin\F26D\msn.exe	autoit_exe
C:\Windows\csrss.exe	autoit_exe
C:\Windows\csrss.exe	autoit_exe
C:\Windows\csrss.exe	autoit_exe
\Users\Admin\F26D\msn.exe	autoit_exe
\Users\Admin\F26D\msn.exe	autoit_exe
\Users\Admin\F26D\msn.exe	autoit_exe
\Users\Admin\F26D\msn.exe	autoit_exe
C:\Users\Admin\F26D\msn.exe	autoit_exe
\Users\Admin\F26D\msn.exe	autoit_exe
C:\Users\Admin\F26D\msn.exe	autoit_exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exemsn.execsrss.exedxoveocmg.exemsn.exe

description	pid	process	target process
PID 1984 set thread context of 1656	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1984 set thread context of 1296	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 936 set thread context of 1036	936	msn.exe	msn.exe
PID 2020 set thread context of 1936	2020	csrss.exe	csrss.exe
PID 652 set thread context of 1224	652	dxoveocmg.exe	dxoveocmg.exe
PID 652 set thread context of 2044	652	dxoveocmg.exe	dxoveocmg.exe
PID 1148 set thread context of 1988	1148	msn.exe	msn.exe

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File created \??\c:\progra~3\dxoveocmg.exe msiexec.exe

description	ioc	process
File created	\??\c:\progra~3\dxoveocmg.exe	msiexec.exe

Drops file in Windows directory 4 IoCs

Processes:

msn.exemsn.exe

description	ioc	process
File created	C:\Windows\csrss.exe	msn.exe
File opened for modification	C:\Windows\csrss.exe	msn.exe
File opened for modification	C:\Windows\csrss.exe	msn.exe
File created	C:\Windows\csrss.exe	msn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exemsn.execsrss.exemsn.exedxoveocmg.exe

pid process

1296 4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
936 msn.exe
2020 csrss.exe
1148 msn.exe
2044 dxoveocmg.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exedxoveocmg.exe

pid	process
1296	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
1296	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
2044	dxoveocmg.exe
2044	dxoveocmg.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exedxoveocmg.exedxoveocmg.exe

pid	process
1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
1656	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
652	dxoveocmg.exe
1224	dxoveocmg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exePJTPK87.exe4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exemsn.exemsn.execsrss.exe

