Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
19-08-2022 05:26
Static task
static1
Behavioral task
behavioral1
Sample
8ccbac1663570c8901fcb75111b07497.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
8ccbac1663570c8901fcb75111b07497.exe
Resource
win10v2004-20220812-en
General
-
Target
8ccbac1663570c8901fcb75111b07497.exe
-
Size
1.1MB
-
MD5
8ccbac1663570c8901fcb75111b07497
-
SHA1
a4772fd7f75d1d755e7494184aa35313182769d2
-
SHA256
3e8cd0eb4715ef2b9f3b9f676b90eb16b0842d289a34fdd41e46c106a845d983
-
SHA512
d9cb06f7bfbbaace59a5834f8ba1cd1e9de1d03370dc550d0b17527a52a09f3f6bb35ccd86ff3ef8b95673300d036779f2158faeefb9a5a7e139f1f8e9a7a96a
Malware Config
Extracted
redline
nam3
103.89.90.61:34589
-
auth_value
64b900120bbceaa6a9c60e9079492895
Extracted
redline
5
176.113.115.146:9582
-
auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f
Signatures
-
Raccoon Stealer payload 2 IoCs
Processes:
resource  yara_rule
behavioral1/memory/744-85-0x0000000000230000-0x0000000000330000-memory.dmp  family_raccoon
behavioral1/memory/744-98-0x0000000000230000-0x0000000000330000-memory.dmp  family_raccoon
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 8 IoCs
Processes:
resource  yara_rule
\Program Files (x86)\Company\NewProduct\namdoitntn.exe  family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe  family_redline
\Program Files (x86)\Company\NewProduct\safert44.exe  family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe  family_redline
behavioral1/memory/1772-88-0x0000000001170000-0x0000000001190000-memory.dmp  family_redline
behavioral1/memory/1676-89-0x0000000000AE0000-0x0000000000B24000-memory.dmp  family_redline
-
Executes dropped EXE 8 IoCs
Processes:
pid  process
744  F0geI.exe
1800  kukurzka9000.exe
1772  namdoitntn.exe
1648  real.exe
1676  safert44.exe
976  captain09876.exe
516  me.exe
2676  SETUP_~1.EXE
-
Loads dropped DLL 11 IoCs
Processes:
pid  process
1408  8ccbac1663570c8901fcb75111b07497.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce  captain09876.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  captain09876.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 7 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Program Files (x86)\Company\NewProduct\F0geI.exe  8ccbac1663570c8901fcb75111b07497.exe
File opened for modification  C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe  8ccbac1663570c8901fcb75111b07497.exe
File opened for modification  C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe  8ccbac1663570c8901fcb75111b07497.exe
File opened for modification  C:\Program Files (x86)\Company\NewProduct\real.exe  8ccbac1663570c8901fcb75111b07497.exe
File opened for modification  C:\Program Files (x86)\Company\NewProduct\safert44.exe  8ccbac1663570c8901fcb75111b07497.exe
File opened for modification  C:\Program Files (x86)\Company\NewProduct\captain09876.exe  8ccbac1663570c8901fcb75111b07497.exe
File opened for modification  C:\Program Files (x86)\Company\NewProduct\me.exe  8ccbac1663570c8901fcb75111b07497.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid  process
1676  safert44.exe
1772  namdoitntn.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  2676  SETUP_~1.EXE
Token: SeDebugPrivilege  1676  safert44.exe
Token: SeDebugPrivilege  1772  namdoitntn.exe
-
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
pid  process
108  iexplore.exe
1936  iexplore.exe
844  iexplore.exe
936  iexplore.exe
984  iexplore.exe
-
Suspicious use of SetWindowsHookEx 22 IoCs
Processes:
pid  process
936  iexplore.exe
1936  iexplore.exe
844  iexplore.exe
108  iexplore.exe
984  iexplore.exe
1612  IEXPLORE.EXE
1344  IEXPLORE.EXE
1608  IEXPLORE.EXE
940  IEXPLORE.EXE
