Analysis
-
max time kernel
133s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
04-02-2024 18:36
General
-
Target
976f6386a6c31fad6a4e2996306bbf3d.exe
-
Size
7.1MB
-
MD5
976f6386a6c31fad6a4e2996306bbf3d
-
SHA1
82018f85cab8337f8fe294a3864bada0cc5d845e
-
SHA256
a2e56b293874962f8ccf1fc3d1a6f96b01222f470a6891d7cad95b70bc3e99c4
-
SHA512
c72cf4eb4fab0e9e3cae2fbe5f39a4aa1b9b031b982f6e98453bcfcf72303a045269244f73966023eb4415038a726d2507d9f594d24919fb294e700199ff83f9
-
SSDEEP
196608:SqVSV1KkmYUVB9daURUyUlYS1yaxK8gb2ZcsS:SXV1r4DOYS1yaE89ZcsS
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://habrafa.com/test1/get.php
-
extension
.cdcc
-
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
-
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Fabookie payload 2 IoCs
-
Detect ZGRat V1 3 IoCs
-
Detected Djvu ransomware 7 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Fabookie
Fabookie is facebook account info stealer.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 13 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 25 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 9 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 5 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 52 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\976f6386a6c31fad6a4e2996306bbf3d.exe"C:\Users\Admin\AppData\Local\Temp\976f6386a6c31fad6a4e2996306bbf3d.exe"1⤵
- DcRat
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 12515⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F5⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\nsf58B.tmpC:\Users\Admin\AppData\Local\Temp\nsf58B.tmp3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 24044⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 3723⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 3883⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 4043⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 6803⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 6923⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 6923⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 7483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 7563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 7683⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 7403⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 6323⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 7483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 7763⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 8083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 7403⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 6443⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 7683⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 6243⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 7403⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 3404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 3564⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 3604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 6524⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 6644⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 6644⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 7204⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 7284⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 7444⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 3725⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 3885⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 4045⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 6845⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 7245⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 7245⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 7245⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 7525⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 7245⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 8205⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 8925⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 9205⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 9325⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 9525⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\rty25.exe"C:\Users\Admin\AppData\Local\Temp\rty25.