Analysis
-
max time kernel
157s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20220722-en -
resource tags
arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system -
submitted
02-08-2022 17:30
Static task
static1
Behavioral task
behavioral1
Sample
3-FRQ MOQ 001 08 2022PDT.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
3-FRQ MOQ 001 08 2022PDT.exe
Resource
win10v2004-20220722-en
General
-
Target
3-FRQ MOQ 001 08 2022PDT.exe
-
Size
1.2MB
-
MD5
105c2d0f5e8b8202ff79c97392855544
-
SHA1
d14307bfae983cde57dad14172d3a65258e9ba4e
-
SHA256
e6da15aedc54f4b4faa8df84038a7172eb010fcaa4caeb3008e7fd371597f973
-
SHA512
6072430cce7bc853e392f3f8ec63ba715e246b0ea36905df0523e9f0f61de3d06707cb56d1a86437c1ac047d874bab8b2fde58049e5fd9aaf0b56be9af063be5
Malware Config
Extracted
warzonerat
toomuchego.ydns.eu:5200
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 11 IoCs
Processes:
resource yara_rule behavioral2/memory/1140-140-0x0000000000400000-0x00000000004AF000-memory.dmp family_snakekeylogger behavioral2/memory/1140-141-0x0000000000400000-0x00000000004AF000-memory.dmp family_snakekeylogger behavioral2/memory/1140-142-0x0000000000400000-0x00000000004AF000-memory.dmp family_snakekeylogger behavioral2/memory/1140-143-0x0000000000400000-0x00000000004AF000-memory.dmp family_snakekeylogger C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE family_snakekeylogger C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE family_snakekeylogger C:\Users\Admin\AppData\Local\Temp\WXS.EXE family_snakekeylogger C:\Users\Admin\AppData\Local\Temp\WXS.EXE family_snakekeylogger behavioral2/memory/256-150-0x0000000000E60000-0x0000000000E86000-memory.dmp family_snakekeylogger behavioral2/memory/1140-151-0x0000000000400000-0x00000000004AF000-memory.dmp family_snakekeylogger C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE family_snakekeylogger -
Processes:
GUM.EXEdescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" GUM.EXE -
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Processes:
GUM.EXEdescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" GUM.EXE -
Executes dropped EXE 6 IoCs
Processes:
EGGMM.EXEWXS.EXEEGGMM.EXEGUM.EXEWALL PAPER.EXEimages.exepid process 256 EGGMM.EXE 1820 WXS.EXE 4488 EGGMM.EXE 5048 GUM.EXE 3108 WALL PAPER.EXE 3764 images.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
3-FRQ MOQ 001 08 2022PDT.exeWXS.EXEdescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation 3-FRQ MOQ 001 08 2022PDT.exe Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation WXS.EXE -
Loads dropped DLL 6 IoCs
Processes:
images.exepid process 3764 images.exe 3764 images.exe 3764 images.exe 3764 images.exe 3764 images.exe 3764 images.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
GUM.EXEdescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" GUM.EXE -
Accesses Microsoft Outlook profiles 1 TTPs 8 IoCs
Processes:
EGGMM.EXEimages.exeEGGMM.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 EGGMM.EXE Key opened \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 images.exe Key opened \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 images.exe Key opened \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 EGGMM.EXE Key opened \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 EGGMM.EXE Key opened \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 EGGMM.EXE Key opened \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 EGGMM.EXE Key opened \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 EGGMM.EXE -
Processes:
GUM.EXEdescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" GUM.EXE -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 40 checkip.dyndns.org -
