Analysis
max time kernel: 89s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-03-2023 08:54
Static task: static1
Behavioral task: behavioral1
  Sample: 6f88b9e1e4e6f5e2898e401f1826b99739654752ee83bf0495ff048dca422b76.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 6f88b9e1e4e6f5e2898e401f1826b99739654752ee83bf0495ff048dca422b76.exe
  Resource: win10v2004-20230220-en
General
Target: 6f88b9e1e4e6f5e2898e401f1826b99739654752ee83bf0495ff048dca422b76.exe
Size: 244KB
MD5: 78860803c7f6f7e9a9a21034adc13db1
SHA1: c6ed85e97a01f2111af9ce5a376203cb8ea4594b
SHA256: 6f88b9e1e4e6f5e2898e401f1826b99739654752ee83bf0495ff048dca422b76
SHA512: e217b35d38740796a25700c90d1e657fc9d62bbe9b7149dd667b1fa453f0eb7e0ac5f3edb305a5167c666c632164bc1ae7a7329895f38051eeb4a48daded3270
SSDEEP: 3072:atjySptLGcM23soO+xvmMwf7uRZDF0L3+OVnv+KxGyDnx4CR2a0:asYtLj3FO+af7qDF0L3+OVWKxGUuM2a
Malware Config
Extracted: smokeloader
  Version: 2023
Extracted: smokeloader
  Version: 2022
  C2:
    http://c3g6gx853u6j.xyz/
    http://04yh16065cdi.xyz/
    http://33qd2w560vnx.xyz/
    http://neriir0f76gr.com/
    http://b4y08hrp3jdb.com/
    http://swp6fbywla09.com/
    http://7iqt53dr345u.com/
    http://mj4aj8r55mho.com/
    http://ne4ym7bjn1ts.com/
Extracted: redline
  Botnet: 02-700-2
  C2: 167.235.133.96:43849
  auth_value: 8af50b3310e79fa317eef66b1e92900f
Extracted: redline
  Botnet: 2
  C2: 51.81.126.50:19836
  auth_value: 7be92ecdf2c2f5400aa90f72d61cb2a4
Extracted: amadey
  Version: 3.65
  C2:
    hellomr.observer/7gjD0Vs3d/index.php
    researchersgokick.rocks/7gjD0Vs3d/index.php
    pleasetake.pictures/7gjD0Vs3d/index.php
Signatures
-
Detect rhadamanthys stealer shellcode 3 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/3852-745-0x00000000015F0000-0x000000000160C000-memory.dmp | family_rhadamanthys
  behavioral2/memory/3852-755-0x0000000002F80000-0x0000000003F80000-memory.dmp | family_rhadamanthys
  behavioral2/memory/3852-993-0x00000000015F0000-0x000000000160C000-memory.dmp | family_rhadamanthys
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 24 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/4824-<offset>-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline (21 dumps of the same region, offsets 194, 197, 199, 195, 202, 206, 208, 210, 212, 215, 217, 220, 222, 224, 226, 228, 232, 236, 240, 244, 248)
  behavioral2/memory/4412-628-0x00000000054D0000-0x00000000054E0000-memory.dmp | family_redline
  behavioral2/memory/3852-755-0x0000000002F80000-0x0000000003F80000-memory.dmp | family_redline
  behavioral2/memory/296-1216-0x0000000000C50000-0x0000000000C72000-memory.dmp | family_redline
Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
  description | pid | process | target process
  PID 2468 created 2436 | 2468 | 8109.exe | taskhostw.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | A1A5.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | BDDA.exe
Downloads MZ/PE file
-
Modifies extensions of user files 21 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\DismountUndo.crw.alice | AppLaunch.exe
  File opened for modification | C:\Users\Admin\Pictures\MergeJoin.png.alice | AppLaunch.exe
  File renamed | C:\Users\Admin\Pictures\PopCompress.png => C:\Users\Admin\Pictures\PopCompress.png.alice | AppLaunch.exe
  File opened for modification | C:\Users\Admin\Pictures\PopCompress.png.alice | AppLaunch.exe
  File opened for modification | C:\Users\Admin\Pictures\RestartCheckpoint.raw.alice | AppLaunch.exe
  File opened for modification | C:\Users\Admin\Pictures\BlockCompare.tif.alice | AppLaunch.exe
  File renamed | C:\Users\Admin\Pictures\StartEnable.png => C:\Users\Admin\Pictures\StartEnable.png.alice | AppLaunch.exe
  File opened for modification | C:\Users\Admin\Pictures\SubmitUnlock.png.alice | AppLaunch.exe
  File renamed | C:\Users\Admin\Pictures\UseBlock.tiff => C:\Users\Admin\Pictures\UseBlock.tiff.alice | AppLaunch.exe
  File renamed | C:\Users\Admin\Pictures\MergeJoin.png => C:\Users\Admin\Pictures\MergeJoin.png.alice | AppLaunch.exe
  File opened for modification | C:\Users\Admin\Pictures\ResolveClose.crw.alice | AppLaunch.exe
  File renamed | C:\Users\Admin\Pictures\RestartCheckpoint.raw => C:\Users\Admin\Pictures\RestartCheckpoint.raw.alice | AppLaunch.exe
  File opened for modification | C:\Users\Admin\Pictures\StartEnable.png.alice | AppLaunch.exe
  File opened for modification | C:\Users\Admin\Pictures\UseBlock.tiff.alice | AppLaunch.exe
  File renamed | C:\Users\Admin\Pictures\BlockCompare.tif => C:\Users\Admin\Pictures\BlockCompare.tif.alice | AppLaunch.exe
  File renamed | C:\Users\Admin\Pictures\DismountUndo.crw => C:\Users\Admin\Pictures\DismountUndo.crw.alice | AppLaunch.exe
  File renamed | C:\Users\Admin\Pictures\ResolveClose.crw => C:\Users\Admin\Pictures\ResolveClose.crw.alice | AppLaunch.exe
  File renamed | C:\Users\Admin\Pictures\SubmitUnlock.png => C:\Users\Admin\Pictures\SubmitUnlock.png.alice | AppLaunch.exe
  File opened for modification | C:\Users\Admin\Pictures\UseBlock.tiff | AppLaunch.exe
  File renamed | C:\Users\Admin\Pictures\RequestExpand.crw => C:\Users\Admin\Pictures\RequestExpand.crw.alice | AppLaunch.exe
  File opened for modification | C:\Users\Admin\Pictures\RequestExpand.crw.alice | AppLaunch.exe
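The rename pattern in the table above (original name kept, one new suffix appended, many files in a row from one process) is the shape a file-activity detector keys on. The following is an added example, not code from the report or from the sandbox vendor: the event tuples are copied from the table, the benign `notepad.exe` line is constructed noise, and the threshold and function names are this example's own choices.

```python
"""Mass-rename detection over the file events listed under "Modifies
extensions of user files". Added example, not part of the report."""
import ntpath
import re
from collections import Counter, defaultdict

# Constructed from the report's file-event table: (process, event description).
EVENTS = [
    ("AppLaunch.exe", r"File opened for modification C:\Users\Admin\Pictures\DismountUndo.crw.alice"),
    ("AppLaunch.exe", r"File renamed C:\Users\Admin\Pictures\PopCompress.png => C:\Users\Admin\Pictures\PopCompress.png.alice"),
    ("AppLaunch.exe", r"File renamed C:\Users\Admin\Pictures\StartEnable.png => C:\Users\Admin\Pictures\StartEnable.png.alice"),
    ("AppLaunch.exe", r"File renamed C:\Users\Admin\Pictures\UseBlock.tiff => C:\Users\Admin\Pictures\UseBlock.tiff.alice"),
    ("AppLaunch.exe", r"File renamed C:\Users\Admin\Pictures\MergeJoin.png => C:\Users\Admin\Pictures\MergeJoin.png.alice"),
    ("AppLaunch.exe", r"File renamed C:\Users\Admin\Pictures\RestartCheckpoint.raw => C:\Users\Admin\Pictures\RestartCheckpoint.raw.alice"),
    ("AppLaunch.exe", r"File renamed C:\Users\Admin\Pictures\BlockCompare.tif => C:\Users\Admin\Pictures\BlockCompare.tif.alice"),
    ("AppLaunch.exe", r"File renamed C:\Users\Admin\Pictures\DismountUndo.crw => C:\Users\Admin\Pictures\DismountUndo.crw.alice"),
    ("AppLaunch.exe", r"File renamed C:\Users\Admin\Pictures\ResolveClose.crw => C:\Users\Admin\Pictures\ResolveClose.crw.alice"),
    ("AppLaunch.exe", r"File renamed C:\Users\Admin\Pictures\SubmitUnlock.png => C:\Users\Admin\Pictures\SubmitUnlock.png.alice"),
    ("AppLaunch.exe", r"File opened for modification C:\Users\Admin\Pictures\UseBlock.tiff"),
    ("AppLaunch.exe", r"File renamed C:\Users\Admin\Pictures\RequestExpand.crw => C:\Users\Admin\Pictures\RequestExpand.crw.alice"),
    # Constructed benign noise: an ordinary rename that must not count.
    ("notepad.exe", r"File renamed C:\Users\Admin\Documents\notes.txt => C:\Users\Admin\Documents\notes-old.txt"),
]

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")


def appended_extension(src, dst):
    """Suffix that dst adds to src ('.alice' here), or None when the rename
    does not keep the original name and append a dotted suffix."""
    if dst.startswith(src) and dst[len(src):].startswith("."):
        return dst[len(src):]
    return None


def detect_mass_rename(events, threshold=5):
    """(process, appended suffix, count) for every process that appended the
    same suffix to at least `threshold` files. Threshold is an example choice."""
    per_process = defaultdict(Counter)
    for process, description in events:
        m = RENAME_RE.match(description)
        if not m:
            continue
        ext = appended_extension(m["src"], m["dst"])
        if ext:
            per_process[process][ext] += 1
    return [(p, ext, n) for p, c in per_process.items() for ext, n in c.items() if n >= threshold]


def original_extensions(events):
    """Distinct extensions of the files that had a suffix appended, i.e. the
    file types the encryptor went after."""
    exts = set()
    for _, description in events:
        m = RENAME_RE.match(description)
        if m and appended_extension(m["src"], m["dst"]):
            exts.add(ntpath.splitext(m["src"])[1].lower())
    return sorted(exts)


if __name__ == "__main__":
    for process, ext, count in detect_mass_rename(EVENTS):
        print(f"{process}: appended {ext} to {count} files; targets {original_extensions(EVENTS)}")
```

On this report the detector fires for AppLaunch.exe with suffix `.alice` over ten renames; the ransom note seen in the Downloads section (`How To Restore Your Files.txt` in `C:\PerfLogs`) is the second half of the same pattern and would be a separate file-creation rule.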
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | BDDA.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | BDDA.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | A1A5.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | A1A5.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | 781F.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | A908.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | nbveek.exe
Executes dropped EXE 11 IoCs
Processes:
  pid | process
  544 | 7129.exe
  3944 | 781F.exe
  2468 | 8109.exe
  3536 | 880F.exe
  4824 | 8D02.exe
  4560 | 962A.exe
  4412 | A1A5.exe
  4372 | A908.exe
  228 | BDDA.exe
  1800 | nbveek.exe
  4196 | 781F.exe
Loads dropped DLL 1 IoCs
Processes:
  pid | process
  2468 | 8109.exe
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource | yara_rule
  behavioral2/memory/4412-607-0x0000000000A30000-0x0000000001218000-memory.dmp | agile_net
  behavioral2/memory/4412-612-0x0000000000A30000-0x0000000001218000-memory.dmp | agile_net
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 8 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\A1A5.exe | themida
  C:\Users\Admin\AppData\Local\Temp\A1A5.exe | themida
  behavioral2/memory/4412-607-0x0000000000A30000-0x0000000001218000-memory.dmp | themida
  C:\Users\Admin\AppData\Local\Temp\BDDA.exe | themida
  C:\Users\Admin\AppData\Local\Temp\BDDA.exe | themida
  behavioral2/memory/4412-612-0x0000000000A30000-0x0000000001218000-memory.dmp | themida
  behavioral2/memory/228-625-0x0000000000100000-0x000000000056A000-memory.dmp | themida
  behavioral2/memory/228-829-0x0000000000100000-0x000000000056A000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fnfmgj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ifpyahw\\Fnfmgj.exe\"" | 781F.exe
Checks whether UAC is enabled 2 IoCs
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | A1A5.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | BDDA.exe
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\F:, \??\G:, \??\V:, \??\M:, \??\Q:, \??\E:, \??\Y:, \??\K:, \??\Z:, \??\W:, \??\R:, \??\A:, \??\H:, \??\J:, \??\X:, \??\N:, \??\U:, \??\O:, \??\S:, \??\L:, \??\B:, \??\T:, \??\I:, \??\P: | AppLaunch.exe (24 entries)
  File opened (read-only) | \??\M: | (process not recorded)
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  187 | ip-api.com
  201 | icanhazip.com
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
  pid | process
  4412 | A1A5.exe
  228 | BDDA.exe
  3852 | fontview.exe
  3852 | fontview.exe
  3852 | fontview.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
  description | pid | process | target process
  PID 544 set thread context of 3384 | 544 | 7129.exe | AppLaunch.exe
  PID 2468 set thread context of 2320 | 2468 | 8109.exe | ngentask.exe
  PID 4560 set thread context of 2980 | 4560 | 962A.exe | AppLaunch.exe
  PID 3944 set thread context of 4196 | 3944 | 781F.exe | 781F.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 7 IoCs
Processes:
  pid | pid_target | process | target process
  4652 | 228 | WerFault.exe | BDDA.exe
  1108 | 2468 | WerFault.exe | 8109.exe
  1484 | 2468 | WerFault.exe | 8109.exe
  1520 | 3520 | WerFault.exe | rundll32.exe
  1280 | 4948 | WerFault.exe | rundll32.exe
  4056 | 3928 | WerFault.exe | rundll32.exe
  5008 | 4824 | WerFault.exe | 8D02.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | fontview.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6f88b9e1e4e6f5e2898e401f1826b99739654752ee83bf0495ff048dca422b76.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6f88b9e1e4e6f5e2898e401f1826b99739654752ee83bf0495ff048dca422b76.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6f88b9e1e4e6f5e2898e401f1826b99739654752ee83bf0495ff048dca422b76.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | fontview.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | A1A5.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | A1A5.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | A1A5.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | A1A5.exe
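The VirtualBox ACPI, BIOS, SCSI, processor, UAC and geo checks above all read plain registry strings, so the useful check on the defensive side is to read the same keys on your own analysis guest and see whether any of them still name the hypervisor. Note that the SCSI path recorded in this report carries the vendor string `Ven_DADY`, not the VirtualBox default, which is what a renamed disk looks like from the sample's point of view. What follows is an added example, not code from the report or the sandbox vendor: the two snapshots are constructed (the VirtualBox default strings are typical values, the "hardened" ones are placeholders apart from the `DADY` vendor taken from the report), the marker list and function names are this example's own, and the live collector only runs on Windows.

```python
"""Audit of the registry values the dropped samples query before running
(ACPI DSDT OEM table, BIOS strings, SCSI enumeration, CPU strings, the
EnableLUA flag and the geo nation code). Added example, not part of the report."""
import sys

# Substrings the common anti-VM checks look for. Constructed list; extend for your hypervisor.
VM_MARKERS = ("vbox", "virtualbox", "innotek", "vmware", "qemu", "bochs", "parallels")

# Constructed: what a stock VirtualBox guest typically exposes under the queried keys.
STOCK_VIRTUALBOX = {
    "SystemBiosVersion": ["VBOX   - 1"],                 # HARDWARE\DESCRIPTION\System
    "VideoBiosVersion": ["Oracle VM VirtualBox VBE Adapter"],
    "AcpiDsdtTables": ["VBOX__"],                        # HARDWARE\ACPI\DSDT subkeys
    "ScsiDevices": ["Disk&Ven_VBOX&Prod_HARDDISK"],      # SYSTEM\CurrentControlSet\Enum\SCSI subkeys
    "ProcessorIdentifier": "Intel64 Family 6 Model 158 Stepping 10",
    "ProcessorNameString": "Intel(R) Core(TM) i7 CPU",
    "EnableLUA": 1,
    "GeoNation": 244,
}

# Constructed: the same keys on a guest whose strings were replaced. The disk vendor is the
# one visible in the report's SCSI query (Ven_DADY); the other strings are placeholders.
HARDENED_GUEST = {
    "SystemBiosVersion": ["DADY - 20230220"],
    "VideoBiosVersion": ["DADY VGA BIOS"],
    "AcpiDsdtTables": ["DADY__"],
    "ScsiDevices": ["Disk&Ven_DADY&Prod_HARDDISK"],
    "ProcessorIdentifier": "Intel64 Family 6 Model 158 Stepping 10",
    "ProcessorNameString": "Intel(R) Core(TM) i7 CPU",
    "EnableLUA": 1,
    "GeoNation": 244,
}


def find_vm_markers(snapshot):
    """[(key, value)] for every value containing a VM marker, i.e. every string a
    sample could use to decide it is being analysed."""
    findings = []
    for key, value in snapshot.items():
        items = value if isinstance(value, (list, tuple)) else [value]
        for item in items:
            text = str(item).lower()
            if any(marker in text for marker in VM_MARKERS):
                findings.append((key, str(item)))
    return findings


def collect_live():
    """Read the same values on a Windows host (winreg exists only there)."""
    import winreg

    def value(root, path, name):
        try:
            with winreg.OpenKey(root, path) as key:
                return winreg.QueryValueEx(key, name)[0]   # REG_MULTI_SZ comes back as a list
        except OSError:
            return None

    def subkeys(root, path):
        names = []
        try:
            with winreg.OpenKey(root, path) as key:
                index = 0
                while True:
                    names.append(winreg.EnumKey(key, index))
                    index += 1
        except OSError:            # EnumKey raises once the index runs past the last subkey
            pass
        return names

    hklm, hkcu = winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER
    system = r"HARDWARE\DESCRIPTION\System"
    return {
        "SystemBiosVersion": value(hklm, system, "SystemBiosVersion"),
        "VideoBiosVersion": value(hklm, system, "VideoBiosVersion"),
        "AcpiDsdtTables": subkeys(hklm, r"HARDWARE\ACPI\DSDT"),
        "ScsiDevices": subkeys(hklm, r"SYSTEM\CurrentControlSet\Enum\SCSI"),
        "ProcessorIdentifier": value(hklm, system + r"\CentralProcessor\0", "Identifier"),
        "ProcessorNameString": value(hklm, system + r"\CentralProcessor\0", "ProcessorNameString"),
        "EnableLUA": value(hklm, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"),
        "GeoNation": value(hkcu, r"Control Panel\International\Geo", "Nation"),
    }


if __name__ == "__main__":
    snapshot = collect_live() if sys.platform == "win32" else STOCK_VIRTUALBOX
    for key, item in find_vm_markers(snapshot) or [("-", "no VM markers found")]:
        print(f"{key}: {item}")
```

Run on a stock VirtualBox guest the audit names four leaking values (both BIOS strings, the `VBOX__` DSDT table and the `Ven_VBOX` disk); on the hardened snapshot it returns nothing, which is the state the samples in this report would have seen for the disk vendor at least.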
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  3656 | vssadmin.exe
  4348 | vssadmin.exe
Modifies registry class 2 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | (process not recorded)
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | (process not recorded)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  4832 | 6f88b9e1e4e6f5e2898e401f1826b99739654752ee83bf0495ff048dca422b76.exe (2 entries)
  2408 | (process name not recorded; 62 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid | process
  2408 | (process name not recorded)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
  pid | process
  4832 | 6f88b9e1e4e6f5e2898e401f1826b99739654752ee83bf0495ff048dca422b76.exe
Suspicious use of AdjustPrivilegeToken 39 IoCs
Processes (in the order recorded):
  description | pid | process
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 2408 | (process name not recorded; 4 pairs)
  Token: SeDebugPrivilege | 3420 | powershell.exe
  Token: SeDebugPrivilege | 4824 | 8D02.exe
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 2408 | (process name not recorded; 4 pairs)
  Token: SeDebugPrivilege | 4412 | A1A5.exe
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 2408 | (process name not recorded; 1 pair)
  Token: SeDebugPrivilege | 3944 | 781F.exe
  Token: SeBackupPrivilege | 2324 | vssvc.exe
  Token: SeRestorePrivilege | 2324 | vssvc.exe
  Token: SeAuditPrivilege | 2324 | vssvc.exe
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 2408 | (process name not recorded; 7 pairs)
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid | process
  2408 | (process name not recorded)
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
  pid | process
  2408 | (process name not recorded)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (identical rows collapsed; the count is how often the report repeats the row):
  description | pid | process | target process | count
  PID 2408 wrote to memory of 544 | 2408 | (not recorded) | 7129.exe | 3
  PID 544 wrote to memory of 3384 | 544 | 7129.exe | AppLaunch.exe | 5
  PID 2408 wrote to memory of 3944 | 2408 | (not recorded) | 781F.exe | 2
  PID 3944 wrote to memory of 3420 | 3944 | 781F.exe | powershell.exe | 2
  PID 2408 wrote to memory of 2468 | 2408 | (not recorded) | 8109.exe | 3
  PID 2408 wrote to memory of 3536 | 2408 | (not recorded) | 880F.exe | 3
  PID 2408 wrote to memory of 4824 | 2408 | (not recorded) | 8D02.exe | 3
  PID 2408 wrote to memory of 4560 | 2408 | (not recorded) | 962A.exe | 3
  PID 2468 wrote to memory of 2320 | 2468 | 8109.exe | ngentask.exe | 5
  PID 4560 wrote to memory of 2980 | 4560 | 962A.exe | AppLaunch.exe | 5
  PID 2468 wrote to memory of 3852 | 2468 | 8109.exe | fontview.exe | 4
  PID 2980 wrote to memory of 1832 | 2980 | AppLaunch.exe | cmd.exe | 2
  PID 2408 wrote to memory of 4412 | 2408 | (not recorded) | A1A5.exe | 3
  PID 2408 wrote to memory of 4372 | 2408 | (not recorded) | A908.exe | 3
  PID 2408 wrote to memory of 228 | 2408 | (not recorded) | BDDA.exe | 3
  PID 4372 wrote to memory of 1800 | 4372 | A908.exe | nbveek.exe | 3
  PID 1832 wrote to memory of 3656 | 1832 | cmd.exe | vssadmin.exe | 2
  PID 1800 wrote to memory of 4544 | 1800 | nbveek.exe | schtasks.exe | 3
  PID 1800 wrote to memory of 3880 | 1800 | nbveek.exe | cmd.exe | 3
  PID 3944 wrote to memory of 4196 | 3944 | 781F.exe | 781F.exe | 4
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(each entry: [depth] image path, its command line, then the signatures that fired for it)

[1] C:\Windows\system32\taskhostw.exe
    cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  [2] C:\Windows\SysWOW64\fontview.exe
      cmdline: "C:\Windows\SYSWOW64\fontview.exe"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks SCSI registry key(s)

[1] C:\Users\Admin\AppData\Local\Temp\6f88b9e1e4e6f5e2898e401f1826b99739654752ee83bf0495ff048dca422b76.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\6f88b9e1e4e6f5e2898e401f1826b99739654752ee83bf0495ff048dca422b76.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\7129.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\7129.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

[1] C:\Users\Admin\AppData\Local\Temp\781F.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\781F.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\781F.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\781F.exe
      - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\8109.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\8109.exe
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1276
      - Program crash
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1284
      - Program crash

[1] C:\Users\Admin\AppData\Local\Temp\880F.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\880F.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\8D02.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\8D02.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1228
      - Program crash

[1] C:\Users\Admin\AppData\Local\Temp\962A.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\962A.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      - Modifies extensions of user files
      - Enumerates connected drives
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin.exe delete shadows /all /quiet
          - Interacts with shadow copies
    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      [4] C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin.exe delete shadows /all /quiet
          - Interacts with shadow copies

[1] C:\Users\Admin\AppData\Local\Temp\A1A5.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\A1A5.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\A908.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\A908.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe" /F
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c1e3594748" /P "Admin:N"&&CACLS "..\c1e3594748" /P "Admin:R" /E&&Exit
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      [4] C:\Windows\SysWOW64\cacls.exe
          cmdline: CACLS "nbveek.exe" /P "Admin:N"
      [4] C:\Windows\SysWOW64\cacls.exe
          cmdline: CACLS "nbveek.exe" /P "Admin:R" /E
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      [4] C:\Windows\SysWOW64\cacls.exe
          cmdline: CACLS "..\c1e3594748" /P "Admin:N"
      [4] C:\Windows\SysWOW64\cacls.exe
          cmdline: CACLS "..\c1e3594748" /P "Admin:R" /E
    [3] C:\Windows\SysWOW64\rundll32.exe
        cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
      [4] C:\Windows\system32\rundll32.exe
          cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
        [5] C:\Windows\system32\WerFault.exe
            cmdline: C:\Windows\system32\WerFault.exe -u -p 4948 -s 648
            - Program crash
    [3] C:\Windows\SysWOW64\rundll32.exe
        cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
      [4] C:\Windows\system32\rundll32.exe
          cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
        [5] C:\Windows\system32\WerFault.exe
            cmdline: C:\Windows\system32\WerFault.exe -u -p 3520 -s 644
            - Program crash
    [3] C:\Windows\SysWOW64\rundll32.exe
        cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
      [4] C:\Windows\system32\rundll32.exe
          cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main
        [5] C:\Windows\system32\WerFault.exe
            cmdline: C:\Windows\system32\WerFault.exe -u -p 3928 -s 644
            - Program crash
    [3] C:\Windows\SysWOW64\rundll32.exe
        cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dll, Main
    [3] C:\Windows\SysWOW64\rundll32.exe
        cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dll, Main
    [3] C:\Windows\SysWOW64\rundll32.exe
        cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dll, Main

[1] C:\Users\Admin\AppData\Local\Temp\BDDA.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\BDDA.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 668
      - Program crash

[1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 228 -ip 228

[1] C:\Windows\system32\msiexec.exe
    cmdline: C:\Windows\system32\msiexec.exe /V

[1] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2468 -ip 2468

[1] C:\Windows\explorer.exe
    cmdline: C:\Windows\explorer.exe

[1] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2468 -ip 2468

[1] C:\Windows\explorer.exe
    cmdline: C:\Windows\explorer.exe

[1] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe

[1] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe

[1] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe

[1] C:\Windows\explorer.exe
    cmdline: C:\Windows\explorer.exe

[1] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe

[1] C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe

[1] C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 420 -p 4948 -ip 4948

[1] C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 512 -p 3520 -ip 3520

[1] C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 484 -p 3928 -ip 3928

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4824 -ip 4824
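Most of what makes this tree worth reading is in the command lines: the `-ENC` argument handed to powershell.exe, the `vssadmin delete shadows` pair, the one-minute `schtasks` loop and the `CACLS` calls that strip the user's own rights from the dropped binary and its folder, and the `rundll32` loads of `cred64.dll` and `clip64.dll` out of the Roaming profile. The block below is an added example, not code from the report or the sandbox vendor: it decodes the `-ENC` argument (base64 over UTF-16LE, which is what PowerShell's `-EncodedCommand` expects) and runs a few regex rules over the command lines copied from the tree; the rule names and helper functions are this example's own, and the last entry (msiexec) is there as a line that should not fire.

```python
"""Triage of the command lines in the process tree: decode the PowerShell
-ENC argument and flag shadow-copy deletion, a one-minute scheduled task,
CACLS self-protection and rundll32 loads from the Roaming profile.
Added example, not part of the report."""
import base64
import binascii
import re
from collections import Counter

# Constructed from the process tree in the report (one entry per distinct command line).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==',
    r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet',
    r'vssadmin.exe delete shadows /all /quiet',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe" /F',
    r'CACLS "nbveek.exe" /P "Admin:N"',
    r'CACLS "..\c1e3594748" /P "Admin:R" /E',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dll, Main',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dll, Main',
    r'C:\Windows\system32\msiexec.exe /V',
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

RULES = [
    ("shadow_copy_deletion", re.compile(r"(?i)vssadmin(?:\.exe)?\s+delete\s+shadows")),
    ("minute_interval_task", re.compile(r"(?i)schtasks(?:\.exe)?\b.*/create\b.*/sc\s+minute\b.*/mo\s+1\b")),
    ("acl_self_protection", re.compile(r'(?i)\bcacls\b.*/p\s+"?[^"\s]+:[NR]"?')),
    ("rundll32_from_roaming", re.compile(r"(?i)rundll32(?:\.exe)?\b.*appdata\\roaming\\")),
]


def decode_encoded_command(cmdline):
    """Plaintext of a powershell -ENC argument (base64 of UTF-16LE); None when the
    command line carries no such argument; an error marker when it does not decode."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError) as exc:
        return f"<undecodable: {exc}>"


def triage(cmdlines):
    """Run every rule over every command line; one dict per line, hits in rule order."""
    results = []
    for cmdline in cmdlines:
        hits = [name for name, rx in RULES if rx.search(cmdline)]
        decoded = decode_encoded_command(cmdline) if "powershell" in cmdline.lower() else None
        if decoded is not None:
            hits.append("encoded_powershell")
        results.append({"cmdline": cmdline, "hits": hits, "decoded": decoded})
    return results


def summarize(results):
    """Hit counts across the whole tree, the shape an alert would carry."""
    return Counter(hit for r in results for hit in r["hits"])


if __name__ == "__main__":
    for r in triage(SAMPLE_CMDLINES):
        if r["hits"]:
            print(", ".join(r["hits"]), "|", r["decoded"] or r["cmdline"][:72])
```

The encoded command decodes to `start-sleep -seconds 20`, i.e. the PowerShell child of 781F.exe is a delay, not a payload; the `acl_self_protection` rule is worth keeping narrow (a `/P user:N` or `/P user:R` grant on a file the same process tree just dropped), since `cacls` itself is common in admin scripting.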
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\PerfLogs\How To Restore Your Files.txt
  Filesize: 272B
  MD5: 9cee3cd6590c1a7902e92daf03ef467b
  SHA1: ef31096205e95601d124de1e69652a24fb0a0968
  SHA256: bf6b4f9ea83f59043027605234c5af52e9146e8903816175cefdd33af148549d
  SHA512: 13d94c5bf381616ffd41108b81d712bb1fd8f0c7729d09518893deb316555ea7c46a84c4985af9b20e51d40f8890ed7045a7faf1f9026aa499fdf0e5bd7aa07e
-
C:\Users\Admin\AppData\Local\5SUROQUSZ5NI976VS1SW\IN_Windows 10 Pro (64 Bit)_0KZ7S7CVRPNJBSSYNBA4\InstalledApp.txt
  Filesize: 2KB
  MD5: 6663276c1da7e9c18116cf5ade6dfdce
  SHA1: 3f6b4e377dc16b1a957bc3afffc5eee4e6ab6f19
  SHA256: 2bbb710d13901ef441fce2a62b0d14a92f3ff03a8f8965a4d31271e327f687a6
  SHA512: 64859282ad16eebaa1f8f37c72a50710e1f9e5464a58f782b879a86cacd44d866457177283bd6236b83f4e27a60f780249928a14eb6974f617ef8d495e31c7a2
-
C:\Users\Admin\AppData\Local\5SUROQUSZ5NI976VS1SW\IN_Windows 10 Pro (64 Bit)_0KZ7S7CVRPNJBSSYNBA4\ProcessList.txt
  Filesize: 4KB
  MD5: 22e3b4c404de2e626062b0953f1ab7f1
  SHA1: 0e1bb7800fd9a4040dedb17adaf8cdf6e2a60286
  SHA256: fb2b0c9568396425c981b84ea291454c191956146afcba3768fc9bc0b9c8a492
  SHA512: 3ec532363e491eb0426a5472a3641d2f9438d85081641b9bb882851f662a4fa3edd37de3417960cbed8336bd67e7a0ced9bdf75a63c2eb69314f18e2b8b03351
-
C:\Users\Admin\AppData\Local\Temp\240622281.dll
  Filesize: 334KB
  MD5: 4cb75f40755bf606f8a5f1b0bc1db511
  SHA1: 0e4fd3965245063a55ab411016a98c52e3498bca
  SHA256: 4c3b45b602867d875c6377fca5823a5134f991858d69efce61cccf63b3eadc3f
  SHA512: 2e54c0c7dba5cd54362a0d9a9407431faed52aba86acefe3843e509c316e9f51f12f6f17d2762f42d3c5e1f588bb774d0c9683c7f9527cf33a8a0c12634cef48
-
C:\Users\Admin\AppData\Local\Temp\443549032550
  Filesize: 68KB
  MD5: 6b786130d18dc366304fbf3f96a735e9
  SHA1: bc37a520f5e87a165b5413a37e7498a417996220
  SHA256: 24ca8b58d9e735de87a874be844da02188a207a4634b1b8b09add06a514fb655
  SHA512: 51c93e1120dbdcc148f2e79446d5099948eaf82072e7bd7fdea0858b1765376ed3bc3ab0b55440d6a4fa1ab1bb9e929638ff658e10998aacb3b3bc74f373f5e5
-
C:\Users\Admin\AppData\Local\Temp\7129.exeFilesize
151KB
MD54504c34ff49b4e4f7bad5e1d03a12119
SHA1cc944092c03c8375e8672a4210cb62bb41ce2ada
SHA2568017b9f673f7158c4118e63f7733afeaf47e756227d41b034863653a14ba0917
SHA512a33b605e5c4fa7e5cb5d417982b49b459bd39b19e84bd0ecffc45b6692582360e3f8e26d4e48a2bb975488ce711aaeed7177674746fb8202e67e7772412ff9ea
-
C:\Users\Admin\AppData\Local\Temp\7129.exeFilesize
151KB
MD54504c34ff49b4e4f7bad5e1d03a12119
SHA1cc944092c03c8375e8672a4210cb62bb41ce2ada
SHA2568017b9f673f7158c4118e63f7733afeaf47e756227d41b034863653a14ba0917
SHA512a33b605e5c4fa7e5cb5d417982b49b459bd39b19e84bd0ecffc45b6692582360e3f8e26d4e48a2bb975488ce711aaeed7177674746fb8202e67e7772412ff9ea
-
C:\Users\Admin\AppData\Local\Temp\781F.exeFilesize
2.5MB
MD53e83cfe5cd166c724ff586d9467c13f9
SHA1159f4f7b658b7967babb83ffba43ce3c00ab76c0
SHA256287590908ed9a89235fd66d1ee9b8feca0a560880bece04ee8f268103129a57e
SHA512621c1d7e80a9660ca232c9487bdb343dfa80414bb0ffd05e9843b7fbb49308f150a6cb121b39318ee5b481d664d2f32057c8a890329f0c78dee3566f6dda3f07
-
C:\Users\Admin\AppData\Local\Temp\781F.exeFilesize
2.5MB
MD53e83cfe5cd166c724ff586d9467c13f9
SHA1159f4f7b658b7967babb83ffba43ce3c00ab76c0
SHA256287590908ed9a89235fd66d1ee9b8feca0a560880bece04ee8f268103129a57e
SHA512621c1d7e80a9660ca232c9487bdb343dfa80414bb0ffd05e9843b7fbb49308f150a6cb121b39318ee5b481d664d2f32057c8a890329f0c78dee3566f6dda3f07
-
C:\Users\Admin\AppData\Local\Temp\781F.exeFilesize
2.5MB
MD53e83cfe5cd166c724ff586d9467c13f9
SHA1159f4f7b658b7967babb83ffba43ce3c00ab76c0
SHA256287590908ed9a89235fd66d1ee9b8feca0a560880bece04ee8f268103129a57e
SHA512621c1d7e80a9660ca232c9487bdb343dfa80414bb0ffd05e9843b7fbb49308f150a6cb121b39318ee5b481d664d2f32057c8a890329f0c78dee3566f6dda3f07
-
C:\Users\Admin\AppData\Local\Temp\8109.exeFilesize
1.4MB
MD590b876266f4ba0fb897bb98e089a94b9
SHA15a460ffde15b92317df351a7ef2bad25648f7e93
SHA256c742a3f9b5b3683da2e462eb4f778defce3d52f44a28e3b1a37ca368fea9811e
SHA51289f419a4d8abb37bf19b9916a84f709d7d64e5178533e63c0ef42885783c1c89b7ffe6dc62a09064cc36869abd68b60fa7d4e3e2431b522f9dea7bd3fde120ad
-
C:\Users\Admin\AppData\Local\Temp\8109.exeFilesize
1.4MB
MD590b876266f4ba0fb897bb98e089a94b9
SHA15a460ffde15b92317df351a7ef2bad25648f7e93
SHA256c742a3f9b5b3683da2e462eb4f778defce3d52f44a28e3b1a37ca368fea9811e
SHA51289f419a4d8abb37bf19b9916a84f709d7d64e5178533e63c0ef42885783c1c89b7ffe6dc62a09064cc36869abd68b60fa7d4e3e2431b522f9dea7bd3fde120ad
-
C:\Users\Admin\AppData\Local\Temp\880F.exeFilesize
102KB
MD519468026f92b3efcfc92b1a0c9f48913
SHA18ade3bc4c79febe87f74674a4d90499d55ba21a8
SHA256d0f797a4e2020680e6462f761249f067e7a57007bb821aaf2fda9eba47cffd16
SHA5124b033ab117d15f09b64aace17b2405c9373c70bd817019419332184529ccdbf80779d4d19704337965eac63400047b5c70ff9924bb440aa01ac8de467d1f53a5
-
C:\Users\Admin\AppData\Local\Temp\880F.exeFilesize
102KB
MD519468026f92b3efcfc92b1a0c9f48913
SHA18ade3bc4c79febe87f74674a4d90499d55ba21a8
SHA256d0f797a4e2020680e6462f761249f067e7a57007bb821aaf2fda9eba47cffd16
SHA5124b033ab117d15f09b64aace17b2405c9373c70bd817019419332184529ccdbf80779d4d19704337965eac63400047b5c70ff9924bb440aa01ac8de467d1f53a5
-
C:\Users\Admin\AppData\Local\Temp\8D02.exeFilesize
289KB
MD5addadd44a657d8f48cdfcb5c26e4219b
SHA13d97e85c6a087a9d78477434a67a8f7da7c7bc32
SHA256a4655626303cc7aad16cf9c32ba02b74a5950c73a89d41757817bcb38da141eb
SHA512936c5dd3698f646344a2bbe9a7ff6722c5a30056d387a8db01cdca090da4bf1ce0c5127a809f2ad5f7f24249b8ded32f5497974e65d7f0fa64f178270f9a77c8
-
C:\Users\Admin\AppData\Local\Temp\8D02.exeFilesize
289KB
MD5addadd44a657d8f48cdfcb5c26e4219b
SHA13d97e85c6a087a9d78477434a67a8f7da7c7bc32
SHA256a4655626303cc7aad16cf9c32ba02b74a5950c73a89d41757817bcb38da141eb
SHA512936c5dd3698f646344a2bbe9a7ff6722c5a30056d387a8db01cdca090da4bf1ce0c5127a809f2ad5f7f24249b8ded32f5497974e65d7f0fa64f178270f9a77c8
-
C:\Users\Admin\AppData\Local\Temp\962A.exeFilesize
196KB
MD518eb88f87cb720ac06500688e0c91013
SHA139127d9e2982f6e01e9b2ab15f134c71da8e2113
SHA256ac89998f3f442daa08ffc0453be7fa0bbcf4b0fc1e4fe665e55ed5b94076a73d
SHA512e8a071d9a675d44464a24ff15b1be90692e159c7db426fb267b3eab9a3dbf02c3b1ae5a83544f2be40a6e3b4d94fb985cec3396ae859fe981363ce636cb009a3
-
C:\Users\Admin\AppData\Local\Temp\962A.exeFilesize
196KB
MD518eb88f87cb720ac06500688e0c91013
SHA139127d9e2982f6e01e9b2ab15f134c71da8e2113
SHA256ac89998f3f442daa08ffc0453be7fa0bbcf4b0fc1e4fe665e55ed5b94076a73d
SHA512e8a071d9a675d44464a24ff15b1be90692e159c7db426fb267b3eab9a3dbf02c3b1ae5a83544f2be40a6e3b4d94fb985cec3396ae859fe981363ce636cb009a3
-
C:\Users\Admin\AppData\Local\Temp\A1A5.exeFilesize
3.1MB
MD5145c17e590635b43bc7af1d43cf8bac8
SHA155e17b8d5e99e1c895da6c7c0c60fc5a5143b9e3
SHA2569c404c78e697cb370c9d84b492feb0dd601e5099afd0f26e09b89c5d855cc5d6
SHA5129701999d3a2276868351cfcd1ecb2163ababf812ddc43c6f2445aa6ff4e8d16d78d12d8dc19aff32216532e9d083e65bd772fba26c8395c8daa811c18ebfdf0c
-
C:\Users\Admin\AppData\Local\Temp\A1A5.exeFilesize
3.1MB
MD5145c17e590635b43bc7af1d43cf8bac8
SHA155e17b8d5e99e1c895da6c7c0c60fc5a5143b9e3
SHA2569c404c78e697cb370c9d84b492feb0dd601e5099afd0f26e09b89c5d855cc5d6
SHA5129701999d3a2276868351cfcd1ecb2163ababf812ddc43c6f2445aa6ff4e8d16d78d12d8dc19aff32216532e9d083e65bd772fba26c8395c8daa811c18ebfdf0c
-
C:\Users\Admin\AppData\Local\Temp\A908.exeFilesize
427KB
MD575869356855ebaf69df70c48c2d4c455
SHA1a39a1e3077a7f6a0679c6b2963625a555f0fb435
SHA256e66fa43e03d6f2691d3d1bb9101ece58a412dda09710716ea2a479bbcffc0848
SHA512e20c0f06e7b7e41f2e2c3afefc4a2c1fb4d83eeb874bfef9e94953cc58485d6422b0182b67619dfb5b7e6acdac5da1e9cbe9d9fb8a5d6999044424f63691a4d4
-
C:\Users\Admin\AppData\Local\Temp\A908.exeFilesize
427KB
MD575869356855ebaf69df70c48c2d4c455
SHA1a39a1e3077a7f6a0679c6b2963625a555f0fb435
SHA256e66fa43e03d6f2691d3d1bb9101ece58a412dda09710716ea2a479bbcffc0848
SHA512e20c0f06e7b7e41f2e2c3afefc4a2c1fb4d83eeb874bfef9e94953cc58485d6422b0182b67619dfb5b7e6acdac5da1e9cbe9d9fb8a5d6999044424f63691a4d4
-
C:\Users\Admin\AppData\Local\Temp\BDDA.exeFilesize
4.2MB
MD5ae75a902d204f6b27ef4c142d690277c
SHA17b4ed1d2672d547bdc6c522381c83027d4f59106
SHA256b86c151f8c83b6e4d167a03e008d80c1cd741c8618e1a8434054cd0721c804c2
SHA51210d9fb69bc999210562892affa04639c0cc499397a302c9d1c1689657a0ad6b4471115ef4cb47a5ea17b52bc8b1033068de1838c703be84d41986301ab24cc9c
-
C:\Users\Admin\AppData\Local\Temp\BDDA.exeFilesize
4.2MB
MD5ae75a902d204f6b27ef4c142d690277c
SHA17b4ed1d2672d547bdc6c522381c83027d4f59106
SHA256b86c151f8c83b6e4d167a03e008d80c1cd741c8618e1a8434054cd0721c804c2
SHA51210d9fb69bc999210562892affa04639c0cc499397a302c9d1c1689657a0ad6b4471115ef4cb47a5ea17b52bc8b1033068de1838c703be84d41986301ab24cc9c
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ky4jmpcu.etl.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exeFilesize
427KB
MD575869356855ebaf69df70c48c2d4c455
SHA1a39a1e3077a7f6a0679c6b2963625a555f0fb435
SHA256e66fa43e03d6f2691d3d1bb9101ece58a412dda09710716ea2a479bbcffc0848
SHA512e20c0f06e7b7e41f2e2c3afefc4a2c1fb4d83eeb874bfef9e94953cc58485d6422b0182b67619dfb5b7e6acdac5da1e9cbe9d9fb8a5d6999044424f63691a4d4
-
C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exeFilesize
427KB
MD575869356855ebaf69df70c48c2d4c455
SHA1a39a1e3077a7f6a0679c6b2963625a555f0fb435
SHA256e66fa43e03d6f2691d3d1bb9101ece58a412dda09710716ea2a479bbcffc0848
SHA512e20c0f06e7b7e41f2e2c3afefc4a2c1fb4d83eeb874bfef9e94953cc58485d6422b0182b67619dfb5b7e6acdac5da1e9cbe9d9fb8a5d6999044424f63691a4d4
-
C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exeFilesize
427KB
MD575869356855ebaf69df70c48c2d4c455
SHA1a39a1e3077a7f6a0679c6b2963625a555f0fb435
SHA256e66fa43e03d6f2691d3d1bb9101ece58a412dda09710716ea2a479bbcffc0848
SHA512e20c0f06e7b7e41f2e2c3afefc4a2c1fb4d83eeb874bfef9e94953cc58485d6422b0182b67619dfb5b7e6acdac5da1e9cbe9d9fb8a5d6999044424f63691a4d4
-
C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exeFilesize
427KB
MD575869356855ebaf69df70c48c2d4c455
SHA1a39a1e3077a7f6a0679c6b2963625a555f0fb435
SHA256e66fa43e03d6f2691d3d1bb9101ece58a412dda09710716ea2a479bbcffc0848
SHA512e20c0f06e7b7e41f2e2c3afefc4a2c1fb4d83eeb874bfef9e94953cc58485d6422b0182b67619dfb5b7e6acdac5da1e9cbe9d9fb8a5d6999044424f63691a4d4
-
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dllFilesize
89KB
MD587f59221122202070e2f2670720627d5
SHA1dc05034456d6b54ce4947fa19f04b0625f4e9b2b
SHA256531395ff7f51401515a8ce9b8974f6c42adf13cb78a40a57df7b9e6be7144533
SHA512b9feb993ba22b1f97693b877fd1aa10bc73704fe46067cb48e138c1700f173ed40a7e016c46971562d448ac0bd98cc86fb6b8b01512d3a2a1ef291282f7edde0
-
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dllFilesize
89KB
MD587f59221122202070e2f2670720627d5
SHA1dc05034456d6b54ce4947fa19f04b0625f4e9b2b
SHA256531395ff7f51401515a8ce9b8974f6c42adf13cb78a40a57df7b9e6be7144533
SHA512b9feb993ba22b1f97693b877fd1aa10bc73704fe46067cb48e138c1700f173ed40a7e016c46971562d448ac0bd98cc86fb6b8b01512d3a2a1ef291282f7edde0
-
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dllFilesize
89KB
MD587f59221122202070e2f2670720627d5
SHA1dc05034456d6b54ce4947fa19f04b0625f4e9b2b
SHA256531395ff7f51401515a8ce9b8974f6c42adf13cb78a40a57df7b9e6be7144533
SHA512b9feb993ba22b1f97693b877fd1aa10bc73704fe46067cb48e138c1700f173ed40a7e016c46971562d448ac0bd98cc86fb6b8b01512d3a2a1ef291282f7edde0
-
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dllFilesize
89KB
MD587f59221122202070e2f2670720627d5
SHA1dc05034456d6b54ce4947fa19f04b0625f4e9b2b
SHA256531395ff7f51401515a8ce9b8974f6c42adf13cb78a40a57df7b9e6be7144533
SHA512b9feb993ba22b1f97693b877fd1aa10bc73704fe46067cb48e138c1700f173ed40a7e016c46971562d448ac0bd98cc86fb6b8b01512d3a2a1ef291282f7edde0
-
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\clip64.dllFilesize
89KB
MD587f59221122202070e2f2670720627d5
SHA1dc05034456d6b54ce4947fa19f04b0625f4e9b2b
SHA256531395ff7f51401515a8ce9b8974f6c42adf13cb78a40a57df7b9e6be7144533
SHA512b9feb993ba22b1f97693b877fd1aa10bc73704fe46067cb48e138c1700f173ed40a7e016c46971562d448ac0bd98cc86fb6b8b01512d3a2a1ef291282f7edde0
-
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dllFilesize
1.0MB
MD57e3f36660ce48aeb851666df4bc87e2c
SHA1260131798c9807ee088a3702ed56fe24800b97a3
SHA256e6ad6ff5a9fcc6f39e145381e7c93b5f46d11a2c84aa852cc62614692e8fadcd
SHA512b8de126b91c37c96adf870a115b788252593e77f71e1151a465e171c8b17d09e3c66aed57df779b17943ba62b112e7b4fd408ec2a9ad75766768464db65745b6
-
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dllFilesize
1.0MB
MD57e3f36660ce48aeb851666df4bc87e2c
SHA1260131798c9807ee088a3702ed56fe24800b97a3
SHA256e6ad6ff5a9fcc6f39e145381e7c93b5f46d11a2c84aa852cc62614692e8fadcd
SHA512b8de126b91c37c96adf870a115b788252593e77f71e1151a465e171c8b17d09e3c66aed57df779b17943ba62b112e7b4fd408ec2a9ad75766768464db65745b6
-
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dllFilesize
1.0MB
MD57e3f36660ce48aeb851666df4bc87e2c
SHA1260131798c9807ee088a3702ed56fe24800b97a3
SHA256e6ad6ff5a9fcc6f39e145381e7c93b5f46d11a2c84aa852cc62614692e8fadcd
SHA512b8de126b91c37c96adf870a115b788252593e77f71e1151a465e171c8b17d09e3c66aed57df779b17943ba62b112e7b4fd408ec2a9ad75766768464db65745b6
-
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dllFilesize
1.0MB
MD57e3f36660ce48aeb851666df4bc87e2c
SHA1260131798c9807ee088a3702ed56fe24800b97a3
SHA256e6ad6ff5a9fcc6f39e145381e7c93b5f46d11a2c84aa852cc62614692e8fadcd
SHA512b8de126b91c37c96adf870a115b788252593e77f71e1151a465e171c8b17d09e3c66aed57df779b17943ba62b112e7b4fd408ec2a9ad75766768464db65745b6
-
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dllFilesize
1.0MB
MD57e3f36660ce48aeb851666df4bc87e2c
SHA1260131798c9807ee088a3702ed56fe24800b97a3
SHA256e6ad6ff5a9fcc6f39e145381e7c93b5f46d11a2c84aa852cc62614692e8fadcd
SHA512b8de126b91c37c96adf870a115b788252593e77f71e1151a465e171c8b17d09e3c66aed57df779b17943ba62b112e7b4fd408ec2a9ad75766768464db65745b6
-
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dllFilesize
1.0MB
MD57e3f36660ce48aeb851666df4bc87e2c
SHA1260131798c9807ee088a3702ed56fe24800b97a3
SHA256e6ad6ff5a9fcc6f39e145381e7c93b5f46d11a2c84aa852cc62614692e8fadcd
SHA512b8de126b91c37c96adf870a115b788252593e77f71e1151a465e171c8b17d09e3c66aed57df779b17943ba62b112e7b4fd408ec2a9ad75766768464db65745b6
-
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dllFilesize
1.0MB
MD57e3f36660ce48aeb851666df4bc87e2c
SHA1260131798c9807ee088a3702ed56fe24800b97a3
SHA256e6ad6ff5a9fcc6f39e145381e7c93b5f46d11a2c84aa852cc62614692e8fadcd
SHA512b8de126b91c37c96adf870a115b788252593e77f71e1151a465e171c8b17d09e3c66aed57df779b17943ba62b112e7b4fd408ec2a9ad75766768464db65745b6
-
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred64.dllFilesize
1.0MB
MD57e3f36660ce48aeb851666df4bc87e2c
SHA1260131798c9807ee088a3702ed56fe24800b97a3
SHA256e6ad6ff5a9fcc6f39e145381e7c93b5f46d11a2c84aa852cc62614692e8fadcd
SHA512b8de126b91c37c96adf870a115b788252593e77f71e1151a465e171c8b17d09e3c66aed57df779b17943ba62b112e7b4fd408ec2a9ad75766768464db65745b6
-
C:\Users\Admin\Desktop\How To Restore Your Files.txtFilesize
272B
MD59cee3cd6590c1a7902e92daf03ef467b
SHA1ef31096205e95601d124de1e69652a24fb0a0968
SHA256bf6b4f9ea83f59043027605234c5af52e9146e8903816175cefdd33af148549d
SHA51213d94c5bf381616ffd41108b81d712bb1fd8f0c7729d09518893deb316555ea7c46a84c4985af9b20e51d40f8890ed7045a7faf1f9026aa499fdf0e5bd7aa07e
-
C:\Users\Admin\Documents\Are.docx.aliceFilesize
11KB
MD5bbffb0bf4edbefda3832dd6ee8d1bb5f
SHA1c0b8c699d73f296b66dba151bd0d458d291e496f
SHA25610303b71523e9c83330ca89983d0cabcd5d96632577ea66d529496947764a7b1
SHA512c2ab984ff789d5cbcff9c84dc821435cc99187a0ba0e2335131b5fe702fe8a21e06d2ca5624c999c14a3ab08d063ee1807fd8d3f5ca74fb5f8478c73e984de69
-
C:\Users\Admin\Documents\ExitOpen.doc.aliceFilesize
353KB
MD5cbb3eea53bd7bddbd8292d6df86792aa
SHA17912309e16e361c0ece607ab2206d1c0d2ebaf19
SHA256563f62a32f00a279434c84d57d98cf64901a6020597dd6470dba979ef46f8330
SHA512bb18f486403833c2feef0f03a7d3cda17d83b25a4f83125a60f94dc3652ba278776dda8bb0631ac7db0d7317ade29bf634a843e32b20c6e1a3365613ba73b0a8
-
C:\Users\Admin\Documents\Files.docx.aliceFilesize
11KB
MD5887462e726f4c715ed14592b3a16d999
SHA1f51a5ecaf208de3915287fa1c44c1c240f404bdb
SHA256444e729f95e8321a8fd74f1498012d15c0b58990231ce3e50a87620cc15b2cdc
SHA512c5ca9e2ede75635a0ff4d3ffd4be50fcc2b5d20d1d192355e25f7b1c6f0372c12af038579682db983d8dc4a80b86fce4e57952190efb96dec97f5067862ec1e9
-
C:\Users\Admin\Documents\How To Restore Your Files.txtFilesize
272B
MD59cee3cd6590c1a7902e92daf03ef467b
SHA1ef31096205e95601d124de1e69652a24fb0a0968
SHA256bf6b4f9ea83f59043027605234c5af52e9146e8903816175cefdd33af148549d
SHA51213d94c5bf381616ffd41108b81d712bb1fd8f0c7729d09518893deb316555ea7c46a84c4985af9b20e51d40f8890ed7045a7faf1f9026aa499fdf0e5bd7aa07e
-
C:\Users\Admin\Documents\Opened.docx.aliceFilesize
11KB
MD5b891bd306331bbe0b54b333fde8fe44b
SHA1f87437ff5e936ac5039b476c5a4efb484ba675dd
SHA256bd12eb68c24a587da8c5a12515ccb3ecd217761abe28765b0383cd75e3238777
SHA5120f5b9dd8ee9ddcd575a2952f8413a5bee55f65c2e557427c0d57554741ea67474893538f252a718750b066ab4a8313c0604a5bae53d43e3293a28cad74dee9e2
-
C:\Users\Admin\Documents\Recently.docx.aliceFilesize
11KB
MD5480ffc52726e7750c207b7f7a306acb5
SHA12fc4e4aa2375b2223a7a352b91fe30bd079d1d4a
SHA25687a4ca16db8656105e8b73aa8ec6bcb81be670f9ac833b977bb54a41f76ed179
SHA5128b91e791e810ae99f1a975b3f42f71920f74dfebe464ae0a8880b3ed0a379aac9f2a2bda969930340f3420b2a634858537c079b261eae0800e4d1e3b41358106
-
C:\Users\Admin\Documents\These.docx.aliceFilesize
11KB
MD52153efb8a6ec90eb53c51ab4537e36e4
SHA1c1ee39dc85b2a390a4b4353ee645458d7b8ad752
SHA256ed8f472d62d8e192d6030889a3832fa6f60f026301a11a7bc3d3d399088a12f8
SHA51262ebd81542657d59b521c9811c6bd64a3216495bcac67b52b04a994473ae13577f00766b07bacc98a6f241581da71e00522d666adb62427fd4d2ec84cb0b2a28
-