Analysis
-
max time kernel
38s -
max time network
90s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
29-09-2022 12:38
General
-
Target
Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe
-
Size
149KB
-
MD5
e8583ee36603531bcf5001346c7474a7
-
SHA1
4a740bc0de76cf7597d001f5cb659b220de6dccd
-
SHA256
792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738
-
SHA512
fb813d434cea07aea28bf52834a125a8bd46ae7f34034a96793785c1d8cda3adc3c811af98dc6a1337a1bc6b73397d177c29d1c9ff282f29415b616b236c7e13
-
SSDEEP
3072:p+OvuAoccS2sTQMMBXZ+YSuwydCcGmDceCd4aMc9KDouBIOQ:p+OvujS2sTFOXZ+YKmADd4alwJN
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
mimikatz is an open source tool to dump credentials on Windows 2 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE 24 IoCs
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 11 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 27 IoCs
-
Drops file in Windows directory 15 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 7 IoCs
-
NSIS installer 4 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 2 IoCs
-
Modifies Control Panel 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 6 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 9 IoCs
-
Runs net.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 37 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\net.exenet stop wscsvc3⤵
-
C:\Windows\SysWOW64\net.exenet stop winmgmt /y3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\net.exenet start wscsvc3⤵
-
C:\Windows\SysWOW64\Wbem\mofcomp.exemofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof3⤵
-
C:\Windows\SysWOW64\net.exenet start winmgmt3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 153⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal5⤵
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 880466745 && exit"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 880466745 && exit"5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:56:004⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:56:005⤵
- Creates scheduled task(s)
-
C:\Windows\F477.tmp"C:\Windows\F477.tmp" \\.\pipe\{6585464F-839D-47B2-B7BD-756B959F407A}4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM explorer.exe3⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on3⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset3⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 5843⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\rCAEUsck\vUkoMAkg.exe"C:\Users\Admin\rCAEUsck\vUkoMAkg.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\taskkill.exetaskkill /FI "USERNAME eq Admin" /F /IM jScUEcko.exe4⤵
- Kills process with taskkill
-
C:\ProgramData\TygIoQoY\jScUEcko.exe"C:\ProgramData\TygIoQoY\jScUEcko.exe"4⤵
-
C:\ProgramData\TygIoQoY\jScUEcko.exe"C:\ProgramData\TygIoQoY\jScUEcko.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAIgYkAE.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""3⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exeC:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom4⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"5⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exeC:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom6⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcAcgMko.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exe""5⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exe"2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\is-U44IH.tmp\is-M3VKK.tmp"C:\Users\Admin\AppData\Local\Temp\is-U44IH.tmp\is-M3VKK.tmp" /SL4 $20168 "C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exe" 779923 558083⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exeC:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 7124⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefender.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefender.exe"2⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\ProgramData\0a51d5ab-9f5b-4d21-8b20-abb07c2ea2ba_31.avi", start3⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\wrk34FC.tmp", start install worker3⤵
- Checks computer location settings
