Analysis
-
max time kernel
213s -
max time network
216s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
04-07-2022 18:50
General
-
Target
https://dropmefiles.com/oOAIG
Malware Config
Extracted
asyncrat
1.0.7
Default
5.tcp.eu.ngrok.io:18640
kjqhelqiwobhn2lijk
-
delay
1
-
install
true
-
install_file
MsEdge.exe
-
install_folder
%Temp%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Async RAT payload 6 IoCs
-
NirSoft WebBrowserPassView 8 IoCs
Password recovery tool for various web browsers
-
Nirsoft 12 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 11 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 4 IoCs
Detects executables packed with VMProtect commercial packer.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 40 IoCs
-
Suspicious behavior: EnumeratesProcesses 47 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 50 IoCs
-
Suspicious use of SendNotifyMessage 34 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://dropmefiles.com/oOAIG1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb09914f50,0x7ffb09914f60,0x7ffb09914f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1716 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1668 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2328 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2760 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4128 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5396 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6080 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4620 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4548 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3100 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5976 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4804 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5936 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4624 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5552 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2828 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=880 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5536 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5676 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,995369803953140048,16641901167268735101,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:12⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\1\" -ad -an -ai#7zMap25329:58:7zEvent158641⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\1\" -ad -an -ai#7zMap25879:58:7zEvent73581⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\1\1\Nemesis.exe"C:\Users\Admin\Desktop\1\1\Nemesis.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\1\1\test.exe"C:\Users\Admin\Desktop\1\1\test.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\$Cache_2467\Edge.exe"C:\Users\Admin\AppData\Local\Temp\$Cache_2467\Edge.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MsEdge.exe"C:\Users\Admin\AppData\Local\Temp\MsEdge.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"' & exit4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs6CaNypdO0DCzmLh6iuROTWR5OwWqFog8ZXNLl7mdFnAiQ+FRdHxTP0Hxj5wGaoyD+dMmkCeeCgAjgekQr83tLaSurllnbvcRJ5WBiCfJP8h7Dzg4vVxrqMjJw7cC37ZhA=7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat9⤵
-
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exeC:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat9⤵
-
C:\Users\Admin\AppData\Local\Temp\winhlp32.exeC:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\splwow64.exeC:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\hh.exeC:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat9⤵
-
C:\Users\Admin\AppData\Local\Temp\xwizard.exeC:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"8⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 39⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "MsEdge"4⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /f /tn "MsEdge"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp485E.tmp.bat""4⤵
-
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap27330:60:7zEvent9637 -ad -saa -- "C:\Users\Admin\Desktop\1\1\1"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\CookiesFilesize
20KB
MD5148c6eafb09ab3ca9f1dfc80a8c20593
SHA174bd7678099cb9ade5013f29dd8a47809b447da0
SHA256525343bedeaa02e3dcfa05dbec79d877c54dc7eaed9d1a6e880b3e979db86a45
SHA512731a03e3bb5e11b2dccb772b8afb81db93e13693e794159ba9a2fcebac9a1f3a68a5f0cfc9132c3e0c3564a7454c4ccf54df17b401adcc9bfa9a071bc8149c1e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
88KB
MD55ba13ad4668ac24ab20869c7c422ad4a
SHA17aa1d64fe1e0c1794c127322c0c0b709a9ede54c
SHA2562c70fedcc34e5b4b08e9606d4347316a7fc453449335ad67d3a2e024811d782a
SHA512fb542d8bd9127dc9d06a18cd5d571a5836ccfd2f977b08669610c65c0083d7197222636180d017214f604fa4a7b26023a4c5a104acff63e348d55a665fd03a9e
-
C:\Users\Admin\AppData\Local\Temp\$Cache_2467\Edge.exeFilesize
28KB
MD50900fded4335b644fc5a6064236a2050
SHA1546e9292879e58e98af15fa56468a3f051e71ab9
SHA256acf2a71cba2dc40faf0c8a9a63189beb1cfd5a3601a202b02101cd7b69ec34e8
SHA512237a98edbaaa5dd7d908dc289bf69b5ea9b8a6262142d5dc511547f15590d0481f5d4eadd59afeea488765239a07f24a9bca45112104fd36208d5f9ef13cf931
-
C:\Users\Admin\AppData\Local\Temp\$Cache_2467\Edge.exeFilesize
28KB
MD50900fded4335b644fc5a6064236a2050
SHA1546e9292879e58e98af15fa56468a3f051e71ab9
SHA256acf2a71cba2dc40faf0c8a9a63189beb1cfd5a3601a202b02101cd7b69ec34e8
SHA512237a98edbaaa5dd7d908dc289bf69b5ea9b8a6262142d5dc511547f15590d0481f5d4eadd59afeea488765239a07f24a9bca45112104fd36208d5f9ef13cf931
-
C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txtFilesize
4KB
MD52a2c44027367530650b09adec9a4ca69
SHA14318abf5b3cacbf2693b996529c9689a78b416e7
SHA25677a569333255bcb58863abd0759924d2b80e02c178e1bf7fee0493080c6c5489
SHA512d31d7eb4f16654a9ecb4749263a293030ad485efd5fb02b9ad0b92978f41dc7951af9d1028f3a0c4a29bfdc8c98de0df68e9ce6e536ebbb11cbe4c50a9fd8380
-
C:\Users\Admin\AppData\Local\Temp\Cookies1Filesize
13KB
MD545dc4a2083ce43a37d4352c04f273ab0
SHA142d771297bcea8d7f751bce3794b29209720a29c
SHA256258bd4d718f73d13960f6adde1ceb453e2e8ae62c3ca17aea672a9db01ed1b4b
SHA512c15ea85d4f565e500ad74cb17502ba082cbfb120828be4658a6bc9aaf24bda282eef80553c7baac092e5a9763cbb5a4f2e72310ae24ee02c68e2d4bb10914b8e
-
C:\Users\Admin\AppData\Local\Temp\Cookies3Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Local\Temp\MsEdge.exeFilesize
118KB
MD523a4ae1a02b8056bf8c305711060db1a
SHA1988f757c8cd628289c311dcc6ee28af563dab9c0
SHA2568170cd47490cd0a0e8769cc662fe9d7a4e975c34e5fe494b209e0d73bc0d6433
SHA5125d18f038a1f002335172300b070e6ccf08ba5957e935350c6dc6989957a9be9825f286b368bba3554257197a942309b3fc2bbf0c5f6e7c4dc5cce0979468f883
-
C:\Users\Admin\AppData\Local\Temp\MsEdge.exeFilesize
118KB
MD523a4ae1a02b8056bf8c305711060db1a
SHA1988f757c8cd628289c311dcc6ee28af563dab9c0
SHA2568170cd47490cd0a0e8769cc662fe9d7a4e975c34e5fe494b209e0d73bc0d6433
SHA5125d18f038a1f002335172300b070e6ccf08ba5957e935350c6dc6989957a9be9825f286b368bba3554257197a942309b3fc2bbf0c5f6e7c4dc5cce0979468f883
-
C:\Users\Admin\AppData\Local\Temp\RegAsm.exeFilesize
4.5MB
MD50037943f6133c2d1c92a5f048be977bd
SHA10885e4acf99f3be450b7305f235b22da90282030
SHA25656927619425718dc21c0d0d3c81b708d2581e5b4e47b59c39583ddb4886ef8ff
SHA512e1025d06df595f8c1b6401258e66d492e985db050ff3919763676afa1a05b84f9ce45e401bb7c975c7f534ce2b615969f7180cb49f6733ce11a87ca53d4ee255
-
C:\Users\Admin\AppData\Local\Temp\RegAsm.exeFilesize
4.5MB
MD50037943f6133c2d1c92a5f048be977bd
SHA10885e4acf99f3be450b7305f235b22da90282030
SHA25656927619425718dc21c0d0d3c81b708d2581e5b4e47b59c39583ddb4886ef8ff
SHA512e1025d06df595f8c1b6401258e66d492e985db050ff3919763676afa1a05b84f9ce45e401bb7c975c7f534ce2b615969f7180cb49f6733ce11a87ca53d4ee255
-
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exeFilesize
4.4MB
MD53405f654559010ca2ae38d786389f0f1
SHA18ac5552c64dfc3ccf0c678f6f946ee23719cf43d
