Analysis
-
max time kernel
154s -
max time network
136s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
27-09-2021 14:30
General
-
Target
https://www.mediafire.com/file/242jgyoxwu0ze4j/OT2.rar/file
-
Sample
210927-rt4rnshcdl
Malware Config
Signatures
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 26 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Detects Pyinstaller 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 44 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.mediafire.com/file/242jgyoxwu0ze4j/OT2.rar/file1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xcc,0xdc,0x7fffa0424f50,0x7fffa0424f60,0x7fffa0424f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1508 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1760 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2328 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4220 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4696 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4708 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6252 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6560 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6200 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7080 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5448 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7524 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5440 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5300 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5468 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7640 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8200 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,10742786046957076673,3831715166251911216,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:12⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\OT2.rar"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\OT2\Extreme Injector v3.7.3.exe"C:\Users\Admin\Desktop\OT2\Extreme Injector v3.7.3.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\OT2\Extreme Injector v3.7.3.exe"C:\Users\Admin\Desktop\OT2\Extreme Injector v3.7.3.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming/injector.exe3⤵
-
C:\Users\Admin\AppData\Roaming\injector.exeC:\Users\Admin\AppData\Roaming/injector.exe4⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\injector.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost32.exeC:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\injector.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Updater" /tr '"C:\Users\Admin\AppData\Roaming\Windows Updater.exe"' & exit7⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows Updater" /tr '"C:\Users\Admin\AppData\Roaming\Windows Updater.exe"'8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Windows Updater.exe"C:\Users\Admin\AppData\Roaming\Windows Updater.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'9⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'9⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'9⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'9⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\Windows Updater.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost32.exeC:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\Windows Updater.