Analysis
-
max time kernel
23s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
23-11-2022 10:41
General
-
Target
3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9.exe
-
Size
127KB
-
MD5
a328717e0e518b200ae9f9ecd6ccb89a
-
SHA1
f52bd30443937265f7bc89edfe94d67f4d878637
-
SHA256
3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9
-
SHA512
d9bf03fc468e235a8724f7c07ab8af21f634a88a01c9668add84c6915811b869b4e71029ba7e0bda11ef52da4d2e55271c9e722fdbaeb45fd3a70d00a784e96a
-
SSDEEP
1536:enqdu3rbBGy3G8V0iuoKYMUYU6U5jUdPQc+n35KZg8/nouy8Iu:eqYMPsLMYjUtQl78vout
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
-
Modifies system executable filetype association 2 TTPs 14 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 14 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 14 IoCs
-
UAC bypass 3 TTPs 12 IoCs
-
Disables RegEdit via registry modification 12 IoCs
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 64 IoCs
-
Sets file execution options in registry 2 TTPs 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Checks whether UAC is enabled 1 TTPs 11 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 34 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 24 IoCs
-
Modifies registry class 60 IoCs
-
Runs ping.exe 1 TTPs 42 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9.exe"C:\Users\Admin\AppData\Local\Temp\3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9.exeC:\Users\Admin\AppData\Local\Temp\3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9.exe2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\izav.exe"c:\Documents and Settings\Admin\Application Data\Microsoft\izav.exe" csrss6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe12⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe10⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe12⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe14⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe14⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe14⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe15⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe15⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe16⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community15⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen15⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134015⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134015⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134015⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe14⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe14⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community13⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134013⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe12⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe12⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe12⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 134011⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community9⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13409⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe5⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community5⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13405⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe3⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe4⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe3⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe4⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe3⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe4⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe3⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe4⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community3⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen3⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13403⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13403⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13403⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe2⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe3⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe3⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe4⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe4⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community6⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen6⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13406⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13406⤵
- Executes dropped EXE
- Loads dropped DLL
- Runs ping.exe
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13406⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen4⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13404⤵
- Executes dropped EXE
- Runs ping.exe
