39a50e2c78f6cbd02f8d0d78d505ec03febddd89d0ac61bb78a5c667a5f6012e

Analysis

max time kernel
1872s
max time network
1862s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

blueline_0024.js
Size

16.0MB
MD5

a12532ca2dfe9a3dc025923882809e6f
SHA1

407f86ac6d207f02825b94bfde931065a71805e0
SHA256

39a50e2c78f6cbd02f8d0d78d505ec03febddd89d0ac61bb78a5c667a5f6012e
SHA512

7e3d7171e1f91f8451de0d9df9d5e3365deac3f704c88aabecf6f1d7c1d2b98f1ee865e24d3fcc43353c420ae71d6f7e2485cc6bdab9d90056df8bced22c3503
SSDEEP

49152:qGm3fzsfjnxVItPYA6OaMkTuHqv7cAo/zu2iMZOoRGmS3QdG4BIh9o5xj36rLjci:R

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

Processes:

wscript.exepowershell.exepowershell.exepowershell.exe

flow pid process

90 4984 wscript.exe
92 4984 wscript.exe
94 4504 powershell.exe
95 3480 powershell.exe
96 3344 powershell.exe

flow	pid	process
90	4984	wscript.exe
92	4984	wscript.exe
94	4504	powershell.exe
95	3480	powershell.exe
96	3344	powershell.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.execscript.execscript.exewscript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	cscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	cscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exeWScript.exeWScript.execscript.execscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\affcadccf46888 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('46888affcadccf', 'User'))\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\39091affcadccf = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('39091affcadccf', 'User'))\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\affcadccf46419 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('46419affcadccf', 'User'))\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\46888affcadccf = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('46888affcadccf', 'User'))\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\affcadccf39091 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('39091affcadccf', 'User'))\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	cscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\affcadccf60154 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('60154affcadccf', 'User'))\""	cscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\46419affcadccf = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('46419affcadccf', 'User'))\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	cscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\46564affcadccf = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('46564affcadccf', 'User'))\""	cscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\affcadccf46564 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('46564affcadccf', 'User'))\""	cscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\60154affcadccf = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('60154affcadccf', 'User'))\""	cscript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2068 308 WerFault.exe powershell.exe

pid	pid_target	process	target process
2068	308	WerFault.exe	powershell.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	wscript.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

wscript.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4984	wscript.exe
1856	powershell.exe
3480	powershell.exe
4504	powershell.exe
4516	powershell.exe
308	powershell.exe
308	powershell.exe
3480	powershell.exe
4504	powershell.exe
4516	powershell.exe
1856	powershell.exe
2592	powershell.exe
3884	powershell.exe
3516	powershell.exe
3344	powershell.exe
4980	powershell.exe
3344	powershell.exe
3344	powershell.exe
3884	powershell.exe
3884	powershell.exe
3516	powershell.exe
3516	powershell.exe
4980	powershell.exe
4980	powershell.exe
2592	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

wscript.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	4984	wscript.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeCreateGlobalPrivilege	1404	dwm.exe
Token: SeChangeNotifyPrivilege	1404	dwm.exe
Token: 33	1404	dwm.exe
Token: SeIncBasePriorityPrivilege	1404	dwm.exe
Token: SeShutdownPrivilege	1404	dwm.exe
Token: SeCreatePagefilePrivilege	1404	dwm.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

wscript.exeWScript.exeWScript.exeWScript.execscript.exeWScript.exeWScript.execscript.exe

