Analysis
-
max time kernel
152s
-
max time network
154s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
-
submitted
29-11-2022 06:53
Behavioral task
behavioral1
Sample
d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
Resource
win10v2004-20220812-en
General
-
Target
d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
-
Size
42KB
-
MD5
76fc6dd56b4f8ddc559c77036b76b937
-
SHA1
3e37d7bc9420c4fdde2d907d8d1ca1196e934bf1
-
SHA256
d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5
-
SHA512
4a6213f0ddbaeb68a7b17516ed51d52e8434ec91102a6023396c468c4c6cd50acc8adf02e3f172bf6ae22d478bf9161bbbc0aea02ab68b9c505b5fe7bdbfeef6
-
SSDEEP
768:gSz0/XBwayCUOwV3TNZHdrPeqzEWvpbPwSMX6+w6pqZxLdeVgol9D8888888888s:BzOCay4wV339rPjzbpLwRJ9pSdoI1
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
Processes:
SPOOLSV.EXE, SVCHOST.EXE, d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe, CTFMON.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | CTFMON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | CTFMON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SPOOLSV.EXE
-
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
Processes:
d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe, CTFMON.EXE, SPOOLSV.EXE, SVCHOST.EXE
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | CTFMON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 4 IoCs
Processes:
CTFMON.EXE, SPOOLSV.EXE, SVCHOST.EXE, d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | CTFMON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
-
Processes:
resource | yara_rule
C:\Recycled\SVCHOST.EXE | aspack_v212_v242
C:\recycled\SVCHOST.EXE | aspack_v212_v242
C:\Windows\Fonts\ Explorer.exe | aspack_v212_v242
C:\Recycled\SVCHOST.EXE | aspack_v212_v242
C:\Recycled\SPOOLSV.EXE | aspack_v212_v242
C:\recycled\SPOOLSV.EXE | aspack_v212_v242
C:\Windows\Fonts\ Explorer.exe | aspack_v212_v242
C:\Recycled\SVCHOST.EXE | aspack_v212_v242
C:\Recycled\SPOOLSV.EXE | aspack_v212_v242
C:\Recycled\CTFMON.EXE | aspack_v212_v242
C:\recycled\CTFMON.EXE | aspack_v212_v242
C:\Windows\Fonts\ Explorer.exe | aspack_v212_v242
C:\Recycled\SVCHOST.EXE | aspack_v212_v242
C:\Recycled\SPOOLSV.EXE | aspack_v212_v242
C:\Recycled\CTFMON.EXE | aspack_v212_v242
C:\Recycled\CTFMON.EXE | aspack_v212_v242
C:\Recycled\SPOOLSV.EXE | aspack_v212_v242
C:\Recycled\CTFMON.EXE | aspack_v212_v242
-
Executes dropped EXE 12 IoCs
Processes:
SVCHOST.EXE, SVCHOST.EXE, SPOOLSV.EXE, SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE, SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE, CTFMON.EXE, SPOOLSV.EXE, CTFMON.EXE
pid | process
2076 | SVCHOST.EXE
3612 | SVCHOST.EXE
1412 | SPOOLSV.EXE
1872 | SVCHOST.EXE
3572 | SPOOLSV.EXE
3332 | CTFMON.EXE
3644 | SVCHOST.EXE
1828 | SPOOLSV.EXE
4604 | CTFMON.EXE
2316 | CTFMON.EXE
4392 | SPOOLSV.EXE
4400 | CTFMON.EXE
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes:
d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
description | ioc | process
File opened for modification | C:\Recycled\desktop.ini | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
Processes:
d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
-
Drops file in Windows directory 4 IoCs
Processes:
CTFMON.EXE, d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe, SVCHOST.EXE, SPOOLSV.EXE
description | ioc | process
File opened for modification | C:\Windows\Fonts\ Explorer.exe | CTFMON.EXE
File opened for modification | C:\Windows\Fonts\ Explorer.exe | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
File opened for modification | C:\Windows\Fonts\ Explorer.exe | SVCHOST.EXE
File opened for modification | C:\Windows\Fonts\ Explorer.exe | SPOOLSV.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class 29 IoCs
Processes:
SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE, d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | CTFMON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | CTFMON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\*\TileInfo = "prop:Type;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\*\QuickTip = "prop:Type;Size" | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\*\TileInfo = "prop:Type;Size" | CTFMON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | CTFMON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\*\QuickTip = "prop:Type;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | CTFMON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\*\TileInfo = "prop:Type;Size" | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\*\QuickTip = "prop:Type;Size" | CTFMON.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXE
pid | process
1560 | WINWORD.EXE
1560 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
WINWORD.EXE
pid | process
1560 | WINWORD.EXE
1560 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 20 IoCs
Processes:
d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe, SVCHOST.EXE, SVCHOST.EXE, SPOOLSV.EXE, SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE, SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE, CTFMON.EXE, SPOOLSV.EXE, CTFMON.EXE, WINWORD.EXE
pid | process
3160 | d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
2076 | SVCHOST.EXE
3612 | SVCHOST.EXE
1412 | SPOOLSV.EXE
1872 | SVCHOST.EXE
3572 | SPOOLSV.EXE
3332 | CTFMON.EXE
3644 | SVCHOST.EXE
1828 | SPOOLSV.EXE
4604 | CTFMON.EXE
2316 | CTFMON.EXE
4392 | SPOOLSV.EXE
4400 | CTFMON.EXE
1560 | WINWORD.EXE
1560 | WINWORD.EXE
1560 | WINWORD.EXE
1560 | WINWORD.EXE
1560 | WINWORD.EXE
1560 | WINWORD.EXE
1560 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
"C:\Users\Admin\AppData\Local\Temp\d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\CTFMON.EXE
C:\recycled\CTFMON.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.doc" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Recycled\CTFMON.EXE
Filesize
42KB
-
C:\Recycled\SPOOLSV.EXE
Filesize
42KB
-
C:\Recycled\SVCHOST.EXE
Filesize
42KB
-
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
Filesize
2KB
-
C:\Windows\Fonts\ Explorer.exe
Filesize
42KB