description	pid	process	target process
PID 1984 wrote to memory of 1656	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1984 wrote to memory of 1656	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1984 wrote to memory of 1656	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1984 wrote to memory of 1656	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1984 wrote to memory of 1656	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1984 wrote to memory of 1656	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1984 wrote to memory of 1656	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1984 wrote to memory of 1656	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1984 wrote to memory of 1656	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1656 wrote to memory of 2032	1656	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	PJTPK87.exe
PID 1656 wrote to memory of 2032	1656	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	PJTPK87.exe
PID 1656 wrote to memory of 2032	1656	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	PJTPK87.exe
PID 1656 wrote to memory of 2032	1656	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	PJTPK87.exe
PID 1656 wrote to memory of 2032	1656	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	PJTPK87.exe
PID 1656 wrote to memory of 2032	1656	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	PJTPK87.exe
PID 1656 wrote to memory of 2032	1656	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	PJTPK87.exe
PID 2032 wrote to memory of 936	2032	PJTPK87.exe	msn.exe
PID 2032 wrote to memory of 936	2032	PJTPK87.exe	msn.exe
PID 2032 wrote to memory of 936	2032	PJTPK87.exe	msn.exe
PID 2032 wrote to memory of 936	2032	PJTPK87.exe	msn.exe
PID 2032 wrote to memory of 936	2032	PJTPK87.exe	msn.exe
PID 2032 wrote to memory of 936	2032	PJTPK87.exe	msn.exe
PID 2032 wrote to memory of 936	2032	PJTPK87.exe	msn.exe
PID 1984 wrote to memory of 1296	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1984 wrote to memory of 1296	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1984 wrote to memory of 1296	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1984 wrote to memory of 1296	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1984 wrote to memory of 1296	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1984 wrote to memory of 1296	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1984 wrote to memory of 1296	1984	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
PID 1296 wrote to memory of 468	1296	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	msiexec.exe
PID 1296 wrote to memory of 468	1296	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	msiexec.exe
PID 1296 wrote to memory of 468	1296	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	msiexec.exe
PID 1296 wrote to memory of 468	1296	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	msiexec.exe
PID 1296 wrote to memory of 468	1296	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	msiexec.exe
PID 1296 wrote to memory of 468	1296	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	msiexec.exe
PID 1296 wrote to memory of 468	1296	4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe	msiexec.exe
PID 936 wrote to memory of 1036	936	msn.exe	msn.exe
PID 936 wrote to memory of 1036	936	msn.exe	msn.exe
PID 936 wrote to memory of 1036	936	msn.exe	msn.exe
PID 936 wrote to memory of 1036	936	msn.exe	msn.exe
PID 936 wrote to memory of 1036	936	msn.exe	msn.exe
PID 936 wrote to memory of 1036	936	msn.exe	msn.exe
PID 936 wrote to memory of 1036	936	msn.exe	msn.exe
PID 936 wrote to memory of 1036	936	msn.exe	msn.exe
PID 936 wrote to memory of 1036	936	msn.exe	msn.exe
PID 936 wrote to memory of 1036	936	msn.exe	msn.exe
PID 936 wrote to memory of 1036	936	msn.exe	msn.exe
PID 936 wrote to memory of 1036	936	msn.exe	msn.exe
PID 936 wrote to memory of 1036	936	msn.exe	msn.exe
PID 1036 wrote to memory of 2020	1036	msn.exe	csrss.exe
PID 1036 wrote to memory of 2020	1036	msn.exe	csrss.exe
PID 1036 wrote to memory of 2020	1036	msn.exe	csrss.exe
PID 1036 wrote to memory of 2020	1036	msn.exe	csrss.exe
PID 1036 wrote to memory of 2020	1036	msn.exe	csrss.exe
PID 1036 wrote to memory of 2020	1036	msn.exe	csrss.exe
PID 1036 wrote to memory of 2020	1036	msn.exe	csrss.exe
PID 2020 wrote to memory of 1936	2020	csrss.exe	csrss.exe
PID 2020 wrote to memory of 1936	2020	csrss.exe	csrss.exe
PID 2020 wrote to memory of 1936	2020	csrss.exe	csrss.exe
PID 2020 wrote to memory of 1936	2020	csrss.exe	csrss.exe
PID 2020 wrote to memory of 1936	2020	csrss.exe	csrss.exe
PID 2020 wrote to memory of 1936	2020	csrss.exe	csrss.exe
PID 2020 wrote to memory of 1936	2020	csrss.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
"C:\Users\Admin\AppData\Local\Temp\4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
"C:\Users\Admin\AppData\Local\Temp\4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\PJTPK87.exe
"C:\Users\Admin\AppData\Local\Temp\PJTPK87.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\F26D\msn.exe
"C:\Users\Admin\F26D\msn.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\F26D\msn.exe
"C:\Users\Admin\F26D\msn.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\csrss.exe
"C:\Windows\csrss.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\csrss.exe
"C:\Windows\csrss.exe"
7⤵
- Executes dropped EXE
PID:1936

C:\Users\Admin\AppData\Local\Temp\4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
"C:\Users\Admin\AppData\Local\Temp\4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe"
2⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
3⤵
- Modifies firewall policy service
- Adds policy Run key to start application
- Deletes itself
- Loads dropped DLL
- Drops file in Program Files directory
PID:468

\??\c:\progra~3\dxoveocmg.exe
c:\progra~3\dxoveocmg.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:652

\??\c:\progra~3\dxoveocmg.exe
c:\progra~3\dxoveocmg.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Users\Admin\AppData\Local\Temp\UOYUPW83.exe
"C:\Users\Admin\AppData\Local\Temp\UOYUPW83.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:744

C:\Users\Admin\F26D\msn.exe
"C:\Users\Admin\F26D\msn.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1148

C:\Users\Admin\F26D\msn.exe
"C:\Users\Admin\F26D\msn.exe"
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1988

\??\c:\progra~3\dxoveocmg.exe
c:\progra~3\dxoveocmg.exe
5⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2044

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
6⤵
- Modifies firewall policy service
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\dxoveocmg.exe
Filesize
516KB