description	pid	process	target process
PID 4984 wrote to memory of 3748	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 3748	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 5068	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 5068	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 4832	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 4832	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 2684	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 2684	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 3104	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 3104	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 4212	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 4212	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 3320	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 3320	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 1324	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 1324	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 4476	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 4476	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 3880	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 3880	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 2092	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 2092	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 4700	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 4700	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 2564	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 2564	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 5056	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 5056	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 4596	4984	wscript.exe	WScript.exe
PID 4984 wrote to memory of 4596	4984	wscript.exe	WScript.exe
PID 4832 wrote to memory of 2112	4832	WScript.exe	cscript.exe
PID 4832 wrote to memory of 2112	4832	WScript.exe	cscript.exe
PID 2684 wrote to memory of 4932	2684	WScript.exe	cscript.exe
PID 2684 wrote to memory of 4932	2684	WScript.exe	cscript.exe
PID 2092 wrote to memory of 4980	2092	WScript.exe	powershell.exe
PID 2092 wrote to memory of 4980	2092	WScript.exe	powershell.exe
PID 2092 wrote to memory of 4980	2092	WScript.exe	powershell.exe
PID 2112 wrote to memory of 2592	2112	cscript.exe	powershell.exe
PID 2112 wrote to memory of 2592	2112	cscript.exe	powershell.exe
PID 2112 wrote to memory of 2592	2112	cscript.exe	powershell.exe
PID 5056 wrote to memory of 3344	5056	WScript.exe	powershell.exe
PID 5056 wrote to memory of 3344	5056	WScript.exe	powershell.exe
PID 5056 wrote to memory of 3344	5056	WScript.exe	powershell.exe
PID 4700 wrote to memory of 3884	4700	WScript.exe	powershell.exe
PID 4700 wrote to memory of 3884	4700	WScript.exe	powershell.exe
PID 4700 wrote to memory of 3884	4700	WScript.exe	powershell.exe
PID 4932 wrote to memory of 3516	4932	cscript.exe	powershell.exe
PID 4932 wrote to memory of 3516	4932	cscript.exe	powershell.exe
PID 4932 wrote to memory of 3516	4932	cscript.exe	powershell.exe
PID 5056 wrote to memory of 1856	5056	WScript.exe	powershell.exe
PID 5056 wrote to memory of 1856	5056	WScript.exe	powershell.exe
PID 2092 wrote to memory of 4516	2092	WScript.exe	powershell.exe
PID 4700 wrote to memory of 4504	4700	WScript.exe	powershell.exe
PID 2092 wrote to memory of 4516	2092	WScript.exe	powershell.exe
PID 4700 wrote to memory of 4504	4700	WScript.exe	powershell.exe
PID 4932 wrote to memory of 3480	4932	cscript.exe	powershell.exe
PID 4932 wrote to memory of 3480	4932	cscript.exe	powershell.exe
PID 2112 wrote to memory of 308	2112	cscript.exe	powershell.exe
PID 2112 wrote to memory of 308	2112	cscript.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\blueline_0024.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\unimcumbern.js"
2⤵
PID:3748

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\unimcumbern2.js"
2⤵
PID:5068

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ascjkncaskew.js"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\System32\cscript.exe
"C:\Windows\System32\cscript.exe" -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} C:\Users\Admin\AppData\Local\Temp\ascjkncaskew.js
3⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('60154affcadccf', 'User'))"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('60154affcadccf', 'User'))"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 308 -s 1668
5⤵
- Program crash
PID:2068

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ackjbasdcbjkdebfeq.js"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\System32\cscript.exe
"C:\Windows\System32\cscript.exe" -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} C:\Users\Admin\AppData\Local\Temp\ackjbasdcbjkdebfeq.js
3⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('46564affcadccf', 'User'))"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('46564affcadccf', 'User'))"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\By0HWwdJuVCpJZLGG6K0.js"
2⤵
PID:3104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fyTBNtRD86e7YxN8Bg6Z.js"
2⤵
PID:4212

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\v8UTQInQ4riGEfymPOY1.js"
2⤵
PID:3320

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Y6hq6beYYNKAKtLs9nWi.js"
2⤵
PID:1324

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\S6XogndmP4wJ0Y8A5mWI.js"
2⤵
PID:4476

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\j5XLkEMI6Ab4MCTMsiUJ.js"
2⤵
PID:3880

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\q2EoIIRtkGyoNzBV67pp.js"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('39091affcadccf', 'User'))"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('39091affcadccf', 'User'))"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JeW9i6W4h48g7O8SFLO4.js"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('46888affcadccf', 'User'))"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('46888affcadccf', 'User'))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gMCQWlAtqIVyVUSXns2r.js"
2⤵
PID:2564

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QH5Jj9d3Q8if2PHKUeOg.js"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('46419affcadccf', 'User'))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('46419affcadccf', 'User'))"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mingo.js"
2⤵
PID:4596

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 432 -p 308 -ip 308
1⤵
PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
006e78aba2a7405dbaf44a0a92b13176

SHA1
127368fe6a3bab84d02773c84c5b84f1e5c2e63b

SHA256
42818dac73fc1d9ef5bdcf825bf96726f02085e53fc9c3001754f219daaa595c

SHA512
458e94a22e271d3fa94b6bee5bd5e2e38340fdf9551c90087059fa39dd15161513c2243aebef8938f62934d46d93227376f6fec944b5a31785a15118081eea81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7655fc4146f56aa0c9f381382c31dd57

SHA1
1510e183bec4a840f0b245564840e3c08328bda8

SHA256
d01414a7c2b5c825387d32835270e28898216b4bb04a2e92f45edb7145043ee1

SHA512
13bd528982b3782b191b0b418ff9e2a1aa62324f27e069a739a3cf4f01ec95d3f0e7da3b59fe5ca0a95b34c4dc67316339905b42989df15d8d2079ef4585608c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
280B

