Resubmissions
Submitted          ID                  Score
19-11-2022 21:40   221119-1jgzlacd49   8
19-11-2022 13:48   221119-q4ed4adg34   10
19-11-2022 06:26   221119-g7aqmscg91   10
19-11-2022 05:30   221119-f67hjsbc8t   10
15-11-2022 20:50   221115-zm3j2abf6y   10
15-11-2022 20:50   221115-zmpm6sfh23   10
15-11-2022 20:49   221115-zl6kasfg98   10
15-11-2022 20:19   221115-y4ct9sff87   10
14-11-2022 19:39   221114-yc4tnsdb92   10
14-11-2022 19:34   221114-yakb9adb83   10
Analysis
max time kernel: 270s
max time network: 274s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 19-11-2022 21:40
Static task: static1
Behavioral task: behavioral1
Sample: db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
Resource: win10-20220901-en
General
Target: db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
Size: 307KB
MD5: 0abe50c1509136bf62d2184ab439e7a5
SHA1: 722a7e2a0dd66f506ba93d24946b8bf504b100c0
SHA256: db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50
SHA512: 0c232d1eaf68c0099fb499fcd40bb33cd604f0259a71b853c296e00cc468342de95548ccf61d9e904cef5d34fd94defbb43f844e9f50a51517c7c95ab66862c5
SSDEEP: 6144:Gu0FGLnBOUaLPP7S9dW8dsgMF24raEn2E1a:Gu0wTBOU2Pj6EisgM/uUv
Malware Config
Signatures
Blocklisted process makes network request 4 IoCs
Processes (flow, pid, process):
  flow 19  pid 4384  rundll32.exe
  flow 24  pid 4384  rundll32.exe
  flow 46  pid 4384  rundll32.exe
  flow 48  pid 4384  rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs
Processes (pid, process):
  pid 4064  2C5F.exe
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MoreTools.\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Mail\\en-US\\MoreTools..dll"  rundll32.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MoreTools.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"  rundll32.exe
Deletes itself 1 IoCs
Processes (pid, process):
  pid 2056  (process name not recorded)
Loads dropped DLL 4 IoCs
Processes (pid, process):
  pid 4384  rundll32.exe
  pid 4856  svchost.exe
  pid 1352  rundll32.exe
  pid 4820  rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes (description, ioc, process):
  Key opened  \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  rundll32.exe
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes (description, ioc, process):
  Key opened  \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rundll32.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rundll32.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rundll32.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
  PID 4384 set thread context of 4820  rundll32.exe -> rundll32.exe
Drops file in Program Files directory 48 IoCs
Drops file in Windows directory 2 IoCs
Processes (description, ioc, process):
  File created  C:\Windows\rescache\_merged\1601268389\3877292338.pri  taskmgr.exe
  File created  C:\Windows\rescache\_merged\4183903823\810424605.pri  taskmgr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  taskmgr.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  taskmgr.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Modifies system certificate store
Processes (description, ioc, process):
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1F135BF79648BA74D8311AF337A666876F69D889  rundll32.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1F135BF79648BA74D8311AF337A666876F69D889\Blob = <certificate blob omitted>  rundll32.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process; repeated entries collapsed):
  pid 2676  db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
  pid 2516  taskmgr.exe
  pid 2056  (process name not recorded)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
  pid 2056  (process name not recorded)
Suspicious behavior: MapViewOfSection 1 IoCs
Processes (pid, process):
  pid 2676  db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
Suspicious use of AdjustPrivilegeToken 34 IoCs
Processes (description, pid, process; repeated entries collapsed):
  Token: SeDebugPrivilege  2516 taskmgr.exe
  Token: SeSystemProfilePrivilege  2516 taskmgr.exe
  Token: SeCreateGlobalPrivilege  2516 taskmgr.exe
  Token: SeShutdownPrivilege  2056 (process name not recorded)
  Token: SeCreatePagefilePrivilege  2056 (process name not recorded)
  Token: 33  2516 taskmgr.exe
  Token: SeIncBasePriorityPrivilege  2516 taskmgr.exe
  Token: SeDebugPrivilege  4384 rundll32.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (pid, process; repeated entries collapsed):
  pid 2516  taskmgr.exe
  pid 2056  (process name not recorded)
  pid 4820  rundll32.exe
  pid 4384  rundll32.exe
Suspicious use of SendNotifyMessage 64 IoCs
Processes (pid, process; repeated entries collapsed):
  pid 2516  taskmgr.exe
  pid 2056  (process name not recorded)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
  pid 2056  (process name not recorded)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description, pid, process, target process; each entry was recorded three times, duplicates collapsed):
