Analysis
-
max time kernel
168s
-
max time network
165s
-
platform
windows7_x64
-
resource
win7v20201028
-
submitted
19-11-2020 17:21
Static task
static1
Behavioral task
behavioral1
Sample
Downloads.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Downloads.exe
Resource
win7v20201028
General
-
Target
Downloads.exe
-
Size
164.0MB
-
MD5
2e5f0d7f3b1505978fa81cf1e70d02d5
-
SHA1
99a6086d8a23ea12aba3a8ddd7f67c427981622f
-
SHA256
8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51
-
SHA512
9239b684c9d2a0583a01c7f27d9fa76a271bc729645e3b222f02d6dffdec347cfef706c5a79aafb97f251bb2c92fde25583f004dd583640e8d9eb8d1b2e7441f
Malware Config
Extracted
revengerat
Victime
cocohack.dtdns.net:84
RV_MUTEX-OKuSAtYBxGgZHx
Extracted
zloader
main
26.02.2020
https://airnaa.org/sound.php
https://banog.org/sound.php
https://rayonch.org/sound.php
Extracted
revengerat
samay
shnf-47787.portmap.io:47787
RV_MUTEX
Extracted
revengerat
system
yj233.e1.luyouxia.net:20645
RV_MUTEX-GeVqDyMpzZJHO
Extracted
revengerat
YT
yukselofficial.duckdns.org:5552
RV_MUTEX-WlgZblRvZwfRtNH
Extracted
revengerat
INSERT-COIN
3.tcp.ngrok.io:24041
RV_MUTEX
Extracted
cobaltstrike
http://47.91.237.42:8443/__utm.gif
-
access_type
512
-
beacon_type
2048
-
create_remote_thread
0
-
day
0
-
dns_idle
0
-
dns_sleep
0
-
host
47.91.237.42,/__utm.gif
-
http_header1
-
http_header2
-
http_method1
GET
-
http_method2
POST
- injection_process
-
jitter
0
-
maxdns
255
-
month
0
- pipe_name
-
polling_time
60000
-
port_number
8443
- proxy_password
- proxy_server
- proxy_username
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
-
unknown1
4096
-
unknown2
-
unknown3
0
-
unknown4
0
-
unknown5
2.018915346e+09
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
-
year
0
Extracted
zloader
07/04
https://xyajbocpggsr.site/wp-config.php
https://ooygvpxrb.pw/wp-config.php
Extracted
zloader
25/03
https://wgyvjbse.pw/milagrecf.php
https://botiq.xyz/milagrecf.php
Extracted
revengerat
XDSDDD
84.91.119.105:333
RV_MUTEX-wtZlNApdygPh
Extracted
smokeloader
2017
http://92.53.105.14/
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Processes:
resource | yara_rule
C:\Users\Admin\Desktop\senate.m4a | cryptone
C:\Users\Admin\Desktop\SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869 | cryptone
-
RevengeRat Executable 8 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe | revengerat
C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe | revengerat
C:\Users\Admin\Desktop\KLwC6vii.exe | revengerat
C:\Users\Admin\Desktop\file.exe | revengerat
C:\Users\Admin\Desktop\file(1).exe | revengerat
C:\Users\Admin\Desktop\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe | revengerat
C:\Users\Admin\Desktop\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe | revengerat
C:\Users\Admin\Desktop\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe | revengerat
-
Executes dropped EXE 17 IoCs
Processes:
pid | process
320 | HYDRA.exe
1776 | yaya.exe
1300 | va.exe
1160 | ufx.exe
1672 | sant.exe
1952 | starter.exe
1660 | power.exe
2020 | usc.exe
952 | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1940 | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
112 | 948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
2292 | f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
2280 | fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
2548 | hyundai steel-pipe- job 8010.exe
2400 | gjMEi6eG.exe
1212 | hyundai steel-pipe- job 8010(1).exe
3012 | Keygen.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\Desktop\good.exe | upx
C:\Users\Admin\Desktop\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe | upx
-
Drops startup file 3 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudo.vbs | va.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
-
Loads dropped DLL 18 IoCs
Processes:
pid | process
1272 | (2 events, no process name recorded)
320 | HYDRA.exe (8 events)
1776 | yaya.exe
1160 | ufx.exe (3 events)
1272 | (4 events, no process name recorded)
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | sant.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | sant.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\Desktop\HYDRA.exe | nsis_installer_1
C:\Users\Admin\Desktop\HYDRA.exe | nsis_installer_2
C:\Users\Admin\Desktop\HYDRA.exe | nsis_installer_1
C:\Users\Admin\Desktop\HYDRA.exe | nsis_installer_2
C:\Users\Admin\Desktop\VyprVPN.exe | nsis_installer_1
C:\Users\Admin\Desktop\VyprVPN.exe | nsis_installer_2
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 64 IoCs
Processes:
pid | process
