formbook | 6672b26a03db7ec5d61e90ce7827c422cb6a8a942cc1c77f92f97e263a35d8e5

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2022 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

太太希Jw的 rA.exe
Size

499KB
MD5

73aac8ac5dc4ded42398f9fe2a191c19
SHA1

4f3ed7fa592f4ae4c4462928543dcbd4997f2549
SHA256

6672b26a03db7ec5d61e90ce7827c422cb6a8a942cc1c77f92f97e263a35d8e5
SHA512

cc5459746e50fe49d87f5facbb7ee79c1554697e54df2a615ace177ef0f439d134f188e19f51a1f866486237d3a79fa381d362b7da942dc74e00f675bc3cb58d
SSDEEP

12288:0osBGYb7Hku+M1e02kE15gLXOCYeHcUiK9DRB1R5//+P25wENJYWfaBFyutY4ld2:cBGO7HkwGkE15AXOCYeHcU7

Score

10^/10

formbook xloader v4qp loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

v4qp

Decoy

je1XQKU1LfJPVLk=

nvf41a7FsTLs6uB/g+CR

U7mryF6DctZn6GEjr9Bm4g==

1SONGrPdh7wGEOXp3g==

2xX859r7qOFq7GYkr9Bm4g==

IYtzVUx0Oo0HmZawLQAARDvBf4dL

NH3iuBPNSzZTvpw/4KaG

rDehfiqIPbdMBS8G1g==

xhb2uJ0eBwo7k3djqxh60xoNt4VoeQ==

AFtKux3JgPGRkx3xUsciR6piSg==

m+3VoJadWcBvOAPpzKUNPoAxyplS

1DWKULdka3mxIKhEqGxQr7gxyplS

DGlFGBqWi5CtrCX9alyTuPzq

muvVM4slyTfxORwAZisVksCM78aSEVo=

D3biNgUbyg9E5pl+

/+1QLPssvl/Xxg==

I4lzTjaAcc1iBS8G1g==

wSwc4MmbShojhlZCrniTuPzq

jN5YO6ZXSfJPVLk=

4TUS4+ANuqHCRTM9sniTuPzq

Extracted

Family

xloader

Version

2.9

Campaign

v4qp

Decoy

je1XQKU1LfJPVLk=

nvf41a7FsTLs6uB/g+CR

U7mryF6DctZn6GEjr9Bm4g==

1SONGrPdh7wGEOXp3g==

2xX859r7qOFq7GYkr9Bm4g==

IYtzVUx0Oo0HmZawLQAARDvBf4dL

NH3iuBPNSzZTvpw/4KaG

rDehfiqIPbdMBS8G1g==

xhb2uJ0eBwo7k3djqxh60xoNt4VoeQ==

AFtKux3JgPGRkx3xUsciR6piSg==

m+3VoJadWcBvOAPpzKUNPoAxyplS

1DWKULdka3mxIKhEqGxQr7gxyplS

DGlFGBqWi5CtrCX9alyTuPzq

muvVM4slyTfxORwAZisVksCM78aSEVo=

D3biNgUbyg9E5pl+

/+1QLPssvl/Xxg==

I4lzTjaAcc1iBS8G1g==

wSwc4MmbShojhlZCrniTuPzq

jN5YO6ZXSfJPVLk=

4TUS4+ANuqHCRTM9sniTuPzq

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4300-134-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/4300-136-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/3932-142-0x0000000000A70000-0x0000000000A9C000-memory.dmp	xloader
behavioral2/memory/3932-169-0x0000000000A70000-0x0000000000A9C000-memory.dmp	xloader

Checks computer location settings 2 TTPs 54 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe

Suspicious use of SetThreadContext 56 IoCs

Processes:

太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.execontrol.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe

description	pid	process	target process
PID 3116 set thread context of 4300	3116	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4300 set thread context of 2704	4300	太太希Jw的 rA.exe	Explorer.EXE
PID 4472 set thread context of 4952	4472	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1140 set thread context of 1176	1140	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3932 set thread context of 2704	3932	control.exe	Explorer.EXE
PID 3256 set thread context of 1744	3256	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3712 set thread context of 3640	3712	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2984 set thread context of 4256	2984	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3780 set thread context of 1384	3780	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3840 set thread context of 1092	3840	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 960 set thread context of 1820	960	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3964 set thread context of 3748	3964	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2880 set thread context of 3056	2880	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1480 set thread context of 860	1480	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1180 set thread context of 4084	1180	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2692 set thread context of 1492	2692	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 228 set thread context of 840	228	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4752 set thread context of 3872	4752	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2252 set thread context of 3280	2252	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1628 set thread context of 1140	1628	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3476 set thread context of 4956	3476	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1340 set thread context of 4572	1340	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1824 set thread context of 3560	1824	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2444 set thread context of 3388	2444	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3464 set thread context of 2888	3464	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1512 set thread context of 1624	1512	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3336 set thread context of 4848	3336	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 776 set thread context of 3004	776	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 716 set thread context of 864	716	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3164 set thread context of 1212	3164	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4480 set thread context of 4016	4480	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4568 set thread context of 5112	4568	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2496 set thread context of 1888	2496	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1700 set thread context of 2236	1700	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3532 set thread context of 4424	3532	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3084 set thread context of 760	3084	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2716 set thread context of 4588	2716	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4420 set thread context of 3760	4420	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4920 set thread context of 3516	4920	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 5032 set thread context of 4272	5032	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1328 set thread context of 3912	1328	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4360 set thread context of 2892	4360	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1304 set thread context of 3388	1304	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4124 set thread context of 2888	4124	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1568 set thread context of 1792	1568	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2180 set thread context of 1876	2180	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3244 set thread context of 1688	3244	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2556 set thread context of 3964	2556	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4248 set thread context of 448	4248	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3000 set thread context of 4176	3000	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 888 set thread context of 4052	888	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4080 set thread context of 1600	4080	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3992 set thread context of 2352	3992	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2404 set thread context of 4972	2404	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 916 set thread context of 3116	916	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 772 set thread context of 2520	772	太太希Jw的 rA.exe	太太希Jw的 rA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
3116	太太希Jw的 rA.exe
4300	太太希Jw的 rA.exe
4300	太太希Jw的 rA.exe
4300	太太希Jw的 rA.exe
4300	太太希Jw的 rA.exe
3116	太太希Jw的 rA.exe
3932	control.exe
3932	control.exe
3116	太太希Jw的 rA.exe
3932	control.exe
3932	control.exe
4472	太太希Jw的 rA.exe
4472	太太希Jw的 rA.exe
4472	太太希Jw的 rA.exe
4952	太太希Jw的 rA.exe
4952	太太希Jw的 rA.exe
4472	太太希Jw的 rA.exe
1140	太太希Jw的 rA.exe
1176	太太希Jw的 rA.exe
1176	太太希Jw的 rA.exe
1140	太太希Jw的 rA.exe
3256	太太希Jw的 rA.exe
3256	太太希Jw的 rA.exe
3256	太太希Jw的 rA.exe
1744	太太希Jw的 rA.exe
1744	太太希Jw的 rA.exe
3256	太太希Jw的 rA.exe
3712	太太希Jw的 rA.exe
3640	太太希Jw的 rA.exe
3640	太太希Jw的 rA.exe
3712	太太希Jw的 rA.exe
3932	control.exe
3932	control.exe
2984	太太希Jw的 rA.exe
4256	太太希Jw的 rA.exe
4256	太太希Jw的 rA.exe
2984	太太希Jw的 rA.exe
3780	太太希Jw的 rA.exe
1384	太太希Jw的 rA.exe
1384	太太希Jw的 rA.exe
3932	control.exe
3932	control.exe
3780	太太希Jw的 rA.exe
3840	太太希Jw的 rA.exe
1092	太太希Jw的 rA.exe
1092	太太希Jw的 rA.exe
3840	太太希Jw的 rA.exe
960	太太希Jw的 rA.exe
1820	太太希Jw的 rA.exe
1820	太太希Jw的 rA.exe
3932	control.exe
3932	control.exe
960	太太希Jw的 rA.exe
3964	太太希Jw的 rA.exe
3748	太太希Jw的 rA.exe
3748	太太希Jw的 rA.exe
3964	太太希Jw的 rA.exe
2880	太太希Jw的 rA.exe
2880	太太希Jw的 rA.exe
2880	太太希Jw的 rA.exe
3932	control.exe
3932	control.exe
3056	太太希Jw的 rA.exe
3056	太太希Jw的 rA.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2704 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

太太希Jw的 rA.execontrol.exe

pid process

4300 太太希Jw的 rA.exe
4300 太太希Jw的 rA.exe
4300 太太希Jw的 rA.exe
3932 control.exe
3932 control.exe

pid	process
2704	Explorer.EXE

pid	process
4300	太太希Jw的 rA.exe
4300	太太希Jw的 rA.exe
4300	太太希Jw的 rA.exe
3932	control.exe
3932	control.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

太太希Jw的 rA.exe太太希Jw的 rA.execontrol.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe

description	pid	process
Token: SeDebugPrivilege	3116	太太希Jw的 rA.exe
Token: SeDebugPrivilege	4300	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3932	control.exe
Token: SeDebugPrivilege	4472	太太希Jw的 rA.exe
Token: SeDebugPrivilege	4952	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1140	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1176	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3256	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1744	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3712	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3640	太太希Jw的 rA.exe
Token: SeDebugPrivilege	2984	太太希Jw的 rA.exe
Token: SeDebugPrivilege	4256	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3780	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1384	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3840	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1092	太太希Jw的 rA.exe
Token: SeDebugPrivilege	960	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1820	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3964	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3748	太太希Jw的 rA.exe
Token: SeDebugPrivilege	2880	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3056	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1480	太太希Jw的 rA.exe
Token: SeDebugPrivilege	860	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1180	太太希Jw的 rA.exe
Token: SeDebugPrivilege	4084	太太希Jw的 rA.exe
Token: SeDebugPrivilege	2692	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1492	太太希Jw的 rA.exe
Token: SeDebugPrivilege	228	太太希Jw的 rA.exe
Token: SeDebugPrivilege	840	太太希Jw的 rA.exe
Token: SeDebugPrivilege	4752	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3872	太太希Jw的 rA.exe
Token: SeDebugPrivilege	2252	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3280	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1628	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1140	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3476	太太希Jw的 rA.exe
Token: SeDebugPrivilege	4956	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1340	太太希Jw的 rA.exe
Token: SeDebugPrivilege	4572	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1824	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3560	太太希Jw的 rA.exe
Token: SeDebugPrivilege	2444	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3388	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3464	太太希Jw的 rA.exe
Token: SeDebugPrivilege	2888	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1512	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1624	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3336	太太希Jw的 rA.exe
Token: SeDebugPrivilege	4848	太太希Jw的 rA.exe
Token: SeDebugPrivilege	776	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3004	太太希Jw的 rA.exe
Token: SeDebugPrivilege	716	太太希Jw的 rA.exe
Token: SeDebugPrivilege	864	太太希Jw的 rA.exe
Token: SeDebugPrivilege	3164	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1212	太太希Jw的 rA.exe
Token: SeDebugPrivilege	4480	太太希Jw的 rA.exe
Token: SeDebugPrivilege	4016	太太希Jw的 rA.exe
Token: SeDebugPrivilege	4568	太太希Jw的 rA.exe
Token: SeDebugPrivilege	5112	太太希Jw的 rA.exe
Token: SeDebugPrivilege	2496	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1888	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1700	太太希Jw的 rA.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

太太希Jw的 rA.exeExplorer.EXEcontrol.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe

description	pid	process	target process
PID 3116 wrote to memory of 4300	3116	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3116 wrote to memory of 4300	3116	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3116 wrote to memory of 4300	3116	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3116 wrote to memory of 4300	3116	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3116 wrote to memory of 4300	3116	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3116 wrote to memory of 4300	3116	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2704 wrote to memory of 3932	2704	Explorer.EXE	control.exe
PID 2704 wrote to memory of 3932	2704	Explorer.EXE	control.exe
PID 2704 wrote to memory of 3932	2704	Explorer.EXE	control.exe
PID 3932 wrote to memory of 116	3932	control.exe	cmd.exe
PID 3932 wrote to memory of 116	3932	control.exe	cmd.exe
PID 3932 wrote to memory of 116	3932	control.exe	cmd.exe
PID 3116 wrote to memory of 4472	3116	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3116 wrote to memory of 4472	3116	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3116 wrote to memory of 4472	3116	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4472 wrote to memory of 1396	4472	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4472 wrote to memory of 1396	4472	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4472 wrote to memory of 1396	4472	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4472 wrote to memory of 4952	4472	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4472 wrote to memory of 4952	4472	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4472 wrote to memory of 4952	4472	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4472 wrote to memory of 4952	4472	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4472 wrote to memory of 4952	4472	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4472 wrote to memory of 4952	4472	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4472 wrote to memory of 1140	4472	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4472 wrote to memory of 1140	4472	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 4472 wrote to memory of 1140	4472	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1140 wrote to memory of 1176	1140	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1140 wrote to memory of 1176	1140	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1140 wrote to memory of 1176	1140	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1140 wrote to memory of 1176	1140	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1140 wrote to memory of 1176	1140	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1140 wrote to memory of 1176	1140	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1140 wrote to memory of 3256	1140	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1140 wrote to memory of 3256	1140	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1140 wrote to memory of 3256	1140	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3256 wrote to memory of 5036	3256	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3256 wrote to memory of 5036	3256	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3256 wrote to memory of 5036	3256	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3256 wrote to memory of 1744	3256	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3256 wrote to memory of 1744	3256	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3256 wrote to memory of 1744	3256	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3256 wrote to memory of 1744	3256	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3256 wrote to memory of 1744	3256	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3256 wrote to memory of 1744	3256	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3256 wrote to memory of 3712	3256	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3256 wrote to memory of 3712	3256	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3256 wrote to memory of 3712	3256	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3712 wrote to memory of 3640	3712	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3712 wrote to memory of 3640	3712	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3712 wrote to memory of 3640	3712	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3712 wrote to memory of 3640	3712	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3712 wrote to memory of 3640	3712	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3712 wrote to memory of 3640	3712	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3712 wrote to memory of 2984	3712	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3712 wrote to memory of 2984	3712	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 3712 wrote to memory of 2984	3712	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2984 wrote to memory of 4256	2984	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2984 wrote to memory of 4256	2984	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2984 wrote to memory of 4256	2984	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2984 wrote to memory of 4256	2984	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2984 wrote to memory of 4256	2984	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2984 wrote to memory of 4256	2984	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 2984 wrote to memory of 3780	2984	太太希Jw的 rA.exe	太太希Jw的 rA.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
4⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
4⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
5⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
6⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
6⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
7⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
8⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
9⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
10⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
11⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
12⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
13⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
13⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
14⤵
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
14⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
15⤵
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
15⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
16⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
16⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
17⤵
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
17⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
18⤵
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
18⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
19⤵
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
19⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
20⤵
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
20⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
21⤵
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
21⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
22⤵
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
22⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
23⤵
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
23⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
24⤵
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
24⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
25⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
25⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
26⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
26⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
26⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
27⤵
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
27⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
28⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
28⤵
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
28⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
29⤵
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
29⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
30⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
30⤵
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
30⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
31⤵
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
31⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
32⤵
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
32⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
33⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
33⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
34⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
34⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:3532

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
35⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
35⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:3084

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
36⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
36⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:2716

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
37⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
37⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4420

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
38⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
38⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4920

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
39⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
39⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:5032

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
40⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
40⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1328

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
41⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
41⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4360

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
42⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
42⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1304

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
43⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
43⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4124

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
44⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
44⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
44⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1568

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
45⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
45⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:2180

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
46⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
46⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:3244

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
47⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
47⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:2556

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
48⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
48⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4248

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
49⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
49⤵
PID:716

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
49⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
49⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
49⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:3000

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
50⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
50⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:888

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
51⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
51⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4080

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
52⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
52⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:3992

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
53⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
53⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:2404

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
54⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
54⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:916

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
55⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
55⤵
- Suspicious use of SetThreadContext
PID:772

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
56⤵
PID:2520

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
3⤵
PID:116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\太太希Jw的 rA.exe.log
Filesize
224B

MD5
9c4b66f77f12558c48b620ddfb44029d

SHA1
446651db643b943ec37b9b3599655e211a4bc73e

SHA256
42f723d18283fda6a0904046cc29ee8d10e562d20c7615259a46ae9c0e4c9708

SHA512
983aed0ec15a79b716ac6dc080146e4ed098c117c31167053fb5971649dc621d1db5292fdd76f3010f094b75d57ea0bdb35bc829c6ba37e4d276b266361dee8e