MD5
0d468d8b2a1f7f599575a60378554192

SHA1
2b3b2c9faf513e262ad623bd3c21ee4cc1a4ad2d

SHA256
4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22

SHA512
b009e1ff811fa525591ea9259b4c0d7b5e10c914dc8f8be7f0d6843c1beadf79305a96f60ad752922af95d25ef90adfa7c7485d9467130b44920faba9d11b747

Download Submit
C:\PROGRA~3\dxoveocmg.exe
Filesize
516KB

MD5
0d468d8b2a1f7f599575a60378554192

SHA1
2b3b2c9faf513e262ad623bd3c21ee4cc1a4ad2d

SHA256
4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22

SHA512
b009e1ff811fa525591ea9259b4c0d7b5e10c914dc8f8be7f0d6843c1beadf79305a96f60ad752922af95d25ef90adfa7c7485d9467130b44920faba9d11b747

Download Submit
C:\PROGRA~3\dxoveocmg.exe
Filesize
516KB

MD5
0d468d8b2a1f7f599575a60378554192

SHA1
2b3b2c9faf513e262ad623bd3c21ee4cc1a4ad2d

SHA256
4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22

SHA512
b009e1ff811fa525591ea9259b4c0d7b5e10c914dc8f8be7f0d6843c1beadf79305a96f60ad752922af95d25ef90adfa7c7485d9467130b44920faba9d11b747

Download Submit
C:\Users\Admin\AppData\Local\Temp\PJTPK87.exe
Filesize
483KB

MD5
846e69454ddca6f801239f0ff1e120be

SHA1
ff39cb2768bbf26e649892c01e470436f89f5599

SHA256
c6522bffd4b703164fed1600e3ecf2ef16d4b1b8b2493dcc8a1fca7ed3bfa65a

SHA512
b84870dca624e163417544e766165a5c2683faef5e78f36f68a5b5e84171d472ee0da5097728787ee3f2cc567101ce5e9f9c69f8f0788af60c7d5ad9da67fd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\PJTPK87.exe
Filesize
483KB

MD5
846e69454ddca6f801239f0ff1e120be

SHA1
ff39cb2768bbf26e649892c01e470436f89f5599

SHA256
c6522bffd4b703164fed1600e3ecf2ef16d4b1b8b2493dcc8a1fca7ed3bfa65a

SHA512
b84870dca624e163417544e766165a5c2683faef5e78f36f68a5b5e84171d472ee0da5097728787ee3f2cc567101ce5e9f9c69f8f0788af60c7d5ad9da67fd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOYUPW83.exe
Filesize
483KB

MD5
846e69454ddca6f801239f0ff1e120be

SHA1
ff39cb2768bbf26e649892c01e470436f89f5599

SHA256
c6522bffd4b703164fed1600e3ecf2ef16d4b1b8b2493dcc8a1fca7ed3bfa65a

SHA512
b84870dca624e163417544e766165a5c2683faef5e78f36f68a5b5e84171d472ee0da5097728787ee3f2cc567101ce5e9f9c69f8f0788af60c7d5ad9da67fd22

Download Submit
C:\Users\Admin\F26D\msn.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
C:\Users\Admin\F26D\msn.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
C:\Users\Admin\F26D\msn.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
C:\Users\Admin\F26D\msn.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
C:\Users\Admin\F26D\msn.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
C:\Windows\csrss.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
C:\Windows\csrss.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
C:\Windows\csrss.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
\??\c:\progra~3\dxoveocmg.exe
Filesize
516KB

MD5
0d468d8b2a1f7f599575a60378554192

SHA1
2b3b2c9faf513e262ad623bd3c21ee4cc1a4ad2d

SHA256
4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22

SHA512
b009e1ff811fa525591ea9259b4c0d7b5e10c914dc8f8be7f0d6843c1beadf79305a96f60ad752922af95d25ef90adfa7c7485d9467130b44920faba9d11b747

Download Submit
\PROGRA~3\dxoveocmg.exe
Filesize
516KB

MD5
0d468d8b2a1f7f599575a60378554192

SHA1
2b3b2c9faf513e262ad623bd3c21ee4cc1a4ad2d

SHA256
4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22

SHA512
b009e1ff811fa525591ea9259b4c0d7b5e10c914dc8f8be7f0d6843c1beadf79305a96f60ad752922af95d25ef90adfa7c7485d9467130b44920faba9d11b747

