Analysis
-
max time kernel
41s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
23-11-2022 10:41
General
-
Target
18b9f7f4c8dbccacb15f13039655826e91c953347c4d36b6f847889b93bd4b7a.exe
-
Size
205KB
-
MD5
9bcde83b02d301d3f6408867d95aa67d
-
SHA1
1c7755486a31e4a1e6fdcdc0c2991feb7f42f971
-
SHA256
18b9f7f4c8dbccacb15f13039655826e91c953347c4d36b6f847889b93bd4b7a
-
SHA512
07acd76840b2910235b2bed319ff6b6e34396bc96994a47d1c5aacd4d7fecd3c96c63554f1765620820097435e17ef48a204e3f1dbbd3ebdc72041ab7000c1bf
-
SSDEEP
3072:rqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:rqhMPssRARoiSoS3SsQLH5AK
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
-
Modifies system executable filetype association 2 TTPs 5 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs
-
UAC bypass 3 TTPs 3 IoCs
-
Disables RegEdit via registry modification 3 IoCs
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 64 IoCs
-
Sets file execution options in registry 2 TTPs 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 20 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 34 IoCs
-
Modifies Internet Explorer settings 1 TTPs 6 IoCs
-
Modifies registry class 42 IoCs
-
Runs ping.exe 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\18b9f7f4c8dbccacb15f13039655826e91c953347c4d36b6f847889b93bd4b7a.exe"C:\Users\Admin\AppData\Local\Temp\18b9f7f4c8dbccacb15f13039655826e91c953347c4d36b6f847889b93bd4b7a.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\18b9f7f4c8dbccacb15f13039655826e91c953347c4d36b6f847889b93bd4b7a.exeC:\Users\Admin\AppData\Local\Temp\18b9f7f4c8dbccacb15f13039655826e91c953347c4d36b6f847889b93bd4b7a.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\scwg.exe"c:\Documents and Settings\Admin\Application Data\Microsoft\scwg.exe" csrss6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe8⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe10⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe14⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~13⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen13⤵
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134013⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe13⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121013⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134013⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe13⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe13⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe13⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe13⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe13⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen11⤵
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 134011⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 134011⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 121011⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe11⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe11⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen9⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe9⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12109⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13409⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13409⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe9⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe9⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe9⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe9⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe9⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen7⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe7⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe7⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12107⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13407⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13407⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe7⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe7⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe7⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe7⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen5⤵
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13405⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13405⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe5⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12105⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe5⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe5⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe5⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe5⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe5⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe4⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen3⤵
-
C:\Windows\SysWOW64\ping.exeping www.duniasex.com -n 65500 -l 13403⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe3⤵
-
C:\Windows\SysWOW64\ping.exeping www.rasasayang.com.my -n 65500 -l 12103⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping www.data0.net -n 65500 -l 13403⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe3⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im kspoold.exe /im kspool.exe3⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im tati.exe3⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im wscript.exe3⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe taskkill /f /im sys.exe3⤵
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeC:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Winlogon Helper DLL
1Change Default File Association
1Hidden Files and Directories
2Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
9Hidden Files and Directories
2Bypass User Account Control
1Disabling Security Tools
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\18b9f7f4c8dbccacb15f13039655826e91c953347c4d36b6f847889b93bd4b7a.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Users\Admin\AppData\Roaming\Microsoft\scwg.exeFilesize
76KB
MD56fd58ac4bd7aac8224563daf1d17b2d6
SHA1af2addc4c1447ef991a4f16616db51d7d18bf6e9
SHA25610d9468188291a85d71c8a52ec5dff11fc72f92eeb1036ac33c9b6cd56c24a03
SHA512056037f626ecfa38e0f724c08eefbba8fbf16bc0edbfe0a0fd64e409080f567a67f53af0da74df50cbb70168c9259b2e6a5740d6d177f70b7934798748bb3524
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLLFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~Filesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\scwg.exeFilesize
76KB
MD56fd58ac4bd7aac8224563daf1d17b2d6
SHA1af2addc4c1447ef991a4f16616db51d7d18bf6e9
SHA25610d9468188291a85d71c8a52ec5dff11fc72f92eeb1036ac33c9b6cd56c24a03
SHA512056037f626ecfa38e0f724c08eefbba8fbf16bc0edbfe0a0fd64e409080f567a67f53af0da74df50cbb70168c9259b2e6a5740d6d177f70b7934798748bb3524
-
\??\c:\windows\SysWOW64\Windows 3D.scrFilesize
76KB
MD5d745a3edc8fdc3eb382f371efc17ae29
SHA146d0c32e98dfb62ac48d49b2035f4eda0762f32e
SHA2560af7b56b387a2b0dcc1ba90cb8a02279cd2d5026c7feacb046fc487d6979c862
SHA5125144d3621a3936aa18318718b1243790a07e1ce21fa5d4550e9919b849853660e7d033dbec1d7a1599635bcef0999bedf2586464857695b246bf23293143e9a0
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\??\c:\windows\SysWOW64\maxtrox.txtFilesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
\Users\Admin\AppData\Local\Temp\18b9f7f4c8dbccacb15f13039655826e91c953347c4d36b6f847889b93bd4b7a.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
\Users\Admin\AppData\Local\Temp\18b9f7f4c8dbccacb15f13039655826e91c953347c4d36b6f847889b93bd4b7a.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
\Users\Admin\AppData\Roaming\Microsoft\scwg.exeFilesize
76KB
MD56fd58ac4bd7aac8224563daf1d17b2d6
SHA1af2addc4c1447ef991a4f16616db51d7d18bf6e9
SHA25610d9468188291a85d71c8a52ec5dff11fc72f92eeb1036ac33c9b6cd56c24a03
SHA512056037f626ecfa38e0f724c08eefbba8fbf16bc0edbfe0a0fd64e409080f567a67f53af0da74df50cbb70168c9259b2e6a5740d6d177f70b7934798748bb3524
-
\Users\Admin\AppData\Roaming\Microsoft\scwg.exeFilesize
76KB
MD56fd58ac4bd7aac8224563daf1d17b2d6
SHA1af2addc4c1447ef991a4f16616db51d7d18bf6e9
SHA25610d9468188291a85d71c8a52ec5dff11fc72f92eeb1036ac33c9b6cd56c24a03
SHA512056037f626ecfa38e0f724c08eefbba8fbf16bc0edbfe0a0fd64e409080f567a67f53af0da74df50cbb70168c9259b2e6a5740d6d177f70b7934798748bb3524
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dllFilesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
205KB
MD5ecd2f8ed83c84bff9ffe3715e2d48bef
SHA1a954e147d3057d7ee15714188af110662f5056b0
SHA2565b7ee6f65b91c93b540b5af4d4858c767066540aa953de81669d5ba6abaf9ad8
SHA5123cbe62e8a22d767fd5b02f3a521b464985faf1b094d0398c2af9576ab7ce631a82e7dcddc960bded35bf8d152afd51b355e2ddc60f06a14b2d8e3b2adead1476
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exeFilesize
129KB
MD5e2c33f1d5b2c10d0fff92ec379577f06
SHA1db52e7c71eb6e99ad6fa38305a7c62337246cc9e
SHA2566fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01
SHA5126a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8
-
memory/108-312-0x0000000000000000-mapping.dmp
-
memory/268-231-0x0000000000000000-mapping.dmp
-
memory/432-328-0x0000000000000000-mapping.dmp
-
memory/452-237-0x0000000000000000-mapping.dmp
-
memory/468-290-0x00000000002D0000-0x00000000002FA000-memory.dmpFilesize
168KB
-
memory/468-248-0x0000000000000000-mapping.dmp
-
memory/552-63-0x0000000000250000-0x000000000027A000-memory.dmpFilesize
168KB
-
memory/552-62-0x0000000000250000-0x000000000027A000-memory.dmpFilesize
168KB
-
memory/564-147-0x0000000000000000-mapping.dmp
-
memory/576-125-0x0000000000000000-mapping.dmp
-
memory/576-170-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/576-418-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/584-362-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/608-243-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/608-234-0x0000000000000000-mapping.dmp
-
memory/668-132-0x0000000000000000-mapping.dmp
-
memory/668-336-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/668-321-0x0000000000000000-mapping.dmp
-
memory/768-283-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/768-260-0x0000000000000000-mapping.dmp
-
memory/824-314-0x0000000000000000-mapping.dmp
-
memory/888-217-0x0000000000000000-mapping.dmp
-
memory/924-261-0x0000000000000000-mapping.dmp
-
memory/924-284-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/964-305-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/964-298-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/964-277-0x0000000000000000-mapping.dmp
-
memory/976-247-0x0000000000000000-mapping.dmp
-
memory/976-297-0x0000000000250000-0x000000000027A000-memory.dmpFilesize
168KB
-
memory/1068-295-0x0000000000000000-mapping.dmp
-
memory/1112-327-0x0000000000000000-mapping.dmp
-
memory/1140-155-0x0000000000000000-mapping.dmp
-
memory/1140-160-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1156-224-0x0000000000000000-mapping.dmp
-
memory/1160-227-0x0000000000000000-mapping.dmp
-
memory/1160-230-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1176-183-0x0000000000000000-mapping.dmp
-
memory/1176-186-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1180-202-0x0000000000000000-mapping.dmp
-
memory/1196-246-0x0000000000000000-mapping.dmp
-
memory/1196-289-0x00000000002C0000-0x00000000002EA000-memory.dmpFilesize
168KB
-
memory/1204-113-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1204-77-0x0000000000000000-mapping.dmp
-
memory/1224-341-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1224-317-0x0000000000000000-mapping.dmp
-
memory/1276-213-0x0000000000000000-mapping.dmp
-
memory/1276-216-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1380-139-0x0000000000000000-mapping.dmp
-
memory/1380-144-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1384-250-0x0000000000000000-mapping.dmp
-
memory/1384-288-0x0000000000230000-0x000000000025A000-memory.dmpFilesize
168KB
-
memory/1396-293-0x00000000001C0000-0x00000000001EA000-memory.dmpFilesize
168KB
-
memory/1396-253-0x0000000000000000-mapping.dmp
-
memory/1432-329-0x0000000000000000-mapping.dmp
-
memory/1496-343-0x0000000000000000-mapping.dmp
-
memory/1512-173-0x0000000000000000-mapping.dmp
-
memory/1524-200-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1524-168-0x0000000000000000-mapping.dmp
-
memory/1524-383-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1528-369-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1588-287-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1588-275-0x0000000000000000-mapping.dmp
-
memory/1612-180-0x0000000000000000-mapping.dmp
-
memory/1652-210-0x0000000000000000-mapping.dmp
-
memory/1652-324-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1652-306-0x0000000000000000-mapping.dmp
-
memory/1660-245-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1660-240-0x0000000000000000-mapping.dmp
-
memory/1660-244-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1672-342-0x0000000000000000-mapping.dmp
-
memory/1672-117-0x0000000000000000-mapping.dmp
-
memory/1672-353-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1672-169-0x0000000000270000-0x000000000029A000-memory.dmpFilesize
168KB
-
memory/1716-359-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1716-354-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1752-203-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1752-282-0x0000000075131000-0x0000000075133000-memory.dmpFilesize
8KB
-
memory/1752-197-0x0000000000000000-mapping.dmp
-
memory/1776-209-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1776-206-0x0000000000000000-mapping.dmp
-
memory/1828-338-0x0000000000000000-mapping.dmp
-
memory/1828-193-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1828-190-0x0000000000000000-mapping.dmp
-
memory/1836-301-0x0000000000000000-mapping.dmp
-
memory/1836-97-0x0000000000000000-mapping.dmp
-
memory/1836-102-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1900-64-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1900-419-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1900-249-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1900-58-0x0000000000000000-mapping.dmp
-
memory/1904-187-0x0000000000000000-mapping.dmp
-
memory/1912-285-0x0000000000420000-0x000000000044A000-memory.dmpFilesize
168KB
-
memory/1912-163-0x0000000000000000-mapping.dmp
-
memory/1928-112-0x0000000000320000-0x000000000034A000-memory.dmpFilesize
168KB
-
memory/1928-252-0x0000000000320000-0x000000000034A000-memory.dmpFilesize
168KB
-
memory/1928-251-0x0000000000320000-0x000000000034A000-memory.dmpFilesize
168KB
-
memory/1928-67-0x0000000000000000-mapping.dmp
-
memory/1948-334-0x0000000000000000-mapping.dmp
-
memory/1956-309-0x0000000000000000-mapping.dmp
-
memory/1956-326-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1968-220-0x0000000000000000-mapping.dmp
-
memory/1968-366-0x0000000000310000-0x000000000033A000-memory.dmpFilesize
168KB
-
memory/1968-223-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1972-115-0x0000000000230000-0x0000000000236000-memory.dmpFilesize
24KB
-
memory/1972-89-0x0000000000000000-mapping.dmp
-
memory/1980-105-0x0000000000000000-mapping.dmp
-
memory/1984-286-0x0000000000000000-mapping.dmp
-
memory/2000-291-0x0000000000000000-mapping.dmp
-
memory/2016-201-0x0000000000330000-0x000000000035A000-memory.dmpFilesize
168KB
-
memory/2016-194-0x0000000000000000-mapping.dmp
-
memory/2032-265-0x0000000000000000-mapping.dmp
-
memory/2032-176-0x0000000000000000-mapping.dmp
-
memory/2032-179-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2036-331-0x0000000000000000-mapping.dmp
-
memory/2040-352-0x0000000000230000-0x000000000025A000-memory.dmpFilesize
168KB
-
memory/2040-330-0x0000000000000000-mapping.dmp
-
memory/2044-302-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2044-292-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2044-264-0x0000000000000000-mapping.dmp