Analysis
- max time kernel: 156s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 08-02-2022 16:27

Static task: static1

Behavioral task: behavioral1
- Sample: 2CB326BF23A15DFA548DF0266743EFFFEFE1CB91450B3.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 2CB326BF23A15DFA548DF0266743EFFFEFE1CB91450B3.exe
- Resource: win10v2004-en-20220112
General
- Target: 2CB326BF23A15DFA548DF0266743EFFFEFE1CB91450B3.exe
- Size: 1.1MB
- MD5: d163e4d75e3e115cce99679d08595c6e
- SHA1: a859952a86158d2f60ed927a966d17eede94887d
- SHA256: 2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9
- SHA512: e43b7db81a24c0b27df91f0fac967be0e2089b3b74ea3b431be47a900e73c5f5bf498da14921edbfa397ff3f5d767716ff60a5ca10d1ff7f213d9d20023b6413
Malware Config

Extracted: oski
- pretorian.ug

Extracted: raccoon
- 125d9f8ed76e486f6563be097a710bd4cba7f7f2
- url4cnc:
  - http://5.252.178.180/brikitiki
  - https://t.me/brikitiki

Extracted: azorult
- http://195.245.112.115/index.php
Signatures
- Azorult: an information stealer first discovered in 2016, targeting browsing history and passwords.
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Oski: an infostealer targeting browser data and crypto wallets.
ModiLoader First Stage 2 IoCs
resource / yara_rule:
- behavioral2/memory/1720-195-0x0000000002DC0000-0x0000000002DDB000-memory.dmp: modiloader_stage1
- behavioral2/memory/3996-270-0x0000000002DC0000-0x0000000002DDB000-memory.dmp: modiloader_stage1
Downloads MZ/PE file
Executes dropped EXE 16 IoCs
pid / process:
- 3664 kgen.exe
- 2344 Keygen.exe
- 3768 kgen.exe
- 1400 CcmfdgsaYsd.exe
- 2988 Dbvsdfe.exe
- 1100 CHmfdgaYsHsd.exe
- 1960 dfgasdme.exe
- 3752 Dbvsdfe.exe
- 2680 CcmfdgsaYsd.exe
- 4076 dfgasdme.exe
- 3340 pm.exe
- 1720 cc.exe
- 3336 cc.exe
- 3876 aspnet_compiler.exe
- 3996 fodhelper.exe
- 3296 fodhelper.exe
resource / yara_rule:
- C:\Users\Admin\AppData\Local\Temp\BC39.tmp\Keygen.exe: upx
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation, by each of:
- CcmfdgsaYsd.exe
- dfgasdme.exe
- Dbvsdfe.exe
- pm.exe
- WScript.exe
- 2CB326BF23A15DFA548DF0266743EFFFEFE1CB91450B3.exe
- kgen.exe
Loads dropped DLL 7 IoCs
pid / process:
- 4076 dfgasdme.exe
- 3752 Dbvsdfe.exe
- 4076 dfgasdme.exe
- 4076 dfgasdme.exe
- 4076 dfgasdme.exe
- 3752 Dbvsdfe.exe
- 3752 Dbvsdfe.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description / ioc / process:
- Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (dfgasdme.exe)
- Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (dfgasdme.exe)
- Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (dfgasdme.exe)

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 1 IoCs
description / ioc / process:
- Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winda = "\"C:\\Users\\Admin\\AppData\\Roaming\\winda.exe\"" (pm.exe)

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid / process:
- 3768 kgen.exe
- 3768 kgen.exe

Suspicious use of SetThreadContext 7 IoCs
description / pid / process / target process:
- PID 3664 (kgen.exe) set thread context of 3768 (kgen.exe)
- PID 2988 (Dbvsdfe.exe) set thread context of 3752 (Dbvsdfe.exe)
- PID 1400 (CcmfdgsaYsd.exe) set thread context of 2680 (CcmfdgsaYsd.exe)
- PID 1960 (dfgasdme.exe) set thread context of 4076 (dfgasdme.exe)
- PID 1720 (cc.exe) set thread context of 3336 (cc.exe)
- PID 3340 (pm.exe) set thread context of 3876 (aspnet_compiler.exe)
- PID 3996 (fodhelper.exe) set thread context of 3296 (fodhelper.exe)