Program crash 29 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 3428 4992 WerFault.exe iexplore.exe 1680 1476 WerFault.exe iexplore.exe 1228 3176 WerFault.exe iexplore.exe 2220 5112 WerFault.exe iexplore.exe 5004 2768 WerFault.exe iexplore.exe 2944 4972 WerFault.exe iexplore.exe 4576 3616 WerFault.exe iexplore.exe 3768 3372 WerFault.exe iexplore.exe 3088 2928 WerFault.exe iexplore.exe 4996 3672 WerFault.exe iexplore.exe 868 3068 WerFault.exe iexplore.exe 3132 3872 WerFault.exe iexplore.exe 5104 3660 WerFault.exe iexplore.exe 2164 616 WerFault.exe iexplore.exe 384 3792 WerFault.exe iexplore.exe 3368 2200 WerFault.exe iexplore.exe 4576 3736 WerFault.exe iexplore.exe 4996 2032 WerFault.exe iexplore.exe 3720 3168 WerFault.exe iexplore.exe 4160 2560 WerFault.exe iexplore.exe 2204 4576 WerFault.exe iexplore.exe 3536 1540 WerFault.exe iexplore.exe 1684 2780 WerFault.exe iexplore.exe 3132 5004 WerFault.exe iexplore.exe 3476 2820 WerFault.exe iexplore.exe 4952 2128 WerFault.exe iexplore.exe 4204 868 WerFault.exe iexplore.exe 768 384 WerFault.exe iexplore.exe 5040 2612 WerFault.exe iexplore.exe -
Suspicious use of SetThreadContext 30 IoCs
Processes:
3-FRQ MOQ 001 08 2022PDT.exeGUM.EXEdescription pid process target process PID 1124 set thread context of 1140 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 5048 set thread context of 4992 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 1476 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 3176 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 5112 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 2768 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 4972 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 3616 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 3372 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 2928 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 3672 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 3068 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 3872 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 3660 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 616 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 3792 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 2200 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 3736 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 2032 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 3168 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 2560 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 4576 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 1540 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 2780 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 5004 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 2820 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 2128 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 868 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 384 5048 GUM.EXE iexplore.exe PID 5048 set thread context of 2612 5048 GUM.EXE iexplore.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
3-FRQ MOQ 001 08 2022PDT.exeEGGMM.EXEEGGMM.EXEGUM.EXEpid process 1124 3-FRQ MOQ 001 08 2022PDT.exe 1124 3-FRQ MOQ 001 08 2022PDT.exe 1124 3-FRQ MOQ 001 08 2022PDT.exe 1124 3-FRQ MOQ 001 08 2022PDT.exe 256 EGGMM.EXE 4488 EGGMM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE 5048 GUM.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
3-FRQ MOQ 001 08 2022PDT.exeEGGMM.EXEEGGMM.EXEdescription pid process Token: SeDebugPrivilege 1124 3-FRQ MOQ 001 08 2022PDT.exe Token: SeDebugPrivilege 256 EGGMM.EXE Token: SeDebugPrivilege 4488 EGGMM.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