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Updater" /tr '"C:\Users\Admin\AppData\Roaming\Windows Updater.exe"' & exit10⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows Updater" /tr '"C:\Users\Admin\AppData\Roaming\Windows Updater.exe"'11⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"10⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"10⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 311⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"7⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 38⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\OT2\ot2.dll"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\OT2\Extreme Injector v3.7.3.exe"C:\Users\Admin\Desktop\OT2\Extreme Injector v3.7.3.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\OT2\Extreme Injector v3.7.3.exe"C:\Users\Admin\Desktop\OT2\Extreme Injector v3.7.3.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming/injector.exe3⤵
-
C:\Users\Admin\AppData\Roaming\injector.exeC:\Users\Admin\AppData\Roaming/injector.exe4⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\injector.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost32.exeC:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\injector.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Updater" /tr '"C:\Users\Admin\AppData\Roaming\Windows Updater.exe"' & exit7⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows Updater" /tr '"C:\Users\Admin\AppData\Roaming\Windows Updater.exe"'8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Windows Updater.exe"C:\Users\Admin\AppData\Roaming\Windows Updater.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'9⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'9⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'9⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"7⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 38⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\_MEI17962\VCRUNTIME140.dllMD5
0e675d4a7a5b7ccd69013386793f68eb
SHA16e5821ddd8fea6681bda4448816f39984a33596b
SHA256bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66
-
C:\Users\Admin\AppData\Local\Temp\_MEI17962\_bz2.pydMD5
3dc8af67e6ee06af9eec52fe985a7633
SHA11451b8c598348a0c0e50afc0ec91513c46fe3af6
SHA256c55821f5fdb0064c796b2c0b03b51971f073140bc210cbe6ed90387db2bed929
SHA512da16bfbc66c8abc078278d4d3ce1595a54c9ef43ae8837ceb35ae2f4757b930fe55e258827036eba8218315c10af5928e30cb22c60ff69159c8fe76327280087
-
C:\Users\Admin\AppData\Local\Temp\_MEI17962\_ctypes.pydMD5
f1e33a8f6f91c2ed93dc5049dd50d7b8
SHA123c583dc98aa3f6b8b108db5d90e65d3dd72e9b4
SHA2569459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4
SHA512229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5
-
C:\Users\Admin\AppData\Local\Temp\_MEI17962\_hashlib.pydMD5
a6448bc5e5da21a222de164823add45c
SHA16c26eb949d7eb97d19e42559b2e3713d7629f2f9
SHA2563692fc8e70e6e29910032240080fc8109248ce9a996f0a70d69acf1542fca69a
SHA512a3833c7e1cf0e4d181ac4de95c5dfa685cf528dc39010bf0ac82864953106213eccff70785021ccb05395b5cf0dcb89404394327cd7e69f820d14dfa6fba8cba
-
C:\Users\Admin\AppData\Local\Temp\_MEI17962\_lzma.pydMD5
37057c92f50391d0751f2c1d7ad25b02
SHA1a43c6835b11621663fa251da421be58d143d2afb
SHA2569442dc46829485670a6ac0c02ef83c54b401f1570d1d5d1d85c19c1587487764
SHA512953dc856ad00c3aec6aeab3afa2deb24211b5b791c184598a2573b444761db2d4d770b8b807ebba00ee18725ff83157ec5fa2e3591a7756eb718eba282491c7c
-
C:\Users\Admin\AppData\Local\Temp\_MEI17962\_socket.pydMD5
d6bae4b430f349ab42553dc738699f0e
SHA17e5efc958e189c117eccef39ec16ebf00e7645a9