Drops file in Windows directory 1 IoCs
description / ioc / process:
- File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description / ioc / process:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (dfgasdme.exe)
- Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Dbvsdfe.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (dfgasdme.exe)

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / process:
- 3724 schtasks.exe
- 2624 schtasks.exe

Delays execution with timeout.exe 1 IoCs
pid / process:
- 2284 timeout.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
pid / process:
- 996 ipconfig.exe
- 1676 ipconfig.exe

Kills process with taskkill 1 IoCs
pid / process:
- 3868 taskkill.exe
Modifies data under HKEY_USERS 45 IoCs
All 45 entries were made by svchost.exe under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization; the paths below are relative to that key.
- Set value (int) Usage\LANConnectionCount = "0"
- Set value (int) Usage\FrDownloadRatePct = "90"
- Key created Usage
- Set value (int) Usage\UploadMonthlyLanBytes = "0"
- Set value (int) Usage\DownloadMonthlyRateFrBps = "0"
- Set value (int) Usage\DownloadMonthlyRateFrCnt = "0"
- Set value (str) Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
- Set value (int) Usage\PeerInfoCount = "0"
- Set value (int) Usage\BkDownloadRatePct = "45"
- Set value (int) Usage\DownloadMonthlyCdnBytes = "0"
- Set value (int) Usage\CacheSizeBytes = "0"
- Set value (int) Usage\CDNConnectionCount = "0"
- Set value (int) Usage\GroupConnectionCount = "0"
- Set value (int) Usage\UploadCount = "0"
- Set value (int) Config\DownloadMode_BackCompat = "1"
- Set value (int) Usage\DownloadMonthlyRateBkCnt = "0"
- Set value (int) Usage\PriorityDownloadCount = "0"
- Set value (int) Usage\NormalDownloadCount = "0"
- Key created (the DeliveryOptimization key itself)
- Set value (int) Usage\UploadMonthlyInternetBytes = "0"
- Set value (int) Usage\DownloadMonthlyRateBkBps = "0"
- Set value (int) Usage\LinkLocalConnectionCount = "0"
- Set value (int) Usage\DownlinkBps = "0"
- Set value (int) Usage\UplinkBps = "0"
- Key created Config
- Set value (int) Config\DODownloadMode = "1"
- Set value (int) Usage\MonthID = "2"
- Set value (str) Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
- Set value (int) Usage\MonthlyUploadRestriction = "0"
- Set value (int) Usage\PriorityDownloadPendingCount = "0"
- Key created Settings
- Set value (int) Usage\DownloadMonthlyInternetBytes = "0"
- Set value (int) Usage\DownloadMonthlyCacheHostBytes = "0"
- Set value (int) Usage\SwarmCount = "1"
- Set value (int) Usage\UplinkUsageBps = "0"
- Set value (int) Usage\NormalDownloadPendingCount = "0"
- Set value (str) Usage\CPUpct = "1.604266"
- Set value (int) Usage\MemoryUsageKB = "4048"
- Set value (int) Usage\UploadRatePct = "100"
- Set value (int) Usage\DownloadMonthlyLanBytes = "0"
- Set value (int) Usage\DownloadMonthlyLinkLocalBytes = "0"
- Set value (int) Usage\DownloadMonthlyGroupBytes = "0"
- Set value (int) Config\KVFileExpirationTime = "132889885953428690"
- Set value (int) Usage\InternetConnectionCount = "0"
- Set value (int) Usage\DownlinkUsageBps = "0"
Modifies registry class 1 IoCs
description / ioc / process:
- Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings (pm.exe)
Modifies system certificate store
description / ioc / process:
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (cc.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob (cc.exe); the value is the DER certificate of the Comodo CA Limited "AAA Certificate Services" root, omitted here
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid / process:
- 4076 dfgasdme.exe
- 4076 dfgasdme.exe
- 3852 powershell.exe
- 3852 powershell.exe
- 3052 powershell.exe
- 3052 powershell.exe
- 220 powershell.exe
- 220 powershell.exe
- 3168 powershell.exe
- 3168 powershell.exe
- 332 powershell.exe
- 332 powershell.exe
- 3340 pm.exe
- 3340 pm.exe
- 3876 aspnet_compiler.exe
- 3876 aspnet_compiler.exe

