Overview
overview
10Static
static
8©ɱ...08.exe
windows7-x64
1©ɱ...08.exe
windows10-2004-x64
1©ɱ...17.exe
windows7-x64
5©ɱ...17.exe
windows10-2004-x64
3©ɱ...20.exe
windows7-x64
3©ɱ...20.exe
windows10-2004-x64
1©ɱ...22.exe
windows7-x64
6©ɱ...22.exe
windows10-2004-x64
6©ɱ...40.exe
windows7-x64
5©ɱ...40.exe
windows10-2004-x64
5©ɱ...46.exe
windows7-x64
3©ɱ...46.exe
windows10-2004-x64
4©ɱ...53.exe
windows7-x64
6©ɱ...53.exe
windows10-2004-x64
6©ɱ...58.exe
windows7-x64
1©ɱ...58.exe
windows10-2004-x64
1©ɱ...77.exe
windows7-x64
3©ɱ...77.exe
windows10-2004-x64
3©ɱ...80.exe
windows7-x64
10©ɱ...80.exe
windows10-2004-x64
10©ɱ...83.exe
windows7-x64
8©ɱ...83.exe
windows10-2004-x64
8©ɱ...89.exe
windows7-x64
10©ɱ...89.exe
windows10-2004-x64
6©ɱ...93.exe
windows7-x64
1©ɱ...93.exe
windows10-2004-x64
1©ɱ...95.exe
windows7-x64
3©ɱ...95.exe
windows10-2004-x64
4©ɱ...98.exe
windows7-x64
10©ɱ...98.exe
windows10-2004-x64
6Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
26-11-2022 09:08
Behavioral task
behavioral1
Sample
©ɱ/008.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
©ɱ/008.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral3
Sample
©ɱ/017.exe
Resource
win7-20221111-en
Behavioral task
behavioral4
Sample
©ɱ/017.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral5
Sample
©ɱ/020.exe
Resource
win7-20221111-en
Behavioral task
behavioral6
Sample
©ɱ/020.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral7
Sample
©ɱ/022.exe
Resource
win7-20220812-en
Behavioral task
behavioral8
Sample
©ɱ/022.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral9
Sample
©ɱ/040.exe
Resource
win7-20221111-en
Behavioral task
behavioral10
Sample
©ɱ/040.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral11
Sample
©ɱ/046.exe
Resource
win7-20221111-en
Behavioral task
behavioral12
Sample
©ɱ/046.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral13
Sample
©ɱ/053.exe
Resource
win7-20221111-en
Behavioral task
behavioral14
Sample
©ɱ/053.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral15
Sample
©ɱ/058.exe
Resource
win7-20220901-en
Behavioral task
behavioral16
Sample
©ɱ/058.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral17
Sample
©ɱ/077.exe
Resource
win7-20220812-en
Behavioral task
behavioral18
Sample
©ɱ/077.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral19
Sample
©ɱ/080.exe
Resource
win7-20220812-en
Behavioral task
behavioral20
Sample
©ɱ/080.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral21
Sample
©ɱ/083.exe
Resource
win7-20220901-en
Behavioral task
behavioral22
Sample
©ɱ/083.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
©ɱ/089.exe
Resource
win7-20220812-en
Behavioral task
behavioral24
Sample
©ɱ/089.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral25
Sample
©ɱ/093.exe
Resource
win7-20220812-en
Behavioral task
behavioral26
Sample
©ɱ/093.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral27
Sample
©ɱ/095.exe
Resource
win7-20221111-en
Behavioral task
behavioral28
Sample
©ɱ/095.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral29
Sample
©ɱ/098.exe
Resource
win7-20220901-en
Behavioral task
behavioral30
Sample
©ɱ/098.exe
Resource
win10v2004-20221111-en
General
-
Target
©ɱ/098.exe
-
Size
128KB
-
MD5
51ce35af2290923c37c62e124ed09950
-
SHA1
8d5eb3e768111d6eb27d4677dd6178672b9f7b23
-
SHA256
70983b6aef6f0cb1e34133876f3410534756219e0c2644fe3a91fc89a47d31e6
-
SHA512
d39c4b1e3cab4c6ddd7a98b33b18b285b84135e8d5387abb0051d8ee21eb27c0f85a82256633c160b49ea3ecdf4304fcd2ef94470231f42800814f4a640b0f60
-
SSDEEP
3072:ly72UA+oBj8JUiTWGO6K5+HAa/lzimsvZcwEfmS:liY98qytO66UYw
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
098.exeyaion.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 098.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" yaion.exe -
Executes dropped EXE 2 IoCs
Processes:
yaion.exeyaion.exepid process 1372 yaion.exe 1580 yaion.exe -
Loads dropped DLL 2 IoCs
Processes:
098.exepid process 948 098.exe 948 098.exe -
Adds Run key to start application 2 TTPs 29 IoCs
Processes:
yaion.exe098.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /h" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /b" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /j" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /r" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /e" yaion.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ 098.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /v" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /k" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /w" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /u" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /s" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /m" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /d" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /c" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /a" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /z" 098.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /t" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /i" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /z" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /l" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /n" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /g" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /q" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /f" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /p" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /y" yaion.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /o" yaion.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaion = "C:\\Users\\Admin\\yaion.exe /x" yaion.exe -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
098.exeyaion.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 098.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum yaion.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 yaion.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 098.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
yaion.exedescription ioc process File created C:\Users\Admin\c\autorun.inf yaion.exe File opened for modification C:\Users\Admin\c\autorun.inf yaion.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
098.exeyaion.exedescription pid process target process PID 1048 set thread context of 948 1048 098.exe 098.exe PID 1372 set thread context of 1580 1372 yaion.exe yaion.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
098.exeyaion.exepid process 948 098.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe 1580 yaion.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
098.exe098.exeyaion.exeyaion.exepid process 1048 098.exe 948 098.exe 1372 yaion.exe 1580 yaion.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
098.exe098.exeyaion.exeyaion.execmd.execmd.execonhost.exedescription pid process target process PID 1048 wrote to memory of 948 1048 098.exe 098.exe PID 1048 wrote to memory of 948 1048 098.exe 098.exe PID 1048 wrote to memory of 948 1048 098.exe 098.exe PID 1048 wrote to memory of 948 1048 098.exe 098.exe PID 1048 wrote to memory of 948 1048 098.exe 098.exe PID 1048 wrote to memory of 948 1048 098.exe 098.exe PID 1048 wrote to memory of 948 1048 098.exe 098.exe PID 1048 wrote to memory of 948 1048 098.exe 098.exe PID 1048 wrote to memory of 948 1048 098.exe 098.exe PID 1048 wrote to memory of 948 1048 098.exe 098.exe PID 948 wrote to memory of 1372 948 098.exe yaion.exe PID 948 wrote to memory of 1372 948 098.exe yaion.exe PID 948 wrote to memory of 1372 948 098.exe yaion.exe PID 948 wrote to memory of 1372 948 098.exe yaion.exe PID 948 wrote to memory of 2020 948 098.exe PhotoScreensaver.scr PID 948 wrote to memory of 2020 948 098.exe PhotoScreensaver.scr PID 948 wrote to memory of 2020 948 098.exe PhotoScreensaver.scr PID 948 wrote to memory of 2020 948 098.exe PhotoScreensaver.scr PID 1372 wrote to memory of 1580 1372 yaion.exe yaion.exe PID 1372 wrote to memory of 1580 1372 yaion.exe yaion.exe PID 1372 wrote to memory of 1580 1372 yaion.exe yaion.exe PID 1372 wrote to memory of 1580 1372 yaion.exe yaion.exe PID 1372 wrote to memory of 1580 1372 yaion.exe yaion.exe PID 1372 wrote to memory of 1580 1372 yaion.exe yaion.exe PID 1372 wrote to memory of 1580 1372 yaion.exe yaion.exe PID 1372 wrote to memory of 1580 1372 yaion.exe yaion.exe PID 1372 wrote to memory of 1580 1372 yaion.exe yaion.exe PID 1372 wrote to memory of 1580 1372 yaion.exe yaion.exe PID 1580 wrote to memory of 632 1580 yaion.exe cmd.exe PID 1580 wrote to memory of 632 1580 yaion.exe cmd.exe PID 1580 wrote to memory of 632 1580 yaion.exe cmd.exe PID 1580 wrote to memory of 632 1580 yaion.exe cmd.exe PID 1580 wrote to memory of 1984 1580 yaion.exe cmd.exe PID 1580 wrote to memory of 1984 1580 yaion.exe cmd.exe PID 1580 wrote to memory of 1984 1580 yaion.exe cmd.exe PID 1580 wrote to memory of 1984 1580 yaion.exe cmd.exe PID 632 wrote to memory of 1904 632 cmd.exe cmd.exe PID 632 wrote to memory of 1904 632 cmd.exe cmd.exe PID 632 wrote to memory of 1904 632 cmd.exe cmd.exe PID 632 wrote to memory of 1904 632 cmd.exe cmd.exe PID 1580 wrote to memory of 1716 1580 yaion.exe cmd.exe PID 1580 wrote to memory of 1716 1580 yaion.exe cmd.exe PID 1580 wrote to memory of 1716 1580 yaion.exe cmd.exe PID 1580 wrote to memory of 1716 1580 yaion.exe cmd.exe PID 1984 wrote to memory of 976 1984 ROUTE.EXE PID 1984 wrote to memory of 976 1984 ROUTE.EXE PID 1984 wrote to memory of 976 1984 ROUTE.EXE PID 1984 wrote to memory of 976 1984 ROUTE.EXE PID 1580 wrote to memory of 1664 1580 yaion.exe conhost.exe PID 1580 wrote to memory of 1664 1580 yaion.exe conhost.exe PID 1580 wrote to memory of 1664 1580 yaion.exe conhost.exe PID 1580 wrote to memory of 1664 1580 yaion.exe conhost.exe PID 1716 wrote to memory of 1172 1716 cmd.exe conhost.exe PID 1716 wrote to memory of 1172 1716 cmd.exe conhost.exe PID 1716 wrote to memory of 1172 1716 cmd.exe conhost.exe PID 1716 wrote to memory of 1172 1716 cmd.exe conhost.exe PID 1580 wrote to memory of 1076 1580 yaion.exe cmd.exe PID 1580 wrote to memory of 1076 1580 yaion.exe cmd.exe PID 1580 wrote to memory of 1076 1580 yaion.exe cmd.exe PID 1580 wrote to memory of 1076 1580 yaion.exe cmd.exe PID 1664 wrote to memory of 1408 1664 conhost.exe ROUTE.EXE PID 1664 wrote to memory of 1408 1664 conhost.exe ROUTE.EXE PID 1664 wrote to memory of 1408 1664 conhost.exe ROUTE.EXE PID 1664 wrote to memory of 1408 1664 conhost.exe ROUTE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\©ɱ\098.exe"C:\Users\Admin\AppData\Local\Temp\©ɱ\098.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\©ɱ\098.exe"C:\Users\Admin\AppData\Local\Temp\©ɱ\098.exe"782⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\yaion.exe"C:\Users\Admin\yaion.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\yaion.exe"C:\Users\Admin\yaion.exe" 784⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 216.239.32.21 0.0.0.05⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 216.239.32.21 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 216.239.34.21 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 216.239.34.21 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 216.239.36.21 0.0.0.05⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 216.239.36.21 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 216.239.38.21 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 216.239.38.21 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 74.125.34.46 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 74.125.34.46 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 173.194.72.121 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 173.194.72.121 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 5.39.93.201 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 5.39.93.201 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 207.46.0.0/16 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 207.46.0.0/16 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 65.52.0.0/14 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 65.52.0.0/14 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 157.54.0.0/15 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 157.54.0.0/15 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 157.56.0.0/14 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 157.56.0.0/14 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 157.60.0.0/16 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 157.60.0.0/16 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 134.170.0.0/16 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 134.170.0.0/16 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 72.32.67.100 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 72.32.67.100 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 91.228.166.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 91.228.166.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 91.228.167.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 91.228.167.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 37.187.68.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 37.187.68.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 46.4.58.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 46.4.58.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 46.4.62.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 46.4.62.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 46.4.66.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 46.4.66.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 46.4.67.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 46.4.67.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 46.165.210.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 46.165.210.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 50.7.73.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 50.7.73.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 50.7.100.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 50.7.100.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 50.115.125.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 50.115.125.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 67.15.0.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 67.15.0.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 67.228.112.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 67.228.112.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 74.86.245.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 74.86.245.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 75.126.120.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 75.126.120.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 77.234.41.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 77.234.41.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 77.234.43.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 77.234.43.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 77.234.44.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 77.234.44.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 91.213.143.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 91.213.143.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 95.211.196.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 95.211.196.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 109.123.114.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 109.123.114.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 109.123.117.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 109.123.117.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 199.115.116.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 199.115.116.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 173.193.20.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 173.193.20.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 173.193.138.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 173.193.138.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 173.193.216.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 173.193.216.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 174.37.222.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 174.37.222.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 174.36.55.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 174.36.55.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 174.36.237.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 174.36.237.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 199.115.116.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 199.115.116.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 208.43.71.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 208.43.71.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 208.53.149.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 208.53.149.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 216.185.103.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 216.185.103.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 4.28.136.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 4.28.136.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 38.124.168.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 38.124.168.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 38.117.98.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 38.117.98.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 77.74.183.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 77.74.183.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 80.239.169.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 80.239.169.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 80.239.174.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 80.239.174.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 80.239.197.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 80.239.197.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 85.12.58.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 85.12.58.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 85.17.72.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 85.17.72.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 93.159.230.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 93.159.230.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 94.75.236.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 94.75.236.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 93.191.13.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 93.191.13.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 95.167.139.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 95.167.139.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 95.211.85.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 95.211.85.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 195.16.117.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 195.16.117.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 195.122.169.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 195.122.169.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 130.117.190.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 130.117.190.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 144.140.113.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 144.140.113.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 212.73.221.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 212.73.221.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 125.39.66.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 125.39.66.0/24 0.0.0.06⤵
-
C:\Windows\SysWOW64\PhotoScreensaver.scr"C:\Windows\System32\PhotoScreensaver.scr" /S3⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1111028288-1003725932-21153933021176003123120903443-12254546912355766991204771885"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "935409602-1062993595765765045186243836131917711453302811940641879-1399143573"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-658610594-393362563317211575-115776618185517064218965395131765499291160031657"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-297723372-1651597770-1545184869709863409782730801980336030-1915247331-463676031"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1601498860-623956559-210387562513741168551730133061500702790890409680-505625190"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-17083414041151175402262144520-93880553-569111863371579694-1613988875-590101883"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "651931000-907699476-9397025666587385402102796354108523411812131837031475630465"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1508095783-19067322451848632655-497700163-1972635833-642224708-689440232-1982896676"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1198182482-956718880-474440032444924235-1776691426-1868763321406917062-79092440"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "92905872667447991-2037231086-1109753181-2107628755-56936870196319083505857537"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-138609520911717181011081603345-1264305789-1076757288-950028986-1467282769762748954"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-88455588883978169-316763198-1885913931144265900-477790916778295073367566698"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-15640989691493183488-15255021316268758581090068621-1373780970-965259993-1926992433"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-632278528-1566745464252869424-19263293211033301442-19326789341326333425-1954337874"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-328677624-1614038537391706709-546654150-1532414805-51096830354829005-660293883"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2088071804-1402297946162454832621131668741523179006-1063289818592124805-2051484077"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "143764575813703810621285860842-1774038897-1321798512-535179037251380097-1234389868"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1651646863-683047381158215659-756157064-1311845175276218895171105777590346077"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\yaion.exeFilesize
128KB
MD551ce35af2290923c37c62e124ed09950
SHA18d5eb3e768111d6eb27d4677dd6178672b9f7b23
SHA25670983b6aef6f0cb1e34133876f3410534756219e0c2644fe3a91fc89a47d31e6
SHA512d39c4b1e3cab4c6ddd7a98b33b18b285b84135e8d5387abb0051d8ee21eb27c0f85a82256633c160b49ea3ecdf4304fcd2ef94470231f42800814f4a640b0f60
-
C:\Users\Admin\yaion.exeFilesize
128KB
MD551ce35af2290923c37c62e124ed09950
SHA18d5eb3e768111d6eb27d4677dd6178672b9f7b23
SHA25670983b6aef6f0cb1e34133876f3410534756219e0c2644fe3a91fc89a47d31e6
SHA512d39c4b1e3cab4c6ddd7a98b33b18b285b84135e8d5387abb0051d8ee21eb27c0f85a82256633c160b49ea3ecdf4304fcd2ef94470231f42800814f4a640b0f60
-
C:\Users\Admin\yaion.exeFilesize
128KB
MD551ce35af2290923c37c62e124ed09950
SHA18d5eb3e768111d6eb27d4677dd6178672b9f7b23
SHA25670983b6aef6f0cb1e34133876f3410534756219e0c2644fe3a91fc89a47d31e6
SHA512d39c4b1e3cab4c6ddd7a98b33b18b285b84135e8d5387abb0051d8ee21eb27c0f85a82256633c160b49ea3ecdf4304fcd2ef94470231f42800814f4a640b0f60
-
\Users\Admin\yaion.exeFilesize
128KB
MD551ce35af2290923c37c62e124ed09950
SHA18d5eb3e768111d6eb27d4677dd6178672b9f7b23
SHA25670983b6aef6f0cb1e34133876f3410534756219e0c2644fe3a91fc89a47d31e6
SHA512d39c4b1e3cab4c6ddd7a98b33b18b285b84135e8d5387abb0051d8ee21eb27c0f85a82256633c160b49ea3ecdf4304fcd2ef94470231f42800814f4a640b0f60
-
\Users\Admin\yaion.exeFilesize
128KB
MD551ce35af2290923c37c62e124ed09950
SHA18d5eb3e768111d6eb27d4677dd6178672b9f7b23
SHA25670983b6aef6f0cb1e34133876f3410534756219e0c2644fe3a91fc89a47d31e6
SHA512d39c4b1e3cab4c6ddd7a98b33b18b285b84135e8d5387abb0051d8ee21eb27c0f85a82256633c160b49ea3ecdf4304fcd2ef94470231f42800814f4a640b0f60
-
memory/296-171-0x0000000000000000-mapping.dmp
-
memory/324-159-0x0000000000000000-mapping.dmp
-
memory/336-144-0x0000000000000000-mapping.dmp
-
memory/360-112-0x0000000000000000-mapping.dmp
-
memory/388-160-0x0000000000000000-mapping.dmp
-
memory/388-126-0x0000000000000000-mapping.dmp
-
memory/520-138-0x0000000000000000-mapping.dmp
-
memory/584-105-0x0000000000000000-mapping.dmp
-
memory/588-151-0x0000000000000000-mapping.dmp
-
memory/632-86-0x0000000000000000-mapping.dmp
-
memory/864-166-0x0000000000000000-mapping.dmp
-
memory/864-101-0x0000000000000000-mapping.dmp
-
memory/944-163-0x0000000000000000-mapping.dmp
-
memory/948-56-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/948-83-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/948-63-0x00000000759F1000-0x00000000759F3000-memory.dmpFilesize
8KB
-
memory/948-62-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/948-59-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/948-57-0x00000000004010E0-mapping.dmp
-
memory/960-130-0x0000000000000000-mapping.dmp
-
memory/972-121-0x0000000000000000-mapping.dmp
-
memory/976-92-0x0000000000000000-mapping.dmp
-
memory/992-133-0x0000000000000000-mapping.dmp
-
memory/1076-97-0x0000000000000000-mapping.dmp
-
memory/1112-115-0x0000000000000000-mapping.dmp
-
memory/1172-95-0x0000000000000000-mapping.dmp
-
memory/1176-117-0x0000000000000000-mapping.dmp
-
memory/1180-100-0x0000000000000000-mapping.dmp
-
memory/1208-132-0x0000000000000000-mapping.dmp
-
memory/1256-114-0x0000000000000000-mapping.dmp
-
memory/1372-66-0x0000000000000000-mapping.dmp
-
memory/1380-106-0x0000000000000000-mapping.dmp
-
memory/1408-98-0x0000000000000000-mapping.dmp
-
memory/1408-158-0x0000000000000000-mapping.dmp
-
memory/1408-127-0x0000000000000000-mapping.dmp
-
memory/1488-176-0x0000000000000000-mapping.dmp
-
memory/1524-154-0x0000000000000000-mapping.dmp
-
memory/1536-123-0x0000000000000000-mapping.dmp
-
memory/1564-145-0x0000000000000000-mapping.dmp
-
memory/1568-165-0x0000000000000000-mapping.dmp
-
memory/1580-84-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1580-124-0x0000000003E10000-0x00000000048CA000-memory.dmpFilesize
10.7MB
-
memory/1580-81-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1580-75-0x00000000004010E0-mapping.dmp
-
memory/1580-85-0x0000000003250000-0x0000000003D0A000-memory.dmpFilesize
10.7MB
-
memory/1616-141-0x0000000000000000-mapping.dmp
-
memory/1620-135-0x0000000000000000-mapping.dmp
-
memory/1632-125-0x0000000000000000-mapping.dmp
-
memory/1632-156-0x0000000000000000-mapping.dmp
-
memory/1640-111-0x0000000000000000-mapping.dmp
-
memory/1640-173-0x0000000000000000-mapping.dmp
-
memory/1664-94-0x0000000000000000-mapping.dmp
-
memory/1684-170-0x0000000000000000-mapping.dmp
-
memory/1700-108-0x0000000000000000-mapping.dmp
-
memory/1704-162-0x0000000000000000-mapping.dmp
-
memory/1716-91-0x0000000000000000-mapping.dmp
-
memory/1724-109-0x0000000000000000-mapping.dmp
-
memory/1784-136-0x0000000000000000-mapping.dmp
-
memory/1792-148-0x0000000000000000-mapping.dmp
-
memory/1816-174-0x0000000000000000-mapping.dmp
-
memory/1872-139-0x0000000000000000-mapping.dmp
-
memory/1884-153-0x0000000000000000-mapping.dmp
-
memory/1904-89-0x0000000000000000-mapping.dmp
-
memory/1904-118-0x0000000000000000-mapping.dmp
-
memory/1960-150-0x0000000000000000-mapping.dmp
-
memory/1984-88-0x0000000000000000-mapping.dmp
-
memory/1988-120-0x0000000000000000-mapping.dmp
-
memory/1992-147-0x0000000000000000-mapping.dmp
-
memory/1996-129-0x0000000000000000-mapping.dmp
-
memory/2000-143-0x0000000000000000-mapping.dmp
-
memory/2020-71-0x0000000000000000-mapping.dmp
-
memory/2024-103-0x0000000000000000-mapping.dmp
-
memory/2028-168-0x0000000000000000-mapping.dmp