MD5
23d472db90357ca8caae90aabf198be6

SHA1
56f21e351d445239d6296222ff4747241760a662

SHA256
5739773327c979ffdcf59fd2a78476c47c4c43b31189f5b1b4cd39a5c6fd9de8

SHA512
8cdb92311db7ea3d6fe4b53a9faf8f1995ad0ac3316815529073cb61f5bff5d4dc43ed4959ab2a78f637c88ed71f03e0c683dee34e8ce4a022099b4e4efdfd36

Download Submit
C:\Users\Admin\AppData\Local\Temp\By0HWwdJuVCpJZLGG6K0.js

Filesize
16.5MB

MD5
d447e3dcdac667ada7145c58fb42b0dc

SHA1
2c1b54997822a92fdd81c1091f779dfe41aa8d51

SHA256
a1d213d51ebba599f3f3b86c63f8bc0ac3ef1fba052acaba3e141f7cab34d07c

SHA512
b9595fda19ae47ed396cae76bc45abf1cb332032710f1ab2e6e3bb85e32fd8cd561680ba6a6e6f879fae54da88b36e2369c81b257a6daa0d5a728b2d62bb7f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeW9i6W4h48g7O8SFLO4.js

Filesize
211KB

MD5
748d757540bca88f79aa391291c3133d

SHA1
6d3c40adeb42ff2c9acb900911c66729e40a12a7

SHA256
17033f49578eb20c10cd492ff72b05bdd7eab17b8caa04d00e0777ade93ffcc3

SHA512
94201037ed8d254966577a4b7180c7023823a5d6a25172288bf8ffcefb543ad3f29102bc092e1f169b81a4ee9eede4fc380800fb4dbbf64377c78e42a2d0205c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QH5Jj9d3Q8if2PHKUeOg.js

Filesize
214KB

MD5
67ae3798c0e6a512c3dd0d202b2bfa17

SHA1
ac9ea30ccb51e486635abe57ef4d00628a13dea7

SHA256
1dd705f06b3ecb7528d6fc15a3ddef17fa89c3a44f24b46f62bb4e55f7132d88

SHA512
d32114d5a0d261e1d119adf5ef406759516102192e4ce81a5791ad027903c55a74f110a80b1002332a5bc22509f68f89b34f3b38d02049e160169b5229458eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\S6XogndmP4wJ0Y8A5mWI.js

Filesize
9.2MB

MD5
edc6877808b8532ec36dd967c57b31de

SHA1
852a5a91e0c9a3472a5c89aae2c421d920a8acde

SHA256
ca52043bdf4904b34e2a69aed0be4d77fa1b24c7caa2f4265292ef0677e0d49c

SHA512
3e7af7fe93f25ba95661ac0ddd7b278009ca44c6934707b9073a96f19693f12d5883eddcff0717c1a17fb4b58283e0770f7d581b1bc4143f1a0857d05a82c20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y6hq6beYYNKAKtLs9nWi.js

Filesize
9.2MB

MD5
63ad6f493f5c59783bc47316ef3b92af

SHA1
c305e179439a10794fdf2f268fe1e3ab645d5983

SHA256
67cbe3781f6f76624b4aa0190e5291be65126c254879bc301727d4407326a32a

SHA512
bde7492e1a50f685158545557e978691055c83152fd6b72f32ac0bf393c727ceba24f6fe705fff632524ef9cd24a7e0f32e9f307387b43d214047b7e0a04f993

Download Submit
C:\Users\Admin\AppData\Local\Temp\ackjbasdcbjkdebfeq.js

Filesize
206KB

MD5
721271c51c6611c82c7d1d335c01b92c

SHA1
e0021c9fe85517ae724f4584bca19e6e392c5197

SHA256
f09227bb0197b6b20409c4a7e6dacb5662d594b6e54a12421bb90cb9ac9680cb

SHA512
a800aa46ea268cea016b53054baedf46371da3db3443669d06d30d2ea20c99a21f1130fddc03499815fa14a6a1082bb22fb9d557d70b18751eb1fd890f9771b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ascjkncaskew.js

Filesize
205KB

MD5
1631086ce2efffca6ffab9ae97b8f3ff

SHA1
75ca403dd06a741af86b109c0b720d33c0af4b71

SHA256
5bfdb3c2a9763232dde5f3fce4646d7688fe1f70598ca94fa13c29a1c7273510

SHA512
ced54d2e3d99218e3b3024dce627e495a6f688a41580cd1bfcb14bb9ea5c1614a3516fbb27bac284bc2fd618cd912a859326f3e839ddeceb2ebbe7cab8511254