Suspicious behavior: MapViewOfSection 4 IoCs
pid / process:
- 3664 kgen.exe
- 2988 Dbvsdfe.exe
- 1400 CcmfdgsaYsd.exe
- 1960 dfgasdme.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs
description / pid / process:
- Token: SeDebugPrivilege 3340 pm.exe
- Token: SeDebugPrivilege 3852 powershell.exe
- Token: SeDebugPrivilege 3868 taskkill.exe
- Token: SeDebugPrivilege 3052 powershell.exe
- Token: SeDebugPrivilege 220 powershell.exe
- Token: SeDebugPrivilege 3168 powershell.exe
- Token: SeDebugPrivilege 332 powershell.exe
- Token: SeDebugPrivilege 3876 aspnet_compiler.exe

Suspicious use of SetWindowsHookEx 6 IoCs
pid / process:
- 3664 kgen.exe
- 3768 kgen.exe
- 1400 CcmfdgsaYsd.exe
- 2988 Dbvsdfe.exe
- 1100 CHmfdgaYsHsd.exe
- 1960 dfgasdme.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each source/target pair is listed once, with the number of recorded write events in brackets (64 events in total):
- PID 2628 (2CB326BF23A15DFA548DF0266743EFFFEFE1CB91450B3.exe) wrote to memory of 1464 (cmd.exe) [3]
- PID 1464 (cmd.exe) wrote to memory of 3664 (kgen.exe) [3]
- PID 1464 (cmd.exe) wrote to memory of 2344 (Keygen.exe) [3]
- PID 3664 (kgen.exe) wrote to memory of 3768 (kgen.exe) [4]
- PID 3768 (kgen.exe) wrote to memory of 1400 (CcmfdgsaYsd.exe) [3]
- PID 1400 (CcmfdgsaYsd.exe) wrote to memory of 2988 (Dbvsdfe.exe) [3]
- PID 3768 (kgen.exe) wrote to memory of 1100 (CHmfdgaYsHsd.exe) [3]
- PID 1400 (CcmfdgsaYsd.exe) wrote to memory of 1960 (dfgasdme.exe) [3]
- PID 2988 (Dbvsdfe.exe) wrote to memory of 3752 (Dbvsdfe.exe) [4]
- PID 1400 (CcmfdgsaYsd.exe) wrote to memory of 2680 (CcmfdgsaYsd.exe) [4]
- PID 1960 (dfgasdme.exe) wrote to memory of 4076 (dfgasdme.exe) [4]
- PID 4076 (dfgasdme.exe) wrote to memory of 3340 (pm.exe) [2]
- PID 4076 (dfgasdme.exe) wrote to memory of 1720 (cc.exe) [3]
- PID 4076 (dfgasdme.exe) wrote to memory of 2452 (cmd.exe) [3]
- PID 3752 (Dbvsdfe.exe) wrote to memory of 1304 (cmd.exe) [3]
- PID 3340 (pm.exe) wrote to memory of 3852 (powershell.exe) [2]
- PID 1304 (cmd.exe) wrote to memory of 3868 (taskkill.exe) [3]
- PID 2452 (cmd.exe) wrote to memory of 2284 (timeout.exe) [3]
- PID 3852 (powershell.exe) wrote to memory of 996 (ipconfig.exe) [2]
- PID 3340 (pm.exe) wrote to memory of 3052 (powershell.exe) [2]
- PID 1720 (cc.exe) wrote to memory of 3336 (cc.exe) [4]
outlook_office_path 1 IoCs
description / ioc / process:
- Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (dfgasdme.exe)

outlook_win_path 1 IoCs
description / ioc / process:
- Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (dfgasdme.exe)
Processes
The tree below is indented by process depth; each entry gives the image path, the command line (cmd:) and the signatures matched by that process. Encoded PowerShell command lines are shown together with their decoded UTF-16LE content.

[1] C:\Users\Admin\AppData\Local\Temp\2CB326BF23A15DFA548DF0266743EFFFEFE1CB91450B3.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\2CB326BF23A15DFA548DF0266743EFFFEFE1CB91450B3.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BC39.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\2CB326BF23A15DFA548DF0266743EFFFEFE1CB91450B3.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\BC39.tmp\kgen.exe
        cmd: kgen.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\BC39.tmp\kgen.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\BC39.tmp\kgen.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\CcmfdgsaYsd.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\CcmfdgsaYsd.exe" 0
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"
                - Executes dropped EXE
                - Checks computer location settings
                - Loads dropped DLL
                - Checks processor information in registry
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\cmd.exe
                  cmd: "C:\Windows\System32\cmd.exe" /c taskkill /pid 3752 & erase C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe & RD /S /Q C:\\ProgramData\\639225439249915\\* & exit
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SysWOW64\taskkill.exe
                    cmd: taskkill /pid 3752
                    - Kills process with taskkill
                    - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"
                - Executes dropped EXE
                - Checks computer location settings
                - Loads dropped DLL
                - Accesses Microsoft Outlook profiles
                - Checks processor information in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - outlook_office_path
                - outlook_win_path
              [8] C:\Users\Admin\AppData\Local\Temp\pm.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\pm.exe"
                  - Executes dropped EXE
                  - Checks computer location settings
                  - Adds Run key to start application
                  - Suspicious use of SetThreadContext
                  - Modifies registry class
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBwAGMAbwBuAGYAaQBnACAALwByAGUAbABlAGEAcwBlAA==
                    (decoded: ipconfig /release)
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\system32\ipconfig.exe
                       cmd: "C:\Windows\system32\ipconfig.exe" /release
                       - Gathers network information
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgA1AA==
                    (decoded: Start-Sleep -s 25)
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBwAGMAbwBuAGYAaQBnACAALwByAGUAbgBlAHcA
                    (decoded: ipconfig /renew)
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\system32\ipconfig.exe
                       cmd: "C:\Windows\system32\ipconfig.exe" /renew
                       - Gathers network information
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAuADUA
                    (decoded: Start-Sleep -Seconds 1.5)
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                [9] C:\Windows\System32\WScript.exe
                    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mijezedarcutnmc.vbs"
                    - Checks computer location settings
                  [10] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                       cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath 'C:\','C:\Users\Admin\AppData\Roaming\winda.exe'
                       - Suspicious behavior: EnumeratesProcesses
                       - Suspicious use of AdjustPrivilegeToken
                [9] C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
                    cmd: C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
              [8] C:\Users\Admin\AppData\Local\Temp\cc.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\cc.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Modifies system certificate store
                  - Suspicious use of WriteProcessMemory
                [9] C:\Users\Admin\AppData\Local\Temp\cc.exe
                    cmd: C:\Users\Admin\AppData\Local\Temp\cc.exe
                    - Executes dropped EXE
                  [10] C:\Windows\SysWOW64\schtasks.exe
                       cmd: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
                       - Creates scheduled task(s)
              [8] C:\Windows\SysWOW64\cmd.exe
                  cmd: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "dfgasdme.exe"
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SysWOW64\timeout.exe
                    cmd: C:\Windows\system32\timeout.exe 3
                    - Delays execution with timeout.exe
          [6] C:\Users\Admin\AppData\Local\Temp\CcmfdgsaYsd.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\CcmfdgsaYsd.exe"
              - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\CHmfdgaYsHsd.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\CHmfdgaYsHsd.exe" 0
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\AppData\Local\Temp\BC39.tmp\Keygen.exe
        cmd: Keygen.exe
        - Executes dropped EXE

[1] C:\Windows\System32\svchost.exe
    cmd: C:\Windows\System32\svchost.exe -k NetworkService -p
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS

[1] C:\Windows\system32\MusNotifyIcon.exe
    cmd: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    - Checks processor information in registry

[1] C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
    cmd: C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
      - Executes dropped EXE
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmd: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
        - Creates scheduled task(s)
Downloads
-
C:\ProgramData\mozglue.dll
MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\ProgramData\nss3.dll
MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
C:\ProgramData\sqlite3.dll
MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5 43391b412c650cde148653f76041c4c9
SHA1 f01dede729775576d9b3f4055bcb2f266c6260ed
SHA256 563836a148088af7fd35407fdb197f3b03198f89d7b44ec21efcdf87e03735ad
SHA512 593874dcb37de114829dd0de6ea879324121f898d9201a4ed26668aa9b77886e0afb7103dd3e1a15a42d520b1987ec0ba116e371610093fa03b7649b0056e716
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_1F4A11E5811034EBF23B87214B129489
MD5 5000ae6bdaa4dea1f666b806ebd730fd
SHA1 2d0e92b224fdf9e72742ef7d89ec95fe9e3201c3
SHA256 12b6e8adc80c96a2b36d50f07c08e6b7ee6d045b9ec4421168d100d3ef1090a3
SHA512 01bb56bdd5b2c93df27e451a0a47eaaf8be551643dc7f0b8420cb289a50f623fd4a8c1aeb7e8f92343a08f96e5723c4c0285aa29e743e03a524178cc994d1503
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5 09c39cd47a026a9f730cedcf0cd6c086
SHA1 c496f857cdd321b0c233908e5cfca3a2741774db
SHA256 dac2163db6f8f5efe2040c00e1af9f71605f892ea29a858f8b95cd5469a74e3b
SHA512 722839ff8035ea20e14bdaeee553ecfcf8679ec7800c3f826163d3f978eb933c662fa3c66178a84463fd3aa6cd78469d275a26e0779b00b978665037d4736bfa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5 0811507e610e0beabdd849c854e29e0e
SHA1 588e55d139ebd6dbbefe83412d0b29318b03a777
SHA256 5223f8d9f0646dd66712da09c4389d4a7aa9f82126b7882c4a7f63e2e5fbe9fe
SHA512 00c2c3d7da6ca2c6344d37980fde488850aee538d74075509232abefb258a479485bceacd0a2d8bea13f8274248dc0672d35111971b1b67dddd80a2722ee39f6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_1F4A11E5811034EBF23B87214B129489
MD5 07c4abb9f0b549a6efec7fc116b56360
SHA1 9fc29e87e9019f9afb3449ad6ea48e511c50bb1b
SHA256 da3f2df3d22079e96f0ac59703fe8184bb1ff808d41656bd5724f898e33933e3
SHA512 ea5d656137ce9c6d194dd422c8df370a6927ea1211eaa29987bc75cdf4d009a07f101a1261211ec4eff31fa2c116593367dc17e624cb14617fd53fa24007abd4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5 e3b53bb328833e9cd578d6255d1d410b
SHA1 5f46b72e0e0819b4d9c09b434a6d8965e38cb672
SHA256 98faa08ab9e1917d3e3e3ccc68035388f7d681bb1ff0ba0b2255d2a6f2fb32b7
SHA512 802c15de72ce515bfe826bde4350d856aa8312362549364611a4dcb4da4e1dab06fdd28d55f6ea90fe9deb8f5b9bc781601bb0f2fe6d1d821f996738bcc30342
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BKKB7TTX\Abqtrvrhcjiuauawrxxwwmyxelgyffl[1].htm
MD5 1f1d28875f2782638dd9ee072ebecb7e
SHA1 2dc58874eb002d0a9ec5ecded19d1e1523577421
SHA256 849add4aa76d040ca6fc9fb886c61101a11f8ca472029921b6dd4829890b448b
SHA512 0a17e30a8875875287bb1f1789084b0e38a500a10e354f3eae707a9aac5fc840bd5dc58e73315d48e75f93cb00bd8f781f88b8c86b7b936524f08881cfeef46d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VMAZW8LB\Abqtrvrhcjiuauawrxxwwmyxelgyffl[1].bmp
MD5 476c36c2a9a28a5952e0fce37c03d09d
SHA1 e70e70a2d01b4a1574040ba44d7f653e6944ce99
SHA256 f517d401eb25a435831b72ba04e1f06acd6b960c6f52cba8c9045de963f59b90
SHA512 1939753c3d1bc82c3ae419a0d0bdde6d59aec9dffc9ca8c761598a486012f9b8c104b449fc2ebf7204c7974c7d2988c976c35d21bb8b3c3c83a5fcd9c27c4bd5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 a6c9d692ed2826ecb12c09356e69cc09
SHA1 def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256 a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA512 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 63e62e02ee9c90b7adfb2eefe7efa04f
SHA1 9bc1eda86f7f95345c2a3901288b6867447dee6b
SHA256 cbafbcef08446541d49da9d11842ab860628a7d317db15f570b7b1e1048ade11
SHA512 3d2bf16c2a9b42e28dc9d2c18d6d697d3749b14f2f6c708ea9e587022aeb5fbbcffaa49c4f4f994f1cd1f6c886b8d8b6ab3a29d3b65fe0659ea0f2fa9d47ba52
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 5caad758326454b5788ec35315c4c304
SHA1 3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 1dffbab5ecc6d06e8b259ad505a0dc2a
SHA1 0938ec61e4af55d7ee9d12708fdc55c72ccb090c
SHA256 a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e
SHA512 93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76
-
C:\Users\Admin\AppData\Local\Temp\74A92AEB\mozglue.dll
MD5 9e682f1eb98a9d41468fc3e50f907635
SHA1 85e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512 230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
C:\Users\Admin\AppData\Local\Temp\74A92AEB\msvcp140.dll
MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
C:\Users\Admin\AppData\Local\Temp\74A92AEB\nss3.dll
MD5 556ea09421a0f74d31c4c0a89a70dc23
SHA1 f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256 f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA512 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
C:\Users\Admin\AppData\Local\Temp\74A92AEB\vcruntime140.dll
MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
C:\Users\Admin\AppData\Local\Temp\BC39.tmp\Keygen.exe
MD5 381170fcadbe7a253f4b0bf3cc8ddf62
SHA1 a6e6656c898767cc874cff40b84aa75523242ebe
SHA256 1ba645e92ebd1ee549cdbd885a0b7ad40f5304eb123b6c3c8d7397013560fe80
SHA512 b2c6cda8ce6e6d395e73965eb937dc15ea786aed883649b774582e8102d2868e23b6f294c4035b193c09d5b35a9a0e224541e09fb2c5a134e1ba523a65823ac8
-
C:\Users\Admin\AppData\Local\Temp\BC39.tmp\kgen.exe
MD5 2898e4611e6b86fa578342cb15474b2a
SHA1 98357be30082787c709ca216000d0799973221d4
SHA256 04cf90592acf1f6033ba299b18ef8a7c8b1ab6f356d6bb9ff33b44743fe2c787
SHA512 213b53a27a4d820742ed1b60eaec1b86a0e2a7b692664e09a9374df63a1b6b38de04e3cebc70c9be9d5eae411a84c13fa9603788adf453c59be07db81390f4c2
-
C:\Users\Admin\AppData\Local\Temp\BC39.tmp\start.bat
MD5 41b62aa43fb500043e95f85bed7c5877
SHA1 3585109e61c14745639adb0b43699482ce4be2fe
SHA256 79bbb6cc02a9fde15e0e4aa84e27e2357a4c4dbf017bae7b235853d06cd6c00c
SHA512 2d731c42313844d4cf8f4cc49da0dbaec585793bfc9e2abd75293c60ae3524bc51cce51639e199319faf8ce07791e7647871709a073096a3cf94df3f873b544e
-
C:\Users\Admin\AppData\Local\Temp\CHmfdgaYsHsd.exe
MD5 f9af0046085177c4ae153bd1eacde3e8
SHA1 4f6fe60cd9bb7644cb30003799aa97e8e3947b0c
SHA256 857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
SHA512 f2f828a8a99d54d6757a51060e1665b2146afccf5b5fa529db691ce761b49c8a170b19a692ed7b32c550eee5b5697fdb67f85c5db260047506f7368c81a1fcee
-
C:\Users\Admin\AppData\Local\Temp\CcmfdgsaYsd.exe
MD5 f9af0046085177c4ae153bd1eacde3e8
SHA1 4f6fe60cd9bb7644cb30003799aa97e8e3947b0c
SHA256 857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