taskkill.exe, 64 instances, PIDs: 2336, 3636, 956, 1192, 680, 2272, 2756, 2792, 2948, 1624, 3452, 3600, 3652, 4060, 1768, 2392, 2540, 3468, 2768, 3000, 3440, 3508, 2156, 2324, 2480, 956, 3708, 3840, 2932, 3676, 3924, 4012, 2140, 2824, 2368, 3800, 4044, 2180, 2248, 2580, 2224, 2644, 2872, 3620, 2216, 3488, 3788, 1608, 2100, 3868, 948, 2680, 2716, 2920, 2516, 2456, 2500, 2652, 3200, 744, 1180, 3564, 2372, 2440
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main | Downloads.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1672 | sant.exe (64 events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1852 | Downloads.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
1672 | sant.exe (2 events)
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2020 | usc.exe
Token: SeDebugPrivilege | 1940 | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege | 952 | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege | 956 | taskkill.exe
Token: SeDebugPrivilege | 1328 | taskkill.exe
Token: SeDebugPrivilege | 1192 | taskkill.exe
Token: SeDebugPrivilege | 948 | taskkill.exe
Token: SeDebugPrivilege | 112 | 948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Token: SeDebugPrivilege | 2440 | taskkill.exe
Token: SeDebugPrivilege | 2516 | taskkill.exe
Token: SeDebugPrivilege | 680 | taskkill.exe
Token: SeDebugPrivilege | 2076 | taskkill.exe
Token: SeDebugPrivilege | 2156 | taskkill.exe
Token: SeDebugPrivilege | 2180 | taskkill.exe
Token: SeDebugPrivilege | 2216 | taskkill.exe
Token: SeDebugPrivilege | 2272 | taskkill.exe
Token: SeDebugPrivilege | 2392 | taskkill.exe
Token: SeDebugPrivilege | 1768 | taskkill.exe
Token: SeDebugPrivilege | 2500 | taskkill.exe
Token: SeDebugPrivilege | 2456 | taskkill.exe
Token: SeDebugPrivilege | 2280 | fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
Token: SeDebugPrivilege | 2140 | taskkill.exe
Token: SeDebugPrivilege | 2248 | taskkill.exe
Token: SeDebugPrivilege | 2860 | taskkill.exe
Token: SeDebugPrivilege | 2652 | taskkill.exe
Token: SeDebugPrivilege | 2948 | taskkill.exe
Token: SeDebugPrivilege | 2788 | taskkill.exe
Token: SeDebugPrivilege | 2324 | taskkill.exe
Token: SeDebugPrivilege | 2372 | taskkill.exe
Token: SeDebugPrivilege | 2480 | taskkill.exe
Token: SeDebugPrivilege | 2580 | taskkill.exe
Token: SeDebugPrivilege | 2644 | taskkill.exe
Token: SeDebugPrivilege | 2716 | taskkill.exe
Token: SeDebugPrivilege | 2920 | taskkill.exe
Token: SeDebugPrivilege | 2768 | taskkill.exe
Token: SeDebugPrivilege | 3000 | taskkill.exe
Token: SeDebugPrivilege | 2336 | taskkill.exe
Token: SeDebugPrivilege | 2224 | taskkill.exe
Token: SeDebugPrivilege | 2824 | taskkill.exe
Token: SeDebugPrivilege | 2540 | taskkill.exe
Token: SeDebugPrivilege | 2756 | taskkill.exe
Token: SeDebugPrivilege | 2600 | taskkill.exe
Token: SeDebugPrivilege | 2792 | taskkill.exe
Token: SeDebugPrivilege | 2932 | taskkill.exe
Token: SeDebugPrivilege | 2968 | taskkill.exe
Token: SeDebugPrivilege | 2680 | taskkill.exe
Token: SeDebugPrivilege | 2872 | taskkill.exe
Token: SeDebugPrivilege | 2436 | taskkill.exe
Token: SeDebugPrivilege | 2100 | taskkill.exe
Token: SeDebugPrivilege | 1100 | taskkill.exe
Token: SeDebugPrivilege | 688 | taskkill.exe
Token: SeDebugPrivilege | 2368 | taskkill.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
1940 | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid | process
1940 | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
1852 | Downloads.exe (2 events)
2308 | xpsrchvw.exe (4 events)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 320 wrote to memory of 1776 | 320 | HYDRA.exe | yaya.exe (4 events)
PID 320 wrote to memory of 1300 | 320 | HYDRA.exe | va.exe (4 events)
PID 320 wrote to memory of 1160 | 320 | HYDRA.exe | ufx.exe (7 events)
PID 320 wrote to memory of 1672 | 320 | HYDRA.exe | sant.exe (4 events)
PID 320 wrote to memory of 1660 | 320 | HYDRA.exe | power.exe (4 events)
PID 1776 wrote to memory of 1952 | 1776 | yaya.exe | starter.exe (4 events)
PID 1160 wrote to memory of 2020 | 1160 | ufx.exe | usc.exe (7 events)
PID 2020 wrote to memory of 1200 | 2020 | usc.exe | SCHTASKS.exe (7 events)
PID 952 wrote to memory of 1896 | 952 | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe | sc.exe (3 events)
PID 1940 wrote to memory of 668 | 1940 | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe | cmd.exe (3 events)
PID 952 wrote to memory of 608 | 952 | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe | sc.exe (3 events)