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2856 -ip 28561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3252 -ip 32521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4464 -ip 44641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4464 -ip 44641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4464 -ip 44641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4464 -ip 44641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4464 -ip 44641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4464 -ip 44641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4464 -ip 44641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4464 -ip 44641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4464 -ip 44641⤵
-
C:\Users\Admin\AppData\Local\Temp\96BD.exeC:\Users\Admin\AppData\Local\Temp\96BD.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\C2A0.exeC:\Users\Admin\AppData\Local\Temp\C2A0.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C2A0.exeC:\Users\Admin\AppData\Local\Temp\C2A0.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\604e615a-0a01-4f7c-8ed1-28c832a47961" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\C2A0.exe"C:\Users\Admin\AppData\Local\Temp\C2A0.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\C2A0.exe"C:\Users\Admin\AppData\Local\Temp\C2A0.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 5685⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1684 -ip 16841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3956 -ip 39561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3956 -ip 39561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3956 -ip 39561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3956 -ip 39561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3956 -ip 39561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3956 -ip 39561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3956 -ip 39561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3956 -ip 39561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3956 -ip 39561⤵
-
C:\Users\Admin\AppData\Local\Temp\F932.exeC:\Users\Admin\AppData\Local\Temp\F932.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 10922⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 10602⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3956 -ip 39561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3956 -ip 39561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3956 -ip 39561⤵
-
C:\Users\Admin\AppData\Local\Temp\AE6.exeC:\Users\Admin\AppData\Local\Temp\AE6.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\119E.exeC:\Users\Admin\AppData\Local\Temp\119E.exe1⤵
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe"cmd" /C tasklist2⤵
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exe"cmd" /C "dir "2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4704 -ip 47041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4704 -ip 47041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3956 -ip 39561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3956 -ip 39561⤵
-