SHA512 f2f828a8a99d54d6757a51060e1665b2146afccf5b5fa529db691ce761b49c8a170b19a692ed7b32c550eee5b5697fdb67f85c5db260047506f7368c81a1fcee
-
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
MD5 3466dbd3779c31dc2fccfe73e6d6a44e
SHA1 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA256 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA512 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3
-
C:\Users\Admin\AppData\Local\Temp\Mijezedarcutnmc.vbs
MD5 5538f172ee41acfa7e101ec4ac13bf67
SHA1 d250a0b0ecc2de3869f24461a889301e5e10d711
SHA256 d1dcd271aaa9def8bfb39d134b2b625db8f2cc3788e111d29066c4208ca754f7
SHA512 9091c13212df6c56b9189c6f9d7ea144357b08c639361a87d95c9917d93e92a53790b6147a1b3ee4cf9504bc28443f498c78a46f38f2bbdd87f324aa404da5c0
-
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
MD5 df5419b32657d2896514b6a1d041fe08
SHA1 eae192043f75ca972697c3b1875988bebd66f713
SHA256 9ed0aa0a40c864f65ff867fd6b8491467786ce1bc60fd1e55f300a0fae5a77b4
SHA512 f1a7a409c99942b39060d327bbc2f0b7cf600e8c3d8e60164ae27a78e1a16c07de58872b8864a0783d71ccad5800c02ade0ac14954b30a75a6b5c8d4b1fcd560
-
C:\Users\Admin\AppData\Local\Temp\cc.exe
MD5 0c6a0c6c6ae6ca92b8dbbf7802c13381
SHA1 fe6a5b7eaa8076a6304a23444456ccb4e8662ff7
SHA256 92cee18d0c9e246f28b38a8d35442d44f8cc8eab883b5e3e0c3a09ae96de846c
SHA512 809baf2fbb989144ba047ed3b02534a77bbcd4fc8dc09d614df7fe980811ae7eef2eaf60c6a0be9b09c3512a55be1a286904a26607eb330c8caf28a5ecf4d148
-
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
MD5 bead6aca8d274c82140361874ca95b59
SHA1 33d6cade432ebc63043170e1a8b049f51b093e59
SHA256 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8
-
C:\Users\Admin\AppData\Local\Temp\pm.exe
MD5 27e6d5f08acbcc787e860da1229929c6
SHA1 426120de8b17120c60013734e6553c1dd50129c2
SHA256 05bd6e05fa5cba8cf94a0cfd567351cd15e2d873e9e6ae3a951175e21deddaf4
SHA512 56e93ffcef18302e24035d3b10a4fe0d6feaf73614616f910245da2937cdcb23fd0dd4e31278b94ca3db7581c8af3ef3722e6b566f74ca0d41e4f98b4e7e1326
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5 0c6a0c6c6ae6ca92b8dbbf7802c13381
SHA1 fe6a5b7eaa8076a6304a23444456ccb4e8662ff7
SHA256 92cee18d0c9e246f28b38a8d35442d44f8cc8eab883b5e3e0c3a09ae96de846c
SHA512 809baf2fbb989144ba047ed3b02534a77bbcd4fc8dc09d614df7fe980811ae7eef2eaf60c6a0be9b09c3512a55be1a286904a26607eb330c8caf28a5ecf4d148
-
memory/220-235-0x000001B47D636000-0x000001B47D638000-memory.dmp
Filesize 8KB
-
memory/220-233-0x000001B47D630000-0x000001B47D632000-memory.dmp
Filesize 8KB
-
memory/220-234-0x000001B47D633000-0x000001B47D635000-memory.dmp
Filesize 8KB
-
memory/220-232-0x00007FFB58933000-0x00007FFB58935000-memory.dmp
Filesize 8KB
-
memory/332-263-0x000001C973176000-0x000001C973178000-memory.dmp
Filesize 8KB
-
memory/332-262-0x000001C973173000-0x000001C973175000-memory.dmp
Filesize 8KB
-
memory/332-261-0x000001C973170000-0x000001C973172000-memory.dmp
Filesize 8KB
-
memory/332-260-0x00007FFB58933000-0x00007FFB58935000-memory.dmp
Filesize 8KB
-
memory/1100-165-0x0000000002030000-0x0000000002031000-memory.dmp
Filesize 4KB
-
memory/1400-155-0x0000000000680000-0x0000000000681000-memory.dmp
Filesize 4KB
-
memory/1400-154-0x00000000779B2000-0x00000000779B3000-memory.dmp
Filesize 4KB
-
memory/1720-194-0x00000000007B0000-0x00000000007B1000-memory.dmp
Filesize 4KB
-
memory/1720-195-0x0000000002DC0000-0x0000000002DDB000-memory.dmp
Filesize 108KB
-
memory/1960-166-0x00000000005C0000-0x00000000005C1000-memory.dmp
