Analysis
-
max time kernel
124s -
max time network
171s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
01-07-2022 06:48
General
-
Target
7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe
-
Size
189KB
-
MD5
e5f8880417891a0d527b29cad8e087b0
-
SHA1
9784587256aaeb4e6a68ba13d0848647928dfbb2
-
SHA256
7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732
-
SHA512
262a5ebff4525984d6d98f3831f142f3f695101d5067762ef4ceaca196bf0e5941ff0173b95a63c4355a49452e423805eb131ba53c711344619fa08d78510db6
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2017
C2
http://dogewareservice.ru/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 44 IoCs
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 47 IoCs
-
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 48 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 19 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 12164⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 11845⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"3⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"4⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"5⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 9927⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"5⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"6⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"7⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"7⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"8⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"8⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"9⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"9⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"9⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"10⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"10⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"11⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe12⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"11⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"12⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"12⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe13⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"12⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"13⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"13⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"13⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"14⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"14⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe15⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"14⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"15⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe16⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"15⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"16⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe17⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"16⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"17⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe18⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"17⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"18⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe19⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"18⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"19⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe20⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"19⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"20⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe21⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"20⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"21⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe22⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"21⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"22⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe23⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"22⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"23⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe24⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"23⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"24⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe25⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 112426⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"24⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"25⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe26⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 119627⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"25⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"26⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe27⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"26⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"27⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe28⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 118029⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"27⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"28⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe29⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 117230⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"28⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"28⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"29⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe30⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"29⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"30⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe31⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 118032⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"30⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"31⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe32⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"31⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"32⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe33⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 119634⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"32⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"32⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"33⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe34⤵
- Maps connected drives based on registry
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"33⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"34⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe35⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 96036⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"34⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"35⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe36⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 118837⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"35⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"36⤵
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe37⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"36⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"37⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe38⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"37⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"37⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"38⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"38⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe39⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 117640⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"38⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"38⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"39⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe40⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 112441⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"39⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"40⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe41⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"40⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"41⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe42⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"41⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"42⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe43⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 119244⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"42⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"43⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe44⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"43⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"44⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe45⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"44⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"45⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe46⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 119247⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"45⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"46⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe47⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 118848⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"46⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"47⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"47⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe48⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"47⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"48⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe49⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"48⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"48⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"49⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe50⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 117651⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"49⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"49⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"50⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe51⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"50⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"50⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"51⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe52⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 97253⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"51⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"52⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe53⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"52⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"53⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe54⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"53⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"54⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe55⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 117256⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"54⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"55⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe56⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"55⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"56⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe57⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"56⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"57⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe58⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"57⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"57⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"58⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe59⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"58⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"59⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe60⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"59⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"60⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe61⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"60⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"61⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe62⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"61⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"62⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe63⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"62⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"63⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe64⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"63⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"63⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"64⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe65⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"64⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"65⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe66⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"65⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"66⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"66⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"66⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"67⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"67⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"68⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"68⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"68⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"69⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"69⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"70⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"70⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"71⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"71⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"72⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"72⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"73⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"73⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"74⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"74⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"74⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"74⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"75⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"75⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"76⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"76⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"77⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"77⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"78⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"78⤵
-
C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"C:\Users\Admin\AppData\Local\Temp\7afc896ff5590bde1e2533e40573e20b365c1f0ed261e8d7ca0e1fe01ef7f732.exe"78⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4628 -ip 46281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4656 -ip 46561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3924 -ip 39241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5064 -ip 50641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2220 -ip 22201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4244 -ip 42441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4376 -ip 43761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2260 -ip 22601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2520 -ip 25201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3556 -ip 35561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1720 -ip 17201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3836 -ip 38361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4516 -ip 45161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2816 -ip 28161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4928 -ip 49281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2416 -ip 24161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1916 -ip 19161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3872 -ip 38721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1392 -ip 13921⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/60-257-0x0000000000000000-mapping.dmp
-
memory/344-205-0x0000000000000000-mapping.dmp
-
memory/344-212-0x0000000001090000-0x000000000109A000-memory.dmpFilesize
40KB
-
memory/344-211-0x0000000000210000-0x0000000000643000-memory.dmpFilesize
4.2MB
-
memory/532-190-0x0000000000000000-mapping.dmp
-
memory/532-193-0x0000000000DE0000-0x0000000000DEA000-memory.dmpFilesize
40KB
-
memory/716-224-0x0000000000000000-mapping.dmp
-
memory/716-228-0x0000000000BF0000-0x0000000000BFA000-memory.dmpFilesize
40KB
-
memory/716-233-0x0000000000210000-0x0000000000643000-memory.dmpFilesize
4.2MB
-
memory/796-249-0x0000000000000000-mapping.dmp
-
memory/872-191-0x0000000005570000-0x0000000005A9C000-memory.dmpFilesize
5.2MB
-
memory/872-189-0x0000000000000000-mapping.dmp
-
memory/1080-179-0x0000000000FB0000-0x0000000000FBA000-memory.dmpFilesize
40KB
-
memory/1080-134-0x0000000000000000-mapping.dmp
-
memory/1080-135-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/1080-138-0x0000000000FB0000-0x0000000000FBA000-memory.dmpFilesize
40KB
-
memory/1080-136-0x0000000000FB0000-0x0000000000FBA000-memory.dmpFilesize
40KB
-
memory/1152-238-0x0000000000210000-0x0000000000643000-memory.dmpFilesize
4.2MB
-
memory/1152-232-0x0000000000000000-mapping.dmp
-
memory/1188-137-0x0000000005540000-0x0000000005A6C000-memory.dmpFilesize
5.2MB
-
memory/1188-132-0x0000000005700000-0x0000000005792000-memory.dmpFilesize
584KB
-
memory/1188-130-0x0000000000C10000-0x0000000000C46000-memory.dmpFilesize
216KB
-
memory/1188-131-0x0000000005A70000-0x0000000005F9C000-memory.dmpFilesize
5.2MB
-
memory/1188-133-0x0000000005540000-0x0000000005A6C000-memory.dmpFilesize
5.2MB
-
memory/1204-175-0x0000000000AA0000-0x0000000000AAA000-memory.dmpFilesize
40KB
-
memory/1204-170-0x0000000000000000-mapping.dmp
-
memory/1312-167-0x0000000000000000-mapping.dmp
-
memory/1312-231-0x0000000004940000-0x0000000004E6C000-memory.dmpFilesize
5.2MB
-
memory/1312-174-0x0000000004940000-0x0000000004E6C000-memory.dmpFilesize
5.2MB
-
memory/1336-147-0x0000000000000000-mapping.dmp
-
memory/1336-149-0x00000000009D0000-0x00000000009DA000-memory.dmpFilesize
40KB
-
memory/1392-155-0x0000000004B80000-0x00000000050AC000-memory.dmpFilesize
5.2MB
-
memory/1392-150-0x0000000000000000-mapping.dmp
-
memory/1404-145-0x0000000000B10000-0x0000000000B1A000-memory.dmpFilesize
40KB
-
memory/1404-143-0x0000000000000000-mapping.dmp
-
memory/1628-168-0x0000000005340000-0x000000000586C000-memory.dmpFilesize
5.2MB
-
memory/1628-165-0x0000000000000000-mapping.dmp
-
memory/1716-215-0x0000000000000000-mapping.dmp
-
memory/1716-219-0x0000000001200000-0x000000000120A000-memory.dmpFilesize
40KB
-
memory/1748-240-0x0000000000000000-mapping.dmp
-
memory/2008-236-0x0000000000000000-mapping.dmp
-
memory/2008-245-0x0000000004880000-0x0000000004DAC000-memory.dmpFilesize
5.2MB
-
memory/2032-142-0x0000000000000000-mapping.dmp
-
memory/2032-144-0x0000000004EB0000-0x00000000053DC000-memory.dmpFilesize
5.2MB
-
memory/2068-227-0x00000000007E0000-0x00000000007EA000-memory.dmpFilesize
40KB
-
memory/2068-222-0x0000000000000000-mapping.dmp
-
memory/2148-198-0x0000000000000000-mapping.dmp
-
memory/2380-171-0x0000000000000000-mapping.dmp
-
memory/2380-173-0x0000000004A70000-0x0000000004F9C000-memory.dmpFilesize
5.2MB
-
memory/2412-201-0x0000000000000000-mapping.dmp
-
memory/2412-209-0x00000000052D0000-0x00000000057FC000-memory.dmpFilesize
5.2MB
-
memory/2500-164-0x0000000000120000-0x000000000012A000-memory.dmpFilesize
40KB
-
memory/2500-161-0x0000000000000000-mapping.dmp
-
memory/2512-270-0x0000000000000000-mapping.dmp
-
memory/2528-216-0x0000000000210000-0x0000000000643000-memory.dmpFilesize
4.2MB
-
memory/2528-217-0x0000000000A10000-0x0000000000A1A000-memory.dmpFilesize
40KB
-
memory/2528-214-0x0000000000000000-mapping.dmp
-
memory/2736-169-0x0000000000440000-0x000000000044A000-memory.dmpFilesize
40KB
-
memory/2736-166-0x0000000000000000-mapping.dmp
-
memory/2968-182-0x0000000005180000-0x00000000056AC000-memory.dmpFilesize
5.2MB
-
memory/2968-178-0x0000000000000000-mapping.dmp
-
memory/3096-241-0x0000000000000000-mapping.dmp
-
memory/3096-244-0x0000000000210000-0x0000000000643000-memory.dmpFilesize
4.2MB
-
memory/3136-221-0x0000000000000000-mapping.dmp
-
memory/3136-226-0x0000000005520000-0x0000000005A4C000-memory.dmpFilesize
5.2MB
-
memory/3344-154-0x0000000004860000-0x0000000004D8C000-memory.dmpFilesize
5.2MB
-
memory/3344-152-0x0000000000000000-mapping.dmp
-
memory/3432-183-0x0000000000E50000-0x0000000000E5A000-memory.dmpFilesize
40KB
-
memory/3432-180-0x0000000000000000-mapping.dmp
-
memory/3592-194-0x0000000000000000-mapping.dmp
-
memory/3592-197-0x0000000000790000-0x000000000079A000-memory.dmpFilesize
40KB
-
memory/3676-256-0x0000000000000000-mapping.dmp
-
memory/3720-223-0x0000000000210000-0x0000000000643000-memory.dmpFilesize
4.2MB
-
memory/3720-225-0x0000000000EF0000-0x0000000000EFA000-memory.dmpFilesize
40KB
-
memory/3720-220-0x0000000000000000-mapping.dmp
-
memory/3776-235-0x0000000000990000-0x000000000099A000-memory.dmpFilesize
40KB
-
memory/3776-230-0x0000000000000000-mapping.dmp
-
memory/3836-151-0x0000000000000000-mapping.dmp
-
memory/3836-156-0x0000000000260000-0x000000000026A000-memory.dmpFilesize
40KB
-
memory/3844-159-0x0000000000000000-mapping.dmp
-
memory/3844-163-0x0000000000250000-0x000000000025A000-memory.dmpFilesize
40KB
-
memory/3924-208-0x0000000000210000-0x0000000000643000-memory.dmpFilesize
4.2MB
-
memory/3924-207-0x0000000000000000-mapping.dmp
-
memory/3924-213-0x00000000012F0000-0x00000000012FA000-memory.dmpFilesize
40KB
-
memory/4024-210-0x0000000000000000-mapping.dmp
-
memory/4024-218-0x0000000005610000-0x0000000005B3C000-memory.dmpFilesize
5.2MB
-
memory/4124-248-0x0000000000000000-mapping.dmp
-
memory/4132-187-0x0000000005120000-0x000000000564C000-memory.dmpFilesize
5.2MB
-
memory/4132-185-0x0000000000000000-mapping.dmp
-
memory/4164-255-0x0000000000000000-mapping.dmp
-
memory/4280-162-0x0000000005580000-0x0000000005AAC000-memory.dmpFilesize
5.2MB
-
memory/4280-160-0x0000000000000000-mapping.dmp
-
memory/4376-176-0x0000000000000000-mapping.dmp
-
memory/4376-181-0x00000000053B0000-0x00000000053C4000-memory.dmpFilesize
80KB
-
memory/4424-258-0x0000000000000000-mapping.dmp
-
memory/4424-146-0x0000000000000000-mapping.dmp
-
memory/4424-148-0x00000000050F0000-0x000000000561C000-memory.dmpFilesize
5.2MB
-
memory/4512-263-0x0000000000000000-mapping.dmp
-
memory/4516-158-0x0000000000000000-mapping.dmp
-
memory/4576-261-0x0000000000000000-mapping.dmp
-
memory/4584-262-0x0000000000000000-mapping.dmp
-
memory/4628-141-0x0000000000750000-0x000000000075A000-memory.dmpFilesize
40KB
-
memory/4628-200-0x0000000000750000-0x000000000075A000-memory.dmpFilesize
40KB
-
memory/4628-140-0x0000000000210000-0x0000000000643000-memory.dmpFilesize
4.2MB
-
memory/4628-139-0x0000000000000000-mapping.dmp
-
memory/4656-204-0x00000000001C0000-0x00000000001CA000-memory.dmpFilesize
40KB
-
memory/4656-203-0x0000000000210000-0x0000000000643000-memory.dmpFilesize
4.2MB
-
memory/4656-199-0x0000000000000000-mapping.dmp
-
memory/4704-234-0x0000000004BB0000-0x00000000050DC000-memory.dmpFilesize
5.2MB
-
memory/4704-229-0x0000000000000000-mapping.dmp
-
memory/4740-206-0x0000000000000000-mapping.dmp
-
memory/4792-172-0x0000000000000000-mapping.dmp
-
memory/4808-186-0x0000000000000000-mapping.dmp
-
memory/4808-188-0x0000000000A40000-0x0000000000A4A000-memory.dmpFilesize
40KB
-
memory/4840-195-0x0000000000000000-mapping.dmp
-
memory/4840-202-0x0000000005130000-0x000000000565C000-memory.dmpFilesize
5.2MB
-
memory/4936-242-0x0000000000000000-mapping.dmp
-
memory/4956-196-0x0000000004AE0000-0x000000000500C000-memory.dmpFilesize
5.2MB
-
memory/4956-192-0x0000000000000000-mapping.dmp
-
memory/4968-184-0x0000000000980000-0x000000000098A000-memory.dmpFilesize
40KB
-
memory/4968-177-0x0000000000000000-mapping.dmp
-
memory/5004-239-0x0000000000180000-0x000000000018A000-memory.dmpFilesize
40KB
-
memory/5004-243-0x0000000000210000-0x0000000000643000-memory.dmpFilesize
4.2MB
-
memory/5004-237-0x0000000000000000-mapping.dmp
-
memory/5052-253-0x0000000000000000-mapping.dmp
-
memory/5084-271-0x0000000000000000-mapping.dmp
-
memory/5112-153-0x0000000000000000-mapping.dmp
-
memory/5112-157-0x00000000007B0000-0x00000000007BA000-memory.dmpFilesize
40KB