  PID 2056 wrote to memory of 4064  (process name not recorded) -> 2C5F.exe
  PID 4064 wrote to memory of 4384  2C5F.exe -> rundll32.exe
  PID 4384 wrote to memory of 4820  rundll32.exe -> rundll32.exe
  PID 4856 wrote to memory of 1352  svchost.exe -> rundll32.exe
  PID 4384 wrote to memory of 4552  rundll32.exe -> schtasks.exe
  PID 4384 wrote to memory of 1160  rundll32.exe -> schtasks.exe
outlook_office_path 1 IoCs
Processes (description, ioc, process):
  Key opened  \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rundll32.exe
outlook_win_path 1 IoCs
Processes (description, ioc, process):
  Key opened  \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe"
  Signatures:
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures:
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Users\Admin\AppData\Local\Temp\2C5F.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2C5F.exe
  Signatures:
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Wuwedteata.tmp",Tiuqiiueaur
    Signatures:
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    Child processes:
    - C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 22523
      Signatures:
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  Signatures:
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows mail\en-us\moretools..dll",n05RTg==
    Signatures:
    - Loads dropped DLL
    - Checks processor information in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\{36041D63-C487-DEE5-C779-2662B278DB3B}\114__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxmlFilesize
717B
MD521593495351442f1a81240632f56ce2e
SHA1ba21d48ee55cfaeef1d087b9feb2f626e474668e
SHA256d71a15759da5bc43f5f2e3ff0f81c8650bad176589de15080d99457ddba3406c
SHA51233d413a6b53c4a426044342641a2a23c078a900ab0f779344186ba4982ec8ce2527fde5d6401a5d1e20baaed7901a722fd60bdddd153272a2f4cd4b3d8d9ab03
-
C:\ProgramData\{36041D63-C487-DEE5-C779-2662B278DB3B}\142__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxmlFilesize
838B
MD589551f0137c7e6649db4a8160f604dff
SHA10b66aaeb0fa4aa9173defce30743c789ccec056d
SHA256fd14e7e09957a2b26c0e431cc8bb225ad3a738304482bf7de382f6920d0779ff
SHA5129a7232b3dc67f4557a41cee4f0bcf445b31f768f5000e3868744684e65086a29bcf85853f9a01562068a606d2642825d7bb50111c50783eaf979aeb6c0508667
-
C:\ProgramData\{36041D63-C487-DEE5-C779-2662B278DB3B}\144__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxmlFilesize
842B
MD5ef2b4659f5f805b450810141d4072f4c
SHA16e6024ab0420a826266847b7c90022b5f82c571e
SHA256a27024317b983aade55b7e96d9592dad390d1d9fadab50f663f3a5f5995d811a
SHA5122945a30daae02cb4fa2499b8732d2adc0ea6215fbfbc7459ec818a8ddfecbf9ef80d67d5e92a343cc8acf828f911ab8a81e75a74d7ffeaee77d2ffe14ba5e242
-
C:\ProgramData\{36041D63-C487-DEE5-C779-2662B278DB3B}\161__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxmlFilesize
735B
MD5b5d1f4cdb275235143cdba1eaf7f233c
SHA1f96f9da2a74cdb581831823c8a0bd3365b8595ee
SHA256af5c7d1fe5e4e02ff2cb5e7e2b1a6bf3ec8612091fe2d54ebff2b5c29afbe5fd
SHA512425ff525c102cc25a4aee5944176f2c3c24876b3bd1f736cefdee8837342e7fcfb9ede36d5e0639b1d708ec78b2b026a320e6bececa36e6bc6e57a7b4037e204
-
C:\ProgramData\{36041D63-C487-DEE5-C779-2662B278DB3B}\163__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxmlFilesize
851B
MD578a0679c4d8c668f0b1f4f3b6028eb74
SHA1e4071ffb1fb9c3467945d23b4507b6ebfb8e48d5
SHA256af46cfb779a7de898e5a39c9a1fdf6be3d36789b3f939bb85c2cef1600f52ec1
SHA512848f1e7c660cc7614840cf233022b687a727374b68934d5d1afca6f5eaa58f4b298866dc295a665a7075dcb6f28d91c29f0367b94c74d3ab9d8a6713dc5d6fac
-
C:\ProgramData\{36041D63-C487-DEE5-C779-2662B278DB3B}\MasterDatastore.xmlFilesize
271B
MD5d6650e3886f3c95fb42d4f0762b04173
SHA11da4b8bb6bb45d576616ad843cf6e4c2e9d4784b
SHA2569101f028c2288850be393281297500902b297c8b6ecf793292678b04a72709c9
SHA5121f82db4bd6ea401bb5610c21ed48848b9b61c55aabb4efada31dc677835b8e4451045006c4067e9cc51267a1c861765b49c3b3ab4c568be1dca0c0109fd8ceaa
-
C:\ProgramData\{36041D63-C487-DEE5-C779-2662B278DB3B}\Riirsyiyayu.tmpFilesize
3.5MB
MD59d74d88e7b23e964a6232d90e93be50d
SHA18387992761f953c68cf4f624c0eb97c304aab266
SHA2569268c928157c6c493014b0bb3e6158087654d7b315c6f595ed3ae879812d5887
SHA512a2f3c0638716956afd1f47491d7417476885a85d51d4b7d9f12aabf8208bb21c540bb619b831cfa7a898f9e5c6726f60d53b810573373d9fd9582448169c46f0
-
C:\ProgramData\{36041D63-C487-DEE5-C779-2662B278DB3B}\RunTime.xmlFilesize
251B
MD5585e0da2ec87617422335cce20b25a3c
SHA11532c38218dbea8af9c2dde70c2f9dd1f51e96d2
SHA2564fedaaf9a06af2a055bb68ccc3d81a6ba0de24c0d6a302ca713b4571d17eb5e6
SHA512dcbc187fb097b74b3ccfefa7cfd8ce270bdfdfff94e86108799a329a82a015ce5711eb3f80b5880b32f680ac83c017e8503bee673d90ea52fbd74c3bff8fddc5
-
C:\ProgramData\{36041D63-C487-DEE5-C779-2662B278DB3B}\device.pngFilesize
43KB
MD57051c15362866f6411ff4906403f2c54
SHA1768b062b336675ff9a2b9fcff0ce1057234a5399
SHA256609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a
SHA5125fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08
-