PID 952 wrote to memory of 1736 | 952 | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe | sc.exe (3 events)
PID 1940 wrote to memory of 1148 | 1940 | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe | sc.exe (3 events)
PID 1940 wrote to memory of 1644 | 1940 | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe | sc.exe (3 events)
PID 1940 wrote to memory of 1708 | 1940 | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe | sc.exe (3 events)
PID 1940 wrote to memory of 456 | 1940 | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe | sc.exe (2 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Downloads.exe
  "C:\Users\Admin\AppData\Local\Temp\Downloads.exe"
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
- C:\Users\Admin\Desktop\HYDRA.exe
  "C:\Users\Admin\Desktop\HYDRA.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\yaya.exe
      C:\Users\Admin\AppData\Roaming\yaya.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        - C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
          "C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"
          - Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\va.exe
      C:\Users\Admin\AppData\Roaming\va.exe
      - Executes dropped EXE
      - Drops startup file
    - C:\Users\Admin\AppData\Roaming\ufx.exe
      C:\Users\Admin\AppData\Roaming\ufx.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        - C:\ProgramData\ucp\usc.exe
          "C:\ProgramData\ucp\usc.exe" /ucp/usc.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\SCHTASKS.exe
              SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
              - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Roaming\sant.exe
      C:\Users\Admin\AppData\Roaming\sant.exe
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
        - C:\Windows\SysWOW64\explorer.exe
          explorer.exe
    - C:\Users\Admin\AppData\Roaming\power.exe
      C:\Users\Admin\AppData\Roaming\power.exe
      - Executes dropped EXE
- C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  "C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
    - C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    - C:\Windows\system32\sc.exe
      "sc.exe" config SQLWriter start= disabled
    - C:\Windows\system32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
    - C:\Windows\system32\sc.exe
      "sc.exe" config SstpSvc start= disabled
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mysqld.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqbcoreservice.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM firefoxconfig.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM agntsvc.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM thebat.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM steam.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM encsvc.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM excel.exe /F
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM CNTAoSMgr.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqlwriter.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM tbirdconfig.exe /F
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM dbeng50.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM thebat64.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM ocomm.exe /F
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM infopath.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mbamtray.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM zoolz.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" IM thunderbird.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM dbsnmp.exe /F
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM xfssvccon.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM Ntrtscan.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM isqlplussvc.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM onenote.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM PccNTMon.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM msaccess.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM outlook.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM tmlisten.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM msftesql.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM powerpnt.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM visio.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM winword.exe /F
      - Kills process with taskkill
- C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  "C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