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyTBNtRD86e7YxN8Bg6Z.js

Filesize
12.5MB

MD5
93da6927a8d751ee017242a470d9b7da

SHA1
30aaa5686e10174b7925c3f1db372f006b771c58

SHA256
1003bdb0c719dd600468cf91fceea53f110830fa8888f48755efcdd6b0b08ccc

SHA512
89731aeda0dd6c0c05a98b4291b731dff60f182f6651a3ddcb01b4187f0b76dc0472999f270daa68393be32441338a8734a25eb9a31974386761f809d31b1666

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMCQWlAtqIVyVUSXns2r.js

Filesize
208KB

MD5
724aac2641b067d08e6cf9370d86273e

SHA1
2dc6fd3d9433f6ff2cfb1e25ee7b4543db8a1529

SHA256
8a8e43a32b5f80a79b2352afa9eac07dfd49d55cb6263538212e6cbe41d7db0f

SHA512
49b7b588b2acd2416c5a6aabec583b88e683ec1f66ee4b5bd3ae51720756eb5a91d33e0f266e4b823aa87f01804245807577b26c31ae92705f810d10fc83ef57

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5XLkEMI6Ab4MCTMsiUJ.js

Filesize
9.2MB

MD5
a7a3245cb1379140e6d83c3935098a13

SHA1
a19b46abe6e48f80806dfd84e59b9eece8d1de82

SHA256
aa5d60235c292f3935ffa7ed8c18d7583c79363b1f72ca4fd2ba2d394a1367d5

SHA512
063f5a15c06d4a681ca47dbd781fc851fd703ab8a5c4df0993732be3c2ceecd69bee2104917cdd6572750d1fe48d281a462274acf80e22489d42a23e714522c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mingo.js

Filesize
12.8MB

MD5
b536ab652207d07e6a46efc613eda4ad

SHA1
fc33612371acdb6f70e2c10c81639f6a92321a00

SHA256
3784958b2a1bc5cce2e05ce5d26f6d72a6fddde4b0ff10c716b598cf78c59e42

SHA512
28d8ac9f6172c7344dafe6fd38005e30d41f25dc303b4f4dd01f981861f3f1d4c5fb6aac5f48e9b2aab2d16bbe729b21f30dba832fbc9c626235640789d77d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2EoIIRtkGyoNzBV67pp.js

Filesize
208KB

MD5
8ac34eab182f9ff242fa0fa7f141b6a2

SHA1
864c2bcc37392141fe520bf825a7003ba1056eb4

SHA256
d5b3e3d59ce04590d5a621288b8615a2d26acc73bdbccde347af9e88115796fc

SHA512
bb81fc9b75875251a44747ea358b48a1d5c22ec173b3f31aaaf3dd5cf0a620aeae0b99ed52f7c37f7c69c1b128a4451ad512d94a2dfc7d3d3dd86da8685edbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\unimcumbern.js

Filesize
16.2MB

MD5
c0f2e303dd3ed98a3c87db633daf3c3b

SHA1
2d0b1123bf586cc6e2e5ca69603224c7f6a74825

SHA256
ab607c2f6794fde7454be02b77627c3e4c68831c7f31c0925cb165c97ea32231

SHA512
ff4ef8d079aa9eaa225b864ad4924d52db3e6a9a0bd02a07f4ff0cbf304e8c342d70e589ec818090890347c0dad68fe9e15a10b78c7f24c82671a882e951ca53

Download Submit
C:\Users\Admin\AppData\Local\Temp\unimcumbern2.js

Filesize
14.3MB

MD5
fe4ff2491a8e61f9d64b583a6fecba7a

SHA1
040cf16a2ddb6deb561406507d35f7a5f3fae51a

SHA256
4736b0dd694e384230f6385f920a76d40da44af8f8e047c9c75cb41f0be5a897

SHA512
620c8c85c75b6b8131cf2afad712b9e00b3767a35025372100e848acfd6601da30fcd12375099d85e0aa2262d7eea103e24a5f07cac3ef31c988fd734792f3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8UTQInQ4riGEfymPOY1.js

Filesize
10.7MB

MD5
4cfc15db60ca867669359829c71cbd07

SHA1
850697050b30f28c86888e1613a331852642c55f

SHA256
701402fd306b645e0e4cf9b49eba5c921cbfbe38416a8d29c2085166205f57f1

SHA512
b67e357812e5f5668fc393c5d2694f77570bcf8a7145e77164f36273a706b59d8d634c8d730beed0d398e9beb7ceaf5787403e6674341ee415f266acbb3bf497

Download Submit
memory/308-184-0x0000000000000000-mapping.dmp

Download
memory/308-216-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/308-189-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/308-195-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/1324-156-0x0000000000000000-mapping.dmp

Download
memory/1856-191-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/1856-219-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/1856-185-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/1856-180-0x0000000000000000-mapping.dmp

Download
memory/2092-161-0x0000000000000000-mapping.dmp

Download
memory/2112-172-0x0000000000000000-mapping.dmp

Download
memory/2564-165-0x0000000000000000-mapping.dmp

Download
memory/2592-207-0x00000000079B0000-0x000000000802A000-memory.dmp

Filesize
6.5MB

Download
memory/2592-179-0x0000000000000000-mapping.dmp

Download
memory/2592-209-0x0000000004B10000-0x0000000004B32000-memory.dmp

Filesize
136KB

Download
memory/2684-148-0x0000000000000000-mapping.dmp

Download
memory/3104-150-0x0000000000000000-mapping.dmp

Download
memory/3320-154-0x0000000000000000-mapping.dmp

Download
memory/3344-200-0x0000000006400000-0x0000000006466000-memory.dmp

Filesize
408KB

Download
memory/3344-176-0x0000000000000000-mapping.dmp

Download
memory/3344-201-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/3344-199-0x0000000006290000-0x00000000062F6000-memory.dmp

Filesize
408KB

Download
memory/3344-198-0x0000000005600000-0x0000000005622000-memory.dmp

Filesize
136KB

Download
memory/3480-194-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/3480-223-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/3480-183-0x0000000000000000-mapping.dmp

Download
memory/3480-188-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/3516-177-0x0000000000000000-mapping.dmp

Download
memory/3516-210-0x00000000085D0000-0x0000000008B74000-memory.dmp

Filesize
5.6MB

Download
memory/3516-208-0x0000000005FB0000-0x0000000006046000-memory.dmp

Filesize
600KB

Download
memory/3748-142-0x0000000000000000-mapping.dmp

Download
memory/3880-160-0x0000000000000000-mapping.dmp

Download
memory/3884-178-0x0000000000000000-mapping.dmp

Download
memory/3884-206-0x0000000004C30000-0x0000000004C4A000-memory.dmp

Filesize
104KB

Download
memory/4212-152-0x0000000000000000-mapping.dmp

Download
memory/4476-158-0x0000000000000000-mapping.dmp

Download
memory/4504-187-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/4504-190-0x0000025761680000-0x00000257616A2000-memory.dmp

Filesize
136KB

Download
memory/4504-221-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/4504-181-0x0000000000000000-mapping.dmp

Download
memory/4504-193-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/4516-182-0x0000000000000000-mapping.dmp

Download
memory/4516-186-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/4516-192-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/4596-170-0x0000000000000000-mapping.dmp

Download
memory/4700-163-0x0000000000000000-mapping.dmp

Download
memory/4832-146-0x0000000000000000-mapping.dmp

Download
memory/4932-173-0x0000000000000000-mapping.dmp

Download
memory/4980-196-0x00000000024F0000-0x0000000002526000-memory.dmp

Filesize
216KB

Download
memory/4980-175-0x0000000000000000-mapping.dmp

Download
memory/4980-197-0x0000000004F70000-0x0000000005598000-memory.dmp

Filesize
6.2MB

Download
memory/4984-135-0x0000024AFFD80000-0x0000024AFFE8A000-memory.dmp

Filesize
1.0MB

Download
memory/4984-132-0x0000024B00000000-0x0000024B0017E000-memory.dmp

Filesize
1.5MB

Download
memory/4984-141-0x0000024AFFBD0000-0x0000024AFFC20000-memory.dmp

Filesize
320KB

Download
memory/4984-140-0x0000024AFFE90000-0x0000024AFFF06000-memory.dmp

Filesize
472KB

Download
memory/4984-139-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/4984-138-0x0000024B00350000-0x0000024B00512000-memory.dmp

Filesize
1.8MB

Download
memory/4984-137-0x0000024AFFB40000-0x0000024AFFB7C000-memory.dmp

Filesize
240KB

Download
memory/4984-136-0x0000024AFFAE0000-0x0000024AFFAF2000-memory.dmp

Filesize
72KB

Download
memory/4984-134-0x0000024AACA20000-0x0000024AACF48000-memory.dmp

Filesize
5.2MB

Download
memory/4984-133-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/4984-174-0x00007FFE7F380000-0x00007FFE7FE41000-memory.dmp

Filesize
10.8MB

Download
memory/5056-167-0x0000000000000000-mapping.dmp

Download
memory/5068-144-0x0000000000000000-mapping.dmp

Download