Analysis
- max time kernel: 122s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 24-07-2022 17:01

Static task: static1
Behavioral task: behavioral1
- Sample: 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
- Resource: win7-20220718-en

General
- Target: 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
- Size: 29.6MB
- MD5: 87e9ef77d9eae3a947a8922acf8179d4
- SHA1: 064167fa469d978df5fd2f1963d4bbb94c341e87
- SHA256: 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382
- SHA512: 4bbbe4f6fc0cf1fbe1ae30d3f1fe9356b5bdb08ef60dbecca42e32c3d6208b47db9c9087c1542f5f21c1f8a7a0e4951f2e7cc13f4fd336aed2fb3ca99cf487bf
Malware Config
Signatures
UAC bypass
Processes:
- wmiprvse.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- conhost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (x5)
- conhost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Executes dropped EXE 8 IoCs
Processes:
- PID 1316 inerstelar.exe
- PID 1596 key.exe
- PID 1940 rmsbuild.exe
- PID 1564 sysdisk.exe
- PID 1160 svnhost.exe
- PID 1224 sysdisk.exe
- PID 1616 mngrdevice.exe
- PID 856 winsystem.exe
Modifies Windows Firewall 1 TTPs 16 IoCs
Processes:
- PID 2000 netsh.exe
- PID 1016 netsh.exe
- PID 1432 netsh.exe
- PID 440 netsh.exe
- PID 1612 netsh.exe
- PID 1712 netsh.exe
- PID 2008 netsh.exe
- PID 1544 netsh.exe
- PID 2032 netsh.exe
- PID 1876 netsh.exe
- PID 2028 netsh.exe
- PID 860 netsh.exe
- PID 1512 netsh.exe
- PID 1496 netsh.exe
- PID 1952 netsh.exe
- PID 1904 netsh.exe
Processes:
- behavioral1/memory/1160-129-0x0000000010000000-0x000000001005A000-memory.dmp (yara rule: upx)
- behavioral1/memory/1160-128-0x0000000010000000-0x000000001005A000-memory.dmp (yara rule: upx)
- behavioral1/memory/1160-132-0x00000000034D0000-0x000000000352A000-memory.dmp (yara rule: upx)
- behavioral1/memory/1160-131-0x00000000034D0000-0x000000000352A000-memory.dmp (yara rule: upx)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- sysdisk.exe: Key value queried \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Control Panel\International\Geo\Nation
Loads dropped DLL 11 IoCs
Processes:
- PID 2024 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe (x3)
- PID 1940 rmsbuild.exe
- PID 1316 inerstelar.exe (x2)
- PID 1960 cmd.exe
- PID 1160 svnhost.exe (x2)
- PID 952 cmd.exe (x2)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- mngrdevice.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Windows = "C:\\Windows\\keylog\\mngrdevice.exe"
Drops file in Windows directory 10 IoCs
Processes:
- mngrdevice.exe: File created C:\Windows\keylog\libeay32.dll
- rmsbuild.exe: File created C:\Windows\System64\winsystem.exe
- key.exe: File opened for modification C:\Windows\keylog\mngrdevice.exe
- rmsbuild.exe: File created C:\Windows\System64\vp8encoder.dll
- rmsbuild.exe: File created C:\Windows\System64\sysdisk.exe
- mngrdevice.exe: File created C:\Windows\keylog\ssleay32.dll
- rmsbuild.exe: File created C:\Windows\setlibrecini.ini
- rmsbuild.exe: File created C:\Windows\System64\service.bat
- key.exe: File created C:\Windows\keylog\mngrdevice.exe
- rmsbuild.exe: File created C:\Windows\System64\vp8decoder.dll
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies registry key 1 TTPs 8 IoCs
Processes:
- PID 288 reg.exe
- PID 1920 reg.exe
- PID 1300 reg.exe
- PID 1168 reg.exe
- PID 1744 reg.exe
- PID 1680 reg.exe
- PID 1572 reg.exe
- PID 2012 reg.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
- PID 2024 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe (x3)
- PID 1564 sysdisk.exe (x5)
- PID 1224 sysdisk.exe (x4)
- PID 1160 svnhost.exe (x2)
Suspicious use of AdjustPrivilegeToken 52 IoCs
Processes:
- PID 948 powercfg.exe: Token SeShutdownPrivilege (x5), Token SeCreatePagefilePrivilege
- PID 1884 powercfg.exe: Token SeShutdownPrivilege (x5), Token SeCreatePagefilePrivilege
- PID 2044 powercfg.exe: Token SeShutdownPrivilege (x5), Token SeCreatePagefilePrivilege
- PID 904 conhost.exe: Token SeShutdownPrivilege (x5), Token SeCreatePagefilePrivilege
- PID 1912 powercfg.exe: Token SeShutdownPrivilege (x5), Token SeCreatePagefilePrivilege
- PID 1016 powercfg.exe: Token SeShutdownPrivilege (x5), Token SeCreatePagefilePrivilege
- PID 1564 sysdisk.exe: Token SeDebugPrivilege
- PID 1356 powercfg.exe: Token SeShutdownPrivilege (x5), Token SeCreatePagefilePrivilege
- PID 1224 sysdisk.exe: Token SeTakeOwnershipPrivilege, Token SeTcbPrivilege (x2)
- PID 1632 powercfg.exe: Token SeShutdownPrivilege (x5), Token SeCreatePagefilePrivilege
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
- PID 1596 key.exe
- PID 1940 rmsbuild.exe (x2)
- PID 1564 sysdisk.exe (x4)
- PID 1224 sysdisk.exe (x4)
- PID 1616 mngrdevice.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 2024 (8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe) wrote to memory of PID 1744 (reg.exe) (x4)
- PID 2024 (8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe) wrote to memory of PID 948 (powercfg.exe) (x4)
- PID 2024 (8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe) wrote to memory of PID 2008 (netsh.exe) (x4)
- PID 2024 (8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe) wrote to memory of PID 2000 (netsh.exe) (x4)
- PID 2024 (8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe) wrote to memory of PID 1316 (inerstelar.exe) (x4)
- PID 2024 (8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe) wrote to memory of PID 1680 (reg.exe) (x4)
- PID 2024 (8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe) wrote to memory of PID 1884 (powercfg.exe) (x4)
- PID 2024 (8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe) wrote to memory of PID 1016 (powercfg.exe) (x4)
- PID 2024 (8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe) wrote to memory of PID 860 (netsh.exe) (x4)
- PID 1316 (inerstelar.exe) wrote to memory of PID 1432 (netsh.exe) (x4)
- PID 1316 (inerstelar.exe) wrote to memory of PID 1904 (netsh.exe) (x4)
- PID 2024 (8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe) wrote to memory of PID 1596 (key.exe) (x4)
- PID 1316 (inerstelar.exe) wrote to memory of PID 1572 (reg.exe) (x4)
- PID 1316 (inerstelar.exe) wrote to memory of PID 2044 (powercfg.exe) (x4)
- PID 2024 (8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe) wrote to memory of PID 2012 (reg.exe) (x4)
- PID 2024 (8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe) wrote to memory of PID 904 (conhost.exe) (x4)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key
  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: powercfg.exe -h off
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
  [2] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh advfirewall set allprofiles state off
      - Modifies Windows Firewall
  [2] C:\Users\Admin\AppData\Local\Temp\inerstelar.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\inerstelar.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\powercfg.exe
        Command line: powercfg.exe -h off
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - UAC bypass
        - Modifies registry key
    [3] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh advfirewall set allprofiles state off
        - Modifies Windows Firewall
    [3] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall set opmode mode=disable
        - Modifies Windows Firewall
    [3] C:\Users\Admin\AppData\Local\Temp\svnhost.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\svnhost.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall set opmode mode=disable
          - Modifies Windows Firewall
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh advfirewall set allprofiles state off
          - Modifies Windows Firewall
      [4] C:\Windows\SysWOW64\powercfg.exe
          Command line: powercfg.exe -h off
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - Modifies registry key
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /C systeminfo
        [5] C:\Windows\SysWOW64\systeminfo.exe
            Command line: systeminfo
            - Gathers system information
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /C netsh wlan show networks mode=bssid
        [5] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh wlan show networks mode=bssid
  [2] C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key
  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: powercfg.exe -h off
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
  [2] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh advfirewall set allprofiles state off
      - Modifies Windows Firewall
  [2] C:\Users\Admin\AppData\Local\Temp\key.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\key.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall set opmode mode=disable
        - Modifies Windows Firewall
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - Modifies registry key
    [3] C:\Windows\SysWOW64\powercfg.exe
        Command line: powercfg.exe -h off
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh advfirewall set allprofiles state off
        - Modifies Windows Firewall
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c "C:\Windows\keylog\mngrdevice.exe"
        - Loads dropped DLL
      [4] C:\Windows\keylog\mngrdevice.exe
          Command line: C:\Windows\keylog\mngrdevice.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\powercfg.exe
            Command line: powercfg.exe -h off
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            - UAC bypass
            - Modifies registry key
        [5] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh advfirewall set allprofiles state off
            - Modifies Windows Firewall
        [5] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall set opmode mode=disable
            - Modifies Windows Firewall
  [2] C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key
  [2] C:\Windows\SysWOW64\powercfg.exe
      Command line: powercfg.exe -h off
  [2] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
  [2] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh advfirewall set allprofiles state off
      - Modifies Windows Firewall
  [2] C:\Users\Admin\AppData\Local\Temp\rmsbuild.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rmsbuild.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall set opmode mode=disable
        - Modifies Windows Firewall
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - Modifies registry key
    [3] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh advfirewall set allprofiles state off
        - Modifies Windows Firewall
    [3] C:\Windows\SysWOW64\powercfg.exe
        Command line: powercfg.exe -h off
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System64\sysdisk.exe
        Command line: "C:\Windows\System64\sysdisk.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\System64\sysdisk.exe
          Command line: C:\Windows\System64\sysdisk.exe -second
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Windows\System64\service.bat" "
        - Loads dropped DLL
      [4] C:\Windows\System64\winsystem.exe
          Command line: winsystem.exe /install /silent
          - Executes dropped EXE
[1] C:\Windows\system32\conhost.exe
    Command line: \??\C:\Windows\system32\conhost.exe "-37413531-1115838337787394631260271095-1399498577-1550575336-16586521101804196716"
    - UAC bypass
[1] C:\Windows\system32\wbem\wmiprvse.exe
    Command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    - UAC bypass
[1] C:\Windows\system32\conhost.exe
    Command line: \??\C:\Windows\system32\conhost.exe "1179249605983682104-1119135658-75226695919307013912134044593-750440941-2093818915"
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\conhost.exe
    Command line: \??\C:\Windows\system32\conhost.exe "-313298714204795503-2093809785980915218-1295917972258122925-811576903835092896"
    - UAC bypass
[1] C:\Windows\system32\conhost.exe
    Command line: \??\C:\Windows\system32\conhost.exe "-539312482-10954194241779308706-14704845521776876312-2855983688219138-1778331942"
[1] C:\Windows\system32\conhost.exe
    Command line: \??\C:\Windows\system32\conhost.exe "20808106186806756-1242907773-1403845046-176882123820108127341860282369-1911956101"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\inerstelar.exe
  Filesize: 5.0MB
  MD5: 3afea909809bf8dc784a478de7488b21
  SHA1: 16ad26d1a5097f15dcfa96fec1f96b67c1a595c4
  SHA256: 12c89d49a66732680df79d0cc6038f365bbc89bbd7c7345ec6090a5c85452928
  SHA512: efeafe133570dd8d52aaa5e185c07405b4518bd0264b431a54eac795ddb70968fa6bd04232e9e6b86ddc238540d86027f7d1d6c3ba045a7ddca31b20f3f8fb2d
- C:\Users\Admin\AppData\Local\Temp\inerstelar.exe
  Filesize: 5.0MB
  MD5: 3afea909809bf8dc784a478de7488b21
  SHA1: 16ad26d1a5097f15dcfa96fec1f96b67c1a595c4
  SHA256: 12c89d49a66732680df79d0cc6038f365bbc89bbd7c7345ec6090a5c85452928
  SHA512: efeafe133570dd8d52aaa5e185c07405b4518bd0264b431a54eac795ddb70968fa6bd04232e9e6b86ddc238540d86027f7d1d6c3ba045a7ddca31b20f3f8fb2d
- C:\Users\Admin\AppData\Local\Temp\key.exe
  Filesize: 6.0MB
  MD5: 1917fa3536d6eb098105b5a3e7f89a37
  SHA1: defeddab06cb646c8cf837ebaf3f512872cd745c
  SHA256: 6dd19c1d7f3716ba8ffb3896a7d5f7515d1cd87e1c34c61a187717ae432477c7
  SHA512: 954a0dc59e3ab28abe3f2730bc0e1fec3dbc6afc23279863592e34ea923e76d1dfaf615ba6b78381ede1445c4a919f436c7953ddcf3a2cefeca1a459d94d2d19
- C:\Users\Admin\AppData\Local\Temp\key.exe
  Filesize: 6.0MB
  MD5: 1917fa3536d6eb098105b5a3e7f89a37
  SHA1: defeddab06cb646c8cf837ebaf3f512872cd745c
  SHA256: 6dd19c1d7f3716ba8ffb3896a7d5f7515d1cd87e1c34c61a187717ae432477c7
  SHA512: 954a0dc59e3ab28abe3f2730bc0e1fec3dbc6afc23279863592e34ea923e76d1dfaf615ba6b78381ede1445c4a919f436c7953ddcf3a2cefeca1a459d94d2d19
- C:\Users\Admin\AppData\Local\Temp\rmsbuild.exe
  Filesize: 17.6MB
  MD5: 3c953c3b4bcb16d9bcadad3388e20711
  SHA1: 17576d534a1d00e57b711ade93b7c57a89e1b7ad
  SHA256: e8751e712a4539d6b74905370c99eaac8450ce1da5bd7fbd7ad85243b029a5da
  SHA512: 66e639c137da983bd272f69c117c278fdece7255dd75b309897551e70964cc34bd4cbf36d51f79e73e343d72abe45661335fefefb95aac88fa3443ecf7535f1f
- C:\Users\Admin\AppData\Local\Temp\svnhost.exe
  Filesize: 5.0MB
  MD5: 3afea909809bf8dc784a478de7488b21
  SHA1: 16ad26d1a5097f15dcfa96fec1f96b67c1a595c4
  SHA256: 12c89d49a66732680df79d0cc6038f365bbc89bbd7c7345ec6090a5c85452928
  SHA512: efeafe133570dd8d52aaa5e185c07405b4518bd0264b431a54eac795ddb70968fa6bd04232e9e6b86ddc238540d86027f7d1d6c3ba045a7ddca31b20f3f8fb2d
- C:\Windows\System64\service.bat
  Filesize: 75B
  MD5: 3d8ae437e61d1bfa4d58eabc2050af96
  SHA1: 0d96b38ec1e6ad41920dbe82b461aa12b381ad19
  SHA256: b25eec1f9965466a9a32a139dd1728703833610049eb138684588d7cb2fa53b5
  SHA512: d558bf211cbb6bfc1533bca5f4ab342e6720b87d0c8e7d04a78018018a624b72eb21b7a3578cdf3782dfe48bda23fce468a754bc0978464c815c1dccb3918501
- C:\Windows\System64\sysdisk.exe
  Filesize: 9.0MB
  MD5: 92aee365c9fab710fa68b362e5910264
  SHA1: a145a246311bed3c4c5e14332618795a189e13a4
  SHA256: 0d5373376ab09d8d286732008b15a5bdf34ec9fa7492504e2634bb2490760713
  SHA512: 6c37048df8bb80cc04453859ef86cc89e866c21fc3f24930aa7dfe6114ffba6fd82204d15e69d30f2b8b326ea31737af17a2729f1272e515a05f9af6ea8e84e9
- C:\Windows\System64\sysdisk.exe
  Filesize: 9.0MB
  MD5: 92aee365c9fab710fa68b362e5910264
  SHA1: a145a246311bed3c4c5e14332618795a189e13a4
  SHA256: 0d5373376ab09d8d286732008b15a5bdf34ec9fa7492504e2634bb2490760713
  SHA512: 6c37048df8bb80cc04453859ef86cc89e866c21fc3f24930aa7dfe6114ffba6fd82204d15e69d30f2b8b326ea31737af17a2729f1272e515a05f9af6ea8e84e9
- C:\Windows\System64\sysdisk.exe
  Filesize: 9.0MB
  MD5: 92aee365c9fab710fa68b362e5910264
  SHA1: a145a246311bed3c4c5e14332618795a189e13a4
  SHA256: 0d5373376ab09d8d286732008b15a5bdf34ec9fa7492504e2634bb2490760713
  SHA512: 6c37048df8bb80cc04453859ef86cc89e866c21fc3f24930aa7dfe6114ffba6fd82204d15e69d30f2b8b326ea31737af17a2729f1272e515a05f9af6ea8e84e9
- C:\Windows\System64\vp8decoder.dll
  Filesize: 378KB
  MD5: d43fa82fab5337ce20ad14650085c5d9
  SHA1: 678aa092075ff65b6815ffc2d8fdc23af8425981
  SHA256: c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
  SHA512: 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d
- C:\Windows\System64\vp8encoder.dll
  Filesize: 1.6MB
  MD5: dab4646806dfca6d0e0b4d80fa9209d6
  SHA1: 8244dfe22ec2090eee89dad103e6b2002059d16a
  SHA256: cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
  SHA512: aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7
- C:\Windows\System64\winsystem.exe
  Filesize: 685KB
  MD5: d01414473916d6597cc43c82cf049b76
  SHA1: 1dbbc71286fc535d1c91c57b9641869545dfa3c9
  SHA256: fc82a64c3a7b65325b7c6fed745d7ac2875972d37cc04bd511af1b117acd56ad
  SHA512: 5def729d5ed86b60215df4fcccd185ca08737fcf1d15a4dd45ab773fa9863a800d97cc50cd1bddaa54e63b9530a46d68845f97fa7adfa543efe65b4eaadc1d7b
- C:\Windows\System64\winsystem.exe
  Filesize: 685KB
  MD5: d01414473916d6597cc43c82cf049b76
  SHA1: 1dbbc71286fc535d1c91c57b9641869545dfa3c9
  SHA256: fc82a64c3a7b65325b7c6fed745d7ac2875972d37cc04bd511af1b117acd56ad
  SHA512: 5def729d5ed86b60215df4fcccd185ca08737fcf1d15a4dd45ab773fa9863a800d97cc50cd1bddaa54e63b9530a46d68845f97fa7adfa543efe65b4eaadc1d7b
- C:\Windows\keylog\mngrdevice.exe
  Filesize: 6.0MB
  MD5: 1917fa3536d6eb098105b5a3e7f89a37
  SHA1: defeddab06cb646c8cf837ebaf3f512872cd745c
  SHA256: 6dd19c1d7f3716ba8ffb3896a7d5f7515d1cd87e1c34c61a187717ae432477c7
  SHA512: 954a0dc59e3ab28abe3f2730bc0e1fec3dbc6afc23279863592e34ea923e76d1dfaf615ba6b78381ede1445c4a919f436c7953ddcf3a2cefeca1a459d94d2d19
- C:\Windows\keylog\mngrdevice.exe
  Filesize: 6.0MB
  MD5: 1917fa3536d6eb098105b5a3e7f89a37
  SHA1: defeddab06cb646c8cf837ebaf3f512872cd745c
  SHA256: 6dd19c1d7f3716ba8ffb3896a7d5f7515d1cd87e1c34c61a187717ae432477c7
  SHA512: 954a0dc59e3ab28abe3f2730bc0e1fec3dbc6afc23279863592e34ea923e76d1dfaf615ba6b78381ede1445c4a919f436c7953ddcf3a2cefeca1a459d94d2d19
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \Users\Admin\AppData\Local\Temp\inerstelar.exe
  Filesize: 5.0MB
  MD5: 3afea909809bf8dc784a478de7488b21
  SHA1: 16ad26d1a5097f15dcfa96fec1f96b67c1a595c4
  SHA256: 12c89d49a66732680df79d0cc6038f365bbc89bbd7c7345ec6090a5c85452928
  SHA512: efeafe133570dd8d52aaa5e185c07405b4518bd0264b431a54eac795ddb70968fa6bd04232e9e6b86ddc238540d86027f7d1d6c3ba045a7ddca31b20f3f8fb2d
- \Users\Admin\AppData\Local\Temp\inerstelar.exe
  Filesize: 5.0MB
  MD5: 3afea909809bf8dc784a478de7488b21
  SHA1: 16ad26d1a5097f15dcfa96fec1f96b67c1a595c4
  SHA256: 12c89d49a66732680df79d0cc6038f365bbc89bbd7c7345ec6090a5c85452928
  SHA512: efeafe133570dd8d52aaa5e185c07405b4518bd0264b431a54eac795ddb70968fa6bd04232e9e6b86ddc238540d86027f7d1d6c3ba045a7ddca31b20f3f8fb2d
- \Users\Admin\AppData\Local\Temp\key.exe
  Filesize: 6.0MB
  MD5: 1917fa3536d6eb098105b5a3e7f89a37
  SHA1: defeddab06cb646c8cf837ebaf3f512872cd745c
  SHA256: 6dd19c1d7f3716ba8ffb3896a7d5f7515d1cd87e1c34c61a187717ae432477c7
  SHA512: 954a0dc59e3ab28abe3f2730bc0e1fec3dbc6afc23279863592e34ea923e76d1dfaf615ba6b78381ede1445c4a919f436c7953ddcf3a2cefeca1a459d94d2d19
- \Users\Admin\AppData\Local\Temp\libeay32.dll
  Filesize: 1.3MB
  MD5: c39b8d8bd482b717ebdd17dcae374c9b
  SHA1: abe57f749650fdebbaa6792e3676294c20db6abe
  SHA256: 0e8006f941ad484931369e96d4319e526e62c3e802b8917d2693074e2e0451af
  SHA512: 2c9f749541b1fa7d9ff2e4f4182ec81824c71c7306e95cf84f93a5b21dbd0fba40f3e0bb10782742f3b84aaee928bac65f75d3226ecb44e41c27fc6219679667
- \Users\Admin\AppData\Local\Temp\rmsbuild.exe
  Filesize: 17.6MB
  MD5: 3c953c3b4bcb16d9bcadad3388e20711
  SHA1: 17576d534a1d00e57b711ade93b7c57a89e1b7ad
  SHA256: e8751e712a4539d6b74905370c99eaac8450ce1da5bd7fbd7ad85243b029a5da
  SHA512: 66e639c137da983bd272f69c117c278fdece7255dd75b309897551e70964cc34bd4cbf36d51f79e73e343d72abe45661335fefefb95aac88fa3443ecf7535f1f
- \Users\Admin\AppData\Local\Temp\ssleay32.dll
  Filesize: 349KB
  MD5: 89172a85c3b07bff7541720d42d31bc6
  SHA1: 4685df166f9a64d02c86d7966d4d3a7fa18b3106
  SHA256: 9594efa47fa162756ad19c7fb7e7c7c09d97f505daf6280f6d9a130f76264350
  SHA512: 1e9f56f89f5f57be88b95836626ffafe54e58a41cb7c1851bb1933ca056e2c8aaf08aa6e7509e0b22f358c727c554c2a7a7cbe7da3d13dd0c42f9084413b468c
- \Users\Admin\AppData\Local\Temp\svnhost.exe
  Filesize: 5.0MB
  MD5: 3afea909809bf8dc784a478de7488b21
  SHA1: 16ad26d1a5097f15dcfa96fec1f96b67c1a595c4
  SHA256: 12c89d49a66732680df79d0cc6038f365bbc89bbd7c7345ec6090a5c85452928
  SHA512: efeafe133570dd8d52aaa5e185c07405b4518bd0264b431a54eac795ddb70968fa6bd04232e9e6b86ddc238540d86027f7d1d6c3ba045a7ddca31b20f3f8fb2d
- \Windows\System64\sysdisk.exe
  Filesize: 9.0MB
  MD5: 92aee365c9fab710fa68b362e5910264
  SHA1: a145a246311bed3c4c5e14332618795a189e13a4
  SHA256: 0d5373376ab09d8d286732008b15a5bdf34ec9fa7492504e2634bb2490760713
  SHA512: 6c37048df8bb80cc04453859ef86cc89e866c21fc3f24930aa7dfe6114ffba6fd82204d15e69d30f2b8b326ea31737af17a2729f1272e515a05f9af6ea8e84e9
- \Windows\System64\winsystem.exe
  Filesize: 685KB
  MD5: d01414473916d6597cc43c82cf049b76
  SHA1: 1dbbc71286fc535d1c91c57b9641869545dfa3c9
  SHA256: fc82a64c3a7b65325b7c6fed745d7ac2875972d37cc04bd511af1b117acd56ad
  SHA512: 5def729d5ed86b60215df4fcccd185ca08737fcf1d15a4dd45ab773fa9863a800d97cc50cd1bddaa54e63b9530a46d68845f97fa7adfa543efe65b4eaadc1d7b
- \Windows\System64\winsystem.exe
  Filesize: 685KB
  MD5: d01414473916d6597cc43c82cf049b76
  SHA1: 1dbbc71286fc535d1c91c57b9641869545dfa3c9
  SHA256: fc82a64c3a7b65325b7c6fed745d7ac2875972d37cc04bd511af1b117acd56ad
  SHA512: 5def729d5ed86b60215df4fcccd185ca08737fcf1d15a4dd45ab773fa9863a800d97cc50cd1bddaa54e63b9530a46d68845f97fa7adfa543efe65b4eaadc1d7b
- \Windows\keylog\mngrdevice.exe
  Filesize: 6.0MB
  MD5: 1917fa3536d6eb098105b5a3e7f89a37
  SHA1: defeddab06cb646c8cf837ebaf3f512872cd745c
  SHA256: 6dd19c1d7f3716ba8ffb3896a7d5f7515d1cd87e1c34c61a187717ae432477c7
  SHA512: 954a0dc59e3ab28abe3f2730bc0e1fec3dbc6afc23279863592e34ea923e76d1dfaf615ba6b78381ede1445c4a919f436c7953ddcf3a2cefeca1a459d94d2d19
- memory/288-95-0x0000000000000000-mapping.dmp
- memory/440-89-0x0000000000000000-mapping.dmp
- memory/856-163-0x0000000000000000-mapping.dmp
- memory/856-133-0x0000000000000000-mapping.dmp
- memory/860-70-0x0000000000000000-mapping.dmp
- memory/904-86-0x0000000000000000-mapping.dmp
- memory/948-56-0x0000000000000000-mapping.dmp
- memory/952-158-0x0000000000000000-mapping.dmp
- memory/1016-108-0x0000000000000000-mapping.dmp
- memory/1016-69-0x0000000000000000-mapping.dmp
- memory/1160-131-0x00000000034D0000-0x000000000352A000-memory.dmp (Filesize: 360KB)
- memory/1160-132-0x00000000034D0000-0x000000000352A000-memory.dmp (Filesize: 360KB)
- memory/1160-129-0x0000000010000000-0x000000001005A000-memory.dmp (Filesize: 360KB)
- memory/1160-119-0x0000000000000000-mapping.dmp
- memory/1160-128-0x0000000010000000-0x000000001005A000-memory.dmp (Filesize: 360KB)
- memory/1168-148-0x0000000000000000-mapping.dmp
- memory/1300-153-0x0000000000000000-mapping.dmp
- memory/1300-124-0x0000000000000000-mapping.dmp
- memory/1316-63-0x0000000000000000-mapping.dmp
- memory/1356-125-0x0000000000000000-mapping.dmp
- memory/1432-73-0x0000000000000000-mapping.dmp
- memory/1496-123-0x0000000000000000-mapping.dmp
- memory/1512-104-0x0000000000000000-mapping.dmp
- memory/1544-122-0x0000000000000000-mapping.dmp
- memory/1564-112-0x0000000000000000-mapping.dmp
- memory/1572-77-0x0000000000000000-mapping.dmp
- memory/1596-76-0x0000000000000000-mapping.dmp
- memory/1612-90-0x0000000000000000-mapping.dmp
- memory/1616-140-0x0000000000000000-mapping.dmp
- memory/1632-149-0x0000000000000000-mapping.dmp
- memory/1680-66-0x0000000000000000-mapping.dmp
- memory/1712-105-0x0000000000000000-mapping.dmp
- memory/1744-55-0x0000000000000000-mapping.dmp
- memory/1876-87-0x0000000000000000-mapping.dmp
- memory/1884-67-0x0000000000000000-mapping.dmp
- memory/1904-74-0x0000000000000000-mapping.dmp
- memory/1912-96-0x0000000000000000-mapping.dmp
- memory/1920-106-0x0000000000000000-mapping.dmp
- memory/1940-94-0x0000000000000000-mapping.dmp
- memory/1952-147-0x0000000000000000-mapping.dmp
- memory/1960-137-0x0000000000000000-mapping.dmp
- memory/1972-134-0x0000000000000000-mapping.dmp
- memory/2000-59-0x0000000000000000-mapping.dmp
- memory/2008-58-0x0000000000000000-mapping.dmp
- memory/2012-85-0x0000000000000000-mapping.dmp
- memory/2024-54-0x0000000075141000-0x0000000075143000-memory.dmp (Filesize: 8KB)
- memory/2028-92-0x0000000000000000-mapping.dmp
- memory/2032-146-0x0000000000000000-mapping.dmp
- memory/2032-154-0x0000000000000000-mapping.dmp
- memory/2044-78-0x0000000000000000-mapping.dmp