    - C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
    - C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    - C:\Windows\system32\sc.exe
      "sc.exe" config SQLWriter start= disabled
    - C:\Windows\system32\sc.exe
      "sc.exe" config SstpSvc start= disabled
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mysqld.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqbcoreservice.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM firefoxconfig.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM agntsvc.exe /F
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM thebat.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM steam.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM encsvc.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM excel.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM CNTAoSMgr.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqlwriter.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM tbirdconfig.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM dbeng50.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM thebat64.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM ocomm.exe /F
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM infopath.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mbamtray.exe /F
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM zoolz.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" IM thunderbird.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM dbsnmp.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM xfssvccon.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM Ntrtscan.exe /F
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM isqlplussvc.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM onenote.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM PccNTMon.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM msaccess.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM outlook.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM tmlisten.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM msftesql.exe /F
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM powerpnt.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM visio.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM winword.exe /F
      - Kills process with taskkill
    - C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mysqld-nt.exe /F
      - Kills process with taskkill
- C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
  "C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
- C:\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
  "C:\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe"
  - Executes dropped EXE
- C:\Users\Admin\Desktop\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
  "C:\Users\Admin\Desktop\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010.exe
  "C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010.exe"
  - Executes dropped EXE
- C:\Users\Admin\Desktop\gjMEi6eG.exe
  "C:\Users\Admin\Desktop\gjMEi6eG.exe"
  - Executes dropped EXE
- C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010(1).exe
  "C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010(1).exe"
- Executes dropped EXE
-
C:\Windows\System32\xpsrchvw.exe"C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\MergeExpand.eprtx"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\june9.dll1⤵
-
C:\Users\Admin\Desktop\Keygen.exe"C:\Users\Admin\Desktop\Keygen.exe"1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FEE8.tmp\start.bat" C:\Users\Admin\Desktop\Keygen.exe"2⤵
-
C:\Users\Admin\Desktop\KLwC6vii.exe"C:\Users\Admin\Desktop\KLwC6vii.exe"1⤵
-
C:\Users\Admin\Desktop\infected dot net installer.exe"C:\Users\Admin\Desktop\infected dot net installer.exe"1⤵
Downloads
-
C:\ProgramData\ucp\usc.exe
-
C:\Users\Admin\AppData\Local\Temp\HOW_TO_DECYPHER_FILES.txt
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk
-
C:\Users\Admin\AppData\Roaming\power.exe
-
C:\Users\Admin\AppData\Roaming\sant.exe
-
C:\Users\Admin\AppData\Roaming\ufx.exe
-
C:\Users\Admin\AppData\Roaming\ufx.exe
-
C:\Users\Admin\AppData\Roaming\va.exe
-
C:\Users\Admin\AppData\Roaming\yaya.exe
-
C:\Users\Admin\AppData\Roaming\yaya.exe
-
C:\Users\Admin\Desktop\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe
MD5: 9e9bb42a965b89a9dce86c8b36b24799
SHA1: e2d1161ac7fa3420648ba59f7a5315ed0acb04c2
SHA256: 08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d
SHA512: e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8