Download Submit
\PROGRA~3\dxoveocmg.exe
Filesize
516KB

MD5
0d468d8b2a1f7f599575a60378554192

SHA1
2b3b2c9faf513e262ad623bd3c21ee4cc1a4ad2d

SHA256
4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22

SHA512
b009e1ff811fa525591ea9259b4c0d7b5e10c914dc8f8be7f0d6843c1beadf79305a96f60ad752922af95d25ef90adfa7c7485d9467130b44920faba9d11b747

Download Submit
\PROGRA~3\dxoveocmg.exe
Filesize
516KB

MD5
0d468d8b2a1f7f599575a60378554192

SHA1
2b3b2c9faf513e262ad623bd3c21ee4cc1a4ad2d

SHA256
4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22

SHA512
b009e1ff811fa525591ea9259b4c0d7b5e10c914dc8f8be7f0d6843c1beadf79305a96f60ad752922af95d25ef90adfa7c7485d9467130b44920faba9d11b747

Download Submit
\PROGRA~3\dxoveocmg.exe
Filesize
516KB

MD5
0d468d8b2a1f7f599575a60378554192

SHA1
2b3b2c9faf513e262ad623bd3c21ee4cc1a4ad2d

SHA256
4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22

SHA512
b009e1ff811fa525591ea9259b4c0d7b5e10c914dc8f8be7f0d6843c1beadf79305a96f60ad752922af95d25ef90adfa7c7485d9467130b44920faba9d11b747

Download Submit
\Users\Admin\AppData\Local\Temp\PJTPK87.exe
Filesize
483KB

MD5
846e69454ddca6f801239f0ff1e120be

SHA1
ff39cb2768bbf26e649892c01e470436f89f5599

SHA256
c6522bffd4b703164fed1600e3ecf2ef16d4b1b8b2493dcc8a1fca7ed3bfa65a

SHA512
b84870dca624e163417544e766165a5c2683faef5e78f36f68a5b5e84171d472ee0da5097728787ee3f2cc567101ce5e9f9c69f8f0788af60c7d5ad9da67fd22

Download Submit
\Users\Admin\AppData\Local\Temp\PJTPK87.exe
Filesize
483KB

MD5
846e69454ddca6f801239f0ff1e120be

SHA1
ff39cb2768bbf26e649892c01e470436f89f5599

SHA256
c6522bffd4b703164fed1600e3ecf2ef16d4b1b8b2493dcc8a1fca7ed3bfa65a

SHA512
b84870dca624e163417544e766165a5c2683faef5e78f36f68a5b5e84171d472ee0da5097728787ee3f2cc567101ce5e9f9c69f8f0788af60c7d5ad9da67fd22

Download Submit
\Users\Admin\AppData\Local\Temp\PJTPK87.exe
Filesize
483KB

MD5
846e69454ddca6f801239f0ff1e120be

SHA1
ff39cb2768bbf26e649892c01e470436f89f5599

SHA256
c6522bffd4b703164fed1600e3ecf2ef16d4b1b8b2493dcc8a1fca7ed3bfa65a

SHA512
b84870dca624e163417544e766165a5c2683faef5e78f36f68a5b5e84171d472ee0da5097728787ee3f2cc567101ce5e9f9c69f8f0788af60c7d5ad9da67fd22

Download Submit
\Users\Admin\AppData\Local\Temp\UOYUPW83.exe
Filesize
483KB

MD5
846e69454ddca6f801239f0ff1e120be

SHA1
ff39cb2768bbf26e649892c01e470436f89f5599

SHA256
c6522bffd4b703164fed1600e3ecf2ef16d4b1b8b2493dcc8a1fca7ed3bfa65a

SHA512
b84870dca624e163417544e766165a5c2683faef5e78f36f68a5b5e84171d472ee0da5097728787ee3f2cc567101ce5e9f9c69f8f0788af60c7d5ad9da67fd22

Download Submit
\Users\Admin\AppData\Local\Temp\UOYUPW83.exe
Filesize
483KB

MD5
846e69454ddca6f801239f0ff1e120be

SHA1
ff39cb2768bbf26e649892c01e470436f89f5599

SHA256
c6522bffd4b703164fed1600e3ecf2ef16d4b1b8b2493dcc8a1fca7ed3bfa65a

SHA512
b84870dca624e163417544e766165a5c2683faef5e78f36f68a5b5e84171d472ee0da5097728787ee3f2cc567101ce5e9f9c69f8f0788af60c7d5ad9da67fd22