C:\Users\Admin\AppData\Local\Temp\28C1.exeC:\Users\Admin\AppData\Local\Temp\28C1.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\486F.exeC:\Users\Admin\AppData\Local\Temp\486F.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 9963⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\1000001001\plaza.exe"C:\Users\Admin\AppData\Local\Temp\1000001001\plaza.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\073191680435_Desktop.zip' -CompressionLevel Optimal4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000002001\ladas.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\ladas.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000004001\RDX.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\RDX.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000005001\55555.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\55555.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 3163⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 10643⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 10803⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 6563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 11483⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000006001\1233213123213.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\1233213123213.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000007001\sadsadsadsa.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\sadsadsadsa.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000008001\goldklassd.exe"C:\Users\Admin\AppData\Local\Temp\1000008001\goldklassd.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000009001\lumma1234.exe"C:\Users\Admin\AppData\Local\Temp\1000009001\lumma1234.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3312 -ip 33121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4144 -ip 41441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4144 -ip 41441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4144 -ip 41441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4144 -ip 41441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4144 -ip 41441⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Virtualization/Sandbox Evasion
3Impair Defenses
1Disable or Modify System Firewall
1File and Directory Permissions Modification
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Temp\1000001001\plaza.exeFilesize
1.1MB
MD50749a701f3f686203e5d7b34ca80acfb
SHA1ce00aa0b01f84e40d3d341931c3378bafbb29454
SHA256956c464c761ef40e82e07788f2ec2bfe847b9917d7800d16d9d68cb361d3869d
SHA5123867bd227bbf9bbb0d3bcbb81ab9b04dc0be4fff75514c7dae66b01945b398d788a7b3ae1863aa8528e4346fc31b9e61d5837c3b6b0718c17ac25bed94814044
-
C:\Users\Admin\AppData\Local\Temp\1000002001\ladas.exeFilesize
2.2MB
MD50fe2b018c120446c837d7c7396c7c0e8
SHA1b3c2bf3733e5cd01fc2cc7aea6dac95d31567d30
SHA256af303b73a61c54da686d6250f49b0c5bc053e9dd7324b883a237a63f26a0dd86
SHA512374340eaa437dd622e483abd96ee92243aae916f7d2a4a74685791ae1b7792395ae88b3dc92c33d7fc8b9a50bd07181bcb7acbcc650e4cc18598650c473b8e1b
-
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exeFilesize
1.7MB
MD5a615f2eee64c5d7449a8792cc782b6d6
SHA1cf1dff4fbbf172c6870c30fc3784bdbd53d49a69
SHA2564e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389
SHA5129b0a2e7c7c4310300cb7f1f14d8b9ec11c7e5d6013b0bdf5c33af9e8f3de92be74ac95d83c0b637e6919f61cdffd8f7a9bf7c5411c23fcdf56b2a753a2830f0c
-
C:\Users\Admin\AppData\Local\Temp\1000004001\RDX.exeFilesize
313KB
MD5f733785f9d088490b784d4dc5584ebfb
SHA16c073d4208fee7cc88a235a3759b586889b91adf
SHA256e7216d8b7084c0c36d90aefaf30bb7b6d10ae2ecae700889d459ed5ab1b26a59
SHA51243589b18333b0edcd6e300577f86de685058df5533bcbfdd3e30497aa76176008125fbd28deecaca5e6132c42cc5c0a583c34497f40dbe4ea577333eaebab899
-
C:\Users\Admin\AppData\Local\Temp\1000005001\55555.exeFilesize
655KB
MD5167c40ace009f5d5cda541008804c3b3