-
C:\Users\Admin\Desktop\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
-
C:\Users\Admin\Desktop\0di3x.exe
-
C:\Users\Admin\Desktop\201106-9sxjh7tvxj_pw_infected.zip
-
C:\Users\Admin\Desktop\201106-9sxjh7tvxj_pw_infected.zip.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\2019-09-02_22-41-10.exe
-
C:\Users\Admin\Desktop\2c01b007729230c415420ad641ad92eb.exe
-
C:\Users\Admin\Desktop\31.exe
-
C:\Users\Admin\Desktop\3DMark 11 Advanced Edition.exe
-
C:\Users\Admin\Desktop\42f972925508a82236e8533567487761.exe
-
C:\Users\Admin\Desktop\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
MD5: ead18f3a909685922d7213714ea9a183
SHA1: 1270bd7fd62acc00447b30f066bb23f4745869bf
SHA256: 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
SHA512: 6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
-
C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
-
C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
-
C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
-
C:\Users\Admin\Desktop\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
MD5: 6fe3fb85216045fdf8186429c27458a7
SHA1: ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256: 905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512: d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
-
C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
MD5: aa0a434f00c138ef445bf89493a6d731
SHA1: 2e798c079b179b736247cf20d1346657db9632c7
SHA256: 948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654
SHA512: e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952
-
C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
MD5: aa0a434f00c138ef445bf89493a6d731
SHA1: 2e798c079b179b736247cf20d1346657db9632c7
SHA256: 948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654
SHA512: e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952
-
C:\Users\Admin\Desktop\95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.exe
MD5: 9e9719483cc24dc0ab94b31f76981f42
SHA1: dad2cbcedfa94a2d2f0fde521d6f57a094d7c85b
SHA256: 95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9
SHA512: 83cff2d55df7d40aea1357515cc673792b367718e57624a2eedd531fd51c49ff165e5e69065efa09148d550644ea1106f54dea35aaadcebaa9ed911532c44309
-
C:\Users\Admin\Desktop\Archive.zip__ccacaxs2tbz2t6ob3e.exe
-
C:\Users\Admin\Desktop\BlockShow.au.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\CVE-2018-15982_PoC.swf
-
C:\Users\Admin\Desktop\CVE-2018-15982_PoC.swf.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\ConvertRegister.ini.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\DisableRepair.vsw.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\DiskInternals_Uneraser_v5_keygen.exe
-
C:\Users\Admin\Desktop\DismountMove.xps.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\E2-20201118_141759.zip
-
C:\Users\Admin\Desktop\E2-20201118_141759.zip.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\FindUnblock.ppsx.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\ForceOp 2.8.7 - By RaiSence.exe
-
C:\Users\Admin\Desktop\GrantAssert.emz.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\HYDRA.exe
MD5: c52bc39684c52886712971a92f339b23
SHA1: c5cb39850affb7ed322bfb0a4900e17c54f95a11
SHA256: f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d
SHA512: 2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b
-
C:\Users\Admin\Desktop\HYDRA.exe
MD5: c52bc39684c52886712971a92f339b23
SHA1: c5cb39850affb7ed322bfb0a4900e17c54f95a11
SHA256: f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d
SHA512: 2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b
-
C:\Users\Admin\Desktop\HideSync.mp3.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\KLwC6vii.exe
MD5: 1ded740b925aa0c370e4e5bd02c0741f
SHA1: 64731e77b65da3eb192783c074afdcb6a0a245a8
SHA256: a8745addaf2f95e0fe6afbc6d6712f817d4a819cf1d08bf7c0ff01822e18e1db
SHA512: fdaaa6633196851725fe088fafd539eb17483555d9b926338a7caeb961354c12cabcd3f55aa51f32297ce4a884806fbc337dfa725583cc1c86b8ca6c97218d4e
-
C:\Users\Admin\Desktop\Keygen.exe
-
C:\Users\Admin\Desktop\Keygen.exe
-
C:\Users\Admin\Desktop\LockExit.au3.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\Lonelyscreen.1.2.9.keygen.by.Paradox.exe
-
C:\Users\Admin\Desktop\LtHv0O2KZDK4M637.exe
-
C:\Users\Admin\Desktop\Magic_File_v3_keygen_by_KeygenNinja.exe
-
C:\Users\Admin\Desktop\OnlineInstaller.exe
-
C:\Users\Admin\Desktop\PublishUpdate.docx.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\PublishWait.wmv.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\REVENGE-RAT.js.zip
-
