Analysis
-
max time kernel
101s -
max time network
105s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system -
submitted
14-04-2024 17:23
Static task
static1
Behavioral task
behavioral1
Sample
CoronaVirus.exe
Resource
win7-20240319-en
Errors
General
-
Target
CoronaVirus.exe
-
Size
1.0MB
-
MD5
055d1462f66a350d9886542d4d79bc2b
-
SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565
-
SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
-
SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
SSDEEP
24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2
Malware Config
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
coronavirus@qq.com
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (311) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 5 IoCs
Processes:
CoronaVirus.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
CoronaVirus.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" CoronaVirus.exe -
Drops desktop.ini file(s) 64 IoCs
Processes:
CoronaVirus.exedescription ioc process File opened for modification C:\Users\Admin\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1RR2Y49Z\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P8PFHBEX\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Libraries\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8JQ7Q2W\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Downloads\desktop.ini CoronaVirus.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2610426812-2871295383-373749122-1000\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\G5DX35ZA\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files (x86)\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QY1C4128\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-2610426812-2871295383-373749122-1000\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Searches\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini CoronaVirus.exe -
Drops file in System32 directory 4 IoCs
Processes:
CoronaVirus.exeutilman.exedescription ioc process File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_04F683155C0849E1AB911F7E79377E18.dat utilman.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_04F683155C0849E1AB911F7E79377E18.dat utilman.exe File created C:\Windows\System32\Info.hta CoronaVirus.exe -
Drops file in Program Files directory 64 IoCs
Processes:
CoronaVirus.exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\core.jar.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107514.WMF.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jre7\bin\jawt.dll.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\picturePuzzle.js CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\reflow.api CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115841.GIF CoronaVirus.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml CoronaVirus.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297727.WMF.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_delay_plugin.dll.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Black Tie.eftx CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\jvm.dll.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Games\Chess\desktop.ini.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chatham.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00965_.WMF CoronaVirus.exe File opened for modification C:\Program Files (x86)\Windows Media Player\WMPDMC.exe CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg CoronaVirus.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ContactSelector.ico.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\VideoLAN\VLC\plugins\access\libidummy_plugin.dll.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml CoronaVirus.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\core.jar.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR31F.GIF.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\EquityFax.Dotx CoronaVirus.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01218_.WMF CoronaVirus.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.LEX.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_sse2_plugin.dll CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01268_.GIF CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0157995.WMF CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18252_.WMF CoronaVirus.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityMergeFax.Dotx CoronaVirus.exe File created C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPM.CFG CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01299_.GIF CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02214_.GIF CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Category.accft CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01470_.WMF.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MLCFG32.CPL.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.DataSetExtensions.Resources.dll CoronaVirus.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Sybase.xsl.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide CoronaVirus.exe File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libnormvol_plugin.dll.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\RequestCompare.png.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\validation.js.id-E8D68324.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\vlc.mo CoronaVirus.exe File opened for modification C:\Program Files\DVD Maker\ja-JP\OmdProject.dll.mui CoronaVirus.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 32 IoCs
Processes:
csrss.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral csrss.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 1476 vssadmin.exe 1616 vssadmin.exe -
Processes:
mshta.exemshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Modifies data under HKEY_USERS 46 IoCs
Processes:
utilman.exewinlogon.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c313db7b-dfed-497b-89ee-a7f8b1e717c8}\Attributes utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c313db7b-dfed-497b-89ee-a7f8b1e717c8}\DeviceId = "{0.0.0.00000000}.{c313db7b-dfed-497b-89ee-a7f8b1e717c8}" utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c313db7b-dfed-497b-89ee-a7f8b1e717c8}\DeviceName = "Speakers (High Definition Audio Device)" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\Voices\\Tokens\\MS-Anna-1033-20-DSK" utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\PhoneConverters\\Tokens\\English" utilman.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c313db7b-dfed-497b-89ee-a7f8b1e717c8}\ = "Speakers (High Definition Audio Device)" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A} utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm utilman.exe Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c313db7b-dfed-497b-89ee-a7f8b1e717c8}\Attributes\Vendor = "Microsoft" utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\AudioOutput\\TokenEnums\\MMAudioOut\\" utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\CLSID = "{C9E37C15-DF92-4727-85D6-72E5EEB6995A}" utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\ = "Current User Lexicon" utilman.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\Generation = "0" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut utilman.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" winlogon.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files\Datafile = "%1a%\\Microsoft\\Speech\\Files\\UserLexicons\\SP_04F683155C0849E1AB911F7E79377E18.dat" utilman.exe Key created \REGISTRY\USER\.DEFAULT\System utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c313db7b-dfed-497b-89ee-a7f8b1e717c8}\Attributes\Technology = "MMSys" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\AppLexicons utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput utilman.exe Set value (int) \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1" utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c313db7b-dfed-497b-89ee-a7f8b1e717c8}\CLSID = "{A8C680EB-3D32-11D2-9EE7-00C04F797396}" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AppLexicons utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c313db7b-dfed-497b-89ee-a7f8b1e717c8} utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" winlogon.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
CoronaVirus.exepid process 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe 2348 CoronaVirus.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
vssvc.exeLogonUI.exewinlogon.exedescription pid process Token: SeBackupPrivilege 1012 vssvc.exe Token: SeRestorePrivilege 1012 vssvc.exe Token: SeAuditPrivilege 1012 vssvc.exe Token: SeShutdownPrivilege 1256 LogonUI.exe Token: SeShutdownPrivilege 1256 LogonUI.exe Token: SeShutdownPrivilege 1256 LogonUI.exe Token: SeShutdownPrivilege 2108 winlogon.exe Token: SeShutdownPrivilege 2108 winlogon.exe -
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
CoronaVirus.execmd.execmd.execsrss.exewinlogon.exedescription pid process target process PID 2348 wrote to memory of 1716 2348 CoronaVirus.exe cmd.exe PID 2348 wrote to memory of 1716 2348 CoronaVirus.exe cmd.exe PID 2348 wrote to memory of 1716 2348 CoronaVirus.exe cmd.exe PID 2348 wrote to memory of 1716 2348 CoronaVirus.exe cmd.exe PID 1716 wrote to memory of 2780 1716 cmd.exe mode.com PID 1716 wrote to memory of 2780 1716 cmd.exe mode.com PID 1716 wrote to memory of 2780 1716 cmd.exe mode.com PID 1716 wrote to memory of 1476 1716 cmd.exe vssadmin.exe PID 1716 wrote to memory of 1476 1716 cmd.exe vssadmin.exe PID 1716 wrote to memory of 1476 1716 cmd.exe vssadmin.exe PID 2348 wrote to memory of 1760 2348 CoronaVirus.exe cmd.exe PID 2348 wrote to memory of 1760 2348 CoronaVirus.exe cmd.exe PID 2348 wrote to memory of 1760 2348 CoronaVirus.exe cmd.exe PID 2348 wrote to memory of 1760 2348 CoronaVirus.exe cmd.exe PID 1760 wrote to memory of 1444 1760 cmd.exe mode.com PID 1760 wrote to memory of 1444 1760 cmd.exe mode.com PID 1760 wrote to memory of 1444 1760 cmd.exe mode.com PID 1760 wrote to memory of 1616 1760 cmd.exe vssadmin.exe PID 1760 wrote to memory of 1616 1760 cmd.exe vssadmin.exe PID 1760 wrote to memory of 1616 1760 cmd.exe vssadmin.exe PID 2348 wrote to memory of 1792 2348 CoronaVirus.exe mshta.exe PID 2348 wrote to memory of 1792 2348 CoronaVirus.exe mshta.exe PID 2348 wrote to memory of 1792 2348 CoronaVirus.exe mshta.exe PID 2348 wrote to memory of 1792 2348 CoronaVirus.exe mshta.exe PID 2348 wrote to memory of 3632 2348 CoronaVirus.exe mshta.exe PID 2348 wrote to memory of 3632 2348 CoronaVirus.exe mshta.exe PID 2348 wrote to memory of 3632 2348 CoronaVirus.exe mshta.exe PID 2348 wrote to memory of 3632 2348 CoronaVirus.exe mshta.exe PID 1544 wrote to memory of 1256 1544 csrss.exe LogonUI.exe PID 1544 wrote to memory of 1256 1544 csrss.exe LogonUI.exe PID 2108 wrote to memory of 1256 2108 winlogon.exe LogonUI.exe PID 2108 wrote to memory of 1256 2108 winlogon.exe LogonUI.exe PID 2108 wrote to memory of 1256 2108 winlogon.exe LogonUI.exe PID 1544 wrote to memory of 1256 1544 csrss.exe LogonUI.exe PID 1544 wrote to memory of 1256 1544 csrss.exe LogonUI.exe PID 1544 wrote to memory of 1256 1544 csrss.exe LogonUI.exe PID 1544 wrote to memory of 1256 1544 csrss.exe LogonUI.exe PID 1544 wrote to memory of 1256 1544 csrss.exe LogonUI.exe PID 1544 wrote to memory of 1256 1544 csrss.exe LogonUI.exe PID 1544 wrote to memory of 1256 1544 csrss.exe LogonUI.exe PID 1544 wrote to memory of 1256 1544 csrss.exe LogonUI.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
- Modifies Internet Explorer settings
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
- Modifies Internet Explorer settings
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\utilman.exeutilman.exe /debug1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-E8D68324.[coronavirus@qq.com].ncovFilesize
23.5MB
MD557139133f50b324af9b8150a1b084a9b
SHA18b6d575cf1a2ffdb78f3ec0e57afdad76c86f16c
SHA256f7e81b738375d40f6b122f810c5fd10e6abb55c6d0f4ee8cc77a781924a74b00
SHA512757ab5d3f80c7181b0bbe4d72a38e30e4afb8e66801e2d7bdf77aa07e3bf549500f232fc03565b18c36587e72710bcc9d29ec0a2928857f03be69f407d535595
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.htaFilesize
13KB
MD56a15929d7e5ab3f83df97099a4e931a7
SHA109ec32d6a6c4c9d8634d38b6d4c5e6dfcdac8f04
SHA256fed6e410ba22c941cf9cfe731157a8398d2d483e7239160b9af411ff20fe969e
SHA5120fc2cd7fd701effe69a1ce44ba336c5fd07b42343d522a429d6bed5eebdcc49d5688de78a1bc1a49d02aee4e3868582b7dcc970769403bf290abedd9e015536b
-
memory/1076-19914-0x00000000026E0000-0x00000000026E1000-memory.dmpFilesize
4KB
-
memory/1256-19906-0x00000000027A0000-0x00000000027A1000-memory.dmpFilesize
4KB
-
memory/1256-19912-0x00000000027A0000-0x00000000027A1000-memory.dmpFilesize
4KB
-
memory/2348-1-0x000000000A8C0000-0x000000000A8F4000-memory.dmpFilesize
208KB
-
memory/2348-2-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/2348-1002-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/2348-5608-0x000000000A8C0000-0x000000000A8F4000-memory.dmpFilesize
208KB
-
memory/2348-0-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/2520-18038-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB
-
memory/2632-14833-0x0000000002B00000-0x0000000002B01000-memory.dmpFilesize
4KB
-
memory/2632-19897-0x0000000002B00000-0x0000000002B01000-memory.dmpFilesize
4KB