SHA256587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef
SHA512a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e
-
C:\Users\Admin\AppData\Local\Temp\_MEI17962\_ssl.pydMD5
8ee827f2fe931163f078acdc97107b64
SHA1149bb536f3492bc59bd7071a3da7d1f974860641
SHA256eaeefa6722c45e486f48a67ba18b4abb3ff0c29e5b30c23445c29a4d0b1cd3e4
SHA512a6d24e72bf620ef695f08f5ffde70ef93f42a3fa60f7c76eb0f521393c595717e05ccb7a61ae216c18fe41e95fb238d82637714cf5208ee8f1dd32ae405b5565
-
C:\Users\Admin\AppData\Local\Temp\_MEI17962\base_library.zipMD5
19d34805782c4704d1e2a81fe32e9c27
SHA18c3d99a0616abc478d6230d07f9dc7b38313813e
SHA25606f3c20b42de72e69e9c6b2f66f149f5a65161873e30d07129333f53858d97bb
SHA512267b8db8751ea170cd2e04ff5a4d87b0b65edc6d251a8016c213c97bcd8f3a12d955fc25860147b303b153b00d0a41191c09ed24e6fd4b95cb34ae98009456a4
-
C:\Users\Admin\AppData\Local\Temp\_MEI17962\libcrypto-1_1.dllMD5
bf83f8ad60cb9db462ce62c73208a30d
SHA1f1bc7dbc1e5b00426a51878719196d78981674c4
SHA256012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d
SHA512ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e
-
C:\Users\Admin\AppData\Local\Temp\_MEI17962\libffi-7.dllMD5
4424baf6ed5340df85482fa82b857b03
SHA1181b641bf21c810a486f855864cd4b8967c24c44
SHA2568c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79
SHA5128adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33
-
C:\Users\Admin\AppData\Local\Temp\_MEI17962\libssl-1_1.dllMD5
fe1f3632af98e7b7a2799e3973ba03cf
SHA1353c7382e2de3ccdd2a4911e9e158e7c78648496
SHA2561ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b
SHA512a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0
-
C:\Users\Admin\AppData\Local\Temp\_MEI17962\python38.dllMD5
d2a8a5e7380d5f4716016777818a32c5
SHA1fb12f31d1d0758fe3e056875461186056121ed0c
SHA25659ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9
SHA512ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7
-
C:\Users\Admin\AppData\Local\Temp\_MEI17962\select.pydMD5
6ae54d103866aad6f58e119d27552131
SHA1bc53a92a7667fd922ce29e98dfcf5f08f798a3d2
SHA25663b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88
SHA512ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0
-
C:\Users\Admin\AppData\Local\Temp\_MEI17962\unicodedata.pydMD5
4c0d43f1a31e76255cb592bb616683e7
SHA10a9f3d77a6e064baebacacc780701117f09169ad
SHA2560f84e9f0d0bf44d10527a9816fcab495e3d797b09e7bbd1e6bd666ceb4b6c1a8
SHA512b8176a180a441fe402e86f055aa5503356e7f49e984d70ab1060dee4f5f17fcec9c01f75bbff75ce5f4ef212677a6525804be53646cc0d7817b6ed5fd83fd778
-
C:\Users\Admin\AppData\Roaming\injector.exeMD5
c3beb5621d7fc2840fbf6f3f2b57d9f8
SHA1fcdace16c2bc961e09f3de054fbc5104a8ba0145
SHA25671972883e6eb1cf2015c44c27559c750081025b00db29e89e86c07aa345bb14c
SHA5120b7a4d3b4562a2db15d1e0c0f53492ad7f8ed75b51076c0a1d93213dd4061829976822a520f2ff43c32df70955615c1d8a2abdab6236311417c9f9ad478efcac
-
C:\Users\Admin\Desktop\OT2\Extreme Injector v3.7.3.exeMD5
24be9c6a1fd6015658a063d4b928266d
SHA194a7a2a38feae24aedff09e8d869f6279f5b8945
SHA256d71036e4068936a95df2b37ab642cde38ced4792a001f25fcc8e4fb4629f10f2
SHA512add8d65d0c0f0980d7c877eec7a0dbeeb11e023ee7ad423d6ca5e42610b9f68897a86897b17447f562c0ff791c59aabca011876ec67806ac9b203084adb6cbde
-
C:\Users\Admin\Desktop\OT2\Extreme Injector v3.7.3.exeMD5
24be9c6a1fd6015658a063d4b928266d
SHA194a7a2a38feae24aedff09e8d869f6279f5b8945
SHA256d71036e4068936a95df2b37ab642cde38ced4792a001f25fcc8e4fb4629f10f2
SHA512add8d65d0c0f0980d7c877eec7a0dbeeb11e023ee7ad423d6ca5e42610b9f68897a86897b17447f562c0ff791c59aabca011876ec67806ac9b203084adb6cbde
-
C:\Users\Admin\Desktop\OT2\Extreme Injector v3.7.3.exeMD5
24be9c6a1fd6015658a063d4b928266d
SHA194a7a2a38feae24aedff09e8d869f6279f5b8945
SHA256d71036e4068936a95df2b37ab642cde38ced4792a001f25fcc8e4fb4629f10f2
SHA512add8d65d0c0f0980d7c877eec7a0dbeeb11e023ee7ad423d6ca5e42610b9f68897a86897b17447f562c0ff791c59aabca011876ec67806ac9b203084adb6cbde
-
C:\Users\Admin\Desktop\OT2\ot2.dllMD5
840eb2fa2e6afb1d75b201709c34ff48
SHA19c6fbd923a10aea41e1aefb0af63f4512f0f9969
SHA256ec0df4690b326a07e373dd2a76c0d180e55afa7523b91a48513597f7c683e62a
SHA5123eb925e63ec34fa29af31feba8a4cbedb08b93bef581898ec85217add65856de3aa35818a7fba7aeffb678e9eb61469131cd8c3779c8c6084f416796b1195f48
-
C:\Users\Admin\Downloads\OT2.rarMD5
2ca07944c7296fae44702a8798f93510
SHA10633884819815729df3a4fa3162bf4f2460e17d8
SHA2566be7b5fff4161ae6f297b12849846e2faadc5cc39a7d2eba9bebbf52d900b399
SHA512c3a97bdacea68965b362f450fe0e40e19f1ffc7fb13beb4de08e42df188999d8a55c27df8ab5dfbc00d4834cf0aeec8a99e7c1bc06f6b43b13ad7ab6366691d1
-
\??\pipe\crashpad_2492_HKBXJUQXDOCYCMJLMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\_MEI17962\VCRUNTIME140.dllMD5
0e675d4a7a5b7ccd69013386793f68eb
SHA16e5821ddd8fea6681bda4448816f39984a33596b
SHA256bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66
-
\Users\Admin\AppData\Local\Temp\_MEI17962\_bz2.pydMD5
3dc8af67e6ee06af9eec52fe985a7633
SHA11451b8c598348a0c0e50afc0ec91513c46fe3af6
SHA256c55821f5fdb0064c796b2c0b03b51971f073140bc210cbe6ed90387db2bed929
SHA512da16bfbc66c8abc078278d4d3ce1595a54c9ef43ae8837ceb35ae2f4757b930fe55e258827036eba8218315c10af5928e30cb22c60ff69159c8fe76327280087
-
\Users\Admin\AppData\Local\Temp\_MEI17962\_ctypes.pydMD5
f1e33a8f6f91c2ed93dc5049dd50d7b8
SHA123c583dc98aa3f6b8b108db5d90e65d3dd72e9b4
SHA2569459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4
SHA512229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5
-
\Users\Admin\AppData\Local\Temp\_MEI17962\_hashlib.pydMD5
a6448bc5e5da21a222de164823add45c
SHA16c26eb949d7eb97d19e42559b2e3713d7629f2f9
SHA2563692fc8e70e6e29910032240080fc8109248ce9a996f0a70d69acf1542fca69a
SHA512a3833c7e1cf0e4d181ac4de95c5dfa685cf528dc39010bf0ac82864953106213eccff70785021ccb05395b5cf0dcb89404394327cd7e69f820d14dfa6fba8cba
-
\Users\Admin\AppData\Local\Temp\_MEI17962\_lzma.pydMD5
37057c92f50391d0751f2c1d7ad25b02
SHA1a43c6835b11621663fa251da421be58d143d2afb
SHA2569442dc46829485670a6ac0c02ef83c54b401f1570d1d5d1d85c19c1587487764
SHA512953dc856ad00c3aec6aeab3afa2deb24211b5b791c184598a2573b444761db2d4d770b8b807ebba00ee18725ff83157ec5fa2e3591a7756eb718eba282491c7c
-
\Users\Admin\AppData\Local\Temp\_MEI17962\_socket.pydMD5
d6bae4b430f349ab42553dc738699f0e
SHA17e5efc958e189c117eccef39ec16ebf00e7645a9
SHA256587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef
SHA512a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e
-
\Users\Admin\AppData\Local\Temp\_MEI17962\_ssl.pydMD5
8ee827f2fe931163f078acdc97107b64
SHA1149bb536f3492bc59bd7071a3da7d1f974860641
SHA256eaeefa6722c45e486f48a67ba18b4abb3ff0c29e5b30c23445c29a4d0b1cd3e4
SHA512a6d24e72bf620ef695f08f5ffde70ef93f42a3fa60f7c76eb0f521393c595717e05ccb7a61ae216c18fe41e95fb238d82637714cf5208ee8f1dd32ae405b5565
-
\Users\Admin\AppData\Local\Temp\_MEI17962\libcrypto-1_1.dllMD5
bf83f8ad60cb9db462ce62c73208a30d
SHA1f1bc7dbc1e5b00426a51878719196d78981674c4
SHA256012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d
SHA512ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e
-
\Users\Admin\AppData\Local\Temp\_MEI17962\libffi-7.dllMD5
4424baf6ed5340df85482fa82b857b03
SHA1181b641bf21c810a486f855864cd4b8967c24c44
SHA2568c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79
SHA5128adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33
-
\Users\Admin\AppData\Local\Temp\_MEI17962\libssl-1_1.dllMD5
fe1f3632af98e7b7a2799e3973ba03cf
SHA1353c7382e2de3ccdd2a4911e9e158e7c78648496
SHA2561ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b
SHA512a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0
-
\Users\Admin\AppData\Local\Temp\_MEI17962\python38.dllMD5
d2a8a5e7380d5f4716016777818a32c5
SHA1fb12f31d1d0758fe3e056875461186056121ed0c
SHA25659ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9
SHA512ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7
-
\Users\Admin\AppData\Local\Temp\_MEI17962\select.pydMD5
6ae54d103866aad6f58e119d27552131
SHA1bc53a92a7667fd922ce29e98dfcf5f08f798a3d2
SHA25663b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88
SHA512ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0
-
\Users\Admin\AppData\Local\Temp\_MEI17962\unicodedata.pydMD5
4c0d43f1a31e76255cb592bb616683e7
SHA10a9f3d77a6e064baebacacc780701117f09169ad
SHA2560f84e9f0d0bf44d10527a9816fcab495e3d797b09e7bbd1e6bd666ceb4b6c1a8
SHA512b8176a180a441fe402e86f055aa5503356e7f49e984d70ab1060dee4f5f17fcec9c01f75bbff75ce5f4ef212677a6525804be53646cc0d7817b6ed5fd83fd778
-
memory/520-447-0x0000000000000000-mapping.dmp
-
memory/520-479-0x000002536C093000-0x000002536C095000-memory.dmpFilesize
8KB
-
memory/520-481-0x000002536C096000-0x000002536C098000-memory.dmpFilesize
8KB
-
memory/520-477-0x000002536C090000-0x000002536C092000-memory.dmpFilesize
8KB
-
memory/520-499-0x000002536C098000-0x000002536C099000-memory.dmpFilesize
4KB
-
memory/672-440-0x000001E622133000-0x000001E622135000-memory.dmpFilesize
8KB
-
memory/672-476-0x000001E622138000-0x000001E622139000-memory.dmpFilesize
4KB
-
memory/672-442-0x000001E622136000-0x000001E622138000-memory.dmpFilesize
8KB
-
memory/672-438-0x000001E622130000-0x000001E622132000-memory.dmpFilesize
8KB
-
memory/672-407-0x0000000000000000-mapping.dmp
-
memory/692-140-0x0000000000000000-mapping.dmp
-
memory/776-130-0x0000000000000000-mapping.dmp
-
memory/828-719-0x0000000000000000-mapping.dmp
-
memory/828-750-0x0000020D2B223000-0x0000020D2B225000-memory.dmpFilesize
8KB
-
memory/828-787-0x0000020D2B228000-0x0000020D2B229000-memory.dmpFilesize
4KB
-
memory/828-753-0x0000020D2B226000-0x0000020D2B228000-memory.dmpFilesize
8KB
-
memory/828-749-0x0000020D2B220000-0x0000020D2B222000-memory.dmpFilesize
8KB
-
memory/856-876-0x00000229F8FC8000-0x00000229F8FC9000-memory.dmpFilesize
4KB
-
memory/856-851-0x00000229F8FC0000-0x00000229F8FC2000-memory.dmpFilesize
8KB
-
memory/856-856-0x00000229F8FC6000-0x00000229F8FC8000-memory.dmpFilesize
8KB
-
memory/856-853-0x00000229F8FC3000-0x00000229F8FC5000-memory.dmpFilesize
8KB
-
memory/872-137-0x0000000000000000-mapping.dmp
-
memory/1052-630-0x0000022AF5A38000-0x0000022AF5A39000-memory.dmpFilesize
4KB
-
memory/1052-578-0x0000000000000000-mapping.dmp
-
memory/1052-628-0x0000022AF5A36000-0x0000022AF5A38000-memory.dmpFilesize
8KB
-
memory/1052-591-0x0000022AF5A33000-0x0000022AF5A35000-memory.dmpFilesize
8KB
-
memory/1052-590-0x0000022AF5A30000-0x0000022AF5A32000-memory.dmpFilesize