C:\Users\Admin\Desktop\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
-
C:\Users\Admin\Desktop\RequestEdit.vbe.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\SecuriteInfo.com.Gen.NN.ZexaF.34108.xy1@amqiedE.17985
-
C:\Users\Admin\Desktop\SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869
MD5: cde56cf0169830ee0059ee385c0c5eaf
SHA1: 08aacb48ffcdc6b49af18d01155982984de230f7
SHA256: cb762227729d0faadc4c33a4a55b513673a9c76284773535b0e07d7e47d8413e
SHA512: 234ddd4191c1abdfe04d9cc1afe2fed2901ef4d38404d0568a356218bc62096d200dd8ec28c8980da4a5852b0a481bf698b244f51d13560b303285b99105b3dd
-
C:\Users\Admin\Desktop\SecurityTaskManager_Setup.exe
-
C:\Users\Admin\Desktop\ShowAssert.aif
-
C:\Users\Admin\Desktop\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
-
C:\Users\Admin\Desktop\VyprVPN.exe
MD5: f1d5f022e71b8bc9e3241fbb72e87be2
SHA1: 1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c
SHA256: 08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d
SHA512: f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f
-
C:\Users\Admin\Desktop\WSHSetup[1].exe
-
C:\Users\Admin\Desktop\Yard.dll
-
C:\Users\Admin\Desktop\api.exe
-
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (2).exe
-
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (3).xls
-
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (3).xls.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (4).exe
MD5: 6d2864f9d3349fc4292884e7baab4bcc
SHA1: b4e7df23ccd50f4d136f66e62d56815eab09e720
SHA256: 2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba
SHA512: dcfc50105df4ea00add6dc3d121baa3ff93180a0be71e444e89e3a8249d1fd2103eb34aa61aa57ada45c5a86ed5783a67e10f21eeb9dda802a49f627aaa0cec0
-
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb.exe
-
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb.zip
-
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb.zip.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\cd9ccf8681ed1a5380f8a27cd6dc927ab719b04baa6c6583a0c793a6dc00d5f7.exe
-
C:\Users\Admin\Desktop\cobaltstrike_shellcode.exe
MD5: 8e4d8b8796d2188324a0cfd6fdc8de92
SHA1: 9e7a053d34eb00e732e470bc28cc1fa4aa030b8f
SHA256: 1ae532cc0fa2e16cac4f23e289741e256cf517afbbb536aeeb0d7cd601bc05a1
SHA512: db4ced8b71b63a7bd48a5bf96270e99c7380865ec31e875b9e0862535298828f4bbae3a4feeb52ef507a8ba461b744c1ce338e3ed191e90cb7079f209ecdbcf3
-
C:\Users\Admin\Desktop\default.exe
-
C:\Users\Admin\Desktop\efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
-
C:\Users\Admin\Desktop\efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504._exe
-
C:\Users\Admin\Desktop\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe
-
C:\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
-
C:\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
-
C:\Users\Admin\Desktop\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
MD5: 6029c37a32d7e4951449e197d4850213
SHA1: 6ed7bb726b1e04d6858c084bc9bf475a13b77c95
SHA256: fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c
SHA512: bf3639710e259aa38d0cd028071408bdd41c01ee1bd0ea70a16ada78b848c63886854ed40407242e3a68fd9b5444fce2e6ddc050e0c8a2f578b00f43b6c52b6f
-
C:\Users\Admin\Desktop\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
MD5: 6029c37a32d7e4951449e197d4850213
SHA1: 6ed7bb726b1e04d6858c084bc9bf475a13b77c95
SHA256: fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c
SHA512: bf3639710e259aa38d0cd028071408bdd41c01ee1bd0ea70a16ada78b848c63886854ed40407242e3a68fd9b5444fce2e6ddc050e0c8a2f578b00f43b6c52b6f
-
C:\Users\Admin\Desktop\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe
-
C:\Users\Admin\Desktop\file(1).exe
MD5: 9ca9044bbac6aa39072da89d05cb3dcf
SHA1: 7cb6ec980704bf7eb109918a1cb037deed4341fe
SHA256: 3ac39ece6e1953f03e88fdfb942bf9f0dcb8d1da643cbd9677032f2ac7861d03
SHA512: 5f6cfae5220c219455a180ee6a6fe094fe73475be6acdef24f33476a995097c355af0cf147fd6b986ca3bd84eee0b4928a6d08cabfab63f101259e05d037d9bd
-
C:\Users\Admin\Desktop\file.exe
MD5: 88dbffbc0062b913cbddfde8249ef2f3
SHA1: e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256: 275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512: 036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
-
C:\Users\Admin\Desktop\gjMEi6eG.exe
-
C:\Users\Admin\Desktop\gjMEi6eG.exe
-
C:\Users\Admin\Desktop\good.exe
MD5: b034e2a7cd76b757b7c62ce514b378b4
SHA1: 27d15f36cb5e3338a19a7f6441ece58439f830f2
SHA256: 90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac
SHA512: 1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385
-
C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010(1).exe
-
C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010(1).exe
-
C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010.exe
-
C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010.exe
-
C:\Users\Admin\Desktop\infected dot net installer.exe
-
C:\Users\Admin\Desktop\inps_979.xls
-
C:\Users\Admin\Desktop\inps_979.xls.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\jar.jar
-
C:\Users\Admin\Desktop\jar.jar.energy[potentialenergy@mail.ru]
-
C:\Users\Admin\Desktop\june9.dll
-
C:\Users\Admin\Desktop\mouse_2.exe
-
C:\Users\Admin\Desktop\oof.exe
-
C:\Users\Admin\Desktop\openme.exe
-
C:\Users\Admin\Desktop\ou55sg33s_1.exe
-
C:\Users\Admin\Desktop\senate.m4a
MD5: 8bdb30d9f3c697d3f12aea9dd3d83a60
SHA1: f89fc63457ce4914b5e41ed0b17af0a9e1ac6119
SHA256: 3bc843b534c96a38ab8f4b785f902f70dc8ebd48164aa0870562da285c49a9ec
SHA512: bc7f688736b607baea107ea20d1e6686aed9619b7f10b81b95a74ac652c09696a83160f603c5b106498643c10c8eb60572ffbdcd23db6c12e68c15d9dec5f905
-
C:\Users\Admin\Desktop\str.dll
-
C:\Users\Admin\Desktop\svchost.exe
-
C:\Users\Admin\Desktop\update.exe
-
C:\Users\Admin\Desktop\vir1.xls
-
C:\Users\Admin\Desktop\wwf[1].exe
-
C:\Users\Admin\Desktop\xNet.dll
-
C:\Users\Admin\Desktop\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe
-
C:\Users\Admin\Desktop\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe
-
C:\Users\Public\Desktop\Adobe Reader 9.lnk
-
C:\Users\Public\Desktop\Firefox.lnk
-
C:\Users\Public\Desktop\Google Chrome.lnk
-
C:\Users\Public\Music\Sample Music\Sleep Away.mp3
-
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.energy[potentialenergy@mail.ru]
-
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.energy[potentialenergy@mail.ru]
-
C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
-
C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
-
C:\\vcredist2010_x64.log-MSI_vc_red.msi.txt.energy[potentialenergy@mail.ru]
-
C:\\vcredist2010_x64.log.html.energy[potentialenergy@mail.ru]
-
C:\\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.energy[potentialenergy@mail.ru]
-
C:\\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.energy[potentialenergy@mail.ru]
-
C:\\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.energy[potentialenergy@mail.ru]
-
C:\\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.energy[potentialenergy@mail.ru]
-
C:\\vcredist2019_x64_001_vcRuntimeMinimum_x64.log.energy[potentialenergy@mail.ru]
-
C:\\vcredist2019_x64_002_vcRuntimeAdditional_x64.log.energy[potentialenergy@mail.ru]
-
\ProgramData\ucp\usc.exe
-
\ProgramData\ucp\usc.exe
-
\ProgramData\ucp\usc.exe
-
\Users\Admin\AppData\Roaming\power.exe
-
\Users\Admin\AppData\Roaming\power.exe
-
\Users\Admin\AppData\Roaming\sant.exe
-
\Users\Admin\AppData\Roaming\sant.exe
-
\Users\Admin\AppData\Roaming\ufx.exe
-
\Users\Admin\AppData\Roaming\va.exe
-
\Users\Admin\AppData\Roaming\va.exe
-
\Users\Admin\AppData\Roaming\yaya.exe
-
\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
-
\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
-
\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
-
\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
-
\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
-
\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
-
\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
-
memory/112-62-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp
Filesize: 9.6MB
-
memory/112-60-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp
Filesize: 9.6MB
-
memory/304-78-0x0000000000000000-mapping.dmp
-
memory/456-74-0x0000000000000000-mapping.dmp
-
memory/608-69-0x0000000000000000-mapping.dmp
-
memory/668-68-0x0000000000000000-mapping.dmp
-
memory/680-80-0x0000000000000000-mapping.dmp
-
memory/688-203-0x0000000000000000-mapping.dmp
-
memory/744-207-0x0000000000000000-mapping.dmp
-
memory/804-233-0x0000000000000000-mapping.dmp
-
memory/948-79-0x0000000000000000-mapping.dmp
-
memory/952-55-0x000007FEF42C0000-0x000007FEF4CAC000-memory.dmp
Filesize: 9.9MB
-
memory/952-63-0x0000000001110000-0x0000000001111000-memory.dmp
Filesize: 4KB
-
memory/956-189-0x0000000000000000-mapping.dmp
-
memory/956-76-0x0000000000000000-mapping.dmp
-
memory/1100-201-0x0000000000000000-mapping.dmp
-
memory/1148-71-0x0000000000000000-mapping.dmp
-
memory/1160-26-0x0000000000000000-mapping.dmp
-
memory/1180-209-0x0000000000000000-mapping.dmp
-
memory/1192-77-0x0000000000000000-mapping.dmp
-
memory/1200-52-0x0000000000000000-mapping.dmp
-
memory/1296-0-0x000007FEF7120000-0x000007FEF739A000-memory.dmp
Filesize: 2.5MB
-
memory/1300-22-0x0000000000000000-mapping.dmp
-
memory/1328-75-0x0000000000000000-mapping.dmp
-
memory/1608-190-0x0000000000000000-mapping.dmp
-
memory/1624-237-0x0000000000000000-mapping.dmp
-
memory/1644-72-0x0000000000000000-mapping.dmp
-
memory/1660-40-0x0000000000000000-mapping.dmp
-
memory/1672-34-0x0000000000000000-mapping.dmp
-
memory/1708-73-0x0000000000000000-mapping.dmp
-
memory/1736-70-0x0000000000000000-mapping.dmp
-
memory/1768-81-0x0000000000000000-mapping.dmp
-
memory/1776-35-0x0000000002AC0000-0x0000000002AC1000-memory.dmp
Filesize: 4KB
-
memory/1776-27-0x0000000002AC0000-0x0000000002AC1000-memory.dmp
Filesize: 4KB
-
memory/1776-18-0x0000000000000000-mapping.dmp
-
memory/1852-8-0x00000000055C0000-0x00000000055E3000-memory.dmp
Filesize: 140KB
-
memory/1896-67-0x0000000000000000-mapping.dmp
-
memory/1940-59-0x000007FEF42C0000-0x000007FEF4CAC000-memory.dmp
Filesize: 9.9MB
-
memory/1952-61-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp
Filesize: 9.6MB
-
memory/1952-46-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp
Filesize: 9.6MB
-
memory/1952-42-0x0000000000000000-mapping.dmp
-
memory/2020-50-0x0000000000000000-mapping.dmp
-
memory/2076-82-0x0000000000000000-mapping.dmp
-
memory/2088-84-0x0000000000000000-mapping.dmp
-
memory/2100-202-0x0000000000000000-mapping.dmp
-
memory/2140-85-0x0000000000000000-mapping.dmp
-
memory/2156-86-0x0000000000000000-mapping.dmp
-
memory/2180-87-0x0000000000000000-mapping.dmp
-
memory/2216-88-0x0000000000000000-mapping.dmp
-
memory/2224-183-0x0000000000000000-mapping.dmp
-
memory/2248-89-0x0000000000000000-mapping.dmp
-
memory/2272-90-0x0000000000000000-mapping.dmp
-
memory/2280-197-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp
Filesize: 9.6MB
-
memory/2280-199-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp
Filesize: 9.6MB
-
memory/2324-92-0x0000000000000000-mapping.dmp
-
memory/2336-193-0x0000000000000000-mapping.dmp
-
memory/2368-204-0x0000000000000000-mapping.dmp
-
memory/2372-93-0x0000000000000000-mapping.dmp
-
memory/2392-94-0x0000000000000000-mapping.dmp
-
memory/2436-182-0x0000000000000000-mapping.dmp
-
memory/2440-95-0x0000000000000000-mapping.dmp
-
memory/2456-96-0x0000000000000000-mapping.dmp
-
memory/2480-187-0x0000000000000000-mapping.dmp
-
memory/2500-97-0x0000000000000000-mapping.dmp
-
memory/2516-98-0x0000000000000000-mapping.dmp
-
memory/2540-99-0x0000000000000000-mapping.dmp
-
memory/2580-100-0x0000000000000000-mapping.dmp
-
memory/2600-101-0x0000000000000000-mapping.dmp
-
memory/2644-102-0x0000000000000000-mapping.dmp
-
memory/2652-184-0x0000000000000000-mapping.dmp
-
memory/2680-103-0x0000000000000000-mapping.dmp
-
memory/2688-196-0x0000000000000000-mapping.dmp
-
memory/2688-200-0x0000000000910000-0x0000000000B91000-memory.dmp
Filesize: 2.5MB
-
memory/2716-104-0x0000000000000000-mapping.dmp
-
memory/2756-105-0x0000000000000000-mapping.dmp
-
memory/2768-191-0x0000000000000000-mapping.dmp
-
memory/2788-185-0x0000000000000000-mapping.dmp
-
memory/2792-106-0x0000000000000000-mapping.dmp
-
memory/2824-188-0x0000000000000000-mapping.dmp
-
memory/2860-107-0x0000000000000000-mapping.dmp
-
memory/2872-108-0x0000000000000000-mapping.dmp
-
memory/2920-186-0x0000000000000000-mapping.dmp
-
memory/2932-109-0x0000000000000000-mapping.dmp
-
memory/2948-110-0x0000000000000000-mapping.dmp
-
memory/2968-111-0x0000000000000000-mapping.dmp
-
memory/3000-195-0x0000000000000000-mapping.dmp
-
memory/3200-232-0x0000000000000000-mapping.dmp
-
memory/3440-211-0x0000000000000000-mapping.dmp
-
memory/3452-212-0x0000000000000000-mapping.dmp
-
memory/3468-213-0x0000000000000000-mapping.dmp
-
memory/3488-214-0x0000000000000000-mapping.dmp
-
memory/3508-215-0x0000000000000000-mapping.dmp
-
memory/3564-216-0x0000000000000000-mapping.dmp
-
memory/3600-217-0x0000000000000000-mapping.dmp
-
memory/3620-218-0x0000000000000000-mapping.dmp
-
memory/3636-234-0x0000000000000000-mapping.dmp
-
memory/3652-219-0x0000000000000000-mapping.dmp
-
memory/3676-220-0x0000000000000000-mapping.dmp
-
memory/3708-221-0x0000000000000000-mapping.dmp
-
memory/3788-222-0x0000000000000000-mapping.dmp
-
memory/3800-223-0x0000000000000000-mapping.dmp
-
memory/3840-224-0x0000000000000000-mapping.dmp
-
memory/3856-225-0x0000000000000000-mapping.dmp
-
memory/3868-226-0x0000000000000000-mapping.dmp
-
memory/3924-227-0x0000000000000000-mapping.dmp
-
memory/4012-229-0x0000000000000000-mapping.dmp
-
memory/4044-230-0x0000000000000000-mapping.dmp
-
memory/4060-231-0x0000000000000000-mapping.dmp