Analysis
max time kernel: 151s
max time network: 167s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 02:57
Behavioral task: behavioral1
Sample: 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Resource: win7-20220812-en
General
Target: 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Size: 713KB
MD5: 4e99032cf799aad0a5b32fda617d3498
SHA1: e67deed6bfe806777b04266274713f3ed207fbff
SHA256: 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced
SHA512: 21aa9b2b080684fb976ce3f1a97b51159feb7a8113e30375ae63ae929b49ef35782755dd4c35b3d5f1c1a4955638532839e31a885e475c8f867c4ba2799453e3
SSDEEP: 12288:aKkRlAZIWi9UnAqyYkYIxPzO7/zeGI/l6HijbiPFFJuPLn:asZIWvnAGkYuqbvH7yPj
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: 85.93.52.232:1604
Mutex: DC_MUTEX-X9V30LL
Attributes:
InstallPath: MSDCSC\msdcsc.exe
gencode: PMQDeEGAfQts
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures
Detect Neshta payload (18 IoCs)
resource | yara_rule
C:\Windows\svchost.com | family_neshta
C:\Windows\svchost.com | family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe | family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe | family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe | family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE | family_neshta
C:\Windows\svchost.com | family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | family_neshta
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | family_neshta
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | family_neshta
\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | family_neshta
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE | family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE | family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE | family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | family_neshta
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | temp.exe
Modifies system executable filetype association (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Neshta
Malware from the Neshta family is a file infector: it inserts itself into other executable files in order to spread and cause damage.
Executes dropped EXE (5 IoCs)
pid | process
1204 | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
956 | svchost.com
948 | temp.exe
1784 | svchost.com
1492 | msdcsc.exe
UPX packed file (15 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\temp.exe | upx
\Users\Admin\AppData\Local\Temp\temp.exe | upx
\Users\Admin\AppData\Local\Temp\temp.exe | upx
C:\Users\Admin\AppData\Local\Temp\temp.exe | upx
behavioral1/memory/948-74-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\temp.exe | upx
C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe | upx
\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe | upx
\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe | upx
C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe | upx
behavioral1/memory/1492-91-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/948-92-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/1492-96-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe | upx
\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe | upx
Loads dropped DLL (11 IoCs)
pid | process
2036 | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
2036 | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
956 | svchost.com
956 | svchost.com
1784 | svchost.com
1784 | svchost.com
956 | svchost.com
2036 | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
2036 | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
956 | svchost.com
2036 | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | temp.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | process
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | svchost.com
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\ImagingDevices.exe | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | svchost.com
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | svchost.com
File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | svchost.com
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | svchost.com
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | svchost.com
Drops file in Windows directory (5 IoCs)
description | ioc | process
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | process
Token: SeIncreaseQuotaPrivilege | 948 | temp.exe
Token: SeSecurityPrivilege | 948 | temp.exe
Token: SeTakeOwnershipPrivilege | 948 | temp.exe
Token: SeLoadDriverPrivilege | 948 | temp.exe
Token: SeSystemProfilePrivilege | 948 | temp.exe