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefener2015.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityDefener2015.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 4923⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityScanner.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityScanner.exe"2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend3⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Roaming\qfubqe.exeC:\Users\Admin\AppData\Roaming\qfubqe.exe3⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SmartDefragmenter.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@SmartDefragmenter.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@VAV2008.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Xyeta.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6036 -s 4483⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exe"2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeattrib +h .3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 4403⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exeC:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock4⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaEMscow.bat" "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock.exe""3⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Fantom.exe"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3632 -s 7883⤵
- Program crash
-
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECD6.tmp\302746537.bat" "1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s c:\windows\comctl32.ocx2⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s c:\windows\mscomctl.ocx2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +h c:\windows\antivirus-platinum.exe2⤵
- Views/modifies file attributes
-
\??\c:\windows\antivirus-platinum.exec:\windows\antivirus-platinum.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2544 -ip 25441⤵
-
C:\WINDOWS\302746537.exe"C:\WINDOWS\302746537.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exe"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5708 -ip 57081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6036 -ip 60361⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 416 -p 3632 -ip 36321⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 3664 -ip 36641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5676 -ip 56761⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3664 -s 15441⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5980 -ip 59801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3960 -ip 39601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5676 -ip 56761⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 636 -p 2812 -ip 28121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5676 -ip 56761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2828 -ip 28281⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Winlogon Helper DLL
2Modify Existing Service
2Registry Run Keys / Startup Folder
1Bootkit
1Scheduled Task
1Hidden Files and Directories
1Defense Evasion
Modify Registry
7Impair Defenses
1File Permissions Modification
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exeFilesize
911KB
MD52e6360eeebcafd207ad6f4cfc81afdb3
SHA16d85d48c8c809ad0ee5f7b1b20ef79e871466072
SHA2563a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b
SHA51236e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4
-
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exeFilesize
911KB
MD52e6360eeebcafd207ad6f4cfc81afdb3
SHA16d85d48c8c809ad0ee5f7b1b20ef79e871466072
SHA2563a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b
SHA51236e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4
-
C:\Program Files (x86)\antiviruspc2009\avpc2009.exeFilesize
9.0MB
MD5c18a7323332b3292a8e0f1c81df65698
SHA1bcb8f34cbe0137e888d06acbcb6508417851a087
SHA2569c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8
SHA5124d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad
-
C:\Program Files (x86)\antiviruspc2009\avpc2009.exeFilesize
9.0MB
MD5c18a7323332b3292a8e0f1c81df65698
SHA1bcb8f34cbe0137e888d06acbcb6508417851a087
SHA2569c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8
SHA5124d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad
-
C:\Program Files (x86)\antiviruspc2009\bzip2.dllFilesize
67KB
MD54143d4973e0f5a5180e114bdd868d4d2