GUM.EXEimages.exepid process 5048 GUM.EXE 3764 images.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
3-FRQ MOQ 001 08 2022PDT.exe3-FRQ MOQ 001 08 2022PDT.exeWXS.EXEGUM.EXEWALL PAPER.EXEcmd.exeimages.exedescription pid process target process PID 1124 wrote to memory of 616 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 1124 wrote to memory of 616 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 1124 wrote to memory of 616 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 1124 wrote to memory of 1072 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 1124 wrote to memory of 1072 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 1124 wrote to memory of 1072 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 1124 wrote to memory of 1140 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 1124 wrote to memory of 1140 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 1124 wrote to memory of 1140 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 1124 wrote to memory of 1140 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 1124 wrote to memory of 1140 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 1124 wrote to memory of 1140 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 1124 wrote to memory of 1140 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 1124 wrote to memory of 1140 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 1124 wrote to memory of 1140 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 1124 wrote to memory of 1140 1124 3-FRQ MOQ 001 08 2022PDT.exe 3-FRQ MOQ 001 08 2022PDT.exe PID 1140 wrote to memory of 256 1140 3-FRQ MOQ 001 08 2022PDT.exe EGGMM.EXE PID 1140 wrote to memory of 256 1140 3-FRQ MOQ 001 08 2022PDT.exe EGGMM.EXE PID 1140 wrote to memory of 256 1140 3-FRQ MOQ 001 08 2022PDT.exe EGGMM.EXE PID 1140 wrote to memory of 1820 1140 3-FRQ MOQ 001 08 2022PDT.exe WXS.EXE PID 1140 wrote to memory of 1820 1140 3-FRQ MOQ 001 08 2022PDT.exe WXS.EXE PID 1140 wrote to memory of 1820 1140 3-FRQ MOQ 001 08 2022PDT.exe WXS.EXE PID 1820 wrote to memory of 4488 1820 WXS.EXE EGGMM.EXE PID 1820 wrote to memory of 4488 1820 WXS.EXE EGGMM.EXE PID 1820 wrote to memory of 4488 1820 WXS.EXE EGGMM.EXE PID 1820 wrote to memory of 5048 1820 WXS.EXE GUM.EXE PID 1820 wrote to memory of 5048 1820 WXS.EXE GUM.EXE PID 1820 wrote to memory of 5048 1820 WXS.EXE GUM.EXE PID 1820 wrote to memory of 3108 1820 WXS.EXE WALL PAPER.EXE PID 1820 wrote to memory of 3108 1820 WXS.EXE WALL PAPER.EXE PID 1820 wrote to memory of 3108 1820 WXS.EXE WALL PAPER.EXE PID 5048 wrote to memory of 4992 5048 GUM.EXE iexplore.exe PID 5048 wrote to memory of 4992 5048 GUM.EXE iexplore.exe PID 5048 wrote to memory of 4992 5048 GUM.EXE iexplore.exe PID 5048 wrote to memory of 4992 5048 GUM.EXE iexplore.exe PID 5048 wrote to memory of 4992 5048 GUM.EXE iexplore.exe PID 5048 wrote to memory of 4992 5048 GUM.EXE iexplore.exe PID 5048 wrote to memory of 4992 5048 GUM.EXE iexplore.exe PID 5048 wrote to memory of 4992 5048 GUM.EXE iexplore.exe PID 3108 wrote to memory of 2876 3108 WALL PAPER.EXE cmd.exe PID 3108 wrote to memory of 2876 3108 WALL PAPER.EXE cmd.exe PID 3108 wrote to memory of 2876 3108 WALL PAPER.EXE cmd.exe PID 3108 wrote to memory of 3764 3108 WALL PAPER.EXE images.exe PID 3108 wrote to memory of 3764 3108 WALL PAPER.EXE images.exe PID 3108 wrote to memory of 3764 3108 WALL PAPER.EXE images.exe PID 2876 wrote to memory of 3932 2876 cmd.exe reg.exe PID 2876 wrote to memory of 3932 2876 cmd.exe reg.exe PID 2876 wrote to memory of 3932 2876 cmd.exe reg.exe PID 5048 wrote to memory of 1476 5048 GUM.EXE iexplore.exe PID 5048 wrote to memory of 1476 5048 GUM.EXE iexplore.exe