Analysis
max time kernel: 154s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 08:04
Behavioral task: behavioral1
Sample: dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Resource: win7-20220812-en
General
Target: dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Size: 916KB
MD5: 0e6eccc2cb4555748e5b1dec1ea8e0b0
SHA1: 3eba614e98ff631ecb30bcc1cc3cfe4824747dff
SHA256: dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2
SHA512: 75926bd3d19ef06f38581ad03a95eb99dfed1b0505484680abc633e36200e02bc8fb72bbe1caf4241446edd398650f0ad3a3ecc12b78e2758c29adc843703452
SSDEEP: 12288:aW6VgX0SyGUsp8Qd/zDdz+A+hi6+pE30vwmC46oSVISpn7awwgoSPpi6:a/lGl6Qp3R+hos4w74YGwJpi6
Malware Config
Signatures
Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
ACProtect 1.3x - 1.4x DLL software (3 IoCs)
Detects file using ACProtect software.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\BunndleOfferManager.dll | acprotect
C:\Users\Admin\AppData\Local\Temp\Bunndle\BUNNDL~1.DLL | acprotect
C:\Users\Admin\AppData\Local\Temp\Bunndle\BunndleOfferManager.dll | acprotect
Executes dropped EXE (1 IoC)
Processes:
pid | process
1668 | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe | upx
C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe | upx
behavioral2/memory/1668-135-0x0000000000400000-0x0000000000953000-memory.dmp | upx
behavioral2/memory/1668-136-0x0000000000400000-0x0000000000953000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\BunndleOfferManager.dll | upx
C:\Users\Admin\AppData\Local\Temp\Bunndle\BUNNDL~1.DLL | upx
C:\Users\Admin\AppData\Local\Temp\Bunndle\BunndleOfferManager.dll | upx
behavioral2/memory/1668-143-0x00000000740B0000-0x0000000074114000-memory.dmp | upx
behavioral2/memory/4972-144-0x0000000073A60000-0x0000000073AC4000-memory.dmp | upx
behavioral2/memory/1668-145-0x00000000740B0000-0x0000000074114000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Wine | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Loads dropped DLL (2 IoCs)
Processes:
pid | process
1668 | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
4972 | rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
Processes:
process (all entries): dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
description | ioc
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe
File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE
File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
Drops file in Windows directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\svchost.com | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (64 IoCs)
Processes:
process (all entries): dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
description | ioc
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager\CurVer\ = "Bunndle.BunndleOfferManager.1"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\MiscStatus\1\ = "131473"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ProxyStubClsid32
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ProxyStubClsid32
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager.1
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager.1\CLSID
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager\CLSID\ = "{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\Control
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\InprocServer32\ThreadingModel = "Apartment"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib\ = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\TypeLib\Version = "1.0"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\MiscStatus\ = "0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager.1\CLSID\ = "{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\TypeLib
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib\Version = "1.0"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ProxyStubClsid32
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\Programmable
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\TypeLib
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\ProxyStubClsid32
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ProxyStubClsid32
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\ = "BunndleOfferManager Class"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\ = "IBunndleOfferManager"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib\Version = "1.0"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib\Version = "1.0"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\TypeLib\Version = "1.0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager\CurVer
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\AppId = "{2C9E6EB4-45BD-4855-A0C2-4614D4C49DBA}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\VersionIndependentProgID\ = "Bunndle.BunndleOfferManager"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\0
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ = "IBunndleOfferManager2"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib\ = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}"
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\FalconBetaAccount\remote_access_client_id = "5972182477"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager.1\ = "BunndleOfferManager Class"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager\ = "BunndleOfferManager Class"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\MiscStatus\1
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\ = "IBunndleOfferManager"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ = "IInstallScriptHelper"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Bunndle.BunndleOfferManager\CLSID
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\HELPDIR
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\FalconBetaAccount
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\ProgID\ = "Bunndle.BunndleOfferManager.1"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\VersionIndependentProgID
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BunndleOfferManager.dll"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\TypeLib\ = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\ = "BunndleOfferManager 1.0 Type Library"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\ProgID
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\FLAGS
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeManageVolumePrivilege | 1668 | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 4032 wrote to memory of 1668 | 4032 | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
PID 4032 wrote to memory of 1668 | 4032 | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
PID 4032 wrote to memory of 1668 | 4032 | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
PID 1668 wrote to memory of 4972 | 1668 | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe | rundll32.exe
PID 1668 wrote to memory of 4972 | 1668 | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe | rundll32.exe
PID 1668 wrote to memory of 4972 | 1668 | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe | rundll32.exe
PID 4972 wrote to memory of 3540 | 4972 | rundll32.exe | cmd.exe
PID 4972 wrote to memory of 3540 | 4972 | rundll32.exe | cmd.exe
PID 4972 wrote to memory of 3540 | 4972 | rundll32.exe | cmd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe (PID 4032)
   Command line: "C:\Users\Admin\AppData\Local\Temp\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe"
   - Modifies system executable filetype association
   - Checks computer location settings
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe (PID 1668)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe"
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe (PID 4972)
         Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\Bunndle\BUNNDL~1.DLL,RunOfferManagerAgentW
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe (PID 3540)
            Command line: "C:\Windows\system32\cmd.exe" /c set /p x= & del /f /s "C:\Users\Admin\AppData\Local\Temp\Bunndle\BUNNDL~1.DLL"
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Filesize: 875KB
MD5: 2c1ef6485eeb834187fc69556a64eafe
SHA1: c959e7d82203d234eb4912c61f05a450417c8c36
SHA256: 7f25b9bbec978f3f3810d1e064d2ca9330061bd9d0f7df9c3370f020e9d38e56
SHA512: 7f8041ec2d84ed23dd31a4733680e3228bdd12564109f107a57aa341dbd2813d016f154ae0f6dd0957aa67bb4d2ba96bbd6ce555cb366ebd163e9ca9c78e27f7

C:\Users\Admin\AppData\Local\Temp\BunndleOfferManager.dll
Filesize: 130KB
MD5: f8f7820b4336e61b40ca67418dacc7ba
SHA1: 82b6ddc00ddcee0526a357a328a4cad8165d89a1
SHA256: d4dd8b04ed2cb17d9440b24157163c52d8cb2969c71df6e13c30856e29a50fb6
SHA512: 260537c02f075b1971d2464fab08e09b194d26ad588e7e5c7809c917393b4328130079941e122ee2e1fa8ae8fbfc202e68462ff779d965555d4fe9d204ceb856

C:\Users\Admin\AppData\Local\Temp\Bunndle\BUNNDL~1.DLL
Filesize: 130KB
MD5: f8f7820b4336e61b40ca67418dacc7ba
SHA1: 82b6ddc00ddcee0526a357a328a4cad8165d89a1
SHA256: d4dd8b04ed2cb17d9440b24157163c52d8cb2969c71df6e13c30856e29a50fb6
SHA512: 260537c02f075b1971d2464fab08e09b194d26ad588e7e5c7809c917393b4328130079941e122ee2e1fa8ae8fbfc202e68462ff779d965555d4fe9d204ceb856

C:\Users\Admin\AppData\Local\Temp\Bunndle\Bunndle.log
Filesize: 1KB
MD5: 93d9a6c6fdd3ac03af9e7af93698af32
SHA1: e2991a2839a21d7012b1daa0f383052ad85b9d15
SHA256: a265b84eba7e12c397a847758a058e715d24a1bff249147342ad97bad8345e95
SHA512: 2d413535c9fa20dcdf63d5fdc51beb3b1fccab3d451b402d29e71499add9cf90f82d0484a84bd730cc996ee6e24276051cdd693a0a7d9a27a2470a9d1404103c

C:\Users\Admin\AppData\Local\Temp\Bunndle\BunndleOfferManager.dll
Filesize: 130KB
MD5: f8f7820b4336e61b40ca67418dacc7ba
SHA1: 82b6ddc00ddcee0526a357a328a4cad8165d89a1
SHA256: d4dd8b04ed2cb17d9440b24157163c52d8cb2969c71df6e13c30856e29a50fb6
SHA512: 260537c02f075b1971d2464fab08e09b194d26ad588e7e5c7809c917393b4328130079941e122ee2e1fa8ae8fbfc202e68462ff779d965555d4fe9d204ceb856

memory/1668-135-0x0000000000400000-0x0000000000953000-memory.dmp
Filesize: 5.3MB

memory/1668-136-0x0000000000400000-0x0000000000953000-memory.dmp
Filesize: 5.3MB

memory/1668-132-0x0000000000000000-mapping.dmp

memory/1668-143-0x00000000740B0000-0x0000000074114000-memory.dmp
Filesize: 400KB

memory/1668-145-0x00000000740B0000-0x0000000074114000-memory.dmp
Filesize: 400KB

memory/3540-142-0x0000000000000000-mapping.dmp

memory/4972-138-0x0000000000000000-mapping.dmp

memory/4972-144-0x0000000073A60000-0x0000000073AC4000-memory.dmp
Filesize: 400KB