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13404⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13404⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community4⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community2⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13402⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13402⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13402⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe1⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe1⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe1⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe2⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe3⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community4⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen4⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13404⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13404⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13404⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe3⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community2⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13402⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13402⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13402⤵
- Runs ping.exe
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "9699946523708680091218684359-685153626-677999295507206956-1540504578365395010"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-13603474711427741676-213993658185077129-4547005812067620965-235645711-452359052"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Winlogon Helper DLL
1Change Default File Association
1Hidden Files and Directories
2Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
9Hidden Files and Directories
2Bypass User Account Control
1Disabling Security Tools
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Users\Admin\AppData\Roaming\Microsoft\izav.exeFilesize
76KB
MD518e10aa6bfd049b81379508b2bc88bc7
SHA189c3ea367c82960749da5846086ebcd815efcd5a
SHA2565b4e6a1d55d5c3d159d8ed050c9a55834971854df8ec4ada750875a3d4092dc5
SHA512cbc944a9cd5e1eaf278f1a643112e1979ea137bf0f23a045eb9d4de6728e6001baa8a7e192aa79c2a66db01b8063ec595f9af0c8384bf806d2236d868b211a4c
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLLFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\izav.exeFilesize
76KB
MD518e10aa6bfd049b81379508b2bc88bc7
SHA189c3ea367c82960749da5846086ebcd815efcd5a
SHA2565b4e6a1d55d5c3d159d8ed050c9a55834971854df8ec4ada750875a3d4092dc5
SHA512cbc944a9cd5e1eaf278f1a643112e1979ea137bf0f23a045eb9d4de6728e6001baa8a7e192aa79c2a66db01b8063ec595f9af0c8384bf806d2236d868b211a4c
-
\??\c:\windows\SysWOW64\Windows 3D.scrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\Users\Admin\AppData\Local\Temp\3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
\Users\Admin\AppData\Local\Temp\3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
\Users\Admin\AppData\Roaming\Microsoft\izav.exeFilesize
76KB
MD518e10aa6bfd049b81379508b2bc88bc7
SHA189c3ea367c82960749da5846086ebcd815efcd5a
SHA2565b4e6a1d55d5c3d159d8ed050c9a55834971854df8ec4ada750875a3d4092dc5
SHA512cbc944a9cd5e1eaf278f1a643112e1979ea137bf0f23a045eb9d4de6728e6001baa8a7e192aa79c2a66db01b8063ec595f9af0c8384bf806d2236d868b211a4c
-
\Users\Admin\AppData\Roaming\Microsoft\izav.exeFilesize
76KB
MD518e10aa6bfd049b81379508b2bc88bc7
SHA189c3ea367c82960749da5846086ebcd815efcd5a
SHA2565b4e6a1d55d5c3d159d8ed050c9a55834971854df8ec4ada750875a3d4092dc5
SHA512cbc944a9cd5e1eaf278f1a643112e1979ea137bf0f23a045eb9d4de6728e6001baa8a7e192aa79c2a66db01b8063ec595f9af0c8384bf806d2236d868b211a4c
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
127KB
MD586ccb68739d5e8989aa7797bd6687558
SHA108b54f456ac6f7762f4e773c642d86d98cb58870
SHA256b84e56c4f16cc7dac05fb3e897df0838e5b157954f15b84219de789a02931bb6
SHA5125e5ec1c26f493e35d31e1465665de2a34cf1a43bf518af31ac21afa541ae188ddbd10c4cb370e0cd70e92da1022c23fefc9bd81933d4b155197a5bbf42075712
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
memory/112-307-0x0000000000000000-mapping.dmp
-
memory/112-308-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/432-318-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/432-315-0x0000000000000000-mapping.dmp
-
memory/460-182-0x0000000000000000-mapping.dmp
-
memory/536-293-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/536-336-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/536-252-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/536-195-0x0000000000000000-mapping.dmp
-
memory/556-275-0x0000000000000000-mapping.dmp
-
memory/560-198-0x0000000000000000-mapping.dmp
-
memory/584-355-0x0000000000230000-0x0000000000259000-memory.dmpFilesize
164KB
-
memory/584-319-0x0000000000000000-mapping.dmp
-
memory/628-239-0x0000000000000000-mapping.dmp
-
memory/652-171-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/652-165-0x0000000000000000-mapping.dmp
-
memory/652-374-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/664-64-0x0000000000000000-mapping.dmp
-
memory/696-212-0x0000000000000000-mapping.dmp
-
memory/756-362-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/756-341-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/760-157-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/760-152-0x0000000000000000-mapping.dmp
-
memory/784-238-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/784-136-0x0000000000000000-mapping.dmp
-
memory/784-235-0x0000000000000000-mapping.dmp
-
memory/884-86-0x0000000000000000-mapping.dmp
-
memory/892-358-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/892-356-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/892-322-0x0000000000000000-mapping.dmp
-
memory/916-255-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/916-144-0x0000000000000000-mapping.dmp
-
memory/916-256-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/916-249-0x0000000000000000-mapping.dmp
-
memory/920-170-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/920-122-0x0000000000000000-mapping.dmp