784  IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description  pid  process  target process
PID 1408 wrote to memory of 844  1408  8ccbac1663570c8901fcb75111b07497.exe  iexplore.exe
PID 1408 wrote to memory of 1936  1408  8ccbac1663570c8901fcb75111b07497.exe  iexplore.exe
PID 1408 wrote to memory of 984  1408  8ccbac1663570c8901fcb75111b07497.exe  iexplore.exe
PID 1408 wrote to memory of 936  1408  8ccbac1663570c8901fcb75111b07497.exe  iexplore.exe
PID 1408 wrote to memory of 108  1408  8ccbac1663570c8901fcb75111b07497.exe  iexplore.exe
PID 1408 wrote to memory of 744  1408  8ccbac1663570c8901fcb75111b07497.exe  F0geI.exe
PID 1408 wrote to memory of 1800  1408  8ccbac1663570c8901fcb75111b07497.exe  kukurzka9000.exe
PID 1408 wrote to memory of 1772  1408  8ccbac1663570c8901fcb75111b07497.exe  namdoitntn.exe
PID 1408 wrote to memory of 1648  1408  8ccbac1663570c8901fcb75111b07497.exe  real.exe
PID 1408 wrote to memory of 1676  1408  8ccbac1663570c8901fcb75111b07497.exe  safert44.exe
PID 1408 wrote to memory of 976  1408  8ccbac1663570c8901fcb75111b07497.exe  captain09876.exe
PID 1408 wrote to memory of 516  1408  8ccbac1663570c8901fcb75111b07497.exe  me.exe
PID 936 wrote to memory of 1612  936  iexplore.exe  IEXPLORE.EXE
PID 984 wrote to memory of 1608  984  iexplore.exe  IEXPLORE.EXE
PID 1936 wrote to memory of 784  1936  iexplore.exe  IEXPLORE.EXE
PID 108 wrote to memory of 940  108  iexplore.exe  IEXPLORE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ccbac1663570c8901fcb75111b07497.exe "C:\Users\Admin\AppData\Local\Temp\8ccbac1663570c8901fcb75111b07497.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
  C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RyjC4
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
-
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:844 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
-
  C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1A4aK4
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
-
  C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RLtX4
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:984 CREDAT:275457 /prefetch:2
    - Suspicious use of SetWindowsHookEx
-
  C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RCgX4
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:936 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
-
  C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1nXvZ4
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:108 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
-
  C:\Program Files (x86)\Company\NewProduct\F0geI.exe "C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
  - Executes dropped EXE
-
  C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe "C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
  - Executes dropped EXE
-
  C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
  C:\Program Files (x86)\Company\NewProduct\real.exe "C:\Program Files (x86)\Company\NewProduct\real.exe"
  - Executes dropped EXE
-
  C:\Program Files (x86)\Company\NewProduct\safert44.exe "C:\Program Files (x86)\Company\NewProduct\safert44.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
  C:\Program Files (x86)\Company\NewProduct\captain09876.exe "C:\Program Files (x86)\Company\NewProduct\captain09876.exe"
  - Executes dropped EXE
  - Adds Run key to start application
-
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Program Files (x86)\Company\NewProduct\me.exe "C:\Program Files (x86)\Company\NewProduct\me.exe"
  - Executes dropped EXE
Downloads
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exeFilesize
339KB
MD5501e0f6fa90340e3d7ff26f276cd582e
SHA11bce4a6153f71719e786f8f612fbfcd23d3e130a