Filesize 4KB
-
memory/2344-136-0x0000000000960000-0x0000000000961000-memory.dmp
Filesize 4KB
-
memory/2680-177-0x0000000000640000-0x0000000000641000-memory.dmp
Filesize 4KB
-
memory/2680-176-0x00000000779B2000-0x00000000779B3000-memory.dmp
Filesize 4KB
-
memory/2680-175-0x0000000000400000-0x0000000000497000-memory.dmp
Filesize 604KB
-
memory/2988-168-0x00000000007F0000-0x00000000007F6000-memory.dmp
Filesize 24KB
-
memory/2988-158-0x00000000007E0000-0x00000000007E1000-memory.dmp
Filesize 4KB
-
memory/3052-217-0x00007FFB58933000-0x00007FFB58935000-memory.dmp
Filesize 8KB
-
memory/3052-218-0x0000020181700000-0x0000020181702000-memory.dmp
Filesize 8KB
-
memory/3052-219-0x0000020181703000-0x0000020181705000-memory.dmp
Filesize 8KB
-
memory/3052-220-0x0000020181706000-0x0000020181708000-memory.dmp
Filesize 8KB
-
memory/3168-244-0x00007FFB58933000-0x00007FFB58935000-memory.dmp
Filesize 8KB
-
memory/3168-247-0x000001E3324F6000-0x000001E3324F8000-memory.dmp
Filesize 8KB
-
memory/3168-245-0x000001E3324F0000-0x000001E3324F2000-memory.dmp
Filesize 8KB
-
memory/3168-246-0x000001E3324F3000-0x000001E3324F5000-memory.dmp
Filesize 8KB
-
memory/3336-221-0x0000000000400000-0x0000000000406000-memory.dmp
Filesize 24KB
-
memory/3336-223-0x0000000000400000-0x0000000000406000-memory.dmp
Filesize 24KB
-
memory/3340-193-0x00007FFB58933000-0x00007FFB58935000-memory.dmp
Filesize 8KB
-
memory/3340-203-0x000000001C6F0000-0x000000001C6F2000-memory.dmp
Filesize 8KB
-
memory/3340-191-0x0000000000230000-0x000000000037A000-memory.dmp
Filesize 1.3MB
-
memory/3664-138-0x0000000002240000-0x0000000002241000-memory.dmp
Filesize 4KB
-
memory/3664-137-0x00000000779B2000-0x00000000779B3000-memory.dmp
Filesize 4KB
-
memory/3664-139-0x0000000002250000-0x0000000002257000-memory.dmp
Filesize 28KB
-
memory/3752-172-0x0000000000480000-0x0000000000481000-memory.dmp
Filesize 4KB
-
memory/3752-170-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/3752-171-0x00000000779B2000-0x00000000779B3000-memory.dmp
Filesize 4KB
-
memory/3768-144-0x00000000779B2000-0x00000000779B3000-memory.dmp
Filesize 4KB
-
memory/3768-143-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize 36KB
-
memory/3768-145-0x0000000002030000-0x0000000002031000-memory.dmp
Filesize 4KB
-
memory/3852-205-0x00000210C04D0000-0x00000210C04D2000-memory.dmp
Filesize 8KB
-
memory/3852-200-0x00000210C05E0000-0x00000210C0602000-memory.dmp
Filesize 136KB
-
memory/3852-204-0x00007FFB58933000-0x00007FFB58935000-memory.dmp
Filesize 8KB
-
memory/3852-206-0x00000210C04D3000-0x00000210C04D5000-memory.dmp
Filesize 8KB
-
memory/3852-207-0x00000210C04D6000-0x00000210C04D8000-memory.dmp
Filesize 8KB
-
memory/3876-264-0x00007FFB58933000-0x00007FFB58935000-memory.dmp
Filesize 8KB
-
memory/3876-265-0x000001C8B2790000-0x000001C8B2792000-memory.dmp
Filesize 8KB
-
memory/3876-257-0x0000000140000000-0x000000014006E000-memory.dmp
Filesize 440KB
-
memory/3996-270-0x0000000002DC0000-0x0000000002DDB000-memory.dmp
Filesize 108KB
-
memory/3996-271-0x0000000002180000-0x0000000002181000-memory.dmp
Filesize 4KB
-
memory/4076-174-0x0000000000550000-0x0000000000551000-memory.dmp
Filesize 4KB
-
memory/4076-178-0x0000000000400000-0x0000000000424000-memory.dmp
Filesize 144KB
-
memory/4076-179-0x00000000779B2000-0x00000000779B3000-memory.dmp
Filesize 4KB