SHA1b47fd2cf9db0f37c04e4425085fb953cbce81478
SHA256da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76
SHA512e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc
-
C:\Program Files (x86)\antiviruspc2009\bzip2.dllFilesize
67KB
MD54143d4973e0f5a5180e114bdd868d4d2
SHA1b47fd2cf9db0f37c04e4425085fb953cbce81478
SHA256da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76
SHA512e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc
-
C:\Program Files (x86)\antiviruspc2009\libltdl3.dllFilesize
34KB
MD500a71b4afda8033235432b1c433fecc7
SHA1d7b0c218aa8fec1c60ada26a09d9e0d9601985ca
SHA256f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd
SHA51296635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a
-
C:\Program Files (x86)\antiviruspc2009\libltdl3.dllFilesize
34KB
MD500a71b4afda8033235432b1c433fecc7
SHA1d7b0c218aa8fec1c60ada26a09d9e0d9601985ca
SHA256f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd
SHA51296635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a
-
C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dllFilesize
84KB
MD50ab7d0e87f3843f8104b3670f5a9af62
SHA110c09a12e318f0fbebf70c4c42ad6ee31d9df2e5
SHA2568aecab563b3c629e8f9dcd525dc2d6b1903f6c600637e63b1efe05e3c64d757b
SHA512e08e17167edf461c0fca1e8b649c0c395793e80f5400f5cbb7d7906d0c99e955fcf6be2300db8663d413c4b3ffb075112a6ce5bf259553c0fd3d76200ee0d375
-
C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dllFilesize
84KB
MD50ab7d0e87f3843f8104b3670f5a9af62
SHA110c09a12e318f0fbebf70c4c42ad6ee31d9df2e5
SHA2568aecab563b3c629e8f9dcd525dc2d6b1903f6c600637e63b1efe05e3c64d757b
SHA512e08e17167edf461c0fca1e8b649c0c395793e80f5400f5cbb7d7906d0c99e955fcf6be2300db8663d413c4b3ffb075112a6ce5bf259553c0fd3d76200ee0d375
-
C:\ProgramData\TygIoQoY\jScUEcko.exeFilesize
188KB
MD5f1b057a38c69267744b4901859f61a11
SHA17a828b0713427b035bdf9e136e93a62a6129e42d
SHA2562564db7de86b34d80a9937c9349493b8936012e03ade6a3deb97be919354ffd4
SHA512f70bdf1a6545d96267c44619f23fe8531d8f8e61c086c2742a827ffaef5aca25255d0193918cf67cf830ac1f14eab13e2ac7f6cde81430bd8af71a1a6e0b0d6f
-
C:\ProgramData\TygIoQoY\jScUEcko.exeFilesize
188KB
MD5f1b057a38c69267744b4901859f61a11
SHA17a828b0713427b035bdf9e136e93a62a6129e42d
SHA2562564db7de86b34d80a9937c9349493b8936012e03ade6a3deb97be919354ffd4
SHA512f70bdf1a6545d96267c44619f23fe8531d8f8e61c086c2742a827ffaef5aca25255d0193918cf67cf830ac1f14eab13e2ac7f6cde81430bd8af71a1a6e0b0d6f
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exeFilesize
168KB
MD587e4959fefec297ebbf42de79b5c88f6
SHA1eba50d6b266b527025cd624003799bdda9a6bc86
SHA2564f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exeFilesize
168KB
MD587e4959fefec297ebbf42de79b5c88f6
SHA1eba50d6b266b527025cd624003799bdda9a6bc86
SHA2564f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exeFilesize
1.2MB
MD5910dd666c83efd3496f21f9f211cdc1f
SHA177cd736ee1697beda0ac65da24455ec566ba7440
SHA25606effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
SHA512467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exeFilesize
1.2MB
MD5910dd666c83efd3496f21f9f211cdc1f
SHA177cd736ee1697beda0ac65da24455ec566ba7440
SHA25606effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
SHA512467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exeFilesize
2.0MB
MD5c7e9746b1b039b8bd1106bca3038c38f
SHA1cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exeFilesize
2.0MB
MD5c7e9746b1b039b8bd1106bca3038c38f
SHA1cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exeFilesize
739KB
MD5382430dd7eae8945921b7feab37ed36b
SHA1c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA25670e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA51226abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exeFilesize
739KB
MD5382430dd7eae8945921b7feab37ed36b
SHA1c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA25670e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA51226abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exeFilesize
816KB
MD57dfbfba1e4e64a946cb096bfc937fbad
SHA19180d2ce387314cd4a794d148ea6b14084c61e1b
SHA256312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
SHA512f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exeFilesize
816KB
MD57dfbfba1e4e64a946cb096bfc937fbad