SHA1541bc50815f39227b9e01e5e4db6a08c02cedf4d
SHA256620bace13215ee69bcbdf8ac237798e8ab2ff052492303e2bac32d0a5a03f44a
SHA51260aa62eb8803bc2a8e95ea3ecadeb93e3859288d1b06a1d63451f48b10b8bbeef862c978143b419cf82d9f0fb6e1792cf82dd466f184173ca9bc8a7ffae09c15
-
C:\Users\Admin\AppData\Local\Temp\1000006001\1233213123213.exeFilesize
2.6MB
MD5b69036a695b48549380a64c8df3a00f1
SHA11f70d2f6e9b3172291fba309d60adea856af6be0
SHA256e5c80844063be3cea01fa549f22c23723909ce5e596e2f9001b8c37099657210
SHA5124d5c763842c556eca464cb6aceb3cb6b68ed16794f159c06f28873f32580ee977cef9e9697b92b2f3b1c1d72592f03460b53964ff5d2593a05b7f6a7aafd9cf3
-
C:\Users\Admin\AppData\Local\Temp\1000007001\sadsadsadsa.exeFilesize
313KB
MD55a6358bb95f251ab50b99305958a4c98
SHA1c7efa3847114e6fa410c5b2d3056c052a69cda01
SHA25654b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5
SHA5124ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0
-
C:\Users\Admin\AppData\Local\Temp\1000008001\goldklassd.exeFilesize
399KB
MD5a647afc0219638fb62a777cd2f32a4bd
SHA1ef5ad8aaac4adcf8856a939e8d17259cccb22035
SHA256b5e5a6adbbb37ddc7b3aa54df9bfb61c2038d887db8f44d1deb63e64fddf4436
SHA512411a4a24aa37242276798cda5cce488165b828d9929c71891d5af926229068161796684e9f6476f8ca460d79facbc45fa8125c030c3645a3dcab7dca2ebfa044
-
C:\Users\Admin\AppData\Local\Temp\1000009001\lumma1234.exeFilesize
631KB
MD51850ff637de86020fe977b676b5c81ca
SHA13e4774068a1412a979644427ed505c9a1ae72f8e
SHA25658ace8404d8fbfca96c562f3415948073f713c799eb466627dbd9988cabd1c56
SHA51273597991c552f44cab018b57278a416a32ee42b886bfa9b6697bb6a6040093b2ec9980b20c58b28f57939e5a80fa7850862ea7f8f8c1d556d8d3fb814c5c4d0b
-
C:\Users\Admin\AppData\Local\Temp\119E.exeFilesize
1.7MB
MD55b32fd55fe0d459269f2c09bb286cddf
SHA173343cbf7c655f92226cfdd5454c1440bbb720cf
SHA256bc72ff9af642f90aed120dbd3c9c0ff0315b88f9badf6b59f55943252c7c366f
SHA5128b3be98fe15db6d15af13a6022e9ab0613a9314d1a351b7c824bfcf174fe7836d91e517d1d9be5f573d8d0ce10f679bf937a8a9fad772697f5ae1e836409fa41
-
C:\Users\Admin\AppData\Local\Temp\28C1.exeFilesize
2.5MB
MD505aef2221ea6cc47def254618a61d437
SHA12d9e79b680ab3e570761d337857e674280f8c64f
SHA2569da4c067d4be2414c6dd9a7dc7ee89faa4ad19b474b55e73605c707405a71339
SHA512ae233a76fac1d7b7d9a9fabecd1c6c1178a1a5fe6be8e6f8325f579773806c0333a9081381f63a79af1e19dfba2f4708ca0ba1db431a927c3ae3ef7aff104f3e
-
C:\Users\Admin\AppData\Local\Temp\486F.exeFilesize
1.9MB
MD5ecc17de55de15cc4516843d8d0aa3f9f
SHA16219e7ca33efd332dcb0cd8665d7019302ee7caf
SHA256bf8699ebf5013f027ece4d5f87ca3b9278ac430d5d35a2b44dd40ec1b1afcb61
SHA5124c33b67810f44ba56a93da7a9124b90cf86f59ccf6ee5a71ae4fb66b7fb374ba654f157b6fc1cb6e7081faade04d8360b88cd930b655413224ded6cf563e4a99
-
C:\Users\Admin\AppData\Local\Temp\486F.exeFilesize
2.9MB
MD5b6b6574d3f4732654ccfb60ce86ee64f
SHA1f3a0f83bfaf4b2c1098bd7b9ffd8c9feb70c49f4
SHA256d2e348332e82410206d1a5b00d943b3cd7ad9d601ce1b8b1dd14db42fb651484
SHA512f20146fbc5ef28a8410cc37311bf1e45e6bec178ffe512d3a462f965b722f05803caa0030fe03ef11c74588826caa079b68c1c0f80cc37039ae5ddd969edf92a
-
C:\Users\Admin\AppData\Local\Temp\AE6.exeFilesize
1.3MB
MD56543dfd527080cd599e8905c90903b33
SHA12e4acc0fa59d8fd5cf6ce164add913216a69ed01
SHA256a58bc51e98ea724efade706eac4e09fec449312f0ba08362560d551324d179e6
SHA5123f176226f5b2b2030769a2600566976cb9db79d2072d254e1e9dfe2d4474bcaab75d3929a9d6051cf7b4bb478d9ab292c9adb5690ca3bef63058939c60f64589
-
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeFilesize
640KB
MD50d13b2f0e75a0ffa55b688f1c6b627ca
SHA129330be89b4b854b6190fc600f7b386c0aece103
SHA25603c847db446562df0a88f996c5be14f916948b7adc91036fe8ae02898bde84ca
SHA51290d1713c6fcb24913972a8fda35b18b6e6407c8eb7c2e32019a71cdc783205db7dbc8bfa401fe9d7084b2cf301841c90445c4d72c70a11e14a30034aeadddbe9