PID 5048 wrote to memory of 1476 5048 GUM.EXE iexplore.exe PID 5048 wrote to memory of 1476 5048 GUM.EXE iexplore.exe PID 5048 wrote to memory of 1476 5048 GUM.EXE iexplore.exe PID 5048 wrote to memory of 1476 5048 GUM.EXE iexplore.exe PID 5048 wrote to memory of 1476 5048 GUM.EXE iexplore.exe PID 5048 wrote to memory of 1476 5048 GUM.EXE iexplore.exe PID 3764 wrote to memory of 3152 3764 images.exe cmd.exe PID 3764 wrote to memory of 3152 3764 images.exe cmd.exe PID 3764 wrote to memory of 3152 3764 images.exe cmd.exe PID 3764 wrote to memory of 3152 3764 images.exe cmd.exe PID 3764 wrote to memory of 3152 3764 images.exe cmd.exe PID 5048 wrote to memory of 3176 5048 GUM.EXE iexplore.exe PID 5048 wrote to memory of 3176 5048 GUM.EXE iexplore.exe PID 5048 wrote to memory of 3176 5048 GUM.EXE iexplore.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
GUM.EXEdescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" GUM.EXE -
outlook_office_path 1 IoCs
Processes:
images.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 images.exe -
outlook_win_path 1 IoCs
Processes:
images.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 images.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3-FRQ MOQ 001 08 2022PDT.exe"C:\Users\Admin\AppData\Local\Temp\3-FRQ MOQ 001 08 2022PDT.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3-FRQ MOQ 001 08 2022PDT.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3-FRQ MOQ 001 08 2022PDT.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3-FRQ MOQ 001 08 2022PDT.exe"{path}"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE"C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\WXS.EXE"C:\Users\Admin\AppData\Local\Temp\WXS.EXE"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE"C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\GUM.EXE"C:\Users\Admin\AppData\Local\Temp\GUM.EXE"4⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 126⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 846⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\GUM.EXE5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 846⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\WALL PAPER.EXE"C:\Users\Admin\AppData\Local\Temp\WALL PAPER.EXE"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"6⤵
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4992 -ip 49921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1476 -ip 14761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3176 -ip 31761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5112 -ip 51121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2768 -ip 27681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3616 -ip 36161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3372 -ip 33721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2928 -ip 29281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3672 -ip 36721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3068 -ip 30681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3872 -ip 38721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3660 -ip 36601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 616 -ip 6161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3792 -ip 37921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2200 -ip 22001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3736 -ip 37361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2032 -ip 20321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3168 -ip 31681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2560 -ip 25601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4576 -ip 45761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1540 -ip 15401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2780 -ip 27801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 5004 -ip 50041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2820 -ip 28201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2128 -ip 21281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 868 -ip 8681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 384 -ip 3841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2612 -ip 26121⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\images.exeFilesize