SHA19180d2ce387314cd4a794d148ea6b14084c61e1b
SHA256312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
SHA512f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exeFilesize
431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@BadRabbit.exeFilesize
431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exeFilesize
116KB
MD541789c704a0eecfdd0048b4b4193e752
SHA1fb1e8385691fa3293b7cbfb9b2656cf09f20e722
SHA256b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
SHA51276391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exeFilesize
313KB
MD5fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exeFilesize
313KB
MD5fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exeFilesize
484KB
MD50a7b70efba0aa93d4bc0857b87ac2fcb
SHA101a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA2564f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA5122033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@DeriaLock.exeFilesize
484KB
MD50a7b70efba0aa93d4bc0857b87ac2fcb
SHA101a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA2564f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA5122033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exeFilesize
190KB
MD5248aadd395ffa7ffb1670392a9398454
SHA1c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
SHA25651290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
SHA512582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@FakeAdwCleaner.exeFilesize
190KB
MD5248aadd395ffa7ffb1670392a9398454
SHA1c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
SHA25651290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
SHA512582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exeFilesize
1.9MB
MD5cb02c0438f3f4ddabce36f8a26b0b961
SHA148c4fcb17e93b74030415996c0ec5c57b830ea53
SHA25664677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
SHA512373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@HappyAntivirus.exeFilesize
1.9MB
MD5cb02c0438f3f4ddabce36f8a26b0b961
SHA148c4fcb17e93b74030415996c0ec5c57b830ea53
SHA25664677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
SHA512373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exeFilesize
211KB
MD5b805db8f6a84475ef76b795b0d1ed6ae
SHA17711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA51262a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exeFilesize
211KB
MD5b805db8f6a84475ef76b795b0d1ed6ae
SHA17711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA51262a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exeFilesize
53KB
MD587ccd6f4ec0e6b706d65550f90b0e3c7
SHA1213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Krotten.exeFilesize
53KB
MD587ccd6f4ec0e6b706d65550f90b0e3c7
SHA1213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exeFilesize
1.1MB
MD52eb3ce80b26345bd139f7378330b19c1
SHA110122bd8dd749e20c132d108d176794f140242b0
SHA2568abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
SHA512e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@LPS2019.exeFilesize
1.1MB
MD52eb3ce80b26345bd139f7378330b19c1
SHA110122bd8dd749e20c132d108d176794f140242b0
SHA2568abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
SHA512e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exeFilesize
414KB
MD5d0deb2644c9435ea701e88537787ea6e
SHA1866e47ecd80da89c4f56557659027a3aee897132
SHA256ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
SHA5126faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Movie.mpeg.exeFilesize
414KB
MD5d0deb2644c9435ea701e88537787ea6e
SHA1866e47ecd80da89c4f56557659027a3aee897132
SHA256ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
SHA5126faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exeFilesize
1.4MB
MD563210f8f1dde6c40a7f3643ccf0ff313
SHA157edd72391d710d71bead504d44389d0462ccec9
SHA2562aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA51287a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exeFilesize
1.4MB
MD563210f8f1dde6c40a7f3643ccf0ff313
SHA157edd72391d710d71bead504d44389d0462ccec9
SHA2562aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA51287a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exeFilesize
878KB
MD5e4d4a59494265949993e26dee7b077d1
SHA183e3d0c7e544117d6054e7d55932a7d2dbaf1163
SHA2565ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