Download Submit
\Users\Admin\AppData\Local\Temp\UOYUPW83.exe
Filesize
483KB

MD5
846e69454ddca6f801239f0ff1e120be

SHA1
ff39cb2768bbf26e649892c01e470436f89f5599

SHA256
c6522bffd4b703164fed1600e3ecf2ef16d4b1b8b2493dcc8a1fca7ed3bfa65a

SHA512
b84870dca624e163417544e766165a5c2683faef5e78f36f68a5b5e84171d472ee0da5097728787ee3f2cc567101ce5e9f9c69f8f0788af60c7d5ad9da67fd22

Download Submit
\Users\Admin\F26D\msn.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
\Users\Admin\F26D\msn.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
\Users\Admin\F26D\msn.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
\Users\Admin\F26D\msn.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
\Users\Admin\F26D\msn.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
\Users\Admin\F26D\msn.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
\Users\Admin\F26D\msn.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
\Users\Admin\F26D\msn.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
\Users\Admin\F26D\msn.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
\Users\Admin\F26D\msn.exe
Filesize
728KB

MD5
1838249f6e218963310b439c330e968f

SHA1
ede425b7e5bf6e48aad44911fc019d96860030b7

SHA256
e58756634c366fb6c92562750eab8f48f0044b8204e753dfee62b9c1c9c2b109

SHA512
f1226a8c44d788c3c1c7ff2a925f20bee61db43f193bcf862d503ab7f683869a0d64d7b4ecd017876e7ea494caa9a94a55b4e2155c116a3d53a5e5f2b93d0659

Download Submit
memory/468-135-0x000000007EFA0000-0x000000007EFA6000-memory.dmp

Filesize
24KB

Download
memory/468-133-0x0000000000130000-0x0000000000144000-memory.dmp

Filesize
80KB

Download
memory/468-103-0x0000000000000000-mapping.dmp

Download
memory/468-134-0x00000000000D0000-0x00000000000D6000-memory.dmp

Filesize
24KB

Download
memory/652-132-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/652-140-0x00000000005E8000-0x00000000005EA000-memory.dmp

Filesize
8KB

Download
memory/652-128-0x0000000000000000-mapping.dmp

Download
memory/652-170-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/652-142-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/744-153-0x0000000000000000-mapping.dmp

Download
memory/936-79-0x0000000000000000-mapping.dmp

Download
memory/1036-96-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1036-125-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1036-108-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1036-100-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1036-97-0x000000000040ACE5-mapping.dmp

Download
memory/1036-94-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1036-92-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1036-91-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1036-89-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1036-88-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1224-161-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1224-141-0x000000000047FDC0-mapping.dmp

Download
memory/1296-80-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1296-81-0x0000000000401B10-mapping.dmp

Download
memory/1296-104-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1656-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1656-65-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1656-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1656-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1656-59-0x000000000047FDC0-mapping.dmp

Download
memory/1656-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1656-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1732-188-0x000000007EFA0000-0x000000007EFA6000-memory.dmp

Filesize
24KB

Download
memory/1732-184-0x0000000000000000-mapping.dmp

Download
memory/1732-186-0x0000000000720000-0x0000000000728000-memory.dmp

Filesize
32KB

Download
memory/1732-187-0x000000007EFA0000-0x000000007EFA6000-memory.dmp

Filesize
24KB

Download
memory/1936-136-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1936-120-0x000000000040ACE5-mapping.dmp

Download
memory/1984-85-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1984-57-0x00000000002F8000-0x00000000002FA000-memory.dmp

Filesize
8KB

Download
memory/1984-69-0x00000000002F8000-0x00000000002FA000-memory.dmp

Filesize
8KB

Download
memory/1984-56-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1988-177-0x000000000040ACE5-mapping.dmp

Download
memory/1988-183-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1988-189-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2020-106-0x0000000000000000-mapping.dmp

Download
memory/2032-71-0x0000000000000000-mapping.dmp

Download
memory/2044-166-0x0000000000401B10-mapping.dmp

Download