-
memory/952-229-0x0000000000000000-mapping.dmp
-
memory/952-254-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/952-283-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/952-274-0x0000000075D71000-0x0000000075D73000-memory.dmpFilesize
8KB
-
memory/972-246-0x0000000000000000-mapping.dmp
-
memory/1080-289-0x0000000000000000-mapping.dmp
-
memory/1116-310-0x0000000000230000-0x0000000000259000-memory.dmpFilesize
164KB
-
memory/1116-288-0x0000000000000000-mapping.dmp
-
memory/1116-309-0x0000000000230000-0x0000000000259000-memory.dmpFilesize
164KB
-
memory/1120-179-0x0000000000000000-mapping.dmp
-
memory/1124-278-0x0000000000000000-mapping.dmp
-
memory/1132-242-0x0000000000000000-mapping.dmp
-
memory/1132-245-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1148-219-0x0000000000000000-mapping.dmp
-
memory/1148-290-0x0000000000000000-mapping.dmp
-
memory/1156-168-0x0000000000310000-0x0000000000339000-memory.dmpFilesize
164KB
-
memory/1156-114-0x0000000000000000-mapping.dmp
-
memory/1156-166-0x0000000000310000-0x0000000000339000-memory.dmpFilesize
164KB
-
memory/1356-281-0x0000000000000000-mapping.dmp
-
memory/1376-94-0x0000000000000000-mapping.dmp
-
memory/1376-99-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1464-105-0x0000000000000000-mapping.dmp
-
memory/1468-331-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1468-328-0x0000000000000000-mapping.dmp
-
memory/1472-226-0x0000000000000000-mapping.dmp
-
memory/1500-100-0x00000000001C0000-0x00000000001E9000-memory.dmpFilesize
164KB
-
memory/1516-285-0x0000000000000000-mapping.dmp
-
memory/1556-211-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1556-208-0x0000000000000000-mapping.dmp
-
memory/1588-311-0x0000000000000000-mapping.dmp
-
memory/1588-271-0x0000000000000000-mapping.dmp
-
memory/1592-185-0x0000000000000000-mapping.dmp
-
memory/1640-312-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1640-294-0x0000000000000000-mapping.dmp
-
memory/1640-369-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1676-218-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1676-215-0x0000000000000000-mapping.dmp
-
memory/1680-192-0x0000000000000000-mapping.dmp
-
memory/1680-250-0x0000000000240000-0x0000000000269000-memory.dmpFilesize
164KB
-
memory/1716-270-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1716-267-0x0000000000000000-mapping.dmp
-
memory/1740-287-0x0000000000000000-mapping.dmp
-
memory/1768-303-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1768-300-0x0000000000000000-mapping.dmp
-
memory/1780-257-0x0000000000000000-mapping.dmp
-
memory/1824-160-0x0000000000000000-mapping.dmp
-
memory/1892-263-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1892-260-0x0000000000000000-mapping.dmp
-
memory/1892-297-0x0000000000000000-mapping.dmp
-
memory/1900-264-0x0000000000000000-mapping.dmp
-
memory/1908-129-0x0000000000000000-mapping.dmp
-
memory/1908-142-0x00000000001C0000-0x00000000001C6000-memory.dmpFilesize
24KB
-
memory/1928-101-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1928-58-0x0000000000000000-mapping.dmp
-
memory/1928-449-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1940-74-0x0000000000000000-mapping.dmp
-
memory/1940-102-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1952-232-0x0000000000000000-mapping.dmp
-
memory/1956-205-0x0000000000000000-mapping.dmp
-
memory/1976-346-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1976-178-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1976-175-0x0000000000000000-mapping.dmp
-
memory/2000-172-0x0000000000000000-mapping.dmp
-
memory/2004-304-0x0000000000000000-mapping.dmp
-
memory/2008-325-0x0000000000000000-mapping.dmp
-
memory/2008-277-0x0000000000000000-mapping.dmp
-
memory/2028-188-0x0000000000000000-mapping.dmp
-
memory/2028-191-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2036-222-0x0000000000000000-mapping.dmp
-
memory/2036-225-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2040-282-0x0000000000000000-mapping.dmp
-
memory/2040-204-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2040-201-0x0000000000000000-mapping.dmp
-
memory/2060-381-0x0000000000230000-0x0000000000259000-memory.dmpFilesize
164KB
-
memory/2060-383-0x0000000000230000-0x0000000000259000-memory.dmpFilesize
164KB
-
memory/2100-464-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2152-382-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2216-384-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2340-389-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2384-412-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2436-398-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2476-405-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2548-413-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2548-414-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2608-423-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2616-424-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2660-466-0x00000000002A0000-0x00000000002C9000-memory.dmpFilesize
164KB
-
memory/2696-468-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2740-439-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2764-444-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2848-455-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2996-457-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/3056-462-0x0000000000230000-0x0000000000259000-memory.dmpFilesize
164KB