Analysis
max time kernel: 150s
max time network: 129s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 01-02-2024 08:29

Static task: static1
Behavioral task: behavioral1
  Sample: aed10ad37747d1d3c3078b2a24a73ccf.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: aed10ad37747d1d3c3078b2a24a73ccf.exe
  Resource: win10v2004-20231222-en
General
Target: aed10ad37747d1d3c3078b2a24a73ccf.exe
Size: 216KB
MD5: aed10ad37747d1d3c3078b2a24a73ccf
SHA1: c6647496404dbb0a381fbaef83e2126c363153a5
SHA256: 944e3da5cf2cebf1ae8c127a66def8d245911b3ae51b78120fafecac59499a9c
SHA512: e5a7181dbf4315e73516cab06c16c39e0d02ef4ea74d0688198d1b1eccfe4166e20f902f08b56660fea7579c0086330004349c4f81f1aecee501bbfeadcbb3e6
SSDEEP: 3072:qhAVkKKz6bqDSWrItkJj75qwv7Zt6gIZi26GDaMQxgMXEfpF:qh12m+kZlqw9t6AGOMQxgMXI
Malware Config

Extracted: smokeloader
  pub1

Extracted: smokeloader
  2022
  http://trad-einmyus.com/index.php
  http://tradein-myus.com/index.php
  http://trade-inmyus.com/index.php

Extracted: djvu
  http://habrafa.com/test1/get.php
  extension: .cdcc
  offline_id: LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
  payload_url:
    http://brusuax.com/dl/build2.exe
    http://habrafa.com/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

Extracted: vidar
  7.6
  1b9d7ec5a25ab9d78c31777a0016a097
  https://t.me/tvrugrats
  https://steamcommunity.com/profiles/76561199627279110
  profile_id_v2: 1b9d7ec5a25ab9d78c31777a0016a097

Extracted: risepro
  193.233.132.62:50500
Signatures

Detect Socks5Systemz Payload 1 IoCs
YARA matches (resource  yara_rule):
  behavioral1/memory/1748-435-0x00000000022D0000-0x0000000002372000-memory.dmp  family_socks5systemz

Detect Vidar Stealer 7 IoCs
YARA matches (resource  yara_rule):
  behavioral1/memory/1240-114-0x0000000000230000-0x0000000000260000-memory.dmp  family_vidar_v7
  behavioral1/memory/2792-118-0x0000000000400000-0x0000000000643000-memory.dmp  family_vidar_v7
  behavioral1/memory/2792-115-0x0000000000400000-0x0000000000643000-memory.dmp  family_vidar_v7
  behavioral1/memory/2792-119-0x0000000000400000-0x0000000000643000-memory.dmp  family_vidar_v7
  behavioral1/memory/2216-258-0x0000000000230000-0x0000000000330000-memory.dmp  family_vidar_v7
  behavioral1/memory/2792-271-0x0000000000400000-0x0000000000643000-memory.dmp  family_vidar_v7
  behavioral1/memory/2712-361-0x0000000003760000-0x0000000003A41000-memory.dmp  family_vidar_v7

Detected Djvu ransomware 15 IoCs
YARA matches (resource  yara_rule):
  behavioral1/memory/2848-37-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/3064-36-0x00000000044A0000-0x00000000045BB000-memory.dmp  family_djvu
  behavioral1/memory/2848-40-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/2848-41-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/2848-62-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/1644-72-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/1644-73-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/1644-87-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/1644-86-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/1644-91-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/1644-93-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/1644-94-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/1644-95-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/1240-112-0x00000000005D0000-0x00000000006D0000-memory.dmp  family_djvu
  behavioral1/memory/1644-191-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.

SmokeLoader
Modular backdoor trojan in use since 2014.

Socks5Systemz
Socks5Systemz is a botnet written in C++.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes (description  ioc  process):
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  26E4.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description  ioc  process):
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  26E4.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  26E4.exe

Deletes itself 1 IoCs
Processes (pid  process):
  1204  (process name not recorded)

Executes dropped EXE 18 IoCs
Processes (pid  process):
  2360  A0C2.exe
  3064  B79D.exe
  2848  B79D.exe
  532  B79D.exe
  1644  B79D.exe
  1240  build2.exe
  2792  build2.exe
  2216  build3.exe
  2656  build3.exe
  2788  26E4.exe
  588  3823.exe
  2712  3823.tmp
  1792  ksverify.exe
  1748  ksverify.exe
  1040  mstsca.exe
  2984  mstsca.exe
  1684  mstsca.exe
  1804  mstsca.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes (description  ioc  process):
  Key opened  \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine  26E4.exe

Loads dropped DLL 21 IoCs
Processes (pid  process  occurrences):
  3064  B79D.exe  1
  2848  B79D.exe  2
  532  B79D.exe  1
  1644  B79D.exe  4
  2824  WerFault.exe  7
  588  3823.exe  1
  2712  3823.tmp  5

Modifies file permissions 1 TTPs 1 IoCs

Adds Run key to start application 2 TTPs 1 IoCs
Processes (description  ioc  process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ebb202a7-65ef-4dca-862d-ad372fdec8ec\\B79D.exe\" --AutoStart"  B79D.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow  ioc):
  9  api.2ip.ua
  10  api.2ip.ua
  19  api.2ip.ua