152KB
MD5d934bc77b8157ece0a3bbec1527cee9b
SHA1841017a8d48040f1e0d593608c2506007ea9f997
SHA256c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac
SHA5125b3bfd6b2f2a7d7a70cd4d40b1fe74b7fc3945dc485f86d46230d19af050d91bc39d68494b9836bf8ebbd3151b3651c753d49d7072e85295e67be8dcc0043fc8
-
C:\ProgramData\images.exeFilesize
152KB
MD5d934bc77b8157ece0a3bbec1527cee9b
SHA1841017a8d48040f1e0d593608c2506007ea9f997
SHA256c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac
SHA5125b3bfd6b2f2a7d7a70cd4d40b1fe74b7fc3945dc485f86d46230d19af050d91bc39d68494b9836bf8ebbd3151b3651c753d49d7072e85295e67be8dcc0043fc8
-
C:\Users\Admin\AppData\Local\Temp\EGGMM.EXEFilesize
126KB
MD5350dfc66657d2d9b2231bf8bfe33497b
SHA10fb28b28c416d21f1db2d54355e89fa8ec3e3324
SHA256a2bb808321745ce0239b5a84c78a801644d903ce8a6ab87193337aaf2d01fc31
SHA512635132ff935ea13048839d2c535d5abbae53c77d332df7c7628dbbb5db94ffc3b5be7820bb116da94433d6c814b5b4b6811bcc32b22cae3adffb086664e010e5
-
C:\Users\Admin\AppData\Local\Temp\EGGMM.EXEFilesize
126KB
MD5350dfc66657d2d9b2231bf8bfe33497b
SHA10fb28b28c416d21f1db2d54355e89fa8ec3e3324
SHA256a2bb808321745ce0239b5a84c78a801644d903ce8a6ab87193337aaf2d01fc31
SHA512635132ff935ea13048839d2c535d5abbae53c77d332df7c7628dbbb5db94ffc3b5be7820bb116da94433d6c814b5b4b6811bcc32b22cae3adffb086664e010e5
-
C:\Users\Admin\AppData\Local\Temp\EGGMM.EXEFilesize
126KB
MD5350dfc66657d2d9b2231bf8bfe33497b
SHA10fb28b28c416d21f1db2d54355e89fa8ec3e3324
SHA256a2bb808321745ce0239b5a84c78a801644d903ce8a6ab87193337aaf2d01fc31
SHA512635132ff935ea13048839d2c535d5abbae53c77d332df7c7628dbbb5db94ffc3b5be7820bb116da94433d6c814b5b4b6811bcc32b22cae3adffb086664e010e5
-
C:\Users\Admin\AppData\Local\Temp\GUM.EXEFilesize
172KB
MD581912e3dd162ce7c96114a84d0d58b29
SHA12def8b1c48c9e550f57c9dab915c5232a7113d57
SHA256f91cf396d6cc0e3803aa25fd0770e9a252196ae616e032e4880668c8ded74dc0
SHA512893b3c4483d0a307cad24c73fce27bc4e02438439fc5b07d596146bdb92767e53e60642ff6264ce80891b10c0a7f2a3f5b397560a47ee6e1244d6e5e9a80f341
-
C:\Users\Admin\AppData\Local\Temp\GUM.EXEFilesize
172KB
MD581912e3dd162ce7c96114a84d0d58b29
SHA12def8b1c48c9e550f57c9dab915c5232a7113d57
SHA256f91cf396d6cc0e3803aa25fd0770e9a252196ae616e032e4880668c8ded74dc0
SHA512893b3c4483d0a307cad24c73fce27bc4e02438439fc5b07d596146bdb92767e53e60642ff6264ce80891b10c0a7f2a3f5b397560a47ee6e1244d6e5e9a80f341
-
C:\Users\Admin\AppData\Local\Temp\WALL PAPER.EXEFilesize
152KB
MD5d934bc77b8157ece0a3bbec1527cee9b
SHA1841017a8d48040f1e0d593608c2506007ea9f997
SHA256c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac
SHA5125b3bfd6b2f2a7d7a70cd4d40b1fe74b7fc3945dc485f86d46230d19af050d91bc39d68494b9836bf8ebbd3151b3651c753d49d7072e85295e67be8dcc0043fc8
-
C:\Users\Admin\AppData\Local\Temp\WALL PAPER.EXEFilesize
152KB
MD5d934bc77b8157ece0a3bbec1527cee9b
SHA1841017a8d48040f1e0d593608c2506007ea9f997
SHA256c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac
SHA5125b3bfd6b2f2a7d7a70cd4d40b1fe74b7fc3945dc485f86d46230d19af050d91bc39d68494b9836bf8ebbd3151b3651c753d49d7072e85295e67be8dcc0043fc8
-
C:\Users\Admin\AppData\Local\Temp\WXS.EXEFilesize
503KB
MD5f801b47ec91f5f75b0f5804506665b14
