Analysis
-
max time kernel
176s -
max time network
186s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23-11-2022 10:41
General
-
Target
3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9.exe
-
Size
127KB
-
MD5
a328717e0e518b200ae9f9ecd6ccb89a
-
SHA1
f52bd30443937265f7bc89edfe94d67f4d878637
-
SHA256
3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9
-
SHA512
d9bf03fc468e235a8724f7c07ab8af21f634a88a01c9668add84c6915811b869b4e71029ba7e0bda11ef52da4d2e55271c9e722fdbaeb45fd3a70d00a784e96a
-
SSDEEP
1536:enqdu3rbBGy3G8V0iuoKYMUYU6U5jUdPQc+n35KZg8/nouy8Iu:eqYMPsLMYjUtQl78vout
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Modifies system executable filetype association 2 TTPs 8 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs
-
UAC bypass 3 TTPs 6 IoCs
-
Disables RegEdit via registry modification 6 IoCs
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 64 IoCs
-
Sets file execution options in registry 2 TTPs 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 38 IoCs
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 27 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 12 IoCs
-
Modifies registry class 48 IoCs
-
Runs ping.exe 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9.exe"C:\Users\Admin\AppData\Local\Temp\3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9.exe"1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9.exeC:\Users\Admin\AppData\Local\Temp\3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9.exe2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\izap.exe"c:\Documents and Settings\Admin\Application Data\Microsoft\izap.exe" csrss6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13409⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Runs ping.exe
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13407⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13405⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe4⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13405⤵
- Runs ping.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- Executes dropped EXE
- Loads dropped DLL
- Runs ping.exe
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityC:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community3⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen3⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 13403⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13403⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13403⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Winlogon Helper DLL
1Change Default File Association
1Hidden Files and Directories
2Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
9Hidden Files and Directories
2Bypass User Account Control
1Disabling Security Tools
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Users\Admin\AppData\Local\Temp\3c100791aeb6811711ad24edeafbb3d70471a3ce5c7f3b3773e2ea72ef46f6d9.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Users\Admin\AppData\Roaming\Microsoft\izap.exeFilesize
76KB
MD5fc70414ebd923673481d2b5e9cda6146
SHA1c012f1dff9c5b803f06782ec72f48af83ebfb931
SHA2563caf842114d5713b925033c6401c45b99c57efa390e28d748e4abed9e20d0512
SHA512012cbc84e7bc1fb1075d0d2b70b4258ee12583557a63560abcf623083a90b88c604dd7ad06981cd14adf2bd720763a0bf886055feb2f1f063b0fd4c3f025a36b
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLLFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_CommunityFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dllFilesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exeFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exeFilesize
50KB
MD5940d24de51296709ead002014ae37c40
SHA17cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d
SHA256d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6
SHA5126646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeFilesize
127KB
MD5b27872fbd73dbd1593b462d382142c38
SHA11781055ba33ce2057cb43fd053fc869730ece308
SHA25691c5350c7064f4001a58304d1928b5bd8960256bded58a17f22b4113fa544ba5
SHA51200a95bab0056acf59463340c5a8214ebb916f4fefae5158d6bf6ebda8b6fe9d2db3f6822f7cf64cb19e8a6089410e072595a6888db3934b9f1b257c979454840
-
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\izap.exeFilesize
76KB
MD5fc70414ebd923673481d2b5e9cda6146
SHA1c012f1dff9c5b803f06782ec72f48af83ebfb931
SHA2563caf842114d5713b925033c6401c45b99c57efa390e28d748e4abed9e20d0512
SHA512012cbc84e7bc1fb1075d0d2b70b4258ee12583557a63560abcf623083a90b88c604dd7ad06981cd14adf2bd720763a0bf886055feb2f1f063b0fd4c3f025a36b
-
\??\c:\windows\SysWOW64\Windows 3D.scrFilesize
76KB
MD5865c5982e444dec511089953e3044457
SHA19b44bf6569a5e4537e56dcf0fabc766ac98479d9
SHA25661d32eef30716d0beda884945bde9a4069fa7164450a147d69209f67a51b640b
SHA5125794d9ba0a39e15f82c8d415691b4a60be0df74f5e31061bdb9fee205cc07a8e918eb060d49670d39798e52470d34f95cc428c00cb32d3d48418626290e59294
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
memory/316-391-0x0000000000000000-mapping.dmp
-
memory/316-401-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/640-179-0x0000000000000000-mapping.dmp
-
memory/724-400-0x0000000000000000-mapping.dmp
-
memory/800-139-0x0000000000000000-mapping.dmp
-
memory/856-377-0x0000000000000000-mapping.dmp
-
memory/864-178-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/864-420-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/864-148-0x0000000000000000-mapping.dmp
-
memory/908-236-0x0000000000000000-mapping.dmp
-
memory/996-424-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/996-427-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1032-314-0x0000000000000000-mapping.dmp
-
memory/1032-434-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1032-355-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1224-351-0x0000000000000000-mapping.dmp
-
memory/1252-324-0x0000000000000000-mapping.dmp
-
memory/1404-192-0x0000000000000000-mapping.dmp
-
memory/1620-382-0x0000000000000000-mapping.dmp
-
memory/1632-309-0x0000000000000000-mapping.dmp
-
memory/1656-204-0x0000000000000000-mapping.dmp
-
memory/1668-404-0x0000000000000000-mapping.dmp
-
memory/1864-159-0x0000000000000000-mapping.dmp
-
memory/1968-256-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1968-232-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1968-229-0x0000000000000000-mapping.dmp
-
memory/1996-262-0x0000000000000000-mapping.dmp
-
memory/2012-368-0x0000000000000000-mapping.dmp
-
memory/2012-379-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2072-410-0x0000000000000000-mapping.dmp
-
memory/2112-417-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2132-171-0x0000000000000000-mapping.dmp
-
memory/2292-288-0x0000000000000000-mapping.dmp
-
memory/2440-147-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2440-134-0x0000000000000000-mapping.dmp
-
memory/2440-438-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2464-374-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2464-363-0x0000000000000000-mapping.dmp
-
memory/2492-278-0x0000000000000000-mapping.dmp
-
memory/2492-291-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2572-373-0x0000000000000000-mapping.dmp
-
memory/2620-170-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2620-165-0x0000000000000000-mapping.dmp
-
memory/2652-311-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2652-277-0x0000000000000000-mapping.dmp
-
memory/2652-426-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2700-267-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2700-245-0x0000000000000000-mapping.dmp
-
memory/2804-352-0x0000000000000000-mapping.dmp
-
memory/2980-317-0x0000000000000000-mapping.dmp
-
memory/2980-326-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/3132-335-0x0000000000000000-mapping.dmp
-
memory/3136-244-0x0000000000000000-mapping.dmp
-
memory/3376-328-0x0000000000000000-mapping.dmp
-
memory/3416-261-0x0000000000000000-mapping.dmp
-
memory/3416-275-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/3416-280-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/3420-354-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/3420-341-0x0000000000000000-mapping.dmp
-
memory/3456-365-0x0000000000000000-mapping.dmp
-
memory/3604-307-0x0000000000000000-mapping.dmp
-
memory/3868-333-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/3868-320-0x0000000000000000-mapping.dmp
-
memory/3872-403-0x0000000000000000-mapping.dmp
-
memory/3944-289-0x0000000000000000-mapping.dmp
-
memory/3944-300-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4064-279-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4064-416-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4064-243-0x0000000000000000-mapping.dmp
-
memory/4124-350-0x0000000000000000-mapping.dmp
-
memory/4124-358-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4124-366-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4128-303-0x0000000000000000-mapping.dmp
-
memory/4208-220-0x0000000000000000-mapping.dmp
-
memory/4304-390-0x0000000000000000-mapping.dmp
-
memory/4304-402-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4304-398-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4336-380-0x0000000000000000-mapping.dmp
-
memory/4376-298-0x0000000000000000-mapping.dmp
-
memory/4376-310-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4540-359-0x0000000000000000-mapping.dmp
-
memory/4616-406-0x0000000000000000-mapping.dmp
-
memory/4720-283-0x0000000000000000-mapping.dmp
-
memory/4748-217-0x0000000000000000-mapping.dmp
-
memory/4756-308-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4756-299-0x0000000000000000-mapping.dmp
-
memory/4824-216-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4824-211-0x0000000000000000-mapping.dmp
-
memory/4824-238-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4856-389-0x0000000000000000-mapping.dmp
-
memory/4856-399-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4872-385-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4872-370-0x0000000000000000-mapping.dmp
-
memory/4920-219-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4920-185-0x0000000000000000-mapping.dmp
-
memory/4920-191-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4920-437-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4928-203-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4928-198-0x0000000000000000-mapping.dmp
-
memory/4928-206-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4932-405-0x0000000000000000-mapping.dmp
-
memory/4960-343-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4960-332-0x0000000000000000-mapping.dmp
-
memory/5016-265-0x0000000000000000-mapping.dmp
-
memory/5024-337-0x0000000000000000-mapping.dmp
-
memory/5104-290-0x0000000000000000-mapping.dmp
-
memory/5112-344-0x0000000000000000-mapping.dmp