8KB
-
memory/1056-901-0x000001DCF7EA6000-0x000001DCF7EA8000-memory.dmpFilesize
8KB
-
memory/1056-897-0x000001DCF7EA0000-0x000001DCF7EA2000-memory.dmpFilesize
8KB
-
memory/1056-899-0x000001DCF7EA3000-0x000001DCF7EA5000-memory.dmpFilesize
8KB
-
memory/1056-931-0x000001DCF7EA8000-0x000001DCF7EA9000-memory.dmpFilesize
4KB
-
memory/1192-713-0x0000000000000000-mapping.dmp
-
memory/1284-379-0x000000001C2B0000-0x000000001C2B2000-memory.dmpFilesize
8KB
-
memory/1284-362-0x0000000000000000-mapping.dmp
-
memory/1284-364-0x0000000000680000-0x0000000000681000-memory.dmpFilesize
4KB
-
memory/1796-701-0x0000000000000000-mapping.dmp
-
memory/1796-710-0x00000000038D0000-0x00000000038D2000-memory.dmpFilesize
8KB
-
memory/1852-537-0x0000000000000000-mapping.dmp
-
memory/2236-671-0x000001FCB3D83000-0x000001FCB3D85000-memory.dmpFilesize
8KB
-
memory/2236-658-0x0000000000000000-mapping.dmp
-
memory/2236-670-0x000001FCB3D80000-0x000001FCB3D82000-memory.dmpFilesize
8KB
-
memory/2236-697-0x000001FCB3D86000-0x000001FCB3D88000-memory.dmpFilesize
8KB
-
memory/2236-698-0x000001FCB3D88000-0x000001FCB3D89000-memory.dmpFilesize
4KB
-
memory/2544-297-0x0000000000000000-mapping.dmp
-
memory/2600-117-0x0000000000000000-mapping.dmp
-
memory/2604-788-0x0000014462640000-0x0000014462642000-memory.dmpFilesize
8KB
-
memory/2604-820-0x0000014462648000-0x0000014462649000-memory.dmpFilesize
4KB
-
memory/2604-791-0x0000014462646000-0x0000014462648000-memory.dmpFilesize
8KB
-
memory/2604-789-0x0000014462643000-0x0000014462645000-memory.dmpFilesize
8KB
-
memory/2716-179-0x0000000000000000-mapping.dmp
-
memory/3492-122-0x0000000000000000-mapping.dmp
-
memory/3708-312-0x0000000000000000-mapping.dmp
-
memory/3708-176-0x0000000000000000-mapping.dmp
-
memory/3788-322-0x0000000000000000-mapping.dmp
-
memory/3788-486-0x0000000000000000-mapping.dmp
-
memory/3788-502-0x000002357EA80000-0x000002357EA82000-memory.dmpFilesize
8KB
-
memory/3788-503-0x000002357EA83000-0x000002357EA85000-memory.dmpFilesize
8KB
-
memory/3788-505-0x000002357EA86000-0x000002357EA88000-memory.dmpFilesize
8KB
-
memory/3788-526-0x000002357EA88000-0x000002357EA89000-memory.dmpFilesize
4KB
-
memory/3840-123-0x00007FFFA9B20000-0x00007FFFA9B21000-memory.dmpFilesize
4KB
-
memory/3840-121-0x0000000000000000-mapping.dmp
-
memory/3872-180-0x0000000000000000-mapping.dmp
-
memory/3876-186-0x0000000000000000-mapping.dmp
-
memory/3876-849-0x00000199B2F98000-0x00000199B2F99000-memory.dmpFilesize
4KB
-
memory/3876-822-0x00000199B2F90000-0x00000199B2F92000-memory.dmpFilesize
8KB
-
memory/3876-824-0x00000199B2F93000-0x00000199B2F95000-memory.dmpFilesize
8KB
-
memory/3876-827-0x00000199B2F96000-0x00000199B2F98000-memory.dmpFilesize
8KB
-
memory/3876-151-0x0000000000000000-mapping.dmp
-
memory/4004-307-0x0000000000000000-mapping.dmp
-
memory/4112-970-0x000001AB317D8000-0x000001AB317D9000-memory.dmpFilesize
4KB
-
memory/4112-933-0x000001AB317D0000-0x000001AB317D2000-memory.dmpFilesize
8KB
-
memory/4112-935-0x000001AB317D3000-0x000001AB317D5000-memory.dmpFilesize
8KB
-
memory/4112-969-0x000001AB317D6000-0x000001AB317D8000-memory.dmpFilesize
8KB
-
memory/4172-700-0x0000000000000000-mapping.dmp
-
memory/4176-550-0x000000001C260000-0x000000001C262000-memory.dmpFilesize
8KB
-
memory/4176-535-0x0000000000000000-mapping.dmp
-
memory/4180-668-0x000002389EEF6000-0x000002389EEF8000-memory.dmpFilesize
8KB
-
memory/4180-632-0x000002389EEF0000-0x000002389EEF2000-memory.dmpFilesize
8KB
-
memory/4180-669-0x000002389EEF8000-0x000002389EEF9000-memory.dmpFilesize
4KB
-
memory/4180-618-0x0000000000000000-mapping.dmp
-
memory/4180-633-0x000002389EEF3000-0x000002389EEF5000-memory.dmpFilesize
8KB
-
memory/4180-278-0x0000000000000000-mapping.dmp
-
memory/4200-533-0x0000000000000000-mapping.dmp
-
memory/4224-200-0x0000000000000000-mapping.dmp
-
memory/4244-203-0x0000000000000000-mapping.dmp
-
memory/4252-282-0x0000000000000000-mapping.dmp
-
memory/4268-211-0x0000000000000000-mapping.dmp
-
memory/4288-712-0x0000000000000000-mapping.dmp
-
memory/4300-529-0x0000000000FD0000-0x0000000000FD1000-memory.dmpFilesize
4KB
-
memory/4300-534-0x00000000018D0000-0x00000000018D2000-memory.dmpFilesize
8KB
-
memory/4300-528-0x0000000000000000-mapping.dmp
-
memory/4300-531-0x00000000018F0000-0x00000000018F1000-memory.dmpFilesize
4KB
-
memory/4332-215-0x0000000000000000-mapping.dmp
-
memory/4372-718-0x0000000000000000-mapping.dmp
-
memory/4400-715-0x0000000000000000-mapping.dmp
-
memory/4400-748-0x000000001C630000-0x000000001C632000-memory.dmpFilesize
8KB
-
memory/4436-373-0x000002827D320000-0x000002827D321000-memory.dmpFilesize
4KB
-
memory/4436-367-0x0000000000000000-mapping.dmp
-
memory/4436-403-0x000002827D376000-0x000002827D378000-memory.dmpFilesize
8KB
-
memory/4436-381-0x000002827D373000-0x000002827D375000-memory.dmpFilesize
8KB
-
memory/4436-436-0x000002827D378000-0x000002827D379000-memory.dmpFilesize
4KB
-
memory/4436-380-0x000002827D370000-0x000002827D372000-memory.dmpFilesize
8KB
-
memory/4436-376-0x000002827DD90000-0x000002827DD91000-memory.dmpFilesize
4KB
-
memory/4476-287-0x0000000000000000-mapping.dmp
-
memory/4492-539-0x0000000000000000-mapping.dmp
-
memory/4500-895-0x0000000001690000-0x0000000001692000-memory.dmpFilesize
8KB
-
memory/4504-230-0x0000000000000000-mapping.dmp
-
memory/4508-880-0x000000001CE10000-0x000000001CE12000-memory.dmpFilesize
8KB
-
memory/4540-235-0x0000000000000000-mapping.dmp
-
memory/4548-292-0x0000000000000000-mapping.dmp
-
memory/4556-361-0x0000000000000000-mapping.dmp
-
memory/4560-302-0x0000000000000000-mapping.dmp
-
memory/4584-244-0x0000000000000000-mapping.dmp
-
memory/4612-541-0x0000000000000000-mapping.dmp
-
memory/4672-527-0x0000000000000000-mapping.dmp
-
memory/4676-366-0x0000000000000000-mapping.dmp
-
memory/4776-553-0x000001CADE9E3000-0x000001CADE9E5000-memory.dmpFilesize
8KB
-
memory/4776-552-0x000001CADE9E0000-0x000001CADE9E2000-memory.dmpFilesize
8KB
-
memory/4776-540-0x0000000000000000-mapping.dmp
-
memory/4776-588-0x000001CADE9E6000-0x000001CADE9E8000-memory.dmpFilesize
8KB
-
memory/4776-589-0x000001CADE9E8000-0x000001CADE9E9000-memory.dmpFilesize
4KB
-
memory/4808-532-0x0000000000000000-mapping.dmp
-
memory/4808-708-0x0000000000640000-0x0000000000641000-memory.dmpFilesize
4KB
-
memory/4808-706-0x0000000000000000-mapping.dmp
-
memory/4808-711-0x000000001C250000-0x000000001C252000-memory.dmpFilesize
8KB
-
memory/4888-260-0x0000000000000000-mapping.dmp
-
memory/4920-331-0x0000000000000000-mapping.dmp
-
memory/4924-707-0x0000000000000000-mapping.dmp
-
memory/4952-699-0x0000000000000000-mapping.dmp
-
memory/4952-264-0x0000000000000000-mapping.dmp
-
memory/4976-705-0x0000000000000000-mapping.dmp
-
memory/5064-269-0x0000000000000000-mapping.dmp
-
memory/5076-318-0x0000000000000000-mapping.dmp
-
memory/5080-714-0x0000000000000000-mapping.dmp
-
memory/5116-274-0x0000000000000000-mapping.dmp