SHA16ca1c47f85abaed4a3cc414b6200360ca658b2c5
SHA25662ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec
SHA5121e3910895b9bbd23d4adf174683f83ce8b000dba606034bfb2bfaa18ffbf2293ebc4eb47bdebda46d2f326f74c963be005ddb440aa2449a21918c40a8d974322
-
C:\Users\Admin\AppData\Local\Temp\WXS.EXEFilesize
503KB
MD5f801b47ec91f5f75b0f5804506665b14
SHA16ca1c47f85abaed4a3cc414b6200360ca658b2c5
SHA25662ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec
SHA5121e3910895b9bbd23d4adf174683f83ce8b000dba606034bfb2bfaa18ffbf2293ebc4eb47bdebda46d2f326f74c963be005ddb440aa2449a21918c40a8d974322
-
C:\Users\Admin\AppData\Local\Temp\freebl3.dllFilesize
326KB
MD5ef12ab9d0b231b8f898067b2114b1bc0
SHA16d90f27b2105945f9bb77039e8b892070a5f9442
SHA2562b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7
SHA5122aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193
-
C:\Users\Admin\AppData\Local\Temp\mozglue.dllFilesize
133KB
MD575f8cc548cabf0cc800c25047e4d3124
SHA1602676768f9faecd35b48c38a0632781dfbde10c
SHA256fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
SHA512ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f
-
C:\Users\Admin\AppData\Local\Temp\msvcp140.dllFilesize
429KB
MD5109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
C:\Users\Admin\AppData\Local\Temp\nss3.dllFilesize
1.2MB
MD5d7858e8449004e21b01d468e9fd04b82
SHA19524352071ede21c167e7e4f106e9526dc23ef4e
SHA25678758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db
SHA5121e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440
-
C:\Users\Admin\AppData\Local\Temp\softokn3.dllFilesize
141KB
MD5471c983513694ac3002590345f2be0da
SHA16612b9af4ff6830fa9b7d4193078434ef72f775b
SHA256bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f
SHA512a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410
-
C:\Users\Admin\AppData\Local\Temp\vcruntime140.dllFilesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
memory/256-144-0x0000000000000000-mapping.dmp
-
memory/256-162-0x0000000006A50000-0x0000000006C12000-memory.dmpFilesize
1.8MB
-
memory/256-150-0x0000000000E60000-0x0000000000E86000-memory.dmpFilesize
152KB
-
memory/616-137-0x0000000000000000-mapping.dmp
-
memory/1072-138-0x0000000000000000-mapping.dmp
-
memory/1124-133-0x0000000007DB0000-0x0000000008354000-memory.dmpFilesize
5.6MB
-
memory/1124-134-0x00000000078E0000-0x0000000007972000-memory.dmpFilesize
584KB
-
memory/1124-135-0x0000000007980000-0x0000000007A1C000-memory.dmpFilesize
624KB
-
memory/1124-136-0x00000000078B0000-0x00000000078BA000-memory.dmpFilesize
40KB
-
memory/1124-132-0x0000000000900000-0x0000000000A3C000-memory.dmpFilesize
1.2MB
-
memory/1140-142-0x0000000000400000-0x00000000004AF000-memory.dmpFilesize
700KB
-
memory/1140-141-0x0000000000400000-0x00000000004AF000-memory.dmpFilesize
700KB
-
memory/1140-139-0x0000000000000000-mapping.dmp
-
memory/1140-143-0x0000000000400000-0x00000000004AF000-memory.dmpFilesize
700KB
-
memory/1140-151-0x0000000000400000-0x00000000004AF000-memory.dmpFilesize
700KB
-
memory/1140-140-0x0000000000400000-0x00000000004AF000-memory.dmpFilesize
700KB
-
memory/1820-147-0x0000000000000000-mapping.dmp
-
memory/2876-163-0x0000000000000000-mapping.dmp
-
memory/3108-157-0x0000000000000000-mapping.dmp
-
memory/3152-168-0x0000000000000000-mapping.dmp
-
memory/3152-169-0x0000000001400000-0x0000000001401000-memory.dmpFilesize
4KB
-
memory/3764-171-0x00000000040B0000-0x0000000004134000-memory.dmpFilesize
528KB
-
memory/3764-170-0x0000000003BB0000-0x0000000003D50000-memory.dmpFilesize
1.6MB
-
memory/3764-164-0x0000000000000000-mapping.dmp
-
memory/3932-167-0x0000000000000000-mapping.dmp
-
memory/4488-152-0x0000000000000000-mapping.dmp
-
memory/5048-154-0x0000000000000000-mapping.dmp