SHA512efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exeFilesize
878KB
MD5e4d4a59494265949993e26dee7b077d1
SHA183e3d0c7e544117d6054e7d55932a7d2dbaf1163
SHA2565ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
SHA512efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Petya.A.exeFilesize
225KB
MD5af2379cc4d607a45ac44d62135fb7015
SHA139b6d40906c7f7f080e6befa93324dddadcbd9fa
SHA25626b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
SHA51269899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exeFilesize
220KB
MD53ed3fb296a477156bc51aba43d825fc0
SHA19caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA2561898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exeFilesize
220KB
MD53ed3fb296a477156bc51aba43d825fc0
SHA19caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA2561898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom.exeFilesize
220KB
MD53ed3fb296a477156bc51aba43d825fc0
SHA19caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA2561898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exeFilesize
1.0MB
MD50002dddba512e20c3f82aaab8bad8b4d
SHA1493286b108822ba636cc0e53b8259e4f06ecf900
SHA2562d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7
SHA512497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@RegistrySmart.exeFilesize
1.0MB
MD50002dddba512e20c3f82aaab8bad8b4d
SHA1493286b108822ba636cc0e53b8259e4f06ecf900
SHA2562d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7
SHA512497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exeFilesize
2.4MB
MD502f471d1fefbdc07af5555dbfd6ea918
SHA12a8f93dd21628933de8bea4a9abc00dbb215df0b
SHA25636619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba
SHA512287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SE2011.exeFilesize
2.4MB
MD502f471d1fefbdc07af5555dbfd6ea918
SHA12a8f93dd21628933de8bea4a9abc00dbb215df0b
SHA25636619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba
SHA512287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@SecurityCentral.exeFilesize
904KB
MD50315c3149c7dc1d865dc5a89043d870d
SHA1f74546dda99891ca688416b1a61c9637b3794108
SHA25690c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9
SHA5127168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112
-
C:\Users\Admin\rCAEUsck\vUkoMAkg.exeFilesize
191KB
MD57090b2738e7f8b0e9e8a1c144c83b26c
SHA16448095a8217136c04978d9d97b2ff2204dda3e5
SHA256b8a197eb2ed3fe9e8b3a85d0566c4e0c4132c75a8e0822448b523fbc8fd51862
SHA51243762dcbe29c4e782665439613da5ae52943e5d814d09824feea2fdbafb5b0bc94628162751eb75cd4fef68757c2c9b0190b39dc1a884335ad864ee172cbcdcb
-
C:\Users\Admin\rCAEUsck\vUkoMAkg.exeFilesize
191KB
MD57090b2738e7f8b0e9e8a1c144c83b26c
SHA16448095a8217136c04978d9d97b2ff2204dda3e5
SHA256b8a197eb2ed3fe9e8b3a85d0566c4e0c4132c75a8e0822448b523fbc8fd51862
SHA51243762dcbe29c4e782665439613da5ae52943e5d814d09824feea2fdbafb5b0bc94628162751eb75cd4fef68757c2c9b0190b39dc1a884335ad864ee172cbcdcb
-
C:\WINDOWS\302746537.exeFilesize
22KB
MD58703ff2e53c6fd3bc91294ef9204baca
SHA13dbb8f7f5dfe6b235486ab867a2844b1c2143733
SHA2563028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035
SHA512d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204
-
C:\Windows\302746537.exeFilesize
22KB
MD58703ff2e53c6fd3bc91294ef9204baca
SHA13dbb8f7f5dfe6b235486ab867a2844b1c2143733
SHA2563028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035
SHA512d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204
-
C:\Windows\F477.tmpFilesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
C:\Windows\F477.tmpFilesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
C:\Windows\infpub.datFilesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
C:\Windows\infpub.datFilesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
memory/400-248-0x0000000000000000-mapping.dmp
-
memory/628-211-0x0000000000000000-mapping.dmp
-
memory/736-156-0x0000000000000000-mapping.dmp
-
memory/1016-205-0x0000000000000000-mapping.dmp
-
memory/1120-333-0x00000000023B0000-0x0000000002410000-memory.dmpFilesize
384KB
-
memory/1120-325-0x0000000000400000-0x0000000000843000-memory.dmpFilesize
4.3MB
-
memory/1168-260-0x0000000000000000-mapping.dmp
-
memory/1168-315-0x00007FF888EF0000-0x00007FF889926000-memory.dmpFilesize
10.2MB
-
memory/1288-135-0x0000000000000000-mapping.dmp
-
memory/1296-242-0x0000000000000000-mapping.dmp
-
memory/1308-253-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/1308-238-0x0000000000000000-mapping.dmp
-
memory/1388-210-0x0000000000000000-mapping.dmp
-
memory/1464-147-0x0000000000000000-mapping.dmp
-
memory/1504-196-0x0000000004900000-0x000000000490A000-memory.dmpFilesize
40KB
-
memory/1504-171-0x0000000000030000-0x00000000000B2000-memory.dmpFilesize
520KB
-
memory/1504-172-0x0000000004930000-0x00000000049CC000-memory.dmpFilesize
624KB
-
memory/1504-153-0x0000000000000000-mapping.dmp
-
memory/1504-177-0x0000000004FB0000-0x0000000005554000-memory.dmpFilesize
5.6MB
-
memory/1504-181-0x0000000004AA0000-0x0000000004B32000-memory.dmpFilesize
584KB
-
memory/1672-348-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1856-208-0x00000000010F0000-0x0000000001158000-memory.dmpFilesize
416KB
-
memory/1856-175-0x0000000000000000-mapping.dmp
-
memory/1856-195-0x00000000010F0000-0x0000000001158000-memory.dmpFilesize
416KB
-
memory/1868-216-0x0000000000000000-mapping.dmp
-
memory/1868-341-0x00007FF883FC0000-0x00007FF884A81000-memory.dmpFilesize
10.8MB
-
memory/1868-247-0x00007FF883FC0000-0x00007FF884A81000-memory.dmpFilesize
10.8MB
-
memory/1868-237-0x0000000000780000-0x00000000007AE000-memory.dmpFilesize
184KB
-
memory/1912-310-0x0000000000000000-mapping.dmp
-
memory/1928-192-0x0000000000000000-mapping.dmp
-
memory/2040-187-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2040-336-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2040-149-0x0000000000000000-mapping.dmp
-
memory/2040-162-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2040-161-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2040-166-0x0000000000550000-0x0000000000556000-memory.dmpFilesize
24KB
-
memory/2520-144-0x0000000000000000-mapping.dmp
-
memory/2544-193-0x0000000000000000-mapping.dmp
-
memory/2576-219-0x0000000000000000-mapping.dmp
-
memory/2828-323-0x0000000000400000-0x0000000000A35000-memory.dmpFilesize
6.2MB
-
memory/2828-331-0x0000000000400000-0x0000000000A35000-memory.dmpFilesize
6.2MB
-
memory/2828-330-0x0000000000400000-0x0000000000A35000-memory.dmpFilesize
6.2MB
-
memory/2828-335-0x0000000000400000-0x0000000000A35000-memory.dmpFilesize
6.2MB
-
memory/3076-255-0x0000000000000000-mapping.dmp
-
memory/3100-251-0x0000000000000000-mapping.dmp
-
memory/3128-176-0x00000000002E0000-0x00000000004D2000-memory.dmpFilesize
1.9MB
-
memory/3128-165-0x0000000000000000-mapping.dmp
-
memory/3600-137-0x0000000000000000-mapping.dmp
-
memory/3632-332-0x00007FF883FC0000-0x00007FF884A81000-memory.dmpFilesize
10.8MB
-
memory/3744-334-0x0000000000400000-0x000000000054F000-memory.dmpFilesize
1.3MB
-
memory/3744-342-0x00000000027B0000-0x0000000002809000-memory.dmpFilesize
356KB
-
memory/3744-343-0x0000000010000000-0x0000000010126000-memory.dmpFilesize
1.1MB
-
memory/3856-180-0x0000000000000000-mapping.dmp
-
memory/4024-246-0x0000000000000000-mapping.dmp
-
memory/4048-307-0x0000000000000000-mapping.dmp
-
memory/4068-308-0x0000000000000000-mapping.dmp
-
memory/4184-185-0x0000000000000000-mapping.dmp
-
memory/4188-256-0x0000000000000000-mapping.dmp
-
memory/4276-157-0x0000000000400000-0x0000000000A06000-memory.dmpFilesize
6.0MB
-
memory/4276-139-0x0000000000000000-mapping.dmp
-
memory/4276-191-0x0000000000400000-0x0000000000A06000-memory.dmpFilesize
6.0MB
-
memory/4276-152-0x0000000000400000-0x0000000000A06000-memory.dmpFilesize
6.0MB
-
memory/4276-339-0x0000000000400000-0x0000000000A06000-memory.dmpFilesize
6.0MB
-
memory/4368-258-0x0000000000000000-mapping.dmp
-
memory/4380-245-0x0000000000000000-mapping.dmp
-
memory/4408-340-0x0000000000400000-0x00000000005DE000-memory.dmpFilesize
1.9MB
-
memory/4408-217-0x0000000000400000-0x00000000005DE000-memory.dmpFilesize
1.9MB
-
memory/4408-198-0x0000000000000000-mapping.dmp
-
memory/4408-218-0x0000000000400000-0x00000000005DE000-memory.dmpFilesize
1.9MB
-
memory/4408-215-0x0000000002280000-0x000000000234E000-memory.dmpFilesize
824KB
-
memory/4440-249-0x0000000000000000-mapping.dmp
-
memory/4456-133-0x000002BA4C140000-0x000002BA4C16C000-memory.dmpFilesize
176KB
-
memory/4456-134-0x00007FF883FC0000-0x00007FF884A81000-memory.dmpFilesize
10.8MB
-
memory/4456-132-0x00007FF883FC0000-0x00007FF884A81000-memory.dmpFilesize
10.8MB
-
memory/4456-321-0x00007FF883FC0000-0x00007FF884A81000-memory.dmpFilesize
10.8MB
-
memory/4512-173-0x0000000000000000-mapping.dmp
-
memory/4512-186-0x0000000000B20000-0x0000000000B5C000-memory.dmpFilesize
240KB
-
memory/4512-207-0x00000000056D0000-0x0000000005726000-memory.dmpFilesize
344KB
-
memory/4548-222-0x0000000000000000-mapping.dmp
-
memory/4548-254-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4548-250-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4552-337-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/4552-184-0x0000000001520000-0x0000000001551000-memory.dmpFilesize
196KB
-
memory/4552-168-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/4552-151-0x0000000000000000-mapping.dmp
-
memory/4612-311-0x0000000000000000-mapping.dmp
-
memory/4708-239-0x0000000000000000-mapping.dmp
-
memory/4708-259-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/4900-346-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4904-252-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/4904-221-0x0000000000000000-mapping.dmp
-
memory/5004-284-0x00000000006B0000-0x00000000006C2000-memory.dmpFilesize
72KB
-
memory/5004-214-0x0000000000000000-mapping.dmp
-
memory/5004-283-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/5176-261-0x0000000000000000-mapping.dmp
-
memory/5424-314-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5424-265-0x0000000000000000-mapping.dmp
-
memory/5424-270-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5452-267-0x0000000000000000-mapping.dmp
-
memory/5464-268-0x0000000000000000-mapping.dmp
-
memory/5464-306-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/5464-287-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/5472-269-0x0000000000000000-mapping.dmp
-
memory/5528-288-0x0000000000000000-mapping.dmp
-
memory/5544-298-0x0000000000400000-0x0000000000CFB000-memory.dmpFilesize
9.0MB
-
memory/5544-281-0x0000000000400000-0x0000000000CFB000-memory.dmpFilesize
9.0MB
-
memory/5544-272-0x0000000000000000-mapping.dmp
-
memory/5620-275-0x0000000000000000-mapping.dmp
-
memory/5676-277-0x0000000000000000-mapping.dmp
-
memory/5676-305-0x0000000001400000-0x0000000001547000-memory.dmpFilesize
1.3MB
-
memory/5676-338-0x0000000003D10000-0x0000000003DD1000-memory.dmpFilesize
772KB
-
memory/5676-347-0x0000000003D10000-0x0000000003DD1000-memory.dmpFilesize
772KB
-
memory/5708-280-0x0000000000DF0000-0x0000000000F2B000-memory.dmpFilesize
1.2MB
-
memory/5708-279-0x0000000000000000-mapping.dmp
-
memory/5796-285-0x0000000000000000-mapping.dmp
-
memory/5796-344-0x0000000000AF0000-0x0000000000B50000-memory.dmpFilesize
384KB
-
memory/5796-345-0x0000000000400000-0x0000000000843000-memory.dmpFilesize
4.3MB
-
memory/5796-304-0x0000000000AF0000-0x0000000000B50000-memory.dmpFilesize
384KB
-
memory/5796-303-0x0000000000400000-0x0000000000843000-memory.dmpFilesize
4.3MB
-
memory/5796-309-0x00000000035D0000-0x00000000035D3000-memory.dmpFilesize
12KB
-
memory/5812-289-0x0000000000000000-mapping.dmp
-
memory/5836-328-0x0000000000400000-0x000000000054F000-memory.dmpFilesize
1.3MB
-
memory/5836-317-0x0000000000400000-0x000000000054F000-memory.dmpFilesize
1.3MB
-
memory/5836-286-0x0000000000000000-mapping.dmp
-
memory/5836-316-0x00000000009D0000-0x0000000000A37000-memory.dmpFilesize
412KB
-
memory/5880-290-0x0000000000000000-mapping.dmp
-
memory/5880-312-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/5912-318-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/5912-292-0x0000000000000000-mapping.dmp
-
memory/5924-293-0x0000000000000000-mapping.dmp
-
memory/5956-294-0x0000000000000000-mapping.dmp
-
memory/5980-319-0x0000000010000000-0x0000000010010000-memory.dmpFilesize
64KB
-
memory/5980-295-0x0000000000000000-mapping.dmp
-
memory/6000-296-0x0000000000000000-mapping.dmp
-
memory/6036-327-0x0000000000480000-0x0000000000483000-memory.dmpFilesize
12KB
-
memory/6036-329-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/6036-297-0x0000000000000000-mapping.dmp
-
memory/6064-299-0x0000000000000000-mapping.dmp
-
memory/6072-300-0x0000000000000000-mapping.dmp
-
memory/6096-302-0x0000000000000000-mapping.dmp