SHA256f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b
SHA512dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69
-
C:\Program Files (x86)\Company\NewProduct\captain09876.exeFilesize
704KB
MD5ce94ce7de8279ecf9519b12f124543c3
SHA1be2563e381439ed33869a052391eec1ddd40faa0
SHA256f88d6fc5fd36ef3a9c54cf7101728a39a2a2694a0a64f6af1e1befacfbc03f20
SHA5129697cfc31b3344a2929b02ecdf9235756f4641dbb0910e9f6099382916447e2d06e41c153fad50890823f068ae412fb9a55fd274b3b9c7929f2ca972112cc5b7
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exeFilesize
764KB
MD58044b9ea12d49d849f8b516ac3d8173b
SHA168a078e750dad5befd1212a62c903379c1e3525c
SHA25622850fcde13fdc68136d790dee2f85d48069a029a618ceddfd4c6f90b9845d81
SHA51244df6449741275a07f7a3eeb718a1cff7ab6004a5b7501f28fe4269f8601b6ad2a3e6a7beeff0b41e3f2bdf24b6906d49e04b150ae75a33f9537665e4f39eb28
-
C:\Program Files (x86)\Company\NewProduct\me.exeFilesize
274KB
MD52eee4c301ce357df8f235957fcb774b3
SHA1f9fd1eac58b5f40475269a1e8eb1675227e2389c
SHA25666cc79df9054fda09648b64a230427d4a574f8349de871e922fbd20432b431f1
SHA512590589c3f8ee16f12539b943ba04402771372fe7748fb689c03b5681466ec8d3f3778007224e0a7fac1413f188aaee59a754cad2d0194af1130a8ad3191466fc
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exeFilesize
107KB
MD5bbd8ea73b7626e0ca5b91d355df39b7f
SHA166e298653beb7f652eb44922010910ced6242879
SHA2561aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e
SHA512625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exeFilesize
107KB
MD5bbd8ea73b7626e0ca5b91d355df39b7f
SHA166e298653beb7f652eb44922010910ced6242879
SHA2561aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e
SHA512625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f
-
C:\Program Files (x86)\Company\NewProduct\real.exeFilesize
275KB
MD5a2414bb5522d3844b6c9a84537d7ce43
SHA156c91fc4fe09ce07320c03f186f3d5d293a6089d
SHA25631f4715777f3be6a4a7b34baf25ebfc7af32dd9a2aae826fc73dca6c44fda173
SHA512408ebb002b3bdb77dc243ced28d852801e68e5ff0dbfa450d3e91b89311fe6a3e8473e749619c285c1a5427d8a117350a3798435ed38b56d1a230f0ae270ec60
-
C:\Program Files (x86)\Company\NewProduct\safert44.exeFilesize
246KB
MD5414ffd7094c0f50662ffa508ca43b7d0
SHA16ec67bd53da2ff3d5538a3afcc6797af1e5a53fb
SHA256d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee
SHA512c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399
-
C:\Program Files (x86)\Company\NewProduct\safert44.exeFilesize
246KB
MD5414ffd7094c0f50662ffa508ca43b7d0
SHA16ec67bd53da2ff3d5538a3afcc6797af1e5a53fb
SHA256d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee
SHA512c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{30D5E7F1-1F90-11ED-9843-7ADD0904B6AC}.datFilesize
3KB
MD5871249941d7236d476a131f580fdd6e9
SHA1a3c97394b5ce6b5eb2fa067a12395d197b3eee36
SHA256e0096fe7b250e550d2d3c7d3bca7f82ac5cc6762dcf43f33865a1b936a1e424c
SHA5128714c5563f072ccf05b0c34c02958a10aceeae0ba7171c47976131e1a4bf5ca8ba1e3791a5d6c717ed83e194a81d2b4793970ba241606a5780efc34dc22090c8
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{30D68431-1F90-11ED-9843-7ADD0904B6AC}.datFilesize
5KB
MD5e044cb2660b06c7d1a98b325ac8d7561
SHA1221ac0864592ceec000964210d83848bbb5abf36
SHA256e58ccb05319c7e84655d6ccc4292f454e1754a22cc3cbe92e4309c2bfaf72866
SHA512847456de745a4a79296c4cfac1af8801da6a8274c9c30f3022c9847438700515dbfd755dca9a424d46e3265875ee5377ae45df6face6cf913ce0c64fb3576c5e
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{30D795A1-1F90-11ED-9843-7ADD0904B6AC}.datFilesize
3KB
MD5eab5b9d5f54e12ef37136b12f768c720
SHA19560f7535bc870464493f75655f5d596694b077e
SHA2567dcdeb9abe06cc65ab9cc745c54840a5d31753ae4a8a23d71f60e612ec5b7ccb
SHA5124055083cddacb198fa1762d9a7107d8ccf9b7212dd19c3490f122b64b1b8eb61989e74c205e33f8c2454f7eb17bd712df36649f1cfeb87b2c77aab1c810bbcc5