Token: SeSystemtimePrivilege | 948 | temp.exe
Token: SeProfSingleProcessPrivilege | 948 | temp.exe
Token: SeIncBasePriorityPrivilege | 948 | temp.exe
Token: SeCreatePagefilePrivilege | 948 | temp.exe
Token: SeBackupPrivilege | 948 | temp.exe
Token: SeRestorePrivilege | 948 | temp.exe
Token: SeShutdownPrivilege | 948 | temp.exe
Token: SeDebugPrivilege | 948 | temp.exe
Token: SeSystemEnvironmentPrivilege | 948 | temp.exe
Token: SeChangeNotifyPrivilege | 948 | temp.exe
Token: SeRemoteShutdownPrivilege | 948 | temp.exe
Token: SeUndockPrivilege | 948 | temp.exe
Token: SeManageVolumePrivilege | 948 | temp.exe
Token: SeImpersonatePrivilege | 948 | temp.exe
Token: SeCreateGlobalPrivilege | 948 | temp.exe
Token: 33 | 948 | temp.exe
Token: 34 | 948 | temp.exe
Token: 35 | 948 | temp.exe
Token: SeIncreaseQuotaPrivilege | 1492 | msdcsc.exe
Token: SeSecurityPrivilege | 1492 | msdcsc.exe
Token: SeTakeOwnershipPrivilege | 1492 | msdcsc.exe
Token: SeLoadDriverPrivilege | 1492 | msdcsc.exe
Token: SeSystemProfilePrivilege | 1492 | msdcsc.exe
Token: SeSystemtimePrivilege | 1492 | msdcsc.exe
Token: SeProfSingleProcessPrivilege | 1492 | msdcsc.exe
Token: SeIncBasePriorityPrivilege | 1492 | msdcsc.exe
Token: SeCreatePagefilePrivilege | 1492 | msdcsc.exe
Token: SeBackupPrivilege | 1492 | msdcsc.exe
Token: SeRestorePrivilege | 1492 | msdcsc.exe
Token: SeShutdownPrivilege | 1492 | msdcsc.exe
Token: SeDebugPrivilege | 1492 | msdcsc.exe
Token: SeSystemEnvironmentPrivilege | 1492 | msdcsc.exe
Token: SeChangeNotifyPrivilege | 1492 | msdcsc.exe
Token: SeRemoteShutdownPrivilege | 1492 | msdcsc.exe
Token: SeUndockPrivilege | 1492 | msdcsc.exe
Token: SeManageVolumePrivilege | 1492 | msdcsc.exe
Token: SeImpersonatePrivilege | 1492 | msdcsc.exe
Token: SeCreateGlobalPrivilege | 1492 | msdcsc.exe
Token: 33 | 1492 | msdcsc.exe
Token: 34 | 1492 | msdcsc.exe
Token: 35 | 1492 | msdcsc.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
1492 | msdcsc.exe
Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | process | target process
PID 2036 wrote to memory of 1204 | 2036 | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
PID 2036 wrote to memory of 1204 | 2036 | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
PID 2036 wrote to memory of 1204 | 2036 | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
PID 2036 wrote to memory of 1204 | 2036 | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
PID 1204 wrote to memory of 956 | 1204 | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe | svchost.com
PID 1204 wrote to memory of 956 | 1204 | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe | svchost.com
PID 1204 wrote to memory of 956 | 1204 | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe | svchost.com
PID 1204 wrote to memory of 956 | 1204 | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe | svchost.com
PID 956 wrote to memory of 948 | 956 | svchost.com | temp.exe
PID 956 wrote to memory of 948 | 956 | svchost.com | temp.exe
PID 956 wrote to memory of 948 | 956 | svchost.com | temp.exe
PID 956 wrote to memory of 948 | 956 | svchost.com | temp.exe
PID 948 wrote to memory of 1784 | 948 | temp.exe | svchost.com
PID 948 wrote to memory of 1784 | 948 | temp.exe | svchost.com
PID 948 wrote to memory of 1784 | 948 | temp.exe | svchost.com
PID 948 wrote to memory of 1784 | 948 | temp.exe | svchost.com
PID 1784 wrote to memory of 1492 | 1784 | svchost.com | msdcsc.exe
PID 1784 wrote to memory of 1492 | 1784 | svchost.com | msdcsc.exe
PID 1784 wrote to memory of 1492 | 1784 | svchost.com | msdcsc.exe
PID 1784 wrote to memory of 1492 | 1784 | svchost.com | msdcsc.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe"
   - Modifies system executable filetype association
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3582-490\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\svchost.com
         Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\temp.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\temp.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\temp.exe
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\svchost.com
               Command line: "C:\Windows\svchost.com" "C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe"
               - Executes dropped EXE
               - Loads dropped DLL
               - Drops file in Windows directory
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe
                  Command line: C:\Users\Admin\DOCUME~1\MSDCSC\msdcsc.exe
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
Downloads