Download Submit
memory/116-143-0x0000000000000000-mapping.dmp

Download
memory/228-231-0x0000000000000000-mapping.dmp

Download
memory/228-238-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/228-235-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/716-305-0x0000000000000000-mapping.dmp

Download
memory/776-298-0x0000000000000000-mapping.dmp

Download
memory/840-236-0x0000000001040000-0x000000000138A000-memory.dmp

Filesize
3.3MB

Download
memory/840-233-0x0000000000000000-mapping.dmp

Download
memory/860-216-0x0000000000000000-mapping.dmp

Download
memory/860-218-0x00000000010B0000-0x00000000013FA000-memory.dmp

Filesize
3.3MB

Download
memory/864-307-0x0000000000000000-mapping.dmp

Download
memory/960-201-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/960-198-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/960-194-0x0000000000000000-mapping.dmp

Download
memory/1092-193-0x00000000017E0000-0x0000000001B2A000-memory.dmp

Filesize
3.3MB

Download
memory/1092-191-0x0000000000000000-mapping.dmp

Download
memory/1140-157-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/1140-251-0x0000000000000000-mapping.dmp

Download
memory/1140-152-0x0000000000000000-mapping.dmp

Download
memory/1140-254-0x0000000001960000-0x0000000001CAA000-memory.dmp

Filesize
3.3MB

Download
memory/1140-162-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/1176-155-0x0000000000000000-mapping.dmp

Download
memory/1176-158-0x0000000001680000-0x00000000019CA000-memory.dmp

Filesize
3.3MB

Download
memory/1180-226-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/1180-219-0x0000000000000000-mapping.dmp

Download
memory/1180-223-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/1212-315-0x0000000000000000-mapping.dmp

Download
memory/1224-209-0x0000000000000000-mapping.dmp

Download
memory/1340-261-0x0000000000000000-mapping.dmp

Download
memory/1384-183-0x0000000000000000-mapping.dmp

Download
memory/1384-186-0x0000000000F30000-0x000000000127A000-memory.dmp

Filesize
3.3MB

Download
memory/1396-147-0x0000000000000000-mapping.dmp

Download
memory/1480-213-0x0000000000000000-mapping.dmp

Download
memory/1480-220-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/1480-215-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/1492-229-0x00000000010A0000-0x00000000013EA000-memory.dmp

Filesize
3.3MB

Download
memory/1492-227-0x0000000000000000-mapping.dmp

Download
memory/1512-285-0x0000000000000000-mapping.dmp

Download
memory/1624-288-0x0000000000000000-mapping.dmp

Download
memory/1628-249-0x0000000000000000-mapping.dmp

Download
memory/1628-256-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/1628-253-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/1744-164-0x0000000000000000-mapping.dmp

Download
memory/1744-167-0x0000000001900000-0x0000000001C4A000-memory.dmp

Filesize
3.3MB

Download
memory/1820-199-0x0000000000E90000-0x00000000011DA000-memory.dmp

Filesize
3.3MB

Download
memory/1820-196-0x0000000000000000-mapping.dmp

Download
memory/1824-267-0x0000000000000000-mapping.dmp

Download
memory/2252-245-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/2252-250-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/2252-243-0x0000000000000000-mapping.dmp

Download
memory/2444-273-0x0000000000000000-mapping.dmp

Download
memory/2692-232-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/2692-225-0x0000000000000000-mapping.dmp

Download
memory/2692-230-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/2704-161-0x0000000007990000-0x0000000007B05000-memory.dmp

Filesize
1.5MB

Download
memory/2704-139-0x0000000002950000-0x0000000002A37000-memory.dmp

Filesize
924KB

Download
memory/2704-187-0x0000000007990000-0x0000000007B05000-memory.dmp

Filesize
1.5MB

Download
memory/2880-214-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/2880-206-0x0000000000000000-mapping.dmp

Download
memory/2880-208-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/2888-282-0x0000000000000000-mapping.dmp

Download
memory/2984-175-0x0000000000000000-mapping.dmp

Download
memory/2984-182-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/2984-179-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/3004-301-0x0000000000000000-mapping.dmp

Download
memory/3012-300-0x0000000000000000-mapping.dmp

Download
memory/3056-210-0x0000000000000000-mapping.dmp

Download
memory/3056-212-0x0000000001830000-0x0000000001B7A000-memory.dmp

Filesize
3.3MB

Download
memory/3116-146-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/3116-132-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/3164-311-0x0000000000000000-mapping.dmp

Download
memory/3256-170-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/3256-159-0x0000000000000000-mapping.dmp

Download
memory/3256-166-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/3280-246-0x0000000000000000-mapping.dmp

Download
memory/3280-248-0x00000000017D0000-0x0000000001B1A000-memory.dmp

Filesize
3.3MB

Download
memory/3336-292-0x0000000000000000-mapping.dmp

Download
memory/3388-275-0x0000000000000000-mapping.dmp

Download
memory/3464-279-0x0000000000000000-mapping.dmp

Download
memory/3476-255-0x0000000000000000-mapping.dmp

Download
memory/3560-269-0x0000000000000000-mapping.dmp

Download
memory/3640-174-0x0000000001310000-0x000000000165A000-memory.dmp

Filesize
3.3MB

Download
memory/3640-171-0x0000000000000000-mapping.dmp

Download
memory/3712-168-0x0000000000000000-mapping.dmp

Download
memory/3712-173-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/3712-176-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/3748-205-0x00000000015D0000-0x000000000191A000-memory.dmp

Filesize
3.3MB

Download
memory/3748-203-0x0000000000000000-mapping.dmp

Download
memory/3780-181-0x0000000000000000-mapping.dmp

Download
memory/3780-185-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/3780-189-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/3840-195-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/3840-188-0x0000000000000000-mapping.dmp

Download
memory/3840-190-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/3872-239-0x0000000000000000-mapping.dmp

Download
memory/3872-242-0x00000000012E0000-0x000000000162A000-memory.dmp

Filesize
3.3MB

Download
memory/3932-140-0x0000000000000000-mapping.dmp

Download
memory/3932-142-0x0000000000A70000-0x0000000000A9C000-memory.dmp

Filesize
176KB

Download
memory/3932-169-0x0000000000A70000-0x0000000000A9C000-memory.dmp

Filesize
176KB

Download
memory/3932-141-0x0000000000A30000-0x0000000000A57000-memory.dmp

Filesize
156KB

Download
memory/3932-144-0x0000000002BD0000-0x0000000002F1A000-memory.dmp

Filesize
3.3MB

Download
memory/3932-160-0x0000000002970000-0x0000000002A00000-memory.dmp

Filesize
576KB

Download
memory/3964-200-0x0000000000000000-mapping.dmp

Download
memory/3964-202-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/3964-207-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/4084-224-0x0000000001280000-0x00000000015CA000-memory.dmp

Filesize
3.3MB

Download
memory/4084-221-0x0000000000000000-mapping.dmp

Download
memory/4256-180-0x0000000001270000-0x00000000015BA000-memory.dmp

Filesize
3.3MB

Download
memory/4256-177-0x0000000000000000-mapping.dmp

Download
memory/4300-136-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4300-134-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4300-137-0x0000000001170000-0x00000000014BA000-memory.dmp

Filesize
3.3MB

Download
memory/4300-138-0x0000000001010000-0x0000000001021000-memory.dmp

Filesize
68KB

Download
memory/4300-133-0x0000000000000000-mapping.dmp

Download
memory/4472-154-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/4472-149-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/4472-145-0x0000000000000000-mapping.dmp

Download
memory/4480-318-0x0000000000000000-mapping.dmp

Download
memory/4572-263-0x0000000000000000-mapping.dmp

Download
memory/4712-287-0x0000000000000000-mapping.dmp

Download
memory/4752-244-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/4752-241-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/4752-237-0x0000000000000000-mapping.dmp

Download
memory/4848-294-0x0000000000000000-mapping.dmp

Download
memory/4952-148-0x0000000000000000-mapping.dmp

Download
memory/4952-151-0x00000000010B0000-0x00000000013FA000-memory.dmp

Filesize
3.3MB

Download
memory/4956-258-0x0000000000000000-mapping.dmp

Download
memory/5036-163-0x0000000000000000-mapping.dmp

Download
memory/5052-314-0x0000000000000000-mapping.dmp

Download