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXEFilesize
334.1MB
MD5ce25658ac9291c713590b834d96406bb
SHA15a45881222b0e35968427eaf3185c9534ad54943
SHA2560dfa582e65cf4e9ea1fd9575518fff57b71b3f0f850df643319c611d39a8c2c2
SHA5128f7bee11566fa8978a0e1716b51ba4e7735e98fc715a9eed0fb3b6e156abfa46f378035935b5ed8967f98bcb3ef83599208a00225bbf0cb2655306846e3d354c
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXEFilesize
334.1MB
MD5ce25658ac9291c713590b834d96406bb
SHA15a45881222b0e35968427eaf3185c9534ad54943
SHA2560dfa582e65cf4e9ea1fd9575518fff57b71b3f0f850df643319c611d39a8c2c2
SHA5128f7bee11566fa8978a0e1716b51ba4e7735e98fc715a9eed0fb3b6e156abfa46f378035935b5ed8967f98bcb3ef83599208a00225bbf0cb2655306846e3d354c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BLDXBGG6.txtFilesize
589B
MD53df986137e2b76df21f7b0852e397d37
SHA1347761dfabfd3948b891cc7c2532d051b64e1602
SHA2562473360180840073e35f92a61dff9ca575be36b74731c50f5297eb6a0e7e128b
SHA512df91bc9944604b134cde4440f67bbe5ba6aefdb8987032d656a6bf2b2d67d3d7e145b7a5b966073b732c10ad76e938f43ba423c56113e0f2388e87591817601f
-
\Program Files (x86)\Company\NewProduct\F0geI.exeFilesize
339KB
MD5501e0f6fa90340e3d7ff26f276cd582e
SHA11bce4a6153f71719e786f8f612fbfcd23d3e130a
SHA256f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b
SHA512dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69
-
\Program Files (x86)\Company\NewProduct\F0geI.exeFilesize
339KB
MD5501e0f6fa90340e3d7ff26f276cd582e
SHA11bce4a6153f71719e786f8f612fbfcd23d3e130a
SHA256f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b
SHA512dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69
-
\Program Files (x86)\Company\NewProduct\captain09876.exeFilesize
704KB
MD5ce94ce7de8279ecf9519b12f124543c3
SHA1be2563e381439ed33869a052391eec1ddd40faa0
SHA256f88d6fc5fd36ef3a9c54cf7101728a39a2a2694a0a64f6af1e1befacfbc03f20
SHA5129697cfc31b3344a2929b02ecdf9235756f4641dbb0910e9f6099382916447e2d06e41c153fad50890823f068ae412fb9a55fd274b3b9c7929f2ca972112cc5b7
-
\Program Files (x86)\Company\NewProduct\kukurzka9000.exeFilesize
764KB
-
\Program Files (x86)\Company\NewProduct\me.exe
Filesize
274KB
-
\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB
-
\Program Files (x86)\Company\NewProduct\real.exe
Filesize
275KB
-
\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB
-
memory/516-106-0x0000000060900000-0x0000000060992000-memory.dmp
Filesize
584KB
-
memory/516-82-0x0000000000000000-mapping.dmp
-
memory/744-98-0x0000000000230000-0x0000000000330000-memory.dmp
Filesize
1024KB
-
memory/744-87-0x0000000000400000-0x000000000046E000-memory.dmp
Filesize
440KB
-
memory/744-86-0x00000000003A0000-0x00000000003B0000-memory.dmp
Filesize
64KB
-
memory/744-57-0x0000000000000000-mapping.dmp
-
memory/744-85-0x0000000000230000-0x0000000000330000-memory.dmp
Filesize
1024KB
-
memory/976-77-0x0000000000000000-mapping.dmp
-
memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp
Filesize
8KB
-
memory/1648-70-0x0000000000000000-mapping.dmp
-
memory/1676-89-0x0000000000AE0000-0x0000000000B24000-memory.dmp
Filesize
272KB
-
memory/1676-92-0x0000000000450000-0x0000000000456000-memory.dmp
Filesize
24KB
-
memory/1676-73-0x0000000000000000-mapping.dmp
-
memory/1772-88-0x0000000001170000-0x0000000001190000-memory.dmp
Filesize
128KB
-
memory/1772-65-0x0000000000000000-mapping.dmp
-
memory/1800-90-0x00000000003A0000-0x00000000003B2000-memory.dmp
Filesize
72KB
-
memory/1800-61-0x0000000000000000-mapping.dmp
-
memory/1800-91-0x0000000000400000-0x00000000004C5000-memory.dmp
Filesize
788KB
-
memory/2676-102-0x00000000011A0000-0x00000000011F0000-memory.dmp
Filesize
320KB
-
memory/2676-99-0x0000000000000000-mapping.dmp