-
C:\Users\Admin\AppData\Local\Temp\C2A0.exeFilesize
774KB
MD5a775dae66ce141797fe36ee3509c6177
SHA1b822ee79f6cdfe299c70bbb14cb96f9560edb4f6
SHA2568c007c45f95884050ef0d13ab45605edbf1cb1cd26ca415bf0127cd8e6ca6dcf
SHA512c94d0bfc21d4ac08b13b45aacb30a7411cf59d01139c6a5c78146cfcdafa7375b55f48be4192b331ae47a86e4a591cebe95f2a2878dc963e9160e62c9d42590f
-
C:\Users\Admin\AppData\Local\Temp\F932.exeFilesize
5.5MB
MD5b93a21b8150139fcd2cf5288ff1d5139
SHA1ec8694ce461ff6eda5a438dd12e23ff2ca57866f
SHA2565cdc5563e76016b0227a6c0627b2101ffc2c8092100b420e1ac04ccc7f92bb6f
SHA512ded51d249e6f55db0a2a0cb70a98877754560d07eb5cfe8297de15b5fbcc54d5f5a7909959e16088742afd7495e920d8a70e1561f037d07035e01a7abb598062
-
C:\Users\Admin\AppData\Local\Temp\F932.exeFilesize
5.6MB
MD5618c676243b5c21a46202776e3a49f67
SHA1ed71f13ddf8a0826e506a3277eb55c44a2344480
SHA25648d750b761b3c12a8c19abe1aeef8eb8da5f085e12e29d08c89d8b7307917658
SHA5124a5accb3d2bd247f21d8b7514a9132b75777563526fbfb8d9d60a9b66694f975e8ff16f193d2a1fc62a44771f471343374d50c4f51abd1ced94e82169a761b43
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exeFilesize
832KB
MD58e69ace63f36fe41124f9e26ee9c6455
SHA17aea810409bf64cb3db4da2964fca21b399d53ce
SHA256a9c8133056108c2a28e544f1976d397ad19eb716a2caf94bc0ceac2c197ceedb
SHA512eecf50f5b90ea7bb4fe93cd73ae48def85b20584fad379f072150543e7f12bd87d3dd3a58f36fe0b9d8d356bc10942e2aab0969f8000538e225d0f8929456502
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exeFilesize
2.0MB
MD5b1a9afd3bc46ae4c4b74865631c601a5
SHA116c1f5d71c5a32eed997784dc0cc7eeee5cd9b34
SHA256dabe25fc56340aef9cdb1841199b90fd5ed0b2854c2dfc2eac7406bacba015d2
SHA512da40c07a1acffc9e952fa4a15de2f0aa54168a1a8f177530940fdb23b893e91db1b95a32ff53db78ee0f4174696b8aee22b4bd540aacbe11b22c0ded0b8c723b
-
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dllFilesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_anakcb11.flz.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exeFilesize
3.1MB
MD5026e9695ffe87b63c1797bee49404384
SHA172636d587ce62486473c2e45bead9c091176ca65
SHA2563017e5c925236ad760ce90f426c9aaf2718f944f0ab4cb488d4974c2dae26771
SHA5121e25b094b24c078c8014201e8bbcd13d1b16abfa4d4439c29af2f273b074a893b5269f96b45901395629ff9bb0960fcdcc4124b1478931e4f3a1e80451e799a1
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exeFilesize
896KB
MD59e3d41fad3a17de5dbbc62a9a31bd332
SHA17fa0226a7593c50e72168f7330d95c9d145bd8c1
SHA25649114ce0154a412923c645876b8c2e749d216106a96dd1de0632976566b8643c
SHA5123b8cc1ab2b7b0fb174e109e523ea9234af0683a562328f3af72074c4f324cb20ad429f54a84914e57f287f70556845ce67d9e7db4eff4eebb230d183896bc5c5
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exeFilesize
1.8MB
MD5d8bf737a36f77b912dac14f1a0aeba0f
SHA1a9341a8b579f8d080c9d8d0c935272427960ab14
SHA25658d25939ce3a8e7baf13b5bc0cfbd4ac7788650e6148a762f66172905b2b310c
SHA512a1d898389c4c1ed1ae317df366ff8a3d5f75c314d3c059ec8d89f9c63db72c7e86396ef0aa1423c870aa517af73a09c16792c169b654fea2068ba04f3aa6e1d0
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exeFilesize
1.1MB
MD52920038060c6c297dcce3ba8cf9c53c4
SHA150d6658998a6ff48c9a43004d60f98702fa3187d
SHA256f56960c7e4682a8e6dfe286f3d30e2d6e8cbb05cc7fd0274bd5f4ef2a1009e86
SHA5120b1324082d7ebf794ab36e4259575d931e14e41120f96082d11e9621b7865c0b35327ecf41f1c58c24382e65bf6f8490740ce9e8faa01f3b27f3244aa974ae4c
-
C:\Users\Admin\AppData\Local\Temp\nsf58B.tmpFilesize
287KB
MD58631575486d7c2fa771a0878c4a43e91
SHA1ea4fbb4a1f2e1324815743ff75c4e2a8996a4fed
SHA2560f929d45b2cf8bcd6a55a6fb6f8e7d61fe65b0dfbe0b27b56850644567027922
SHA512032d5019045cdaa86c9181d71cfc34d9e6bc33facfc5d18db6a9cea28fdd4fe94427c37b19881c38dab093c849383f1c8fa05737697bf3e61338c066097d74a4
-
C:\Users\Admin\AppData\Local\Temp\nsqFA9D.tmp\INetC.dllFilesize
25KB
MD540d7eca32b2f4d29db98715dd45bfac5
SHA1124df3f617f562e46095776454e1c0c7bb791cc7
SHA25685e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA5125fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
-
C:\Users\Admin\AppData\Local\Temp\rty25.exeFilesize
640KB
MD557a1416ef8f3b7ef6d50ceaf9aa5007e
SHA1c1850891459401c4a5363940ceeec77ecebbce55
SHA256d3e4799c37a853945917238bdd8cfa76626f990e03d7db0dab216466611dc079
SHA5125c5cc16d1f1a92feb3c1ea930687c3df8a98a2ae7606c0571fb8f2ea503cc08a4c28c8a964af2c95441ecdd6d059ba16d76e161128054726961ded4b048b5ac9
-
C:\Users\Admin\AppData\Local\Temp\rty25.exeFilesize
128KB
MD5ce3033fe7ef081c32a5b7969dd6e3648
SHA18bba2a76423f38e7a30930a4c06b3840e693d069
SHA256c9bd8d2ac6fed35669781eaea6e35eab0c77b8176ad6108236e0139d45c9d2a5
SHA512879b00a328fb0c0a2bc33564db292fccc18a91a6c4c8e31bf4e9b7e6a8f27b94ce994d24d0a4fb250a728f8b26d8e6f9b89a2ec9ae93ff55abfeff90bbeb1988
-
C:\Users\Admin\AppData\Local\Temp\toolspub1.exeFilesize
238KB
MD58c20d9745afb54a1b59131314c15d61c
SHA11975f997e2db1e487c1caf570263a6a3ba135958
SHA256a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1
SHA512580021850dfc90647854dd9f8124418abffbe261e3d7f2e1d355dd3a40f31be24f1b9df77ad52f7fa63503a5ee857e270c156e5575e3a32387335018296128d7
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\Temp\Task.batFilesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exeFilesize
325KB
MD53058f10b2fe431d9f8a487a35cd89ba3
SHA1adf31cfada940e96a02305177bea754d4ee41861
SHA25673e5d1b5c0d2134f08a76a09b913efa9076bd492e509cd0346794db436c54d30
SHA5124f59602a4f557a9947d15a1ed13d8e1b09d0ba3660130fa7e029219b21062a3dba55f7da6db0efa9f2f5ac5053dda51ed4e183ae171789374e239c4d7609eae5
-
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exeFilesize
313KB
MD55ea776e43112b097b024104d6319b6dc
SHA1abd48a2ec2163a85fc71be96914b73f3abef994c
SHA256cf650d13eea100a691f7f8f64674189a9c13d7948e31468963e10a23726dc341
SHA51283667045b7da8596fad90320880d8d7c83f71a1f043d73f7b68a0ad948ae2e530a753d5c7943a096a307e696f8d9fa433025b30078af6d4530d1a2f2a4b12ed2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD55b539898b54c76c9c25eb0981a833166
SHA18531e7e581839432f765fae0c19481efd892c8ca
SHA2569ad589fdbc61a011021925b4a87f2de6501e401c66799eb4d30cdbd93d083f55
SHA5123a3d531cad24c8920953d431343baf5c0396a55c44f5150aa2f35704bf4dc124ba9584b7abc2f776267613cbb66fe6e5d394be8c46a7a8837859e23a362d21de
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD504bb8a6540653fbeeba3304323458d2b
SHA15d5444da2de6911e6368c8f351c5448b16e1bf1f
SHA2568316a4156e9cfc403ce7dfc83ed4bb7354ddbb4da7a89ae6fa08bdc851b00c5d
SHA5122e37849a4ecb3f38338190f3b30ae46f8ac46e1d631fc4074b98ae9234ad0e881cca00beda6e875f93b0befc80e41613dd5824c76040ac90a6d6a6da1502f464
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5f4906d2c90db6670f1ce2f3e23b09e49
SHA1ce55c0ac30305c435f5c0b3f58aecc5a8196b131
SHA25620655df2dc74610b4e245b324dd5003066aa01b557ea91044977836327d02cde
SHA51268623f929ece53699c2d148e206babf8c7261fa001d8b32c1dd4290ee63c68aef379690016706c76a40be5b298407dd07e082dc69c2c7cf2ece1d88917a85ad6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5b85302450a88959dc320d1ea19fd522a
SHA1561b9fe87eaca0d0e98cd8943dd49db6190ea8b4
SHA25600d8d8a666897bb58acb8bdcea48717dce0d066bc430ecf762481b0a4035ad30
SHA512880d4fcd1dea4624c25b569f31ff6e14a2f6d7f74073eab89336aee15adb0a18ef3ae03f97fbf769e29513ac01219f4488d5a6ce0a681cad0f26b61eb7d031c1
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD563ce2e92f65ea5de03f5ed34279be262
SHA1a4e68d0fc25bbfb114f0a54db9547ede27010410
SHA25603e5338636787739b31d88ae20a382a3dfe8e4eb01c88f56f0c30fff2485bd63
SHA512ee7baf8e2e0f10682d6a8f0ee1faad0fb5defc4d6734f6d8a2cb01da4b5937b413bb75f96d776205b525f64e8e1d3ed3881f0a2b150c739e7b477131da9689df
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD59d786177258efa030e9246dea62af319
SHA1f0e9ac0f3e511cd3c727604b753bff27a5929e74
SHA256d27ce412607298a308906801084e836679cfd97721264d45af61696c26baac69
SHA5124cf2814e1c268601408722030380e0b493381408841c1481d7fe8f3381e99698c168dc30b8d51b5c783a37c998d5851a89e99bf87c875989693272e3a4495e68
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/904-70-0x0000000000490000-0x000000000049B000-memory.dmpFilesize
44KB
-
memory/904-73-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/904-128-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/904-68-0x00000000006A0000-0x00000000007A0000-memory.dmpFilesize
1024KB
-
memory/1684-396-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1684-394-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1684-393-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2260-249-0x0000000002C20000-0x0000000002D4C000-memory.dmpFilesize
1.2MB
-
memory/2260-45-0x00007FF7AEF80000-0x00007FF7AF037000-memory.dmpFilesize
732KB
-
memory/2260-81-0x0000000002C20000-0x0000000002D4C000-memory.dmpFilesize
1.2MB
-
memory/2260-80-0x00000000029E0000-0x0000000002AEA000-memory.dmpFilesize
1.0MB
-
memory/2856-163-0x0000000002E50000-0x000000000373B000-memory.dmpFilesize
8.9MB
-
memory/2856-44-0x0000000002E50000-0x000000000373B000-memory.dmpFilesize
8.9MB
-
memory/2856-39-0x0000000002A50000-0x0000000002E4C000-memory.dmpFilesize
4.0MB
-
memory/2856-171-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2856-244-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2856-48-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2856-270-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2856-144-0x0000000002A50000-0x0000000002E4C000-memory.dmpFilesize
4.0MB
-
memory/2856-130-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/3252-75-0x0000000000820000-0x0000000000920000-memory.dmpFilesize
1024KB
-
memory/3252-162-0x0000000000400000-0x0000000000647000-memory.dmpFilesize
2.3MB
-
memory/3252-86-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/3252-213-0x0000000000400000-0x0000000000647000-memory.dmpFilesize
2.3MB
-
memory/3252-77-0x0000000000400000-0x0000000000647000-memory.dmpFilesize
2.3MB
-
memory/3252-76-0x00000000007B0000-0x00000000007E4000-memory.dmpFilesize
208KB
-
memory/3496-126-0x0000000002DF0000-0x0000000002E06000-memory.dmpFilesize
88KB
-
memory/3496-303-0x0000000003740000-0x0000000003756000-memory.dmpFilesize
88KB
-
memory/3956-458-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4216-290-0x0000000007B10000-0x0000000007BB3000-memory.dmpFilesize
652KB
-
memory/4216-280-0x00000000749F0000-0x0000000074D44000-memory.dmpFilesize
3.3MB
-
memory/4216-253-0x00000000734C0000-0x0000000073C70000-memory.dmpFilesize
7.7MB
-
memory/4216-254-0x00000000053C0000-0x00000000053D0000-memory.dmpFilesize
64KB
-
memory/4216-255-0x00000000053C0000-0x00000000053D0000-memory.dmpFilesize
64KB
-
memory/4216-261-0x0000000006300000-0x0000000006654000-memory.dmpFilesize
3.3MB
-
memory/4216-269-0x0000000006E50000-0x0000000006E9C000-memory.dmpFilesize
304KB
-
memory/4216-279-0x000000007FC70000-0x000000007FC80000-memory.dmpFilesize
64KB
-
memory/4216-271-0x00000000053C0000-0x00000000053D0000-memory.dmpFilesize
64KB
-
memory/4216-278-0x0000000074510000-0x000000007455C000-memory.dmpFilesize
304KB
-
memory/4292-385-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4292-358-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4292-351-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4292-353-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4396-313-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/4448-140-0x0000000000400000-0x00000000008E2000-memory.dmpFilesize
4.9MB
-
memory/4448-55-0x0000000002680000-0x0000000002681000-memory.dmpFilesize
4KB
-
memory/4448-208-0x0000000002680000-0x0000000002681000-memory.dmpFilesize
4KB
-
memory/4464-291-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4464-336-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4464-250-0x0000000002A50000-0x0000000002E50000-memory.dmpFilesize
4.0MB
-
memory/4464-410-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4464-251-0x0000000002E50000-0x000000000373B000-memory.dmpFilesize
8.9MB
-
memory/4464-252-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4704-194-0x0000000006290000-0x00000000062AE000-memory.dmpFilesize
120KB
-
memory/4704-164-0x0000000004CB0000-0x0000000004CE6000-memory.dmpFilesize
216KB
-
memory/4704-185-0x0000000005DB0000-0x0000000006104000-memory.dmpFilesize
3.3MB
-
memory/4704-209-0x0000000004E60000-0x0000000004E70000-memory.dmpFilesize
64KB
-
memory/4704-174-0x0000000005BD0000-0x0000000005C36000-memory.dmpFilesize
408KB
-
memory/4704-195-0x00000000062E0000-0x000000000632C000-memory.dmpFilesize
304KB
-
memory/4704-173-0x00000000052A0000-0x00000000052C2000-memory.dmpFilesize
136KB
-
memory/4704-172-0x0000000004E60000-0x0000000004E70000-memory.dmpFilesize
64KB
-
memory/4704-207-0x00000000067E0000-0x0000000006824000-memory.dmpFilesize
272KB
-
memory/4704-243-0x0000000072E70000-0x0000000073620000-memory.dmpFilesize
7.7MB
-
memory/4704-460-0x0000000002D20000-0x0000000002D21000-memory.dmpFilesize
4KB
-
memory/4704-462-0x0000000002D60000-0x0000000002D61000-memory.dmpFilesize
4KB
-
memory/4704-464-0x0000000002D70000-0x0000000002D71000-memory.dmpFilesize
4KB
-
memory/4704-465-0x0000000002D80000-0x0000000002D81000-memory.dmpFilesize
4KB
-
memory/4704-461-0x0000000002D30000-0x0000000002D31000-memory.dmpFilesize
4KB
-
memory/4704-466-0x0000000002D90000-0x0000000002D91000-memory.dmpFilesize
4KB
-
memory/4704-170-0x00000000054A0000-0x0000000005AC8000-memory.dmpFilesize
6.2MB
-
memory/4704-166-0x0000000004E60000-0x0000000004E70000-memory.dmpFilesize
64KB
-
memory/4704-165-0x0000000072E70000-0x0000000073620000-memory.dmpFilesize
7.7MB
-
memory/4704-175-0x0000000005C40000-0x0000000005CA6000-memory.dmpFilesize
408KB
-
memory/4704-240-0x00000000079F0000-0x00000000079F8000-memory.dmpFilesize
32KB
-
memory/4704-239-0x0000000007A00000-0x0000000007A1A000-memory.dmpFilesize
104KB
-
memory/4704-238-0x00000000079B0000-0x00000000079C4000-memory.dmpFilesize
80KB
-
memory/4704-237-0x0000000007990000-0x000000000799E000-memory.dmpFilesize
56KB
-
memory/4704-236-0x0000000007950000-0x0000000007961000-memory.dmpFilesize
68KB
-
memory/4704-235-0x0000000007A50000-0x0000000007AE6000-memory.dmpFilesize
600KB
-
memory/4704-234-0x0000000007940000-0x000000000794A000-memory.dmpFilesize
40KB
-
memory/4704-233-0x0000000007860000-0x0000000007903000-memory.dmpFilesize
652KB
-
memory/4704-232-0x0000000007800000-0x000000000781E000-memory.dmpFilesize
120KB
-
memory/4704-222-0x0000000071790000-0x0000000071AE4000-memory.dmpFilesize
3.3MB
-
memory/4704-221-0x0000000073770000-0x00000000737BC000-memory.dmpFilesize
304KB
-
memory/4704-220-0x0000000007820000-0x0000000007852000-memory.dmpFilesize
200KB
-
memory/4704-219-0x000000007F170000-0x000000007F180000-memory.dmpFilesize
64KB
-
memory/4704-210-0x00000000075B0000-0x0000000007626000-memory.dmpFilesize
472KB
-
memory/4704-212-0x0000000007650000-0x000000000766A000-memory.dmpFilesize
104KB
-
memory/4704-211-0x0000000007CB0000-0x000000000832A000-memory.dmpFilesize
6.5MB
-
memory/4816-47-0x0000000074A90000-0x0000000075240000-memory.dmpFilesize
7.7MB
-
memory/4816-0-0x0000000074A90000-0x0000000075240000-memory.dmpFilesize
7.7MB
-
memory/4816-1-0x0000000000980000-0x00000000010A6000-memory.dmpFilesize
7.1MB