SHA256bc1364d8e68f515f9f35a6b41c11a649b1f514302eb01812c68c9a95a3198b30
SHA512cb1e5ffed2ab86502ea4236383e9a4211a14b1abda13babbcceea67700c5746b37b4da6e45e10196eb76fa1e6959e71f19c6827466a54df1d5ba5ad2e16fc05b
-
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exeFilesize
4.4MB
MD53405f654559010ca2ae38d786389f0f1
SHA18ac5552c64dfc3ccf0c678f6f946ee23719cf43d
SHA256bc1364d8e68f515f9f35a6b41c11a649b1f514302eb01812c68c9a95a3198b30
SHA512cb1e5ffed2ab86502ea4236383e9a4211a14b1abda13babbcceea67700c5746b37b4da6e45e10196eb76fa1e6959e71f19c6827466a54df1d5ba5ad2e16fc05b
-
C:\Users\Admin\AppData\Local\Temp\compile.batFilesize
74B
MD5808099bfbd62ec04f0ed44959bbc6160
SHA1f4b6853d958c2c4416f6e4a5be8a11d86f64c023
SHA256f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8
SHA512e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0
-
C:\Users\Admin\AppData\Local\Temp\compile.batFilesize
156B
MD5eb51755b637423154d1341c6ee505f50
SHA1d71d27e283b26e75e58c0d02f91d91a2e914c959
SHA256db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9
SHA512e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5
-
C:\Users\Admin\AppData\Local\Temp\compile.vbsFilesize
265B
MD5ca906422a558f4bc9e471709f62ec1a9
SHA1e3da070007fdeae52779964df6f71fcb697ffb06
SHA256abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee
SHA512661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b
-
C:\Users\Admin\AppData\Local\Temp\compile.vbsFilesize
265B
MD5ca906422a558f4bc9e471709f62ec1a9
SHA1e3da070007fdeae52779964df6f71fcb697ffb06
SHA256abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee
SHA512661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b
-
C:\Users\Admin\AppData\Local\Temp\configFilesize
108B
MD51ba367d0f9aac0f650e65ab7401776c0
SHA175cf3295125cfaa0c247ebccc57e63f915198683
SHA25668c4ec552c98f3b5a4744e4eefadd6364dc8075c2e718b7bcbfc76625aa60d03
SHA51245ccdf02314fe01948aa2ecddb3b50f68d5b32d8542e3a3aeaf3f2920e2285d3b75ebb81b9eb9fb9e0a446af5a3708720e07672874d5d38871dbdcd09483449c
-
C:\Users\Admin\AppData\Local\Temp\hh.exeFilesize
103KB
MD54d4c98eca32b14aeb074db34cd0881e4
SHA192f213d609bba05d41d6941652a88c44936663a4
SHA2564182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f
SHA512959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf
-
C:\Users\Admin\AppData\Local\Temp\hh.exeFilesize
103KB
MD54d4c98eca32b14aeb074db34cd0881e4
SHA192f213d609bba05d41d6941652a88c44936663a4
SHA2564182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f
SHA512959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf
-
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exeFilesize
391KB
MD5053778713819beab3df309df472787cd
SHA199c7b5827df89b4fafc2b565abed97c58a3c65b8
SHA256f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe
SHA51235a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb
-
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exeFilesize
391KB
MD5053778713819beab3df309df472787cd
SHA199c7b5827df89b4fafc2b565abed97c58a3c65b8
SHA256f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe
SHA51235a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb
-
C:\Users\Admin\AppData\Local\Temp\splwow64.exeFilesize
49KB
MD50d8360781e488e250587a17fbefa646c
SHA129bc9b438efd70defa8fc45a6f8ee524143f6d04
SHA256ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64
SHA512940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e
-
C:\Users\Admin\AppData\Local\Temp\splwow64.exeFilesize
49KB
MD50d8360781e488e250587a17fbefa646c
SHA129bc9b438efd70defa8fc45a6f8ee524143f6d04
SHA256ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64
SHA512940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e
-
C:\Users\Admin\AppData\Local\Temp\tmp485E.tmp.batFilesize
158B
MD57138ffe9a289bd24cbdc717487b398d4
SHA13b9fd096ca153f7d257fdb5a22339236d32f5a00
SHA2565df5895839ed15e15c7a59d6764c2161243b4c8d948ddeb2ba771093db0200c9
SHA5124b805b5b99556c96fc6751456f5976fda96a4658458da82bdda591ed65e308f293ccc6fb4e608b8539a855093cc852a01d83e9626859d4d5a30d19a2aee38bc9
-
C:\Users\Admin\AppData\Local\Temp\winhlp32.exeFilesize
184KB
MD5a776e68f497c996788b406a3dc5089eb
SHA145bf5e512752389fe71f20b64aa344f6ca0cad50
SHA256071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1
SHA51202b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073
-
C:\Users\Admin\AppData\Local\Temp\winhlp32.exeFilesize
184KB
MD5a776e68f497c996788b406a3dc5089eb
SHA145bf5e512752389fe71f20b64aa344f6ca0cad50
SHA256071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1
SHA51202b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073
-
C:\Users\Admin\Desktop\1\1\1\test_dump.exeFilesize
3.9MB
MD5e9f1eb7f00446c69fbcc3b5ed33cb044
SHA1fa47a3e87e0a600ab8e5d04088c0e39fdd99e96f
SHA256997762279d181cedc329754ecc621d10f9fd726738e328f754875aeb0caf5d3c
SHA512c9b3aff32dc53cf871d23775bbffe48f34e0faf58539fdd723a94494a6e5ee729b4d0973a14b3fd1c76f6e5896955f2bb6f924eb288db0711f11319647b37b7b
-
C:\Users\Admin\Desktop\1\1\MetroFramework.Fonts.dllFilesize
656KB
MD565ef4b23060128743cef937a43b82aa3
SHA1cc72536b84384ec8479b9734b947dce885ef5d31
SHA256c843869aaca5135c2d47296985f35c71ca8af4431288d04d481c4e46cc93ee26
SHA512d06690f9aac0c6500aed387f692b3305dfc0708b08fc2f27eaa44b108908ccd8267b07f8fb8608eef5c803039caeabf8f88a18b7e5b1d850f32bbb72bcd3b0b7
-
C:\Users\Admin\Desktop\1\1\MetroFramework.dllFilesize
345KB
MD534ea7f7d66563f724318e322ff08f4db
SHA1d0aa8038a92eb43def2fffbbf4114b02636117c5
SHA256c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49
SHA512dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148
-
C:\Users\Admin\Desktop\1\1\Nemesis.dllFilesize
85KB
MD5cb105d3e5eb5a8f6ecedb6d8f4b757a1
SHA116f7830713eac8874bd04db23bed21c4197613ff
SHA25655db85679a03270f13c82afac7c09d61743b087c7337297ffd77a27d393a5f8e
SHA512d282bbc66eac7102cebf6bdefa1ed44874a3759f234116efb1f9bbaf1eab84f55cbab9b91fe76e64a5b332f5cdcef6658db6626b51a81179d72fc5a650ed9f07
-
C:\Users\Admin\Desktop\1\1\Nemesis.exeFilesize
42KB
MD59635d5391c79b7dd9836211e7782bd95
SHA15b611f7014ec17a2ded672a7c9f9c3cf32ba88cf
SHA256c794abac9761a004f8c2821fa745591d2bd641380fb17d020f6452f0a6b24328
SHA51266ae80c2d89eb8cc865562423f84992d155f8204e19c8b079de4265a1550ad4e857debbb1ef0c32489f0049692a4be649b56291aa2064ab0f312ab5cc373366b
-
C:\Users\Admin\Desktop\1\1\Nemesis.exeFilesize
42KB
MD59635d5391c79b7dd9836211e7782bd95
SHA15b611f7014ec17a2ded672a7c9f9c3cf32ba88cf
SHA256c794abac9761a004f8c2821fa745591d2bd641380fb17d020f6452f0a6b24328
SHA51266ae80c2d89eb8cc865562423f84992d155f8204e19c8b079de4265a1550ad4e857debbb1ef0c32489f0049692a4be649b56291aa2064ab0f312ab5cc373366b
-
C:\Users\Admin\Desktop\1\1\test.exeFilesize
2.6MB
MD53d77e6cec127ee4dfa7350ed7038db9f
SHA1e9daf9e0956bde131f9675adf9c858f145f7b448
SHA256f355620b09bac67c2b77aae7f2db6e3142abb547d63215127091d1288819f5a3
SHA512389d23ef28ffd42dd706c576950465032e203b924e1758e16e145aa5138ce039978f07c69213459f8eb2a8639dac4457eba9cf30a1ab2f0912d615dc7b64e148
-
C:\Users\Admin\Desktop\1\1\test.exeFilesize
2.6MB
MD53d77e6cec127ee4dfa7350ed7038db9f
SHA1e9daf9e0956bde131f9675adf9c858f145f7b448
SHA256f355620b09bac67c2b77aae7f2db6e3142abb547d63215127091d1288819f5a3
SHA512389d23ef28ffd42dd706c576950465032e203b924e1758e16e145aa5138ce039978f07c69213459f8eb2a8639dac4457eba9cf30a1ab2f0912d615dc7b64e148
-
\??\pipe\crashpad_2448_PGJEEEXIGSZCOCZKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\Desktop\1\1\Nemesis.dllFilesize
85KB
MD5cb105d3e5eb5a8f6ecedb6d8f4b757a1
SHA116f7830713eac8874bd04db23bed21c4197613ff
SHA25655db85679a03270f13c82afac7c09d61743b087c7337297ffd77a27d393a5f8e
SHA512d282bbc66eac7102cebf6bdefa1ed44874a3759f234116efb1f9bbaf1eab84f55cbab9b91fe76e64a5b332f5cdcef6658db6626b51a81179d72fc5a650ed9f07
-
memory/196-618-0x0000000000000000-mapping.dmp
-
memory/200-962-0x0000000000000000-mapping.dmp
-
memory/528-404-0x0000000000000000-mapping.dmp
-
memory/532-538-0x0000000000000000-mapping.dmp
-
memory/676-336-0x00000216B1FE0000-0x00000216B245E000-memory.dmpFilesize
4.5MB
-
memory/676-333-0x0000000000000000-mapping.dmp
-
memory/984-684-0x0000000000000000-mapping.dmp
-
memory/1196-265-0x0000000000990000-0x000000000099E000-memory.dmpFilesize
56KB
-
memory/1196-227-0x0000000000000000-mapping.dmp
-
memory/1484-700-0x0000000000000000-mapping.dmp
-
memory/1484-730-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/1484-774-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/1580-472-0x0000000000000000-mapping.dmp
-
memory/1580-768-0x0000000000000000-mapping.dmp
-
memory/1712-399-0x000000001C0A0000-0x000000001C104000-memory.dmpFilesize
400KB
-
memory/1712-305-0x0000000000000000-mapping.dmp
-
memory/1712-309-0x0000000000440000-0x0000000000464000-memory.dmpFilesize
144KB
-
memory/1712-311-0x000000001BEF0000-0x000000001BF66000-memory.dmpFilesize
472KB
-
memory/1712-312-0x00000000024F0000-0x00000000024FC000-memory.dmpFilesize
48KB
-
memory/1712-313-0x000000001B050000-0x000000001B06E000-memory.dmpFilesize
120KB
-
memory/1712-338-0x000000001BFD0000-0x000000001BFE0000-memory.dmpFilesize
64KB
-
memory/1760-314-0x0000000000000000-mapping.dmp
-
memory/1980-455-0x0000000005D10000-0x0000000005D18000-memory.dmpFilesize
32KB
-
memory/1980-417-0x0000000001B40000-0x0000000001B4C000-memory.dmpFilesize
48KB
-
memory/1980-458-0x0000000009FD0000-0x0000000009FD8000-memory.dmpFilesize
32KB
-
memory/1980-422-0x0000000008730000-0x0000000008796000-memory.dmpFilesize
408KB
-
memory/1980-421-0x0000000005BC0000-0x0000000005BCA000-memory.dmpFilesize
40KB
-
memory/1980-423-0x00000000087A0000-0x0000000008842000-memory.dmpFilesize
648KB
-
memory/1980-397-0x0000000005C80000-0x0000000005CF6000-memory.dmpFilesize
472KB
-
memory/1980-392-0x0000000005B00000-0x0000000005BB0000-memory.dmpFilesize
704KB
-
memory/1980-383-0x0000000000E10000-0x000000000128A000-memory.dmpFilesize
4.5MB
-
memory/1980-459-0x0000000009FE0000-0x0000000009FE8000-memory.dmpFilesize
32KB
-
memory/1980-463-0x000000000A1C0000-0x000000000A1DE000-memory.dmpFilesize
120KB
-
memory/1980-339-0x0000000000000000-mapping.dmp
-
memory/1980-416-0x0000000005BE0000-0x0000000005C02000-memory.dmpFilesize
136KB
-
memory/1980-420-0x0000000008680000-0x00000000086BC000-memory.dmpFilesize
240KB
-
memory/1980-419-0x0000000005C10000-0x0000000005C40000-memory.dmpFilesize
192KB
-
memory/1980-456-0x0000000009BF0000-0x0000000009F40000-memory.dmpFilesize
3.3MB
-
memory/1980-418-0x0000000001B70000-0x0000000001B8A000-memory.dmpFilesize
104KB
-
memory/2288-828-0x0000000000000000-mapping.dmp
-
memory/3840-401-0x0000000000000000-mapping.dmp
-
memory/3848-553-0x0000000000000000-mapping.dmp
-
memory/3872-124-0x00000296D8180000-0x00000296D81A2000-memory.dmpFilesize
136KB
-
memory/3872-173-0x00000296F0AE9000-0x00000296F0AEF000-memory.dmpFilesize
24KB
-
memory/3872-310-0x00000296F0AE9000-0x00000296F0AEF000-memory.dmpFilesize
24KB
-
memory/3872-126-0x00000296F28E0000-0x00000296F298A000-memory.dmpFilesize
680KB
-
memory/3872-123-0x00000296D81B0000-0x00000296D820C000-memory.dmpFilesize
368KB
-
memory/3872-121-0x00000296D64A0000-0x00000296D64B0000-memory.dmpFilesize
64KB
-
memory/3872-337-0x00000296F0AE9000-0x00000296F0AEF000-memory.dmpFilesize
24KB
-
memory/3984-400-0x0000000000000000-mapping.dmp
-
memory/3992-893-0x0000000000000000-mapping.dmp
-
memory/4240-970-0x0000000000000000-mapping.dmp
-
memory/4280-159-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-164-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-188-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-207-0x000000000ABF0000-0x000000000AFB0000-memory.dmpFilesize
3.8MB
-
memory/4280-196-0x000000000A6F0000-0x000000000ABEE000-memory.dmpFilesize
5.0MB
-
memory/4280-202-0x000000000A290000-0x000000000A29A000-memory.dmpFilesize
40KB
-
memory/4280-200-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-199-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-198-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-197-0x000000000A2D0000-0x000000000A362000-memory.dmpFilesize
584KB
-
memory/4280-194-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-195-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-193-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-192-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-191-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-190-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-189-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-187-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-186-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-185-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-184-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-183-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-182-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-181-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-180-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-179-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-178-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-177-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-176-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-175-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-174-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-172-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-171-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-168-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-167-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-166-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-165-0x0000000000CB0000-0x00000000010A2000-memory.dmpFilesize
3.9MB
-
memory/4280-212-0x0000000006920000-0x00000000069BC000-memory.dmpFilesize
624KB
-
memory/4280-163-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-162-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-161-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-160-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-158-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-157-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-156-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-155-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-154-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-153-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-152-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-151-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-150-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-149-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-148-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-147-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-146-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-145-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-144-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-143-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-142-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-130-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-131-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-132-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-140-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-141-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-139-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-138-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-133-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-134-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-136-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4280-135-0x0000000077310000-0x000000007749E000-memory.dmpFilesize
1.6MB
-
memory/4320-402-0x0000000000000000-mapping.dmp
-
memory/4348-907-0x0000000000000000-mapping.dmp
-
memory/4536-315-0x0000000000000000-mapping.dmp
-
memory/5072-797-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/5072-733-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/5072-716-0x0000000000000000-mapping.dmp