Analysis
-
Max time kernel: 150s
Max time network: 36s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 14-03-2021 09:24
-
Tasks
- static1 (static task)
- behavioral1 (behavioral task): dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe on win7v20201028
- behavioral2 (behavioral task): dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe on win10v20201028
General
-
Target: dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe
Size: 380KB
MD5: a1ef511c6b47307948465fe6e1af6997
SHA1: 103f8cc1af6581b4be3f606fd86940d632a450d1
SHA256: dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584
SHA512: 8cc28fc5e1e3e000e977f2f55fa9cf938dd29346e656d013c9ac126572d6eab469b3c3cac9d83683e37c3a220d1a12b22abb0d388483eab07a3ed92965be6821
Malware Config
-
Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Contact addresses in the ransom note:
- GetDecoding@zimbabwe.su
- getdecoding@msgsafe.io
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE (2 IoCs)
Processes:
- PID 1904 NS2.exe
- PID 1980 winhost.exe
-
Deletes itself (1 IoC)
Processes:
- PID 1980 winhost.exe
-
Drops startup file (5 IoCs)
All by winhost.exe, in C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\:
- File created: winhost.exe
- File opened for modification: desktop.ini
- File created: desktop.ini.id-B032E05E.[GetDecoding@zimbabwe.su].get
- File opened for modification: desktop.ini.id-B032E05E.[GetDecoding@zimbabwe.su].get
- File created: Info.hta
-
Loads dropped DLL (4 IoCs)
Processes:
- PID 1692 powershell.exe (4 loads)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 3 IoCs)
All three string values are set by winhost.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
- winhost.exe = "C:\Windows\System32\winhost.exe"
- C:\Windows\System32\Info.hta = mshta.exe "C:\Windows\System32\Info.hta"
- C:\Users\Admin\AppData\Roaming\Info.hta = mshta.exe "C:\Users\Admin\AppData\Roaming\Info.hta"
-
Drops desktop.ini file(s) (64 IoCs)
All 64 entries are "File opened for modification" by winhost.exe:
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXBH52U7\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Public\Videos\Sample Videos\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1AZJ0WQ\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AT22T7OH\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D08RECS3\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Program Files\desktop.ini
- C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
- C:\Users\Public\Downloads\desktop.ini
- C:\Users\Public\Music\Sample Music\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Public\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Public\Libraries\desktop.ini
- C:\Users\Public\Pictures\Sample Pictures\desktop.ini
- C:\Users\Public\Recorded TV\Sample Media\desktop.ini
- C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini
- C:\Program Files (x86)\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8DDKLDOL\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RKGIF8TT\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
- C:\Users\Admin\Favorites\Links for United States\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
-
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- NS2.exe: File opened (read-only) \??\A:
-
Drops file in System32 directory (2 IoCs)
Both by winhost.exe:
- File created: C:\Windows\System32\winhost.exe
- File created: C:\Windows\System32\Info.hta
-
Drops file in Program Files directory (64 IoCs)
All by winhost.exe. "created" = File created, "modified" = File opened for modification:
- modified: C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSGR3FR.LEX
- modified: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\System.AddIn.dll.id-B032E05E.[GetDecoding@zimbabwe.su].get
- created: C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\SmallLogoCanary.png.id-B032E05E.[GetDecoding@zimbabwe.su].get
- created: C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02198_.GIF.id-B032E05E.[GetDecoding@zimbabwe.su].get
- created: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICCAP98.POC.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png
- modified: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png
- modified: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00273_.WMF
- modified: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02161_.WMF
- modified: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107728.WMF.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP
- created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_04.MID.id-B032E05E.[GetDecoding@zimbabwe.su].get
- created: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RECS.ICO.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar
- modified: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\COUPON.POC
- modified: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_ON.GIF
- created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\CAPSULES.ELM.id-B032E05E.[GetDecoding@zimbabwe.su].get
- created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_h.png
- created: C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar
- modified: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00045_.WMF.id-B032E05E.[GetDecoding@zimbabwe.su].get
- created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\VelvetRose.css.id-B032E05E.[GetDecoding@zimbabwe.su].get
- created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281630.WMF.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png
- modified: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00417_.WMF
- modified: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_pt-BR.dll.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files\Java\jre7\bin\javacpl.exe.id-B032E05E.[GetDecoding@zimbabwe.su].get
- created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02441_.WMF.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan
- modified: C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\SOLVER32.DLL
- modified: C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\GIGGLE.WAV
- created: C:\Program Files (x86)\Microsoft Office\Office14\SketchPadTestSchema.xml.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files (x86)\Microsoft Office\Templates\1033\ClassicPhotoAlbum.potx
- modified: C:\Program Files\ExportInitialize.tiff
- modified: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Thatch.thmx
- created: C:\Program Files\Java\jre7\bin\zip.dll.id-B032E05E.[GetDecoding@zimbabwe.su].get
- created: C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\COIN.WAV.id-B032E05E.[GetDecoding@zimbabwe.su].get
- created: C:\Program Files\VideoLAN\VLC\NEWS.txt.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files\Java\jre7\bin\dt_shmem.dll
- modified: C:\Program Files\Java\jre7\bin\server\classes.jsa.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG
- modified: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Pushpin.thmx.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR16F.GIF.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files\Java\jdk1.7.0_80\jre\bin\decora-sse.dll
- modified: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR35F.GIF
- created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif
- modified: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar
- modified: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18222_.WMF
- modified: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POST.CFG
- modified: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03257_.WMF
- modified: C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.HTM
- modified: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)redStateIcon.png
- modified: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE06049_.WMF
- created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msolui100.dll.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107722.WMF.id-B032E05E.[GetDecoding@zimbabwe.su].get
- modified: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105368.WMF
-
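Every encrypted file in the IoCs above carries the same suffix pattern, original name plus `.id-<victim id>.[<contact e-mail>].<extension>`. The helper below, added here as an example and not part of the sandbox report, parses that pattern and scopes a file listing from an affected host: how many files carry the marker, which victim IDs and contact addresses appear, and where the ransom notes sit. The sample path list is constructed from paths in this report; the ransom-note file names (Info.hta, FILES ENCRYPTED.txt) are the ones the report's startup IoCs and process tree show.

```python
"""Triage helper for Dharma-style encrypted file names (added example)."""
import re
from collections import Counter

# <original>.id-<8 hex digits>.[<contact>].<ext>, as seen in this report.
DHARMA_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
RANSOM_NOTES = {"info.hta", "files encrypted.txt"}

# Constructed sample listing: paths copied from this report plus two untouched files.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-B032E05E.[GetDecoding@zimbabwe.su].get",
    r"C:\Program Files\Java\jre7\bin\javacpl.exe.id-B032E05E.[GetDecoding@zimbabwe.su].get",
    r"C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\COIN.WAV.id-B032E05E.[GetDecoding@zimbabwe.su].get",
    r"C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0774aaaf-ad3d-4971-82df-c7b933915fe4.id-B032E05E.[GetDecoding@zimbabwe.su].get",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta",
    r"C:\Users\Public\Desktop\FILES ENCRYPTED.txt",
    r"C:\Program Files\Java\jre7\bin\dt_shmem.dll",      # opened but not renamed
    r"C:\Windows\System32\winhost.exe",                  # dropped payload, not a victim file
]


def parse_dharma_name(filename):
    """Split an encrypted file name into its parts; None if it is not encrypted."""
    m = DHARMA_NAME.match(filename)
    return m.groupdict() if m else None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def summarize(paths):
    """Scope an incident from a plain file listing (e.g. a disk sweep)."""
    per_marker = Counter()          # (victim_id, contact, ext) -> file count
    originals, notes = [], []
    untouched = 0
    for path in paths:
        name = _basename(path)
        if name.lower() in RANSOM_NOTES:
            notes.append(path)
            continue
        info = parse_dharma_name(name)
        if info is None:
            untouched += 1
            continue
        per_marker[(info["victim_id"], info["contact"], info["ext"])] += 1
        # Recover the pre-encryption path for the restore/inventory list.
        originals.append(path[: len(path) - len(name)] + info["original"])
    victim_ids = {k[0] for k in per_marker}
    return {
        "encrypted": sum(per_marker.values()),
        "per_marker": dict(per_marker),
        "victim_ids": victim_ids,
        "contacts": {k[1] for k in per_marker},
        "extensions": {k[2] for k in per_marker},
        # Files from one run share a victim ID (B032E05E throughout this report);
        # more than one ID in a listing means more than one run or host is mixed in.
        "single_run": len(victim_ids) == 1,
        "ransom_notes": notes,
        "untouched": untouched,
        "originals": originals,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_PATHS)
    for key in ("encrypted", "victim_ids", "contacts", "extensions", "ransom_notes"):
        print(f"{key}: {result[key]}")
```

Feed it the output of a recursive directory listing rather than this sample, and pivot on `contacts` and `victim_ids`: the contact address is what identifies the affiliate in public trackers, and the victim ID is what the note asks the victim to quote.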
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- PID 1088 vssadmin.exe
- PID 2076 vssadmin.exe
- PID 2504 vssadmin.exe
-
Modifies Internet Explorer settings (2 IoCs)
Processes:
- mshta.exe: Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main
- mshta.exe: Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (64 entries, the bulk from 1692 powershell.exe and 1980 winhost.exe, one from 800 powershell.exe):
- PID 1692 powershell.exe
- PID 800 powershell.exe
- PID 1980 winhost.exe
-
Suspicious use of AdjustPrivilegeToken (43 IoCs)
Processes and the privileges they enabled:
- PID 1692 powershell.exe: SeDebugPrivilege, SeIncBasePriorityPrivilege
- PID 800 powershell.exe: SeDebugPrivilege
- PID 1108 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 2540 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 2868 powershell.exe: SeDebugPrivilege once, then SeBackupPrivilege and SeSecurityPrivilege repeatedly (30 entries)
- PID 2080 AUDIODG.EXE: privilege 33 and SeIncBasePriorityPrivilege, each twice
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 2440 mshta.exe
- PID 2460 mshta.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
One record per WriteProcessMemory call, listed here as parent -> child with the number of calls:
- 1908 dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe -> 1692 powershell.exe (4)
- 1692 powershell.exe -> 988 csc.exe (4)
- 988 csc.exe -> 1140 cvtres.exe (4)
- 1692 powershell.exe -> 800 powershell.exe (4)
- 1692 powershell.exe -> 1904 NS2.exe (4)
- 1692 powershell.exe -> 1980 winhost.exe (4)
- 1980 winhost.exe -> 1960 cmd.exe (4)
- 1960 cmd.exe -> 532 mode.com (3)
- 1960 cmd.exe -> 1088 vssadmin.exe (3)
- 1904 NS2.exe -> 992 cmd.exe (4)
- 800 powershell.exe -> 2076 vssadmin.exe (4)
- 1980 winhost.exe -> 2412 cmd.exe (4)
- 1980 winhost.exe -> 2440 mshta.exe (4)
- 1980 winhost.exe -> 2460 mshta.exe (4)
- 2412 cmd.exe -> 2488 mode.com (3)
- 2412 cmd.exe -> 2504 vssadmin.exe (3)
- 800 powershell.exe -> 2868 powershell.exe (4)
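The WriteProcessMemory records above are the raw material for the process tree: each record names the parent PID, the child PID and both image names, and the same edge repeats once per call. The parser below, an added example rather than anything from the sandbox, rebuilds the lineage from that flat text so that a single PID (say the vssadmin.exe that deleted the shadow copies) can be traced back to the dropper. The record text is copied from this report, with the first edge kept at its four repeats and the others reduced to one each to keep the sample short; the `PID <ppid> wrote to memory of <pid> <ppid> <parent image> <child image>` layout is assumed from the flattened page text.

```python
"""Rebuild process lineage from flattened 'wrote to memory of' records (added example)."""
import re
from collections import Counter, defaultdict

# Constructed from this report's records (first edge at its 4 repeats, others once).
RECORDS = """
PID 1908 wrote to memory of 1692 1908 dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe powershell.exe
PID 1908 wrote to memory of 1692 1908 dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe powershell.exe
PID 1908 wrote to memory of 1692 1908 dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe powershell.exe
PID 1908 wrote to memory of 1692 1908 dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe powershell.exe
PID 1692 wrote to memory of 988 1692 powershell.exe csc.exe
PID 988 wrote to memory of 1140 988 csc.exe cvtres.exe
PID 1692 wrote to memory of 800 1692 powershell.exe powershell.exe
PID 1692 wrote to memory of 1904 1692 powershell.exe NS2.exe
PID 1692 wrote to memory of 1980 1692 powershell.exe winhost.exe
PID 1980 wrote to memory of 1960 1980 winhost.exe cmd.exe
PID 1960 wrote to memory of 532 1960 cmd.exe mode.com
PID 1960 wrote to memory of 1088 1960 cmd.exe vssadmin.exe
PID 1904 wrote to memory of 992 1904 NS2.exe cmd.exe
PID 800 wrote to memory of 2076 800 powershell.exe vssadmin.exe
PID 1980 wrote to memory of 2412 1980 winhost.exe cmd.exe
PID 1980 wrote to memory of 2440 1980 winhost.exe mshta.exe
PID 1980 wrote to memory of 2460 1980 winhost.exe mshta.exe
PID 2412 wrote to memory of 2488 2412 cmd.exe mode.com
PID 2412 wrote to memory of 2504 2412 cmd.exe vssadmin.exe
PID 800 wrote to memory of 2868 800 powershell.exe powershell.exe
"""

# Works on the one-line page text too: it scans for records, not for line breaks.
RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")


def parse_records(text):
    """Count each (ppid, pid, parent_image, child_image) edge; the count is the call count."""
    edges = Counter()
    for ppid, pid, ppid_again, parent, child in RECORD.findall(text):
        if ppid != ppid_again:      # layout repeats the parent PID; skip malformed records
            continue
        edges[(int(ppid), int(pid), parent, child)] += 1
    return edges


def build_tree(edges):
    """Return (parent_of, names, children) maps from the edge counter."""
    parent_of, names, children = {}, {}, defaultdict(list)
    for ppid, pid, parent_img, child_img in edges:
        names.setdefault(ppid, parent_img)
        names[pid] = child_img
        parent_of[pid] = ppid
        if pid not in children[ppid]:
            children[ppid].append(pid)
    return parent_of, names, children


def lineage(parent_of, pid):
    """Ancestor chain from the root down to pid."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def roots(parent_of, names):
    """PIDs that never appear as a child: the top of each tree."""
    return sorted(p for p in names if p not in parent_of)


def render(children, names, pid, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{pid} {names[pid]}"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_records(RECORDS)
    parent_of, names, children = build_tree(edges)
    for root in roots(parent_of, names):
        print("\n".join(render(children, names, root)))
    print("1088 lineage:", " -> ".join(f"{p} {names[p]}" for p in lineage(parent_of, 1088)))
```

Run against the full record text, the call counts also fall out: every cmd.exe-to-mode.com and cmd.exe-to-vssadmin.exe edge shows three writes where the PowerShell and dropper edges show four, which is a cheap way to spot which parents launched their children the same way.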
Processes
-
Indentation shows parent/child depth. PIDs are taken from the WriteProcessMemory and AdjustPrivilegeToken records above; where those records do not pin a PID to a line (the two vssvc.exe instances are 1108 and 2540, the two mshta.exe instances 2440 and 2460) none is given.
-
C:\Users\Admin\AppData\Local\Temp\dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe (PID 1908)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1692)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -noLogo -noProfile -File takeaway.ps1 winhost
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 988)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xnezuizs\xnezuizs.cmdline"
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1140)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18BE.tmp" "c:\Users\Admin\AppData\Local\Temp\xnezuizs\CSC5565D917140D4A1EB3A045EEA049D494.TMP"
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 800)
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File purgeMemory.ps1
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\vssadmin.exe (PID 2076)
        Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all
        - Interacts with shadow copies
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2868)
        Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\NS2.exe (PID 1904)
      Command line: "C:\Users\Admin\AppData\Local\Temp\NS2.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 992)
        Command line: C:\Windows\system32\cmd.exe /c cls
    C:\Users\Admin\AppData\Local\Temp\winhost.exe (PID 1980)
      Command line: "C:\Users\Admin\AppData\Local\Temp\winhost.exe"
      - Executes dropped EXE
      - Deletes itself
      - Drops startup file
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe (PID 1960)
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\mode.com (PID 532)
          Command line: mode con cp select=1251
        C:\Windows\system32\vssadmin.exe (PID 1088)
          Command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
      C:\Windows\system32\cmd.exe (PID 2412)
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\mode.com (PID 2488)
          Command line: mode con cp select=1251
        C:\Windows\system32\vssadmin.exe (PID 2504)
          Command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
      C:\Windows\System32\mshta.exe
        Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
      C:\Windows\System32\mshta.exe
        Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
C:\Windows\system32\AUDIODG.EXE (PID 2080)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x564
  - Suspicious use of AdjustPrivilegeToken
-
Reading notes:
- The dropper's PowerShell child (PID 1692) runs as the 32-bit host: its image is under SysWOW64 although the command line names System32, and the same redirection applies to the vssadmin.exe and PowerShell instances launched from PID 800. The csc.exe/cvtres.exe pair under PID 1692, with a random-named *.cmdline response file in Temp, is what PowerShell's Add-Type produces when it compiles in-line C#; the compiled assembly is what "Loads dropped DLL" refers to.
- The two cmd.exe children of winhost.exe each run mode con cp select=1251 (Windows Cyrillic code page) before vssadmin delete shadows /all /quiet; the PID 800 PowerShell deletes shadow copies a third time without /quiet. Together with the Startup-folder and HKLM Run entries for Info.hta and winhost.exe, this gives three independent shadow-copy deletions and three persistence points to check during clean-up.
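The tree above is a compact detection case: shadow-copy deletion behind a code-page switch, an .hta launched from the Startup folder, PowerShell run with the execution policy bypassed, and an HKLM Run value that invokes mshta.exe. The script below is an added example, not part of the sandbox report. It applies those rules to Sysmon-style process-creation (EID 1) and registry-set (EID 13) events, then correlates the cmd.exe -> mode.com + vssadmin.exe pair and names the grandparent that started it. The event dicts are constructed from the command lines and Run-key values in this report (plus one benign `vssadmin list shadows` control); the flat dict schema is an assumption, not Sysmon's real XML.

```python
"""Rule matching and chain correlation for the Dharma execution pattern (added example)."""
import re
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe"

# Constructed sample events modelled on this report's process tree.
SAMPLE_EVENTS = [
    {"eid": 1, "pid": 1908, "ppid": 1000, "image": DROPPER, "cmd": f'"{DROPPER}"'},
    {"eid": 1, "pid": 1692, "ppid": 1908,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -noLogo -noProfile -File takeaway.ps1 winhost'},
    {"eid": 1, "pid": 1980, "ppid": 1692,
     "image": r"C:\Users\Admin\AppData\Local\Temp\winhost.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\winhost.exe"'},
    {"eid": 1, "pid": 1960, "ppid": 1980, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe"'},
    {"eid": 1, "pid": 532, "ppid": 1960, "image": r"C:\Windows\system32\mode.com",
     "cmd": "mode con cp select=1251"},
    {"eid": 1, "pid": 1088, "ppid": 1960, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"eid": 1, "pid": 2440, "ppid": 1980, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"'},
    {"eid": 13, "pid": 1980, "image": r"C:\Users\Admin\AppData\Local\Temp\winhost.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta",
     "value": r'mshta.exe "C:\Windows\System32\Info.hta"'},
    # Benign control (constructed): an administrator listing shadow copies must not fire.
    {"eid": 1, "pid": 3000, "ppid": 2999, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},
]


def _base(image):
    return image.rsplit("\\", 1)[-1].lower()


def _cmd(event):
    return event.get("cmd", "")


def _shadow_delete(e):
    return (e["eid"] == 1 and _base(e["image"]) == "vssadmin.exe"
            and re.search(r"\bdelete\s+shadows\b", _cmd(e), re.I) is not None)


# (name, severity, predicate over one event)
RULES = [
    ("shadow_copy_deletion", "high", _shadow_delete),
    ("cyrillic_codepage_switch", "low",
     lambda e: e["eid"] == 1 and _base(e["image"]) == "mode.com"
     and re.search(r"cp\s+select=1251", _cmd(e), re.I) is not None),
    ("mshta_hta_from_startup", "high",
     lambda e: e["eid"] == 1 and _base(e["image"]) == "mshta.exe"
     and ".hta" in _cmd(e).lower() and "\\startup\\" in _cmd(e).lower()),
    ("powershell_bypass_script", "medium",
     lambda e: e["eid"] == 1 and _base(e["image"]) == "powershell.exe"
     and re.search(r"-ExecutionPolicy\s+Bypass\b", _cmd(e), re.I) is not None
     and re.search(r"-File\b", _cmd(e), re.I) is not None),
    ("run_key_mshta_hta", "high",
     lambda e: e["eid"] == 13 and "\\currentversion\\run\\" in e["key"].lower()
     and "mshta" in e["value"].lower() and ".hta" in e["value"].lower()),
]


def match_rules(events):
    """Return (rule, severity, pid) for every event that trips a rule."""
    return [(name, sev, e["pid"]) for e in events for name, sev, pred in RULES if pred(e)]


def find_shadow_chains(events):
    """cmd.exe instances whose children include both the code-page switch and a
    shadow-copy deletion; returns (cmd_pid, grandparent image) so the launcher is named."""
    by_pid = {e["pid"]: e for e in events if e["eid"] == 1}
    children = defaultdict(list)
    for e in events:
        if e["eid"] == 1:
            children[e["ppid"]].append(e)
    chains = []
    for e in events:
        if e["eid"] != 1 or _base(e["image"]) != "cmd.exe":
            continue
        kids = children[e["pid"]]
        has_cp = any(_base(k["image"]) == "mode.com" and "1251" in _cmd(k) for k in kids)
        if has_cp and any(_shadow_delete(k) for k in kids):
            parent = by_pid.get(e["ppid"])
            chains.append((e["pid"], _base(parent["image"]) if parent else "<unknown>"))
    return chains


if __name__ == "__main__":
    for hit in match_rules(SAMPLE_EVENTS):
        print("rule hit:", hit)
    print("shadow-copy chains:", find_shadow_chains(SAMPLE_EVENTS))
```

The per-event rules are deliberately narrow (a bare `vssadmin list shadows` stays silent); the chain correlation is what turns three medium-confidence signals into one high-confidence finding that names winhost.exe, which is the process to pull from disk.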
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5 e9b70a6fa817904b13c197eae184c0b9
SHA1 79a9a0b29417e02ad71ea3bf78a3823d5893905f
SHA256 dc2873ca997c4cbd45cab5c3481288b1f72b31b37c40c1a47314a5118e3b2248
SHA512 91ba21e868794745668a4be6328077487643ebd339790ea149625a6acfca57ced282de991647b8da6554aae8c7c607d3042c6a2c727e9adf3eef88ee052e214b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0774aaaf-ad3d-4971-82df-c7b933915fe4
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0774aaaf-ad3d-4971-82df-c7b933915fe4.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5 698e6d8be9b1286e7593edf4546cb232
SHA1 5015d194fa5604934848b75578d18fbbf59e4133
SHA256 6772487f62b8d39527150450ff0f95184e6c4313a0dec0a3e5541bc3babc5ae5
SHA512 71f83e0884260f7f6d34b0668757ec7102fd33552cb17261c1b4574c7a2d613e0ded9c316eb873e5cbfca7299dc7f66f89047305cd14dcf1d0e75ec46119a982
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_16ed2cf3-dee0-4e54-8c87-93da676734f2
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_16ed2cf3-dee0-4e54-8c87-93da676734f2.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5 52c1e0c3de45b2fb2938734799124fd4
SHA1 03c0d6b5076638eda8fda79e28e68f4decdeb03d
SHA256 f16b70fb278ba08ae9309f120eb017b6f3306f83c66fb4226484615d48a54d8e
SHA512 2b981fe93f862573e1f0593958d7f0de61f0ae4f3c5441c1afab7f55b6dda8e78df6ae5eb16662cc1b4e8de9e324f66c199e26aad7b627815306b1c7d854b2d4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1744f9be-be80-4b18-9075-f153993b3fdf
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1744f9be-be80-4b18-9075-f153993b3fdf.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5 c1bb63c54df1a582bff76d37c6fe35e7
SHA1 2591b6636753cfccb7306b049ace401742f3212d
SHA256 90702212068011e1695b3343f3bf959bccb66579d244fa1ec7e5696b1a3ab896
SHA512 9776b885cdf83561ee50834232d47f387d48ba15f48ccf72c740adc987bac77bccbe525f24decfc1c9bf01854a32b200f68355b949a6530ab956625fcd65c63c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1aaead85-2f36-4a17-b80c-eed95aa5a426
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1aaead85-2f36-4a17-b80c-eed95aa5a426.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5 6fd279ae3a52bbb2ed40bf17936c77f4
SHA1 fb77e6a345cabbc087ab935a4bdc6cbf02820cc2
SHA256 2230c982828fa8ecf32c87029627bf255b035c9b35e5e1b9b93f5f1cc131cfa1
SHA512 cc6c9de926a5b6f6602e87e516491c244a213da3e2fbac83a66e08ea4c6db8eb272f8a543d18a6caf4b615890737168668e10e02e0d2c1c5318790b5551b349e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c
MD5 b6d38f250ccc9003dd70efd3b778117f
SHA1 d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
SHA256 4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
SHA512 67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5 5b28f6b7236f5c9d3150098ab9eaf0a4
SHA1 7205c2865b5fd93d94fce1e5acde0ab91fc3abcb
SHA256 72c428622fc5f608adaf564ea14c6a4f50de1a5a331a37d57cc8cadd63144ea3
SHA512 7229a887e66f670269bd1880cea63e073d12db9cb0c951266eddcf096df7f13c7fb6f6df6c673db526c5b3c2f261d3a4371cef286f854cf9dfdf2983b687658a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8
MD5 df44874327d79bd75e4264cb8dc01811
SHA1 1396b06debed65ea93c24998d244edebd3c0209d
SHA256 55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
SHA512 95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5 37219cc1e0f43afaef74e748e3e6194a
SHA1 87bf47b45e5bbb262f8a20d3013ff836a35b44cf
SHA256 d56f21fc75c11dd93083365f1a45068ee04a55bcfd41d3a762a839bdb9295ef5
SHA512 ec835a42f221fee2cea90d58ac05eaebd883975c5de3713ba265122f0437fafd1fab6dd617ea406f594e606c3b299b874473da8a985bffc1515cce82f6490658
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_447c808c-a6c4-4283-8471-4016ee37c753
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_447c808c-a6c4-4283-8471-4016ee37c753.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5 9d42ee9a9f0285561be16564c473635a
SHA1 746214cdcd01984667854141b4bbea5577b9ed44
SHA256 d6f848eeb4403e7ea46a4547587709c22d6d60f75e9e8c221d162720fab17e43
SHA512 4cc5ab74cc58f3fe0f41b89c41569f52257210bcf3f1d071bb469048231aaa582cc7dd21bd16e7f5100c20854d5d8f8f3648b302914ee9164c617bc5ebd5f6b5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422
MD5 be4d72095faf84233ac17b94744f7084
SHA1 cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
SHA256 b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
SHA512 43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5 9f093562700acc7960b4ff093d056dcf
SHA1 fc860b38c9bbb3e8432d29ccbb3ea86c2396fb04
SHA256 7eaecf2b66edee5a73d726eb5dbaae4833f599084ec301fd6cbf4bdb1ee36cdb
SHA512 9ee6aa139458d00cb6fc42c72d28fb9c1f6e63e6f10c3acc6567482826534dfffab9fe6d718410a6d1012796578a953348008500a154273e6911a4790107bc2f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf
MD5 75a8da7754349b38d64c87c938545b1b
SHA1 5c28c257d51f1c1587e29164cc03ea880c21b417
SHA256 bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
SHA512 798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5 db869af9d108f94d9a821b7b31b33b01
SHA1 814d99d530580b5633c082498916c878f7b2ab9e
SHA256 ff9d6043158156313bce8728f158886721484b5bc960424d07c05bc96a9ea543
SHA512 c44c71931193079dd02d0ec9796307ecb0042fcb4bd55edc7198b12da9599f4460408af4718100017fef6f4f931f8fbc4111d7305cf8d0b0c475defeae389318
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6
MD5 5e3c7184a75d42dda1a83606a45001d8
SHA1 94ca15637721d88f30eb4b6220b805c5be0360ed
SHA256 8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
SHA512 fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5 1036121a1b63eb50bff85f53358be458
SHA1 43932ac30cbc45efe17cc526c08c6917496eb3ba
SHA256 debbf3a60eb5f406906d6c1be4f38456a614d0fd6cf6863eb2e055381e2a96ea
SHA512 139684addc0ee31349f1cb83a0203d8d63941ca0766bc9b7f1df3e9db2b4bf766fc1abadb54c13a4accbe0ead1d750cea892901fab5bb82fb71c4d96987ad0b2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5 a725bb9fafcf91f3c6b7861a2bde6db2
SHA1 8bb5b83f3cc37ff1e5ea4f02acae38e72364c114
SHA256 51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431
SHA512 1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5 7fd149182223058fa17be06c0807d0f0
SHA1 eece7bfa62aac78fcd8c6a085bc874e2fc56279e
SHA256 88ebd61175cc9f715659db6829517ed5d6ea6eb91f10f62a7cd18b3b57cf40e2
SHA512 aec4837e4d2a26ce698bd4ba29a58b49ad0924da82496403248b4c2f8a204cf01b7ae644a35cc85f0ab5493ee823ef962f7630b63629d0bd81b5f0b4f2d3b9bc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9eb5ee50-de32-4d4a-92aa-a36bb04401ff
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9eb5ee50-de32-4d4a-92aa-a36bb04401ff.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5 c80ea91a75b453b80fc7554dca378d35
SHA1 afdec822e505c05f94c363571f1f81a05425f4e6
SHA256 35ccc53c7cdf4edf1217e92bb3041f17b6de6f1bc8fe986ee9f32efa2107d9ca
SHA512 fa30285258a004d66990deeb255472b1460a3f1b1bdea8fdd26b186c81b24662c26fb883808b3ca588c5313dae30043b3c5829ae66dcc2a4a1e7e18eaa5dd537
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aacd219d-c7ba-43ff-a67c-9ddc2f632d63
MD5 597009ea0430a463753e0f5b1d1a249e
SHA1 4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62
SHA256 3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d
SHA512 5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aacd219d-c7ba-43ff-a67c-9ddc2f632d63.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5 03d2395af5a9624bff9d25dc4d22e6ab
SHA1 bcd7a463fc23702c0508b5392912e2e41a8335a1
SHA256 66bb212c12c1549a8c7882021a5cd634742849f2a9c64c0f13a69066d7f0cf61
SHA512 1043dc390c632ac353965ff5cca6593278234bf21a94dde7d01bde5b7513e27a48c093946fa6584052e376c493700e2e941fcbdad9c11305e3aad5a383fc08a5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9362bc9-9a59-457a-b4a5-e21eef6e7d55
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9362bc9-9a59-457a-b4a5-e21eef6e7d55.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5 92f8dd0f2b3ea9471f35b93f99fb4397
SHA1 471e213d534437e1291a1ce770a1768181bf1e39
SHA256 910573b0222fd3a449558df317be731b2b024b34ad136872ba4de768cac47510
SHA512 c5500f268d8c1b1fbb51ce99c9268e37fd6ebbfc9c0ae5c33f0c6edc58dfa178546e078530e22c7023f2569b71862a00be4d799cd455730bcf9a0ac3acc5406c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134
MD5 02ff38ac870de39782aeee04d7b48231
SHA1 0390d39fa216c9b0ecdb38238304e518fb2b5095
SHA256 fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
SHA512 24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5 7f8152a3132786653837b619fab9e45d
SHA1 553b2e0752c0a461fc7e7753e3583bb055df43ba
SHA256 77084fda786f0cf3583293d5fa8b19dfe140f70396aeda365d584a4236e47dc2
SHA512 ef8e708708527d9ef02c6a94959b06d00de055dbb65a934a257cdd97c10c116cdc0e75924a986a5ad915ed428bb77c48fd840a74085f137127ff3a32eb7c21e9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5 3b7fc1b161371b85783c6472581fd086
SHA1 3f8b7332eee444d4010bde96cea48b37d1639027
SHA256 b5c4b215818cff31e7220d947e06ba71ee8759c37c037a76421cbf34476cc65b
SHA512 490f62004f3759a81ace400d8fab42bcb6dcf506411cb550a8f8181f98a9dd9db41db0a9fef18ddcced3f20012ea47002d80ef596e4f3fc9118b56932e368c6f
-
C:\Users\Admin\AppData\Local\Temp\NS2.exe
MD5 597de376b1f80c06d501415dd973dcec
SHA1 629c9649ced38fd815124221b80c9d9c59a85e74
SHA256 f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446
SHA512 072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b
-
C:\Users\Admin\AppData\Local\Temp\RES18BE.tmp
MD5 b79724b82c8ac7d0c2b8a49b1d66d62d
SHA1 07d7ba8bf46b0af7fbd8966321fe5d259e1983cd
SHA256 c59d61dfac69e07aa35cf62870204abb84eebd30d097fa6f56c4b726a10af2d0
SHA512 da147e08cc5a49e2680b84042786abc2a674355797192510bd9dfda3d285725486e1c3bf4112d515bab8a892a834c15edf49eb408e01c96dac53f7eee3acb384
-
C:\Users\Admin\AppData\Local\Temp\purgeMemory.ps1
MD5 31e22820cba11f6c7670854ed65f09ed
SHA1 9ab447c539234e75b56b3e180f3541580ffa0cea
SHA256 6a808299703119635c68fcadb14b7301775b49eb5948aeb319b6728f1686f035
SHA512 fbc97b21f9627687070edf9727f68062e8d5d71447497a0a0bd63bbe2ea3b0e753849226cb4cd9688f838e103e348dc070dc8360937e2662ff23291c4b2910fe
-
C:\Users\Admin\AppData\Local\Temp\takeaway.ps1
MD5 08c0963ddf483e5c233026380de1b6d0
SHA1 1e3a06d038a48c76a6ad0c400cf145109e7179b7
SHA256 488590a74e0ab3e1a8942146d3b0f1ce1c0a0841fede177406635bb68cc7ba59
SHA512 a73d58c5881468d504dc67b6ff1830d2147394717ef3ed8dd8489ae060d1d3a12eac7c500d7d5f0f915e6497a19f43c08ada089f5b9855f34a99898fc772317f
-
C:\Users\Admin\AppData\Local\Temp\winhost.exe
MD5 c24f6144e905b717a372c529d969611e
SHA1 0a297e9e5c807c06ad10f4f746f4f9e256df6743
SHA256 94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6
SHA512 f0b883f54808a5e669fdd7a41a3899d302edb8c4e6160ea88ec8cb25783d56c39a815b922b17ed133610f1dc3bc515eba63410d381d0e65e0998e2b752b0874f
-
C:\Users\Admin\AppData\Local\Temp\xnezuizs\xnezuizs.dll
MD5 d2896c83493920a4fa596afae84d32d2
SHA1 b35acefe280db6b417af5a24c86754e23c306b3e
SHA256 1d19ab82e647221ed1c80e643c3653c89816945edd2301296cea90c75ea2e489
SHA512 4e0cab8525eef93bb86541175be434a611dfd7e8dbf5b62ec46e11b8292bc958a2f06455a940142ff4600e11ca0794832d71462ccaa0441b78825f95d4fdbd5e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5 07a09cb0319bb22f93e8d35d78d9c3b4
SHA1 7d2cebde4f5738c03d807a01bbd455e7550e84eb
SHA256 dd7476a592c5bc67de1fa918d40602dc04877f1c8fafc0943c42e5d56632496a
SHA512 d847d75bb3bb671e83ac3406128230245920f750231a11713beaabe238501f6391387976c4ac309383b18370b1c84ebacc3f39ff10f80e4046354641a5f34cca
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5 e9b70a6fa817904b13c197eae184c0b9
SHA1 79a9a0b29417e02ad71ea3bf78a3823d5893905f
SHA256 dc2873ca997c4cbd45cab5c3481288b1f72b31b37c40c1a47314a5118e3b2248
SHA512 91ba21e868794745668a4be6328077487643ebd339790ea149625a6acfca57ced282de991647b8da6554aae8c7c607d3042c6a2c727e9adf3eef88ee052e214b
-
C:\Users\Public\Desktop\FILES ENCRYPTED.txt
MD5 87761d2bf23b219659cb56b7287c1730
SHA1 831cbef878557dc4eea66525b5fe3c5e388306b6
SHA256 a5a738622a9e9d47eb2cebba4daf4acb3e4f4ccf1d7777a66dd0d9edbc21e29d
SHA512 057e08f023fa690510f76b59eb5acb678eefbfd654e288597d96d6e4d7dcfe686b25036f3bcde166e0ca240c34dc092b0b9ad6d328ab43eac80e29fc5baa2734
-
\??\PIPE\lsarpc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\xnezuizs\CSC5565D917140D4A1EB3A045EEA049D494.TMP
MD5 45456985bfa8a634777bb87bb20f4627
SHA1 689e705a7da7e393f722f1a08e4ca1c90ed98144
SHA256 452caaa78de72d720c4dca1ba760680507522cb649b6c2f1f08f291394e45c88
SHA512 c29423e32ddb5bb8fd55d6e81d6e383cbecddfb68ae857fd37d902ffde0d8d7e7b71c0745f22521554266282d03b879faa2ed26c62110a2b009a3b79ba08bed6
-
\??\c:\Users\Admin\AppData\Local\Temp\xnezuizs\xnezuizs.0.cs
MD5 9c478287d8b4ad6cd34ac20bdac9577c
SHA1 73965974950d1be20682abc2f716e5070f2c7097
SHA256 8bb1e373d78c7c750ac20b5b0ec3dfcd1e8e74ca8d6accde1e02aa2c205c776f
SHA512 b0c435e194b5a72c50ddccf2bc84d178e5e1872f4ed3f630a661d187f77f4eb095a08303e4d243c45384a84b717fd2d5c76c5c4274cade5ad1a09dcdcd4ca6a2
-
\??\c:\Users\Admin\AppData\Local\Temp\xnezuizs\xnezuizs.cmdline
MD5 8d4222b3e497d47f6b22416c7d48a082
SHA1 b2a790e29a3073a0609c33354e59804e26bf8ced
SHA256 518c219129e47898cd924fa3fa2cc1519de2697b2abce8ff45c5f071008d92e7
SHA512 00b9f2f85a751ddcfa9d35504048133dc8cfd426589be8f84343089f6c77e8a57b8f3cbf0ea5e1b428b2e489803a09a72e1f18140379914ecfb7cdc20411112f
-
\Users\Admin\AppData\Local\Temp\NS2.exe
MD5 597de376b1f80c06d501415dd973dcec
SHA1 629c9649ced38fd815124221b80c9d9c59a85e74
SHA256 f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446
SHA512 072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b
-
\Users\Admin\AppData\Local\Temp\winhost.exe
MD5 c24f6144e905b717a372c529d969611e
SHA1 0a297e9e5c807c06ad10f4f746f4f9e256df6743
SHA256 94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6
SHA512 f0b883f54808a5e669fdd7a41a3899d302edb8c4e6160ea88ec8cb25783d56c39a815b922b17ed133610f1dc3bc515eba63410d381d0e65e0998e2b752b0874f
-
memory/532-80-0x0000000000000000-mapping.dmp
-
memory/800-41-0x0000000000000000-mapping.dmp
-
memory/800-49-0x00000000740D0000-0x00000000747BE000-memory.dmp  Filesize 6.9MB
-
memory/800-58-0x00000000049D0000-0x00000000049D1000-memory.dmp  Filesize 4KB
-
memory/800-62-0x00000000049D2000-0x00000000049D3000-memory.dmp  Filesize 4KB
-
memory/988-33-0x0000000000000000-mapping.dmp
-
memory/992-93-0x0000000000000000-mapping.dmp
-
memory/1088-81-0x0000000000000000-mapping.dmp
-
memory/1140-36-0x0000000000000000-mapping.dmp
-
memory/1692-5-0x0000000000000000-mapping.dmp
-
memory/1692-23-0x000000007EF30000-0x000000007EF31000-memory.dmp  Filesize 4KB
-
memory/1692-13-0x0000000005240000-0x0000000005241000-memory.dmp  Filesize 4KB
-
memory/1692-22-0x0000000006290000-0x0000000006291000-memory.dmp  Filesize 4KB
-
memory/1692-32-0x00000000064A0000-0x00000000064A1000-memory.dmp  Filesize 4KB
-
memory/1692-7-0x00000000740D0000-0x00000000747BE000-memory.dmp  Filesize 6.9MB
-
memory/1692-17-0x0000000006160000-0x0000000006161000-memory.dmp  Filesize 4KB
-
memory/1692-65-0x0000000006750000-0x0000000006751000-memory.dmp  Filesize 4KB
-
memory/1692-64-0x0000000006740000-0x0000000006741000-memory.dmp  Filesize 4KB
-
memory/1692-40-0x00000000057B0000-0x00000000057B1000-memory.dmp  Filesize 4KB
-
memory/1692-43-0x0000000006630000-0x0000000006631000-memory.dmp  Filesize 4KB
-
memory/1692-11-0x0000000004852000-0x0000000004853000-memory.dmp  Filesize 4KB
-
memory/1692-31-0x0000000006470000-0x0000000006471000-memory.dmp  Filesize 4KB
-
memory/1692-12-0x00000000046C0000-0x00000000046C1000-memory.dmp  Filesize 4KB
-
memory/1692-10-0x0000000004890000-0x0000000004891000-memory.dmp  Filesize 4KB
-
memory/1692-9-0x0000000004850000-0x0000000004851000-memory.dmp  Filesize 4KB
-
memory/1692-24-0x0000000006340000-0x0000000006341000-memory.dmp  Filesize 4KB
-
memory/1692-8-0x0000000002350000-0x0000000002351000-memory.dmp  Filesize 4KB
-
memory/1904-69-0x0000000000000000-mapping.dmp
-
memory/1908-2-0x0000000076271000-0x0000000076273000-memory.dmp  Filesize 8KB
-
memory/1908-3-0x0000000000C30000-0x0000000000C31000-memory.dmp  Filesize 4KB
-
memory/1960-79-0x0000000000000000-mapping.dmp
-
memory/1980-76-0x0000000000000000-mapping.dmp
-
memory/2076-94-0x0000000000000000-mapping.dmp
-
memory/2412-103-0x0000000000000000-mapping.dmp
-
memory/2440-107-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp  Filesize 8KB
-
memory/2440-104-0x0000000000000000-mapping.dmp
-
memory/2460-105-0x0000000000000000-mapping.dmp
-
memory/2488-106-0x0000000000000000-mapping.dmp
-
memory/2504-108-0x0000000000000000-mapping.dmp
-
memory/2688-111-0x000007FEF6270000-0x000007FEF64EA000-memory.dmp  Filesize 2.5MB
-
memory/2868-131-0x00000000740D0000-0x00000000747BE000-memory.dmp  Filesize 6.9MB
-
memory/2868-135-0x0000000004822000-0x0000000004823000-memory.dmp  Filesize 4KB
-
memory/2868-137-0x0000000005280000-0x0000000005281000-memory.dmp  Filesize 4KB
-
memory/2868-141-0x0000000005400000-0x0000000005401000-memory.dmp  Filesize 4KB
-
memory/2868-142-0x0000000005450000-0x0000000005451000-memory.dmp  Filesize 4KB
-
memory/2868-134-0x0000000004820000-0x0000000004821000-memory.dmp  Filesize 4KB
-
memory/2868-128-0x0000000000000000-mapping.dmp