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes (pid  process):
  2788  26E4.exe

Suspicious use of SetThreadContext 6 IoCs
Processes (pid  process  target pid  target process):
  3064  B79D.exe  2848  B79D.exe
  532  B79D.exe  1644  B79D.exe
  1240  build2.exe  2792  build2.exe
  2216  build3.exe  2656  build3.exe
  1040  mstsca.exe  2984  mstsca.exe
  1684  mstsca.exe  1804  mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
Processes (pid  process  target pid  target process):
  2824  WerFault.exe  2792  build2.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description  ioc  process):
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  aed10ad37747d1d3c3078b2a24a73ccf.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  A0C2.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  A0C2.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  A0C2.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  aed10ad37747d1d3c3078b2a24a73ccf.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  aed10ad37747d1d3c3078b2a24a73ccf.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid  process):
  2676  schtasks.exe
  2280  schtasks.exe

Modifies system certificate store
Processes (description  ioc  process):
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25  build2.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob value not present in the extracted report]  build2.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob value not present in the extracted report]  build2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid  process  occurrences):
  2044  aed10ad37747d1d3c3078b2a24a73ccf.exe  2
  1204  (process name not recorded)  62

Suspicious behavior: MapViewOfSection 2 IoCs
Processes (pid  process):
  2044  aed10ad37747d1d3c3078b2a24a73ccf.exe
  2360  A0C2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description  pid):
  Token: SeShutdownPrivilege  1204
  Token: SeShutdownPrivilege  1204

Suspicious use of FindShellTrayWindow 3 IoCs
Processes (pid  process):
  1204  (process name not recorded)
  1204  (process name not recorded)
  2712  3823.tmp

Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid  process):
  1204  (process name not recorded)
  1204  (process name not recorded)

Suspicious use of WriteProcessMemory 64 IoCs
Processes (pid  process  target pid  target process  occurrences):
  1204  (process name not recorded)  2360  A0C2.exe  4
  1204  (process name not recorded)  3064  B79D.exe  4
  3064  B79D.exe  2848  B79D.exe  11
  2848  B79D.exe  692  icacls.exe  4
  2848  B79D.exe  532  B79D.exe  4
  532  B79D.exe  1644  B79D.exe  11
  1644  B79D.exe  1240  build2.exe  4
  1240  build2.exe  2792  build2.exe  11
  1644  B79D.exe  2216  build3.exe  4
  2792  build2.exe  2824  WerFault.exe  4
  2216  build3.exe  2656  build3.exe  3

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by process-tree depth; the number in brackets is the depth, followed by the image path and the command line)

- [1] C:\Users\Admin\AppData\Local\Temp\aed10ad37747d1d3c3078b2a24a73ccf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\aed10ad37747d1d3c3078b2a24a73ccf.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- [1] C:\Users\Admin\AppData\Local\Temp\A0C2.exe
  command line: C:\Users\Admin\AppData\Local\Temp\A0C2.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
- [1] C:\Users\Admin\AppData\Local\Temp\B79D.exe
  command line: C:\Users\Admin\AppData\Local\Temp\B79D.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\B79D.exe
    command line: C:\Users\Admin\AppData\Local\Temp\B79D.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\icacls.exe
      command line: icacls "C:\Users\Admin\AppData\Local\ebb202a7-65ef-4dca-862d-ad372fdec8ec" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
    - [3] C:\Users\Admin\AppData\Local\Temp\B79D.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\B79D.exe" --Admin IsNotAutoStart IsNotTask
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\B79D.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\B79D.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build2.exe
          command line: "C:\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build2.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - [6] C:\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build2.exe
            command line: "C:\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build2.exe"
            - Executes dropped EXE
            - Modifies system certificate store
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1436
              - Loads dropped DLL
              - Program crash
        - [5] C:\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build3.exe
          command line: "C:\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build3.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - [6] C:\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build3.exe
            command line: "C:\Users\Admin\AppData\Local\a320ee96-5bbc-4324-9e14-98f278560fc7\build3.exe"
            - Executes dropped EXE
            - [7] C:\Windows\SysWOW64\schtasks.exe
              command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
              - Creates scheduled task(s)
- [1] C:\Users\Admin\AppData\Local\Temp\26E4.exe
  command line: C:\Users\Admin\AppData\Local\Temp\26E4.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- [1] C:\Users\Admin\AppData\Local\Temp\3823.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3823.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - [2] C:\Users\Admin\AppData\Local\Temp\is-19V99.tmp\3823.tmp
    command line: "C:\Users\Admin\AppData\Local\Temp\is-19V99.tmp\3823.tmp" /SL5="$601A4,7390120,54272,C:\Users\Admin\AppData\Local\Temp\3823.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - [3] C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe
      command line: "C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe" -i
      - Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe
      command line: "C:\Users\Admin\AppData\Local\Key Signatures verification\ksverify.exe" -s
      - Executes dropped EXE
- [1] C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {CE8B0DC2-891A-457C-B330-CE7F281D5C4B} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Executes dropped EXE
      - [4] C:\Windows\SysWOW64\schtasks.exe
        command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Defense Evasion
- Virtualization/Sandbox Evasion (2)
- File and Directory Permissions Modification (1)
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads