Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2023 20:13
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220901-en
General
Target: file.exe
Size: 380KB
MD5: 4ca2c6f98e9dcd7a4033f8c538a709d3
SHA1: bc4b09303da991614fc7f34ff4ca01b8cf394940
SHA256: 6e94d7d6e75439d7112e272506fc394b59e5955c5bb60357beff31a24e6b5bbc
SHA512: 3ee08ca3dca33a1bf100e4f6ecb5c44e6f8802ca74028ca04a55065769627369e307ee9d4b302476137fbba716e72ce366fb6514c22bec34187ff38141d57f83
SSDEEP: 6144:x/QiQXCKJm+ksmpk3U9jW1U4P9bGOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZogE:pQi3Ks6m6URA3PhGlL//plmW9bTXeVh8
Malware Config

Extracted: gcleaner
  C2: 45.12.253.56
  C2: 45.12.253.72
  C2: 45.12.253.98
  C2: 45.12.253.75

Extracted: redline
  botnet: main
  C2: birja1.com:29658
  auth_value: 7a6d3334d5db5d02c16eec7633780063
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid 216 -> pid_target 4740, target process rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks for common network interception software (1 TTP)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Downloads MZ/PE file

Drops file in Drivers directory (1 IoC)
  File opened for modification C:\Windows\system32\drivers\etc\hosts (786fiyon.exe)

Executes dropped EXE (14 IoCs)
  3980 file.tmp
  3284 786fiyon.exe
  1308 Gijajadoshae.exe
  1344 Gijajadoshae.exe
  3024 poweroff.exe
  4860 poweroff.tmp
  4796 Power Off.exe
  5584 gcleaner.exe
  5828 chenp.exe
  1296 pb1117.exe
  4376 chenp.exe
  2128 CZWWADj.exe
  4964 Engine.exe
  5912 Sapphire.exe.pif

Yara rule match: upx
  C:\Users\Admin\AppData\Local\Temp\SETUP_41388\Engine.exe
  C:\Users\Admin\AppData\Local\Temp\SETUP_41388\Engine.exe
  behavioral2/memory/4964-221-0x0000000000400000-0x0000000000558000-memory.dmp
  behavioral2/memory/4964-250-0x0000000000400000-0x0000000000558000-memory.dmp
  behavioral2/memory/4964-262-0x0000000000400000-0x0000000000558000-memory.dmp

Yara rule match: vmprotect
  C:\Users\Admin\AppData\Local\Temp\swsx2shf.f2h\pb1117.exe
  C:\Users\Admin\AppData\Local\Temp\swsx2shf.f2h\pb1117.exe
  behavioral2/memory/1296-196-0x0000000140000000-0x000000014061C000-memory.dmp

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (786fiyon.exe)
  Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (Gijajadoshae.exe)
  Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (chenp.exe)
  Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (gcleaner.exe)

Loads dropped DLL (2 IoCs)
  3980 file.tmp
  3048 svchost.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Internet Explorer\\Gijajadoshae.exe\"" (786fiyon.exe)
  Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops desktop.ini file(s) (1 IoC)
  File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini (svchost.exe)
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Suspicious use of SetThreadContext (1 IoC)
  PID 5912 (Sapphire.exe.pif) set thread context of 1504 (jsc.exe)

Drops file in Program Files directory (11 IoCs)
  File created C:\Program Files (x86)\powerOff\unins000.dat (poweroff.tmp)
  File created C:\Program Files (x86)\powerOff\is-IMSJ2.tmp (poweroff.tmp)
  File opened for modification C:\Program Files (x86)\powerOff\unins000.dat (poweroff.tmp)
  File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2e0036c4-296c-41c7-a784-03797f92a185.tmp (setup.exe)
  File created C:\Program Files\Java\YHELLEWGIV\poweroff.exe.config (786fiyon.exe)
  File created C:\Program Files (x86)\Internet Explorer\Gijajadoshae.exe.config (786fiyon.exe)
  File opened for modification C:\Program Files (x86)\powerOff\Power Off.exe (poweroff.tmp)
  File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230129201348.pma (setup.exe)
  File created C:\Program Files\Java\YHELLEWGIV\poweroff.exe (786fiyon.exe)
  File created C:\Program Files (x86)\Internet Explorer\Gijajadoshae.exe (786fiyon.exe)
  File created C:\Program Files (x86)\powerOff\is-SVI9I.tmp (poweroff.tmp)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (10 IoCs)
  3952 WerFault.exe -> 3048 rundll32.exe
  5096 WerFault.exe -> 5584 gcleaner.exe
  5840 WerFault.exe -> 5584 gcleaner.exe
  2296 WerFault.exe -> 5584 gcleaner.exe
  4720 WerFault.exe -> 5584 gcleaner.exe
  5732 WerFault.exe -> 5584 gcleaner.exe
  4224 WerFault.exe -> 5584 gcleaner.exe
  4376 WerFault.exe -> 5584 gcleaner.exe
  4060 WerFault.exe -> 5584 gcleaner.exe
  428 WerFault.exe -> 5584 gcleaner.exe

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (svchost.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (svchost.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Kills process with taskkill (1 IoC)
  5096 taskkill.exe

Modifies registry class (3 IoCs)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
  Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{D99E609B-36C0-4569-87BA-8DDFB5291B89} (svchost.exe)
  Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{AEEC0295-B519-4D1E-9327-4A718454FCDE} (svchost.exe)

Modifies system certificate store
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (Gijajadoshae.exe)
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob not included in this page) (Gijajadoshae.exe)

Runs ping.exe (1 TTP, 1 IoC)

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
  flow 81: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  4860 poweroff.tmp (x2)
  1308 Gijajadoshae.exe (x62, all remaining entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  5160 msedge.exe (x5)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token: SeDebugPrivilege 3284 786fiyon.exe
  Token: SeDebugPrivilege 1344 Gijajadoshae.exe
  Token: SeDebugPrivilege 1308 Gijajadoshae.exe
  Token: SeDebugPrivilege 2496 powershell.exe
  Token: SeDebugPrivilege 5096 taskkill.exe
  Token: SeDebugPrivilege 1364 powershell.exe
  Token: SeDebugPrivilege 1504 jsc.exe

Suspicious use of FindShellTrayWindow (7 IoCs)
  4860 poweroff.tmp
  5160 msedge.exe (x3)
  5912 Sapphire.exe.pif (x3)

Suspicious use of SendNotifyMessage (3 IoCs)
  5912 Sapphire.exe.pif (x3)

Suspicious use of SetWindowsHookEx (1 IoC)
  4340 OpenWith.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 516 file.exe wrote to memory of 3980 file.tmp (x3)
  PID 3980 file.tmp wrote to memory of 3284 786fiyon.exe (x2)
  PID 3284 786fiyon.exe wrote to memory of 1308 Gijajadoshae.exe (x2)
  PID 3284 786fiyon.exe wrote to memory of 3024 poweroff.exe (x3)
  PID 3284 786fiyon.exe wrote to memory of 1344 Gijajadoshae.exe (x2)
  PID 3024 poweroff.exe wrote to memory of 4860 poweroff.tmp (x3)
  PID 4860 poweroff.tmp wrote to memory of 4796 Power Off.exe (x2)
  PID 1308 Gijajadoshae.exe wrote to memory of 2284 cmd.exe (x2)
  PID 1344 Gijajadoshae.exe wrote to memory of 5160 msedge.exe (x2)
  PID 5160 msedge.exe wrote to memory of 5544 msedge.exe (x2)
  PID 2284 cmd.exe wrote to memory of 5584 gcleaner.exe (x3)
  PID 1308 Gijajadoshae.exe wrote to memory of 5716 cmd.exe (x2)
  PID 5716 cmd.exe wrote to memory of 5828 chenp.exe (x3)
  PID 1308 Gijajadoshae.exe wrote to memory of 5916 cmd.exe (x2)
  PID 5160 msedge.exe wrote to memory of 5932 msedge.exe (x31, all remaining entries)
Processes (process tree; [n] is the nesting depth shown on the page)

[1] C:\Users\Admin\AppData\Local\Temp\file.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\is-AFF77.tmp\file.tmp
      cmdline: "C:\Users\Admin\AppData\Local\Temp\is-AFF77.tmp\file.tmp" /SL5="$90060,140518,56832,C:\Users\Admin\AppData\Local\Temp\file.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\is-1DS51.tmp\786fiyon.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\is-1DS51.tmp\786fiyon.exe" /S /UID=95
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\35-74f75-d75-efa9a-e0d8934a27293\Gijajadoshae.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\35-74f75-d75-efa9a-e0d8934a27293\Gijajadoshae.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Modifies system certificate store
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\otmzqsu4.ueu\gcleaner.exe /mixfive & exit
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\otmzqsu4.ueu\gcleaner.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\otmzqsu4.ueu\gcleaner.exe /mixfive
              - Executes dropped EXE
              - Checks computer location settings
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 452
                - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 764
                - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 764
                - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 796
                - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 804
                - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 984
                - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 1016
                - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 1356
                - Program crash
            [7] C:\Windows\SysWOW64\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\otmzqsu4.ueu\gcleaner.exe" & exit
              [8] C:\Windows\SysWOW64\taskkill.exe
                  cmdline: taskkill /im "gcleaner.exe" /f
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 492
                - Program crash
        [5] C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zhviyzvy.m5c\chenp.exe & exit
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\zhviyzvy.m5c\chenp.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\zhviyzvy.m5c\chenp.exe
              - Executes dropped EXE
              - Checks computer location settings
            [7] C:\Users\Admin\AppData\Local\Temp\zhviyzvy.m5c\chenp.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\zhviyzvy.m5c\chenp.exe" -h
                - Executes dropped EXE
        [5] C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\swsx2shf.f2h\pb1117.exe & exit
          [6] C:\Users\Admin\AppData\Local\Temp\swsx2shf.f2h\pb1117.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\swsx2shf.f2h\pb1117.exe
              - Executes dropped EXE
        [5] C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lkkvu4cc.pye\CZWWADj.exe & exit
          [6] C:\Users\Admin\AppData\Local\Temp\lkkvu4cc.pye\CZWWADj.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\lkkvu4cc.pye\CZWWADj.exe
              - Executes dropped EXE
            [7] C:\Users\Admin\AppData\Local\Temp\SETUP_41388\Engine.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\SETUP_41388\Engine.exe /TH_ID=_3164 /OriginExe="C:\Users\Admin\AppData\Local\Temp\lkkvu4cc.pye\CZWWADj.exe"
                - Executes dropped EXE
              [8] C:\Windows\SysWOW64\CmD.exe
                  cmdline: C:\Windows\system32\CmD.exe /c cmd < 64
                [9] C:\Windows\SysWOW64\cmd.exe
                    cmdline: cmd
                  [10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmdline: powershell get-process avastui
                      - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmdline: powershell get-process avgui
                      - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\SysWOW64\certutil.exe
                      cmdline: certutil -decode 23 23DDdRqF
                  [10] C:\Windows\SysWOW64\findstr.exe
                      cmdline: findstr /V /R "^jdjfUCLAznmSSizqPiNAzpcaRJECVAbEQRcNMoxDprqvwRmVfhrHtNGeUUnlXpESwUewLGgHNpsdoZdqlJhIbQmela$" 23DDdRqF
                  [10] C:\Users\Admin\AppData\Local\Temp\tmq2swfe.f5a\24347\Sapphire.exe.pif
                      cmdline: 24347\\Sapphire.exe.pif 24347\\a
                      - Executes dropped EXE
                      - Suspicious use of SetThreadContext
                      - Suspicious use of FindShellTrayWindow
                      - Suspicious use of SendNotifyMessage
                    [11] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                        cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                        - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\SysWOW64\PING.EXE
                      cmdline: ping localhost -n 8
                      - Runs ping.exe
      [4] C:\Users\Admin\AppData\Local\Temp\0d-a17f0-31d-1f4af-c0b295fcc816e\Gijajadoshae.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\0d-a17f0-31d-1f4af-c0b295fcc816e\Gijajadoshae.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
            - Adds Run key to start application
            - Enumerates system info in registry
            - Modifies registry class
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffccf546f8,0x7fffccf54708,0x7fffccf54718
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5380 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
              - Drops file in Program Files directory
            [7] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1bc,0x22c,0x7ff788e05460,0x7ff788e05470,0x7ff788e05480
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1944 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5488 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4204 /prefetch:2
      [4] C:\Program Files\Java\YHELLEWGIV\poweroff.exe
          cmdline: "C:\Program Files\Java\YHELLEWGIV\poweroff.exe" /VERYSILENT
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\is-QRTKB.tmp\poweroff.tmp
            cmdline: "C:\Users\Admin\AppData\Local\Temp\is-QRTKB.tmp\poweroff.tmp" /SL5="$70028,490199,350720,C:\Program Files\Java\YHELLEWGIV\poweroff.exe" /VERYSILENT
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
          [6] C:\Program Files (x86)\powerOff\Power Off.exe
              cmdline: "C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
              - Executes dropped EXE

[1] C:\Windows\System32\CompPkgSrv.exe
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
    - Process spawned unexpected child process
  [2] C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
    [3] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 604
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3048 -ip 3048

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5584 -ip 5584

[1] C:\Windows\system32\OpenWith.exe
    cmdline: C:\Windows\system32\OpenWith.exe -Embedding
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Modifies registry class

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5584 -ip 5584

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5584 -ip 5584

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5584 -ip 5584

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5584 -ip 5584

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5584 -ip 5584

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5584 -ip 5584

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5584 -ip 5584

[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
    - Loads dropped DLL

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5584 -ip 5584

[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    - Checks processor information in registry
    - Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads